feat: cache per owner installation tokens + retry improvements #6

Open
hibare wants to merge 6 commits into main from installation-token-fix
hibare (Collaborator) commented Apr 20, 2026

Problem

GATE creates a new installation token for every GetContents call to fetch trust policies. This causes:

  1. Transient 403 errors — newly minted tokens hit GitHub's edge before replication completes:
    {"msg":"authorization denied","code":"POLICY_LOAD_FAILED","details":"fetching .github/gate/trust-policy.yaml: fetching contents: GET https://api.github.com/repos/tr/a209462-oia-customviz-lib-looker/contents/.github/gate/trust-policy.yaml: 403 Resource not accessible by integration []"}
  2. Unnecessary API calls — repeated token minting for the same repo wastes GitHub App rate limit quota
  3. Thundering herd — concurrent requests for the same repo each mint independently

Changes

  • Token caching — cache contents:read installation tokens per repository with 5-minute expiry buffer, avoiding repeated minting
  • Retry on stale token — if a cached token gets 401/403, evict it and retry once with a fresh token
  • Replication delay — wait 2 seconds after minting a new token before using it (per GitHub Support guidance)
  • Singleflight deduplication — concurrent cache misses for the same repo coalesce into a single mint + delay
  • Installation ID singleflight — concurrent installation ID lookups also coalesced
  • Eviction guard fix — fixed zero-value comparison bug in installationCache.set eviction logic
  • Extract utilities: parseRepository, constructRepository, permissionsKey helpers
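
The caching, expiry buffer and retry-on-stale-token behaviour listed above, as an added example that is not taken from the GATE code base. `tokenCache`, `mint`, `get`, `fetch` and the per-owner key are assumed names, and a mutex held across the mint stands in for singleflight (it coalesces concurrent misses but also blocks other owners while minting).

```go
package main

import (
	"sync"
	"time"
)

type token struct{ value string; expires time.Time }
type tokenCache struct {
	mu            sync.Mutex
	tokens        map[string]token
	mint          func(owner string) (token, error) // hypothetical stand-in for the GitHub App call
	buffer, delay time.Duration                     // expiry buffer, post-mint wait (5m and 2s in the PR)
}

// get returns a cached token or mints one; holding mu across the mint coalesces concurrent misses.
func (c *tokenCache) get(owner string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if t, ok := c.tokens[owner]; ok && time.Until(t.expires) > c.buffer {
		return t.value, nil
	}
	t, err := c.mint(owner)
	if err == nil {
		time.Sleep(c.delay) // replication delay before first use
		c.tokens[owner] = t
	}
	return t.value, err
}

// fetch runs do with a token; on 401/403 it evicts that exact token and retries once.
func (c *tokenCache) fetch(owner string, do func(tok string) int) (status int, err error) {
	for attempt := 0; attempt < 2; attempt++ {
		var tok string
		if tok, err = c.get(owner); err != nil {
			return 0, err
		}
		if status = do(tok); status != 401 && status != 403 {
			break
		}
		c.mu.Lock()
		if c.tokens[owner].value == tok { // skip if another caller already refreshed it
			delete(c.tokens, owner)
		}
		c.mu.Unlock()
	}
	return status, nil
}

func main() {} // library-style example: build a tokenCache and call fetch
```

A persistent 403 still surfaces to the caller after the single retry, so a genuine permission problem is not masked by the cache.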

hibare marked this pull request as ready for review April 20, 2026 09:25
hibare changed the title from "feat: cache per repository installation tokens + retry improvements" to "feat: cache per owner installation tokens + retry improvements" May 1, 2026

arber-salihi (Member) commented

Decision: generate a token per GitHub App (and organization) in an opportunistic way. The rest is preserved.

hibare force-pushed the installation-token-fix branch from f5d7b6c to d0ad22b May 4, 2026 04:18