Remove member grant for registry - admins only

Registry access restricted to admins (who already have full access).
Members don't need to push/pull container images.
K8s accesses registry locally on indri, not via Tailscale.
Added note about Zot htpasswd auth for future reference.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/k8s-migration.md

@@ -91,23 +91,23 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics
 "tag:k8s":      ["autogroup:admin", "tag:blumeops"],
 ```
 
-2. Add registry grant to `grants` section (around line 48, after the `tag:pg` grant):
-```hujson
-{
-	"src": ["autogroup:member"],
-	"dst": ["tag:registry"],
-	"ip":  ["tcp:443"],
-},
-```
+2. Add test cases to `tests` section:
+   - Update Erich's accept list (around line 111) to include registry:
+   ```hujson
+   "accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"],
+   ```
+   - Update Allison's deny list (around line 117) to deny registry:
+   ```hujson
+   "deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443"],
+   ```
 
-3. Add test case to `tests` section (update Erich's accept list around line 111):
-```hujson
-"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"],
-```
+**Note:** No member grant needed for registry. Admins already have access via `"dst": ["*"]`.
+K8s on indri accesses the registry locally (`localhost:5000`), not via Tailscale.
+Zot supports htpasswd auth if we later need finer-grained control.
 
 **Testing:**
 ```bash
-mise run tailnet-preview   # Review changes - should show new tags and grants
+mise run tailnet-preview   # Review changes - should show new tags
 mise run tailnet-up        # Apply changes
 ```