Authenticate private HTTPS repo clones with explicit repo token #32

@pentaxis93

Summary

The runner's container script runs git clone before runa run, but private HTTPS repositories cannot be cloned because the resolved credentials are injected as generic environment variables, which git clone does not consume automatically.

The repo credential is structurally different from agent runtime env vars — it is consumed by the runner's clone step, not by the agent process. It should be modeled as a distinct field.

Governance Decision

Add an optional repo_token: Option<String> field to SessionInvocation. When present, the runner passes it to git via -c http.extraheader="Authorization: Bearer $TOKEN" on the clone invocation. No credential helper scripts, no URL mutation, no persistent git config.

Constraints

  • The token must not appear in the process table or persist in any file inside the container after the clone completes.
  • The http.extraheader must be scoped to the single clone invocation, not written to git config.
  • When repo_token is None, the clone runs without auth headers (public repos).
  • This is a public API addition to SessionInvocation.

Acceptance Criteria

  • SessionInvocation has an optional repo_token field.
  • When repo_token is Some, git clone receives -c http.extraheader="Authorization: Bearer <token>".
  • When repo_token is None, the clone command is unchanged from current behavior.
  • Test coverage for both the authenticated and unauthenticated clone script output.
  • The token value does not appear in any container-persistent file or in podman create arguments.
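A sketch of the clone step and the checks the acceptance criteria call for, written here as an added example rather than code from the runa project; the struct shape, the function names and the dest path are assumptions made for illustration.

```rust
// Added example, not code from the runa project. The struct shape, field and
// function names below are assumptions made for illustration.
#[derive(Debug, Clone)]
pub struct SessionInvocation {
    pub repo_url: String,
    /// Consumed only by the runner's clone step, never by the agent process.
    pub repo_token: Option<String>,
}

/// Build the argv for the clone step. With a token, the Authorization header
/// is scoped to this single invocation via `-c`, so nothing is written to any
/// git config file; with `None` the command is the plain public clone.
pub fn clone_argv(inv: &SessionInvocation, dest: &str) -> Vec<String> {
    let mut argv = vec!["git".to_string()];
    if let Some(token) = &inv.repo_token {
        argv.push("-c".to_string());
        argv.push(format!("http.extraheader=Authorization: Bearer {token}"));
    }
    argv.extend(["clone", "--", inv.repo_url.as_str(), dest].iter().map(|a| a.to_string()));
    argv
}

/// POSIX single-quote any argument that is not plainly safe, so the rendered
/// script line survives the space inside the header value.
fn sh_quote(s: &str) -> String {
    let safe = !s.is_empty()
        && s.bytes().all(|c| c.is_ascii_alphanumeric() || b"-_./:=@".contains(&c));
    if safe { s.to_string() } else { format!("'{}'", s.replace('\'', "'\\''")) }
}

/// Render the clone line as it would appear in the container script.
pub fn clone_script_line(inv: &SessionInvocation, dest: &str) -> String {
    clone_argv(inv, dest).iter().map(|a| sh_quote(a)).collect::<Vec<_>>().join(" ")
}

/// Guard for the criterion that the token value never appears in the
/// `podman create` arguments (or any other argument list that persists).
pub fn contains_token(args: &[String], token: &str) -> bool {
    args.iter().any(|a| a.contains(token))
}

fn main() {
    // Constructed sample values; "TOKEN-PLACEHOLDER" stands in for a real token.
    let inv = SessionInvocation {
        repo_url: "https://example.invalid/org/private.git".to_string(),
        repo_token: Some("TOKEN-PLACEHOLDER".to_string()),
    };
    println!("{}", clone_script_line(&inv, "/work/repo"));
    let podman_create = vec!["podman".to_string(), "create".to_string(), "--env".to_string()];
    assert!(!contains_token(&podman_create, "TOKEN-PLACEHOLDER"));
}
```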
