Address review feedback: do-while condition preservation and URL scheme validation

Agent-Logs-Url: https://github.com/github/spec-kit/sessions/72a7bb5d-071f-4d67-a507-7e1abae2384d

Co-authored-by: mnriem <15701806+mnriem@users.noreply.github.com>

Author: Copilot

src/specify_cli/workflows/catalog.py

@@ -319,9 +319,19 @@ def _fetch_single_catalog(
             except (json.JSONDecodeError, OSError):
                 pass
 
-        # Fetch from URL
+        # Fetch from URL — validate scheme before opening
+        from urllib.parse import urlparse
         from urllib.request import urlopen
 
+        parsed = urlparse(entry.url)
+        is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
+        if parsed.scheme != "https" and not (
+            parsed.scheme == "http" and is_localhost
+        ):
+            raise WorkflowCatalogError(
+                f"Refusing to fetch catalog from non-HTTPS URL: {entry.url}"
+            )
+
         try:
             with urlopen(entry.url, timeout=30) as resp:  # noqa: S310
                 data = json.loads(resp.read().decode("utf-8"))

src/specify_cli/workflows/steps/do_while/__init__.py

@@ -12,19 +12,25 @@ class DoWhileStep(StepBase):
 
     Continues while condition is truthy.  ``max_iterations`` is
     required as a safety cap.
+
+    The first invocation always returns the nested steps for execution.
+    The ``condition`` field is stored in the output so the engine can
+    evaluate it after the body runs and decide whether to re-invoke.
     """
 
     type_key = "do-while"
 
     def execute(self, config: dict[str, Any], context: StepContext) -> StepResult:
         max_iterations = config.get("max_iterations", 10)
         nested_steps = config.get("steps", [])
+        condition = config.get("condition", "false")
 
-        # Always execute at least once
+        # Always execute body at least once; the engine layer evaluates
+        # `condition` after each iteration to decide whether to loop.
         return StepResult(
             status=StepStatus.COMPLETED,
             output={
-                "condition_result": True,
+                "condition": condition,
                 "max_iterations": max_iterations,
                 "loop_type": "do-while",
             },

tests/test_workflows.py

@@ -640,6 +640,7 @@ def test_execute_always_runs_once(self):
         result = step.execute(config, ctx)
         assert len(result.next_steps) == 1
         assert result.output["loop_type"] == "do-while"
+        assert result.output["condition"] == "{{ false }}"
 
 
 class TestFanOutStep: