fix(github): address self-review findings from 1194bc75

- Handle io.ReadAll error on error body read (client.go:265)
- Remove unused State field from commitStatusResponse (pr.go)
- Guard via slice access in defaultCheckRedirect (client.go:117)
- Move GetFileContentAtRef from pr.go to files.go (logical home)

github/client.go

@@ -114,6 +114,11 @@ func defaultCheckRedirect(req *http.Request, via []*http.Request) error {
 	if len(via) >= 10 {
 		return fmt.Errorf("stopped after 10 redirects")
 	}
+	// Guard: net/http guarantees len(via) >= 1 but this is undocumented;
+	// defend against zero-length to avoid panic on index out of range.
+	if len(via) == 0 {
+		return nil
+	}
 	prev := via[len(via)-1]
 	// Reject protocol downgrade: HTTPS→HTTP leaks request metadata over plaintext.
 	if prev.URL.Scheme == "https" && req.URL.Scheme == "http" {
@@ -262,7 +267,10 @@ func (c *Client) doRequest(ctx context.Context, method, reqURL string, accept st
 			return body, nil
 		}
 
-		errBody, _ := io.ReadAll(io.LimitReader(resp.Body, maxErrorBodyBytes))
+		errBody, readErr := io.ReadAll(io.LimitReader(resp.Body, maxErrorBodyBytes))
+		if readErr != nil && len(errBody) == 0 {
+			errBody = []byte(fmt.Sprintf("[error reading response body: %v]", readErr))
+		}
 		resp.Body.Close()
 
 		lastErr = &APIError{StatusCode: resp.StatusCode, Body: string(errBody)}