Escalate auth only on 401/403/404 during remote URL validation

[alex-feel]

Rework FileValidator.validate_remote_url to honor the lazy-auth contract: probe unauthenticated first and only escalate to authentication when the last HTTP response is 401, 403, or 404. Non-auth failures (SSL, DNS, 5xx, timeouts, 416 Range Not Satisfiable) no longer trigger auth prompts.

Change _check_with_head and _check_with_range to return tuple[bool, int | None] so the caller can gate escalation on the HTTP status code. Route escalation through AuthHeaderCache.resolve_and_cache when a cache is available so parallel validation threads serialize prompts via double-checked locking.

Add GitHub 404 disambiguation: before prompting, probe api.github.com/repos/{owner}/{repo} unauthenticated, and if the repo is confirmed public, treat the original 404 as a genuine missing file and skip the auth prompt. Classify *.github.io hostnames as non-repository so GitHub Pages URLs never trigger auth prompts.

Split get_auth_headers into resolve_credentials (pure, non-interactive) and prompt_for_credentials (interactive, isatty-guarded) to let non-interactive callers opt into resolution without risking prompts. Update the prompt wording to "Authentication required for {url}".

Update CLAUDE.md and the environment configuration guide to document the lazy-auth invariant, the SRP split, the repo type classification rules, and the GitHub 404 disambiguation behavior. Extend unit and e2e tests to cover the new escalation contract and the public-skills no-prompt path.

[github-actions]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
scripts
setup_environment.py					3106-3107, 3119, 3132, 3170, 3184-3186, 3262-3265, 3314-3318, 3613-3614, 3846, 3876-3877, 3886, 3892, 3898-3901, 4041-4042
Project Total

This report was generated by python-coverage-comment-action