fix: add --proto '=https' to remaining curl commands in install.sh and github-auth.sh (#2351)

Fixes #2350: Cloud agent scripts (AWS, GCP, Hetzner, Local, Sprite) already had this flag from prior fixes. This commit adds the missing --proto '=https' to user-facing curl instructions in sh/cli/install.sh (3 echo lines, 2 comment lines) and usage comments in sh/shared/github-auth.sh (3 comment lines) to prevent protocol downgrade attacks. Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-05-01 21:30:21 +00:00 · 2026-03-08 15:43:25 -07:00 · 2026-03-08 15:43:25 -07:00 · e11918be59
commit e11918be59
parent f159333ee9
2 changed files with 8 additions and 8 deletions
--- a/sh/shared/github-auth.sh
+++ b/sh/shared/github-auth.sh
@ -3,11 +3,11 @@
 # Executable directly via curl|bash; also sourceable using the CDN URL with eval.
 #
 # Usage (via curl|bash — recommended):
-#   curl -fsSL https://openrouter.ai/labs/spawn/shared/github-auth.sh | bash
-#   curl -fsSL https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/sh/shared/github-auth.sh | bash
+#   curl -fsSL --proto '=https' https://openrouter.ai/labs/spawn/shared/github-auth.sh | bash
+#   curl -fsSL --proto '=https' https://raw.githubusercontent.com/OpenRouterTeam/spawn/main/sh/shared/github-auth.sh | bash
 #
 # Usage (sourced using absolute path or CDN URL):
-#   eval "$(curl -fsSL https://openrouter.ai/labs/spawn/shared/github-auth.sh)"
+#   eval "$(curl -fsSL --proto '=https' https://openrouter.ai/labs/spawn/shared/github-auth.sh)"
 #   ensure_github_auth

 # ============================================================