Promote authentication policy when saving tool receipts (#18246)
## Summary
If the user provides credentials for an index URL during tool install,
we strip the credentials. However, we now store the authentication
policy as `always` to ensure that if the user attempts to upgrade, and
we can't query the index, we correctly fail.
This won't cover credentials provided via keyring, but it will cover
embedded credentials and environment variables.
Closes https://github.com/astral-sh/uv/issues/18120.
