fix(auth): address review feedback from #2087

- Fix redirect handler to preserve Authorization on GitHub-to-GitHub
  redirects (e.g. github.com → codeload.github.com). The previous
  implementation relied on super().redirect_request() which strips
  auth on cross-host redirects, breaking private repo archive downloads.
- Add codeload.github.com to documented host lists in both
  EXTENSION-USER-GUIDE.md and presets/README.md
- Add redirect auth-preservation and auth-stripping tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: userhas404d

extensions/EXTENSION-USER-GUIDE.md

@@ -423,7 +423,7 @@ In addition to extension-specific environment variables (`SPECKIT_{EXT_ID}_*`),
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `SPECKIT_CATALOG_URL`       | Override the full catalog stack with a single URL (backward compat) | Built-in default stack |
-| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub token for authenticated requests to GitHub-hosted URLs (`raw.githubusercontent.com`, `github.com`, `api.github.com`). Required when your catalog JSON or extension ZIPs are hosted in a private GitHub repository. | None |
+| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub token for authenticated requests to GitHub-hosted URLs (`raw.githubusercontent.com`, `github.com`, `api.github.com`, `codeload.github.com`). Required when your catalog JSON or extension ZIPs are hosted in a private GitHub repository. | None |
 
 #### Example: Using a custom catalog for testing
 

presets/README.md

@@ -96,7 +96,7 @@ See [scaffold/](scaffold/) for a scaffold you can copy to create your own preset
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `SPECKIT_PRESET_CATALOG_URL` | Override the full catalog stack with a single URL (replaces all defaults) | Built-in default stack |
-| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub token for authenticated requests to GitHub-hosted URLs (`raw.githubusercontent.com`, `github.com`, `api.github.com`). Required when your catalog JSON or preset ZIPs are hosted in a private GitHub repository. | None |
+| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub token for authenticated requests to GitHub-hosted URLs (`raw.githubusercontent.com`, `github.com`, `api.github.com`, `codeload.github.com`). Required when your catalog JSON or preset ZIPs are hosted in a private GitHub repository. | None |
 
 #### Example: Using a private GitHub-hosted catalog
 

src/specify_cli/_github_http.py

@@ -50,11 +50,16 @@ class _StripAuthOnRedirect(urllib.request.HTTPRedirectHandler):
     """
 
     def redirect_request(self, req, fp, code, msg, headers, newurl):
+        original_auth = req.get_header("Authorization")
         new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
         if new_req is not None:
             hostname = (urlparse(newurl).hostname or "").lower()
-            if hostname not in GITHUB_HOSTS:
+            if hostname in GITHUB_HOSTS:
+                if original_auth:
+                    new_req.add_unredirected_header("Authorization", original_auth)
+            else:
                 new_req.headers.pop("Authorization", None)
+                new_req.unredirected_hdrs.pop("Authorization", None)
         return new_req
 
 

tests/test_extensions.py

@@ -2514,6 +2514,41 @@ def test_make_request_token_added_for_codeload_github_com(self, temp_dir, monkey
         req = catalog._make_request("https://codeload.github.com/org/repo/zip/refs/tags/v1.0.0")
         assert req.get_header("Authorization") == "token ghp_testtoken"
 
+    def test_redirect_preserves_auth_for_github_to_codeload(self, temp_dir, monkeypatch):
+        """Auth header is preserved when GitHub redirects to codeload.github.com."""
+        from specify_cli._github_http import _StripAuthOnRedirect, GITHUB_HOSTS
+        from urllib.request import Request
+        from unittest.mock import MagicMock
+        import io
+
+        handler = _StripAuthOnRedirect()
+        original_url = "https://github.com/org/repo/archive/refs/tags/v1.zip"
+        redirect_url = "https://codeload.github.com/org/repo/zip/refs/tags/v1"
+        req = Request(original_url, headers={"Authorization": "token ghp_test"})
+        fp = io.BytesIO(b"")
+        new_req = handler.redirect_request(req, fp, 302, "Found", {}, redirect_url)
+        assert new_req is not None
+        auth = new_req.get_header("Authorization") or new_req.unredirected_hdrs.get("Authorization")
+        assert auth == "token ghp_test"
+
+    def test_redirect_strips_auth_for_github_to_external(self, temp_dir, monkeypatch):
+        """Auth header is stripped when GitHub redirects to a non-GitHub host."""
+        from specify_cli._github_http import _StripAuthOnRedirect
+        from urllib.request import Request
+        import io
+
+        handler = _StripAuthOnRedirect()
+        original_url = "https://github.com/org/repo/releases/download/v1/asset.zip"
+        redirect_url = "https://objects.githubusercontent.com/github-production-release-asset/12345"
+        req = Request(original_url, headers={"Authorization": "token ghp_test"})
+        fp = io.BytesIO(b"")
+        new_req = handler.redirect_request(req, fp, 302, "Found", {}, redirect_url)
+        assert new_req is not None
+        auth_header = new_req.headers.get("Authorization")
+        auth_unredirected = new_req.unredirected_hdrs.get("Authorization")
+        assert auth_header is None
+        assert auth_unredirected is None
+
     def test_fetch_single_catalog_sends_auth_header(self, temp_dir, monkeypatch):
         """_fetch_single_catalog passes Authorization header via opener for GitHub URLs."""
         from unittest.mock import patch, MagicMock