Bug description

When configuring a Git source with the documented git.auth git: repository: https://gitlab… auth: username: oauth2 passwordFile: /secrets/git/password

the registry server (v0.4.9) still clones anonymously and returns HTTP Basic: Access denied. Looking at internal/config/config.go for both v0.4.9 and current main, GitConfig lacks any Auth fields, so the config block is silently ignored even though the docs (docs/configuration.md) describe it.

Impact: Private Git registries can only be synced by embedding credentials directly in the repository URL, which is less secure and can’t leverage Kubernetes secrets cleanly.

https://github.com/stacklok/toolhive-registry-server/blob/main/docs/configuration.md#git-repository

Steps to reproduce

• Deploy ghcr.io/stacklok/thv-registry-api:v0.4.9.

• Configure git.auth.username/passwordFile per docs.

• Observe registry logs: git clone attempts use anonymous HTTP and fail with 401.

Expected behavior

The server reads git.auth.username / git.auth.passwordFile and uses them for HTTP Basic auth.

Actual behavior

The fields are ignored; the clone runs without credentials.

Environment (if relevant)

• OS/version: Ubuntu 24.04
• ToolHive Registry API version: 0.4.9

Additional context

Request: Implement the documented git.auth structure (or update docs to reflect the current limitation). Until then, only inlining the PAT in the repo URL works. PAT shows in logs