mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-12 20:29:10 +02:00
Skill import builds raw.githubusercontent.com URLs by hand and fetches them via fetchRawFile, which sent no Authorization header. GitHub API calls were authenticated by #2215 (doGitHubAPIGet/addGitHubAuthHeader) but the raw content download path was missed, so importing a skill from a private/internal GitHub repo listed the directory fine and then 404'd on the actual file download, surfacing as a generic 502. Attach the existing GITHUB_TOKEN bearer header in fetchRawFile, but only when the URL host is raw.githubusercontent.com. fetchRawFile is shared with clawhub.ai / skills.sh downloads, so the token must not leak to those hosts. The host gate is extracted into newRawFileRequest so it is unit-testable without a live round-trip. MUL-3496 Co-authored-by: J <j@multica.ai> Co-authored-by: multica-agent <github@multica.ai>
73 KiB
73 KiB