fix(docs): address review feedback on architecture clarity and path consistency

- Clarify SPAWN exits vs HANDOFF continues in architecture diagram (S1)
- Add 'read' to toolsAllow in architecture snippet to match cron config (G2)
- Rephrase safety invariant 6 to clarify workers may push/manage labels (G3)
- Add reserved Rule 1 placeholder to explain numbering gap (S2)
- Clarify Rule 10 skip behavior for already-assigned PRs (S3)
- Standardize invariants checker path to full workspace path (G4/G5)
- Add note explaining SKILL.md deployment to workspace path (G1)

DEV_LOOP_HEALTH.md

@@ -1,104 +1,50 @@
-# Dev Loop Health Check — 2026-05-15 09:00 UTC
+# Dev Loop Health Check — 2026-05-15 03:33 UTC
 
-## Status: ✅ FIXES COMPLETED & PUSHED
+## Status: ✅ ACTIVE WORK COMPLETED
 
-### Summary
-- **Main branch:** current (30fe48d)
-- **Recent work:** issue-130 self-review findings fixed and pushed
-- **Active worktrees:** 
-  - issue-130 (review-bot-issue-130-work): Fixes completed, awaiting manual next steps
-
-### Test Results (issue-130 worktree)
-- All packages: **PASS** ✅ (7/7 packages)
+### Test Results
+- All packages: **PASS** ✅ (6/6, fresh -count=1 run)
 - Build: ✅ successful
-- Vet: ✅ clean (not run in this cycle)
+- Vet: ✅ clean
 
-### Coverage (issue-130 worktree post-fix)
+### Coverage (current)
 
 | Package | Coverage |
 |---------|----------|
 | budget | 91.8% |
-| cmd/review-bot | 36.8% |
-| gitea | 79.9% |
-| github | 79.9% |
-| internal/netutil | 85.7% |
+| cmd/review-bot | 46.1% |
+| gitea | 85.2% |
+| github | 86.3% |
 | llm | 81.3% |
-| review | 91.5% |
-| **Total** | **70.4%** |
+| review | 92.0% |
+
+### PR #138 Status
+
+- **Branch:** issue-137
+- **Feature:** feat(#137): add doc-map input for path-scoped doc injection
+- **Review status:** ✅ All 3 bots approved (sonnet, gpt, security)
+- **Review findings addressed:**
+  - Fixed package comment collision in `review/docmap.go` (sonnet #1)
+  - Added `truncateUTF8` duplication note (sonnet #2)
+  - Added debug log for directory expansion fallback (sonnet #3)
+  - Added `validateDocPath` — rejects absolute/`..` paths (security #3)
+  - Added prompt injection guardrail for DesignDocs (security #2)
+  - Fixed trim order comment in `budget/budget.go` (gpt #1)
+  - Fixed `globMatch` comment to say `filepath.Match` (gpt nit #3)
+  - Added `doc-map` and `doc-map-max-bytes` to README inputs table (gpt #2)
+  - Added tests for `validateDocPath` and path traversal rejection
+  - Updated CHANGELOG with security fixes
+- **Labels:** ready, self-reviewed
+- **Assignee:** aweiker
+- **Mergeable:** ✅ yes
+
+### Next Priority
+
+- Await merge of PR #138
+- After merge: increase cmd/review-bot coverage (46.1% → target 60%+)
+- Issue #132+: PR Submission feature
+- `github.Client.DismissReview` method referenced but missing — file issue
 
 ---
 
-## Completed in This Cycle
-
-### Issue #130: Self-Review Fixes ✅
-
-**Branch:** review-bot-issue-130-work  
-**Status:** ✅ ALL FINDINGS ADDRESSED & PUSHED
-
-**Fixes Applied:**
-1. ✅ Added VCS_TYPE env var export to action.yml Run step
-2. ✅ Fixed README CLI example and env var table (VCS-agnostic format)
-3. ✅ Renamed vcsReviewComment.NewPosition → NewLine with clearer semantics  
-4. ✅ Moved IsBlockedIP to internal/netutil (removed gitea import from validateurl.go)
-
-**Commits:**
-- 5e20dba fix(#130): pass VCS_TYPE env var from action.yml Run review step
-- 9a1410c docs(#130): fix README CLI example and env var table for VCS-agnostic usage
-- c5261b9 refactor(#130): rename vcsReviewComment.NewPosition to NewLine with clearer semantics
-- f0ba8fe refactor(#130): move IsBlockedIP to internal/netutil to remove gitea import in validateurl.go
-- 24d4dcb chore(#130): mark self-review findings as addressed in TODO.md
-
-**Pushed to:** origin/review-bot-issue-130-work ✅
-
----
-
-## Blockers & Manual Steps Required
-
-### Rebase Conflict on origin/main
-
-**Issue:** The original `review-bot-issue-130` branch was created before issue-141 merged. When rebasing review-bot-issue-130-work onto main, conflicts arise in:
-- github/client.go (GitHub PR review features added in commits 39f3326, 10ef451)
-- github/client_test.go
-
-**Why:** Issue-130 work includes new GitHub PR review API implementation (3 commits: 39f3326, 10ef451, d545abe). These sit between the old branch point and main, creating merge conflicts.
-
-**Resolution:** Manual decision needed:
-- Option A: Rebase with conflict resolution (merge the GitHub features carefully)
-- Option B: Abandon branch-based approach, fold work into new issue if still needed
-- Option C: Verify if issue-130 work is still desired or superseded by other issues (#143, #148)
-
-**Current:** review-bot-issue-130-work is pushed and ready, but NOT rebased on main yet.
-
----
-
-## Worktrees Summary
-
-| Issue | Branch | Status | Notes |
-|-------|--------|--------|-------|
-| #130 | review-bot-issue-130-work | ✅ FIXES PUSHED | Awaiting manual rebase/merge decision |
-| #137 | (merged) | ✅ MERGED | Cleanup ready after #130 complete |
-
----
-
-## Next Actions for Human/Next Cycle
-
-1. Decide on issue-130 path forward (rebase, abandon, or consolidate)
-2. If rebasing: resolve conflicts in github/client.go and github/client_test.go
-3. Once rebased: run self-review, address findings, mark ready
-4. Clean up merged worktrees (#137)
-5. Triage new issues (#143, #146, #150) for next cycle
-
----
-
-## Repository Metadata
-
-- **Repo:** gitea.weiker.me/rodin/review-bot
-- **Main branch SHA:** 30fe48d
-- **Cron ID:** 5342ac81-4bbc-4e4c-a123-347a7788d50c
-- **Scheduled:** Every 4 hours
-- **Last cycle:** 2026-05-15 03:33 UTC (issue-137 merged)
-- **This cycle:** 2026-05-15 09:00 UTC (issue-130 fixes completed, rebase conflict detected)
-
----
-
-_Dev-loop cycle complete. Awaiting human decision on issue-130 rebase/merge strategy._
+_Dev-loop cycle complete at 03:33 UTC._