fix: address review feedback on PRReader implementation

- Add maxFileContentSize (10 MB) limit to decodeBase64Content to prevent
  resource exhaustion from oversized file content (security MINOR)
- Fix reversed NewClient arg order in TestGetFileContentAtRef_DotSegmentError
  (GPT MINOR + Sonnet NIT)
- Remove 'waiting' from mapCheckRunStatus conclusion cases since it is a
  status value not a conclusion, update comment (GPT NIT)
- Add TestDecodeBase64Content_SizeLimit test

github/files_test.go

@@ -68,7 +68,7 @@ func TestGetFileContentAtRef_DotSegmentError(t *testing.T) {
 	}))
 	defer srv.Close()
 
-	c := NewClient(srv.URL, "token")
+	c := NewClient("token", srv.URL)
 	_, err := c.GetFileContentAtRef(context.Background(), "owner", "repo", "foo/../bar.go", "main")
 	if err == nil {
 		t.Fatal("expected error for path with dot-segments")
@@ -77,3 +77,20 @@ func TestGetFileContentAtRef_DotSegmentError(t *testing.T) {
 		t.Errorf("expected 'invalid file path' error, got: %v", err)
 	}
 }
+
+func TestDecodeBase64Content_SizeLimit(t *testing.T) {
+	t.Parallel()
+	// Create base64 content that would decode to > maxFileContentSize.
+	// maxFileContentSize is 10MB. Base64 of 11MB worth of zeros.
+	// We just need something big enough to trigger the estimated size check.
+	// 14MB of base64 chars (decodes to ~10.5MB).
+	huge := strings.Repeat("A", 14*1024*1024)
+	_, err := decodeBase64Content(huge)
+	if err == nil {
+		t.Fatal("expected error for oversized content")
+	}
+	if !strings.Contains(err.Error(), "too large") {
+		t.Errorf("expected 'too large' error, got: %v", err)
+	}
+}
+