feat: add custom Composer repository support for extension version checking

[pariweshsubedi]

Closes #587

• Add support for configuring custom Composer repositories (e.g. Packeton, Private Packagist, Satis) per shop to detect extension updates from private package sources
• Support Composer v1 (inline) and v2 (lazy provider) repository formats with none, HTTP Basic, and Bearer token authentication
• Credentials are encrypted at rest using the existing APP_SECRET encryption

How it works

1. Shop scrape runs as usual (fetch from shop API → check Shopware Store)
2. After scrape completes, if the shop has custom repos configured, a composer-check job is enqueued
3. The composer-check job reads unresolved extensions from shop_extension, fetches versions from each Composer repo, and updates matching rows with latestVersion and changelog

Changes

• Schema: New composer_repositories JSONB column on shop table (migration 0011)
• API: Zod-validated create/update endpoints with encrypted credentials
• Queue: New composer queue + composer-check job type + dedicated worker (concurrency 2)
• Scrape job: Inline composer check removed, replaced with job enqueue
• Service: composer-repo.service.ts — extracted Composer repo fetching logic
• Frontend: Repository management UI with auth type selection in Edit Shop

Testing performed

• make lint passes with no new warnings
• Manually tested adding, editing, and removing custom Composer repositories in the Edit Shop UI
• Tested all three auth types (none, HTTP Basic, Bearer token) — correct fields appear for each
• Verified repositories persist after page reload with URLs and auth types preserved
• Verified credentials (passwords, tokens) are not returned to the frontend after saving
• Verified saving an empty repository list works correctly

Suggested tests

• Verify extension versions are detected from a Composer v1 (inline) repository
• Verify extension versions are detected from a Composer v2 (lazy provider) repository
• Verify credentials are not returned to the frontend after saving
• Verify scraping still works for shops with no custom repositories configured
• Test with invalid repository URLs and verify graceful error handling

[shyim]

I would like to add a proper queue before and migrate to that before, we add those things as next

[pariweshsubedi]

Makes sense! Just to make sure, by "proper queue" do you mean moving the scrape jobs (both the hourly cron and the manual refresh)?

I'll hold off on this PR until the queue is in place. Is there an issue tracking the queuing feature?

[shyim]

I would like to parallelize using queue the scrapes. Still not sure which of those NPM packages we're gonna will use at the end: https://bullmq.io/

I expect to be done this week.

[shyim]

can you move this composer foo into an own typescript file.

[pariweshsubedi]

Extracted all Composer repository logic to api/src/modules/shop/composer-repo.service.ts

[shyim]

available-packages is optional in composer spec and does not require it.

[pariweshsubedi]

available-packages is now treated as optional. If it's present, we fetch only those packages. When absent, we fall through to process inline packages from packages.json.

[pariweshsubedi]

@shyim I added in some changes to move composer checks to the queue as well + some refactor. Can you have a look ?