Add pass-through LFS proxy support

[dmetz-figma]

Adds a pass-through proxy for Git LFS batch API requests. LFS requests (POST /info/lfs/objects/batch) are detected before the Git protocol v2 check, authenticated via RequestAuthorizer, and forwarded upstream with the server's OAuth2 token. The response (containing download URLs) is streamed back to the client.

This is a pass-through proxy — no LFS object caching. Per the Basic Transfer API spec, download URLs are returned in the batch response's actions.download.href field, which for GitHub points to external cloud storage. Clients fetch objects directly from those URLs, bypassing Goblet.

LFS endpoints

Read paths (relevant for Goblet):

• POST /info/lfs/objects/batch — Batch API for discovering download/upload URLs (currently supported)
• GET /info/lfs/objects/:oid — Direct object download via "basic" transfer. Some servers support this as a fallback, but GitHub uses the batch API exclusively and returns signed S3 URLs in the batch response, so this is unlikely to be hit.

Write paths (not relevant — Goblet is read-only):

• POST /info/lfs/objects — Legacy single-object upload (deprecated)
• POST /info/lfs/locks — Create a lock
• POST /info/lfs/locks/verify — List locks for pre-push verification
• POST /info/lfs/locks/:id/unlock — Delete a lock

Unsupported /info/lfs/ paths return HTTP 501.

Spec references: Batch API, Basic Transfers, File Locking

Notes to Reviewers

LFS routing intentionally sits between RequestAuthorizer and the Git-Protocol: version=2 check, since LFS uses its own HTTP/JSON protocol rather than Git wire protocol.

Test Plan

I manually validated it by doing the following:

• Created a build with personal access token support auth support (see e8fb900 which is atop this branch).

Then with that checked out locally:

cat > /tmp/goblet-config.json <<'EOF'
 {
    "port": 8080,
    "cache_root": "/tmp/goblet",
    "token_expiry_delta_seconds": 300,
    "repositories": [
     "https://github.com/Schoonology/git-lfs-test.git"
   ]
 }
 EOF

docker build -t goblet-local .

docker run --rm -p 8080:8080 \
  -e GH_TOKEN="$(gh auth token)" \
  -v /tmp/goblet-config.json:/app/config.json \
  goblet-local -config /app/config.json

Then watch this succeed in another terminal:

git clone -c protocol.version=2 \
    -c http.https://github.com.proxy=http://localhost:8080 \
    https://github.com/Schoonology/git-lfs-test.git /tmp/lfs-proxy-test