feat: add private repository support with SSH key and HTTPS token auth

- Generate SSH ed25519 key pair on agent startup for cloning private repos via SSH
- Add GET /api/v1/settings/ssh-public-key endpoint to expose deploy key
- Add auth_token and auth_username fields to TrackedRepository model
- Wire git2 credential callbacks for both SSH and HTTPS authentication
- Validate repository access before saving (test-connect on add)
- Update dashboard add form with optional auth section showing deploy key and token fields
- Show error toast if private repo cannot be accessed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-core/src/config.rs

@@ -24,6 +24,7 @@ pub struct AgentConfig {
     pub scan_schedule: String,
     pub cve_monitor_schedule: String,
     pub git_clone_base_path: String,
+    pub ssh_key_path: String,
     pub keycloak_url: Option<String>,
     pub keycloak_realm: Option<String>,
 }

compliance-core/src/models/repository.rs

@@ -28,6 +28,12 @@ pub struct TrackedRepository {
     pub tracker_type: Option<TrackerType>,
     pub tracker_owner: Option<String>,
     pub tracker_repo: Option<String>,
+    /// Optional auth token for HTTPS private repos (PAT or password)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub auth_token: Option<String>,
+    /// Optional username for HTTPS auth (defaults to "x-access-token" for PATs)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub auth_username: Option<String>,
     pub last_scanned_commit: Option<String>,
     #[serde(default, deserialize_with = "deserialize_findings_count")]
     pub findings_count: u32,
@@ -64,6 +70,8 @@ impl TrackedRepository {
             default_branch: "main".to_string(),
             local_path: None,
             scan_schedule: None,
+            auth_token: None,
+            auth_username: None,
             webhook_enabled: false,
             tracker_type: None,
             tracker_owner: None,