[BUG] Single-file deps from private repos fail without PAT even when git credential helpers are configured #331

@danielmeppiel

Problem

There is an authentication asymmetry between folder-level and file-level dependency downloads:

| | Folder deps (org/repo/folder) | File deps (org/repo/folder/file.md) |
|---|---|---|
| Mechanism | git clone via _clone_with_fallback() | GitHub REST API via _download_github_file() |
| Auth fallbacks | Token → SSH → git credential helpers | Token only |
| Private repos without PAT | ✅ Works (credential helpers) | ❌ Fails |

Users with gh auth login, macOS Keychain, or any git credential helper configured can download folder deps from private repos without setting GITHUB_APM_PAT. But targeting a single file from the same repo fails with an auth error.

This violates the principle of least surprise — if git clone works, downloading one file should also work.

Root Cause

  • _clone_with_fallback() (line 395-462) relaxes GIT_ASKPASS/GIT_CONFIG_* when no token is present, allowing OS credential helpers to provide auth
  • _download_github_file() (line 675-768) uses only self.github_token (from GITHUB_APM_PAT/GITHUB_TOKEN env vars) — no SSH, no credential helper fallback

Solution

  1. Add GH_TOKEN to token precedence for modules (catches gh CLI users)
  2. Add git credential fill as a last-resort token resolver — the same mechanism git uses internally, platform-agnostic, cached per host
  3. Improve error messages to mention gh auth login as a zero-config fix

Related: #319
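
A sketch of the token resolution proposed in the Solution list, as an added example that is not part of the original issue or the project's code. The names `resolve_token`, `parse_credential_output` and `_git_credential_fill`, the order of the environment variables, and the sample helper output are assumptions made for illustration.

```python
import os
import subprocess

# Precedence is an assumption: the issue only says GH_TOKEN is added to the list.
_ENV_VARS = ("GITHUB_APM_PAT", "GITHUB_TOKEN", "GH_TOKEN")
_cache = {}  # host -> token or None, so credential helpers are queried once per host

# Constructed sample of `git credential fill` output (not a real credential).
SAMPLE = "protocol=https\nhost=github.com\nusername=octo\npassword=constructed-token-123\n"


def parse_credential_output(text):
    """Return the password field from git's key=value credential output."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return fields.get("password") or None


def _git_credential_fill(host):
    """Query the configured credential helpers with terminal and askpass prompts off."""
    env = dict(os.environ, GIT_TERMINAL_PROMPT="0", GIT_ASKPASS="")
    try:
        proc = subprocess.run(
            ["git", "credential", "fill"],
            input=f"protocol=https\nhost={host}\n\n",
            capture_output=True, text=True, env=env, timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        return ""  # git missing or a helper hung: treat as "no credential"
    return proc.stdout if proc.returncode == 0 else ""


def resolve_token(host, environ=None, fill=_git_credential_fill):
    """Environment tokens first, then git credential helpers as a last resort."""
    environ = os.environ if environ is None else environ
    for name in _ENV_VARS:
        if environ.get(name):
            return environ[name]
    # The credential protocol is line-based; a host containing whitespace or
    # control characters could smuggle extra key=value lines to the helper.
    if not host or any(c.isspace() or ord(c) < 0x20 for c in host):
        raise ValueError("invalid host for credential lookup")
    if host not in _cache:
        _cache[host] = parse_credential_output(fill(host))
    return _cache[host]
```

The returned value is a secret: keep it out of logs and error messages, and pass it to the REST call only in the `Authorization` header.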
