fix: address review feedback on PR #93

- Fix Retry-After slice mutation: copy c.RetryBackoff before modifying
  to prevent permanent mutation of the shared slice (sonnet#1, security#1)
- Cap Retry-After to 120s maximum to prevent excessive sleeps (security#2)
- Guard auth header: only set Authorization when token is non-empty (gpt#2)
- Fix GetFileContent doc comment to match actual behavior (sonnet#3, gpt#1)
- Remove dead 'in_progress/queued' case in mapCheckRunStatus (sonnet#4)
- Add testing.Short() guard to slow retry test (sonnet#5)
- Reject dot-segments in escapePath to prevent path traversal (security#3)
- Add regression tests for non-mutation and escapePath safety

github/files.go

@@ -11,8 +11,8 @@ import (
 	"gitea.weiker.me/rodin/review-bot/vcs"
 )
 
-// GetFileContent fetches a file from the default branch of a repo.
-// Delegates to GetFileContentAtRef with an empty ref.
+// GetFileContent fetches a file from a repo at the given ref.
+// Delegates to GetFileContentAtRef with the provided ref.
 func (c *Client) GetFileContent(ctx context.Context, owner, repo, path, ref string) (string, error) {
 	return c.GetFileContentAtRef(ctx, owner, repo, path, ref)
 }
@@ -47,12 +47,17 @@ func (c *Client) ListContents(ctx context.Context, owner, repo, path string) ([]
 
 // escapePath escapes each segment of a relative file path for use in URLs.
 // Slashes are preserved as path separators; other special characters are escaped.
+// Dot-segments ("." and "..") are removed to prevent path traversal.
 func escapePath(p string) string {
 	parts := strings.Split(p, "/")
-	for i, part := range parts {
-		parts[i] = url.PathEscape(part)
+	var clean []string
+	for _, part := range parts {
+		if part == "." || part == ".." || part == "" {
+			continue
+		}
+		clean = append(clean, url.PathEscape(part))
 	}
-	return strings.Join(parts, "/")
+	return strings.Join(clean, "/")
 }
 
 // decodeBase64Content decodes base64-encoded content from the GitHub contents API.