
audit: require curl dependencies to have a working HTTP mirror#22898

Open: p-linnane wants to merge 1 commit into main from curl-dep-http-mirror-audit

Conversation

@p-linnane (Member)

brew audit already checks that curl dependencies list an HTTP mirror, since they can be fetched before ca-certificates is available and so need a source archive reachable over plain HTTP. It never checks that the mirror actually works, though, so a silently broken HTTP mirror still passes. Spotted by @cho-m after a recent libpsl update whose HTTP mirror (MacPorts) started 404ing while the audit stayed green.

This adds an online ResourceAuditor#audit_curl_dep_http_mirror, run only for stable specs of curl dependencies. It fetches each http:// mirror with --proto-redir =http so that an HTTPS redirect fails rather than masking a non-functional plain-HTTP path, then confirms the bytes match the resource checksum, reporting a problem only when no HTTP mirror works. It generalises the manual checksum check the xz formula currently performs in its test block.


  • Have you followed our Contributing guidelines?
  • Have you checked for other open Pull Requests for the same change?
  • Have you explained what your changes do? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you explained why you'd like these changes included, not just what they do?
  • For bug fixes, have you given step-by-step brew commands to reproduce the bug?
  • Have you written new tests (excluding integration tests)? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) locally?

  • AI was used to generate or assist with generating this PR.

Drafted with Claude Code (Opus 4.8). I verified with brew lgtm and by confirming the new specs fail against the disabled check and pass with it.
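The check the description outlines (fetch each http:// mirror with curl, refuse HTTPS redirects, compare the bytes against the resource checksum, complain only when no HTTP mirror works) as a standalone Ruby illustration. This is added example code, not Homebrew's ResourceAuditor implementation: the function and constant names are hypothetical, the mirror URLs and archive bytes are constructed, and the curl invocation assumes `--fail --location --proto-redir =http` is what makes a 404 or an HTTPS bounce surface as a failure.

```ruby
require "digest"
require "open3"

# Hypothetical standalone check, not Homebrew's own ResourceAuditor code.
# A curl dependency needs at least one http:// mirror that really serves the
# archive, because curl itself is fetched before ca-certificates exists.

# Default fetcher shells out to curl. `--fail` turns HTTP 4xx/5xx into a
# non-zero exit, `--location` follows redirects, and `--proto-redir =http`
# only permits plain-HTTP redirect targets, so a mirror that bounces to HTTPS
# makes curl fail instead of masking the broken HTTP path.
# Returns the body bytes on success, or nil when curl reports an error.
CURL_HTTP_FETCHER = lambda do |url|
  body, _stderr, status = Open3.capture3(
    "curl", "--fail", "--silent", "--show-error", "--location",
    "--proto-redir", "=http", "--max-time", "120", url
  )
  status.success? ? body : nil
end

# Returns the subset of `urls` that are http:// and whose fetched bytes hash to
# `expected_sha256`. `fetcher` is injectable so the check can run offline.
def working_http_mirrors(urls, expected_sha256, fetcher: CURL_HTTP_FETCHER)
  urls.select { |u| u.start_with?("http://") }.select do |url|
    body = fetcher.call(url)
    # nil covers 404s, timeouts and refused HTTPS redirects alike
    !body.nil? && Digest::SHA256.hexdigest(body) == expected_sha256
  end
end

# Returns nil when the resource is fine, or a problem string otherwise.
# Only complains when *no* http:// mirror serves the right bytes.
def check_curl_dep_http_mirror(urls, expected_sha256, fetcher: CURL_HTTP_FETCHER)
  http_urls = urls.select { |u| u.start_with?("http://") }
  return "curl dependency must list an http:// mirror" if http_urls.empty?
  return nil if working_http_mirrors(http_urls, expected_sha256, fetcher: fetcher).any?

  "no http:// mirror serves an archive matching #{expected_sha256[0, 12]}... " \
    "(tried: #{http_urls.join(', ')})"
end

# Constructed sample data standing in for a real resource and its mirrors.
SAMPLE_ARCHIVE = "constructed archive bytes, not a real tarball".b
SAMPLE_SHA256  = Digest::SHA256.hexdigest(SAMPLE_ARCHIVE)

# Offline stub fetcher imitating the four situations the audit must tell apart.
SAMPLE_RESPONSES = {
  "http://good.example/libpsl.tar.gz"     => SAMPLE_ARCHIVE,   # healthy mirror
  "http://stale.example/libpsl.tar.gz"    => "wrong bytes".b,  # checksum mismatch
  "http://gone.example/libpsl.tar.gz"     => nil,              # 404 / unreachable
  "http://tls-only.example/libpsl.tar.gz" => nil,              # redirects to HTTPS, refused
}.freeze
STUB_FETCHER = ->(url) { SAMPLE_RESPONSES[url] }

# Runs the check against three resource shapes: all mirrors listed, only the
# broken ones, and an HTTPS-only resource with no http:// mirror at all.
def demo_results
  good = "http://good.example/libpsl.tar.gz"
  urls = ["https://primary.example/libpsl.tar.gz"] + SAMPLE_RESPONSES.keys
  {
    all:         check_curl_dep_http_mirror(urls, SAMPLE_SHA256, fetcher: STUB_FETCHER),
    broken_only: check_curl_dep_http_mirror(urls - [good], SAMPLE_SHA256, fetcher: STUB_FETCHER),
    https_only:  check_curl_dep_http_mirror([urls.first], SAMPLE_SHA256, fetcher: STUB_FETCHER),
  }
end

demo_results.each { |name, problem| puts "#{name}: #{problem || 'ok'}" } if $PROGRAM_NAME == __FILE__
```

Swapping `STUB_FETCHER` for the default `CURL_HTTP_FETCHER` turns this into the online form of the check; the injectable fetcher is what lets the unreachable, wrong-checksum and HTTPS-redirect cases be exercised in a unit test without network access.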


Copilot AI review requested due to automatic review settings June 27, 2026 23:33

Copilot AI (Contributor) left a comment


Pull request overview

This PR strengthens brew audit for curl dependencies by adding an online check that verifies at least one http:// mirror actually serves the expected bytes (matching the formula’s checksum) over plain HTTP, preventing broken mirrors from silently passing audit.

Changes:

  • Add ResourceAuditor#audit_curl_dep_http_mirror to verify an HTTP mirror is reachable and matches the expected checksum (stable specs only, online audit).
  • Refactor curl-dependency detection into a shared curl_dep? helper.
  • Add formula_auditor_spec coverage for working, unreachable, wrong-checksum, and HTTPS-redirecting HTTP mirrors.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Library/Homebrew/resource_auditor.rb | Adds the new curl-dependency HTTP mirror audit and refactors curl-dependency detection. |
| Library/Homebrew/test/formula_auditor_spec.rb | Adds specs exercising the new audit behavior for curl dependencies. |


Comment thread on Library/Homebrew/resource_auditor.rb
Comment thread on Library/Homebrew/resource_auditor.rb (Outdated)
Signed-off-by: Patrick Linnane <patrick@linnane.io>
@p-linnane force-pushed the curl-dep-http-mirror-audit branch from 79c2002 to ae6d3e4 on June 28, 2026 01:11