fix: address review feedback on PRReader implementation

- Add maxFileContentSize (10 MB) limit to decodeBase64Content to prevent
  resource exhaustion from oversized file content (security MINOR)
- Fix reversed NewClient arg order in TestGetFileContentAtRef_DotSegmentError
  (GPT MINOR + Sonnet NIT)
- Remove 'waiting' from mapCheckRunStatus conclusion cases since it is a
  status value not a conclusion, update comment (GPT NIT)
- Add TestDecodeBase64Content_SizeLimit test

github/files.go

@@ -75,13 +75,26 @@ func escapePath(p string) (string, error) {
 	return strings.Join(encoded, "/"), nil
 }
 
+// maxFileContentSize is the maximum decoded file size (10 MB) to prevent
+// resource exhaustion when decoding base64 content from the API.
+const maxFileContentSize = 10 * 1024 * 1024
+
 // decodeBase64Content decodes base64-encoded content from the GitHub contents API.
 // GitHub returns base64 content with line breaks for formatting; we strip \r and \n before decoding.
+// Returns an error if the decoded content exceeds maxFileContentSize.
 func decodeBase64Content(encoded string) (string, error) {
 	cleaned := strings.NewReplacer("\n", "", "\r", "").Replace(encoded)
+	// Check estimated decoded size before allocating.
+	// Base64 encodes 3 bytes into 4 chars, so decoded ~ len*3/4.
+	if len(cleaned)*3/4 > maxFileContentSize {
+		return "", fmt.Errorf("file content too large: estimated %d bytes exceeds limit of %d", len(cleaned)*3/4, maxFileContentSize)
+	}
 	decoded, err := base64.StdEncoding.DecodeString(cleaned)
 	if err != nil {
 		return "", err
 	}
+	if len(decoded) > maxFileContentSize {
+		return "", fmt.Errorf("file content too large: %d bytes exceeds limit of %d", len(decoded), maxFileContentSize)
+	}
 	return string(decoded), nil
 }