[BUG] Single-file deps from private repos fail without PAT even when git credential helpers are configured

[danielmeppiel]

Problem

There is an authentication asymmetry between folder-level and file-level dependency downloads:

	Folder deps (org/repo/folder)	File deps (org/repo/folder/file.md)
Mechanism	git clone via _clone_with_fallback()	GitHub REST API via _download_github_file()
Auth fallbacks	Token → SSH → git credential helpers	Token only
Private repos without PAT	✅ Works (credential helpers)	❌ Fails

Users with gh auth login, macOS Keychain, or any git credential helper configured can download folder deps from private repos without setting GITHUB_APM_PAT. But targeting a single file from the same repo fails with an auth error.

This violates the principle of least surprise — if git clone works, downloading one file should also work.

Root Cause

• _clone_with_fallback() (line 395-462) relaxes GIT_ASKPASS/GIT_CONFIG_* when no token is present, allowing OS credential helpers to provide auth
• _download_github_file() (line 675-768) uses only self.github_token (from GITHUB_APM_PAT/GITHUB_TOKEN env vars) — no SSH, no credential helper fallback

Solution

1. Add GH_TOKEN to token precedence for modules (catches gh CLI users)
2. Add git credential fill as a last-resort token resolver — the same mechanism git uses internally, platform-agnostic, cached per host
3. Improve error messages to mention gh auth login as a zero-config fix

Related: #319