news/6670.bugfix.rst
Restored authentication to private indexes when [[source]] URLs use
environment-variable placeholders. The GHSA-8xgg-v3jj-95m2 fix moved
credentials off pip's argv onto a merged netrc, but
write_credentials_netrc wrote our Pipfile-derived machine blocks
BEFORE the appended user netrc — and netrc.authenticators() returns
the LAST matching entry, so a stale system entry for the same host
silently overrode the freshly-expanded creds. Our blocks now come AFTER
the user's existing content. Additionally, the pylock.toml reader
now runs expand_url_credentials over its sources so users with
[pipenv] use_pylock = true see the same env-var expansion that
Pipfile.lock reads have always had.
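
The ordering behaviour described above, as an added example that is not pipenv's own code: it parses a merged netrc with Python's standard ``netrc`` module in both orders and shows which password ``authenticators()`` selects. The host names, tokens and the ``merge_netrc`` / ``resolve_password`` helpers are constructed for illustration.

```python
import netrc
import os
import tempfile

HOST = "pypi.internal.example"  # constructed host name

# Constructed sample data: the user's existing netrc holds a stale entry
# for HOST plus an unrelated host; our block carries the fresh credentials.
USER_NETRC = (
    "machine pypi.internal.example login alice password stale-token\n"
    "machine other.example login bob password unrelated\n"
)
OUR_BLOCK = "machine pypi.internal.example login alice password fresh-token\n"


def merge_netrc(user_text, our_blocks, ours_last):
    """Hypothetical helper: concatenate the two texts in the chosen order."""
    parts = [user_text, our_blocks] if ours_last else [our_blocks, user_text]
    return "\n".join(p.strip("\n") for p in parts) + "\n"


def resolve_password(merged_text, host):
    """Parse merged netrc text with the stdlib; return the password chosen for host."""
    fd, path = tempfile.mkstemp(suffix=".netrc")  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(merged_text)
        # The parser stores entries keyed by machine name, so a later
        # entry for the same host replaces an earlier one.
        auth = netrc.netrc(path).authenticators(host)
        return auth[2] if auth else None
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for ours_last in (False, True):
        merged = merge_netrc(USER_NETRC, OUR_BLOCK, ours_last)
        order = "ours last" if ours_last else "ours first"
        print(order, "->", resolve_password(merged, HOST))
```
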