fix: enforce provider ID (type/host) consistently across both proxy modes

Provider IDs must be `type/host` everywhere (e.g. `forgejo/gitea`,
`github/github.com`). Previously bare type names (`gitea`, `github`) were
accepted in YAML config, stored in rules/permissions, and returned from
APIs, causing identity resolution and access rule failures.

Changes:
- RepositoryUrlRuleHook: replace stub (always-pass) with full deny/allow
  rule evaluation matching UrlRuleAggregateFilter behaviour; S&F mode now
  enforces URL rules
- StoreAndForwardReceivePackFactory: accept and wire UrlRuleFilter list +
  RepoRegistry so the hook can evaluate config and DB rules
- GitProxyServletRegistrar: build URL rule filters for S&F path and pass
  alongside registry to the factory
- JettyConfigurationBuilder: validate provider IDs in rules, permissions,
  and scm-identities at startup (crash on unknown ID); use getProviderId()
  instead of getName() in rule filter construction; cache provider list
- UrlRuleFilter: add matchesRepo() for rule evaluation without HttpServletRequest
- UrlRuleAggregateFilter: fix recordFetch to store getProviderId() not URI host
- ProviderController: add `id` (type/host) field to ProviderInfo response
- RepoController: validate provider ID on createRule/updateRule; use stored
  provider field (not URL hostname) for active repos aggregation
- PushController: drop redundant ROLE_SELF_CERTIFY Spring authority check;
  isBypassReviewAllowed() is sufficient and was already enforcing the grant
- AuthController: dynamically add ROLE_SELF_CERTIFY to /api/me response
  when the user has any SELF_CERTIFY permission grant (fixes UI self-certify)
- Frontend dropdowns (Profile, UserDetail, Repos): submit provider ID (p.id)
  as value, display hostname (p.host) as label
- YAML configs: update all provider references to type/host format
  (gitea → forgejo/gitea, github → github/github.com)
- Delete InMemoryFilterConfigurationSource (dead code)
- Tests: update RepoControllerTest for new validation; add
  IdentityVerificationMode coverage tests

closes #94

Author: coopernetes

docker/git-proxy-docker-default.yml

@@ -21,23 +21,23 @@ users:
     emails:
       - testuser@example.com
     scm-identities:
-      - provider: gitea
+      - provider: forgejo/gitea
         username: test-user
 
   - username: user2
     password-hash: "{noop}Test1234!"
     emails:
       - user2@example.com
     scm-identities:
-      - provider: gitea
+      - provider: forgejo/gitea
         username: user2
 
   - username: user3
     password-hash: "{noop}Test1234!"
     emails:
       - user3@example.com
     scm-identities:
-      - provider: gitea
+      - provider: forgejo/gitea
         username: user3
 
   - username: reviewer
@@ -47,51 +47,51 @@ users:
 permissions:
   # test-user: LITERAL — only /test-owner/test-repo
   - username: test-user
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: PUSH
 
   # user2: GLOB — any repo under otherorg
   - username: user2
-    provider: gitea
+    provider: forgejo/gitea
     path: /otherorg/*
     path-type: GLOB
     operations: PUSH
 
   # user3: REGEX — test-owner repos matching test-repo.*
   - username: user3
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo.*
     path-type: REGEX
     operations: PUSH
 
   # reviewer: APPROVE on all the same paths
   - username: reviewer
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: REVIEW
   - username: reviewer
-    provider: gitea
+    provider: forgejo/gitea
     path: /otherorg/*
     path-type: GLOB
     operations: REVIEW
 
-  # LDAP testuser (maps to gitea/test-user): same literal grant as test-user above.
+  # LDAP testuser (maps to forgejo/gitea/test-user): same literal grant as test-user above.
   # When docker-default,ldap profiles are combined, GITEA_TESTUSER_TOKEN resolves to
   # "testuser" (the LDAP proxy user). Only LITERAL /test-owner/test-repo is granted
   # so that push-permission-literal.sh still passes the deny-on-other-repo case.
   - username: testuser
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: PUSH
 
   # admin APPROVE grants for LDAP setup (admin approves via dashboard).
   - username: admin
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: REVIEW
   - username: admin
-    provider: gitea
+    provider: forgejo/gitea
     path: /otherorg/*
     path-type: GLOB
     operations: REVIEW
@@ -153,7 +153,7 @@ rules:
         - FETCH
         - PUSH
       providers:
-        - gitea
+        - forgejo/gitea
       slugs:
         - /test-owner/test-repo
         - /test-owner/test-repo-2
@@ -163,15 +163,15 @@ rules:
         - FETCH
         - PUSH
       providers:
-        - gitea
+        - forgejo/gitea
       owners:
         - otherorg
     - enabled: true
       order: 120
       operations:
         - FETCH
       providers:
-        - github
+        - github/github.com
       owners:
         - finos
 
@@ -185,7 +185,7 @@ rules:
         - FETCH
         - PUSH
       providers:
-        - gitea
+        - forgejo/gitea
       slugs:
         - /otherorg/other-secret
 
@@ -196,7 +196,7 @@ rules:
       operations:
         - PUSH
       providers:
-        - gitea
+        - forgejo/gitea
       names:
         - "*-readonly"
         - "*-archived"
@@ -208,6 +208,6 @@ rules:
       operations:
         - PUSH
       providers:
-        - gitea
+        - forgejo/gitea
       names:
         - "regex:(?i)(^|-)secret(-|$).*"

docker/git-proxy-ldap.yml

@@ -29,7 +29,7 @@ users:
     emails:
       - testuser@example.com
     scm-identities:
-      - provider: gitea
+      - provider: forgejo/gitea
         username: test-user
   - username: admin
     password-hash: "{noop}unused"

docker/git-proxy-local.yml

@@ -17,11 +17,11 @@ users:
 # admin can push and approve on the Gitea test repos.
 permissions:
   - username: admin
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: PUSH_AND_REVIEW
   - username: admin
-    provider: gitea
+    provider: forgejo/gitea
     path: /otherorg/*
     path-type: GLOB
     operations: PUSH_AND_REVIEW

docker/git-proxy-oidc.yml

@@ -45,7 +45,7 @@ users:
     emails:
       - testuser@example.com
     scm-identities:
-      - provider: gitea
+      - provider: forgejo/gitea
         username: test-user
   - username: admin
     password-hash: "{noop}unused"
@@ -57,20 +57,20 @@ users:
 # Mirrors docker-default: testuser pushes, admin approves via dashboard.
 permissions:
   - username: testuser
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: PUSH
   - username: testuser
-    provider: gitea
+    provider: forgejo/gitea
     path: /otherorg/*
     path-type: GLOB
     operations: PUSH
   - username: admin
-    provider: gitea
+    provider: forgejo/gitea
     path: /test-owner/test-repo
     operations: REVIEW
   - username: admin
-    provider: gitea
+    provider: forgejo/gitea
     path: /otherorg/*
     path-type: GLOB
     operations: REVIEW

git-proxy-java-core/src/main/java/org/finos/gitproxy/config/InMemoryFilterConfigurationSource.java

@@ -177,7 +177,7 @@ public static String formatForOperation(String title, String message, AnsiColor
     }
 
     private static String formatTitle(String content) {
-        return "\n\n" + content + "\n";
+        return "\n" + content + "\n";
     }
 
     private static String formatMessage(String content) {