feat: Add GitHub App gateway credentials (#431)

* feat: Add GitHub App gateway credentials

* fix: Fail closed for cached GitHub App auth

* fix: Skip credentials for non-HTTPS upstreams

* fix: Skip non-repo GitHub credential URLs

* feat: load GitHub App credentials from config

* feat: add GitHub App serve flags

* fix: report daemon GitHub App credentials in doctor

* fix: keep daemon GitHub App auth in config

Author: lox

docs/gateway.md

@@ -214,16 +214,54 @@ Not wired yet:
 
 ## Credentials
 
-Host-side credentials are provided via environment variables:
+Host-side GitHub App credentials can be configured in the host runtime config:
+
+```yaml
+gateway:
+  credentials:
+    github_app:
+      app_id: "3817917"
+      installation_id: "134770928"
+      private_key_file: /Users/lachlan/.config/cleanroom/github-app.pem
+      repo_prefixes:
+        - buildkite/
+```
+
+`private_key_file` is read by the host-side `cleanroom serve` process. It should
+point at a local PEM file readable only by the daemon user.
+
+Installed daemons read this from runtime config. `cleanroom daemon install` does
+not persist GitHub App credentials as service arguments.
+
+Foreground `cleanroom serve` also supports command-line overrides for the same
+GitHub App settings. These flags use Kong environment bindings, so the matching
+environment variables can be used instead of flags:
+
+| Flag | Environment variable | Purpose |
+|------|----------------------|---------|
+| `--github-app-id` | `CLEANROOM_GITHUB_APP_ID` | GitHub App ID for host-side GitHub Git authentication |
+| `--github-app-installation-id` | `CLEANROOM_GITHUB_APP_INSTALLATION_ID` | GitHub App installation ID |
+| `--github-app-private-key-file` | `CLEANROOM_GITHUB_APP_PRIVATE_KEY_FILE` | Path to PEM-encoded GitHub App private key |
+| `--github-app-repo-prefixes` | `CLEANROOM_GITHUB_APP_REPO_PREFIXES` | Comma-separated `owner/` or `owner/repo` scopes where GitHub App credentials may be used |
+
+Static token credentials are also supported through environment variables:
 
 | Variable | Purpose |
 |----------|---------|
 | `CLEANROOM_GITHUB_TOKEN` | GitHub authentication |
 | `CLEANROOM_GITLAB_TOKEN` | GitLab authentication |
 
 Credentials are injected into upstream requests by the gateway. They are never
-exposed to the guest environment. The same host-side credential provider chain
-is used by the embedded `content-cache` upstream clients.
+exposed to the guest environment. GitHub App credentials take precedence for
+matching `github.com` Git remotes when configured; token mint failures fail the
+upstream request instead of falling back to unauthenticated Git or host
+credential helpers. GitHub repositories outside
+the configured `repo_prefixes` continue through the rest of the credential
+chain. If runtime config does not define `gateway.credentials.github_app`, a
+foreground `cleanroom serve` process uses any GitHub App values provided by
+`serve` flags or their bound environment variables. The same host-side
+credential provider chain is used by the embedded `content-cache` upstream
+clients.
 
 ## Configuration