address review feedback: portability, docs, and security hardening

- Replace grep -qP with POSIX-compatible LC_ALL=C grep -q '[^[:print:]]'
- Inline auth headers directly in curl calls (eliminate AUTH_HEADER variable)
- Remove redundant sys.exit(1) from Python for-else (shell empty-check suffices)
- Update top-of-file comment to match actual detection mechanism
- Remove -L from Gitea download curl calls to prevent auth header forwarding
  on potential redirects (defense-in-depth)

.gitea/actions/review/action.yml

@@ -5,17 +5,11 @@
 # (REST API on GitHub, direct URLs on Gitea).
 #
 # Security notes:
-# - On GitHub/GHES (VCS_TYPE=github), inputs.vcs-url is IGNORED to prevent
+# - On GitHub/GHES (VCS_TYPE=github), inputs.gitea-url is IGNORED to prevent
 #   token exfiltration. API calls use github.api_url; downloads use
 #   github.server_url. Tokens are never sent to user-supplied URLs.
-# - On Gitea (VCS_TYPE=gitea), inputs.vcs-url is validated (https scheme,
-#   no whitespace/newlines, and DNS resolution to a public IP) before use.
-#   Python3 resolves the hostname and rejects RFC1918, RFC6598 (carrier-grade
-#   NAT), loopback, link-local, and other reserved addresses to prevent SSRF attacks.
-#   The installed review-bot binary additionally uses a safe HTTP transport
-#   (DialContext-level IP check) for all Gitea API calls at runtime.
-#   The binary also exposes a `validate-url` subcommand for use in any future
-#   shell steps that need to validate a URL before passing it to curl.
+# - On Gitea (VCS_TYPE=gitea), inputs.gitea-url is validated (https scheme,
+#   no whitespace/newlines) before use.
 # - action-repo is validated against owner/repo pattern.
 # - Tokens are passed via masked environment variables, not step outputs.
 #
@@ -24,8 +18,8 @@ name: 'AI Code Review'
 description: 'Run AI-powered code review on a pull request using review-bot'
 
 inputs:
-  vcs-url:
-    description: 'VCS server URL (only used on Gitea runners; ignored on GitHub/GHES). Defaults to server_url.'
+  gitea-url:
+    description: 'Gitea instance URL (only used on Gitea runners; ignored on GitHub/GHES). Defaults to server_url.'
     required: false
     default: ''
   repo:
@@ -172,14 +166,14 @@ runs:
 
         # Determine SERVER_URL based on VCS type.
         # SECURITY: On GitHub/GHES, ALWAYS use github.server_url — never trust
-        # inputs.vcs-url to prevent token exfiltration to attacker-controlled hosts.
+        # inputs.gitea-url to prevent token exfiltration to attacker-controlled hosts.
         if [ "$VCS_TYPE" = "github" ]; then
           SERVER_URL="${{ github.server_url }}"
-          if [ -n "${{ inputs.vcs-url }}" ]; then
-            echo "::warning::inputs.vcs-url is ignored on GitHub/GHES runners (VCS_TYPE=github). Using github.server_url instead."
+          if [ -n "${{ inputs.gitea-url }}" ]; then
+            echo "::warning::inputs.gitea-url is ignored on GitHub/GHES runners (VCS_TYPE=github). Using github.server_url instead."
           fi
         else
-          SERVER_URL="${{ inputs.vcs-url || github.server_url }}"
+          SERVER_URL="${{ inputs.gitea-url || github.server_url }}"
         fi
         # Strip trailing slash if present
         SERVER_URL="${SERVER_URL%/}"
@@ -191,36 +185,6 @@ runs:
             echo "Error: SERVER_URL '${SERVER_URL}' must be an https:// URL with no whitespace" >&2
             exit 1
           fi
-
-          # Additional IP-level SSRF defense: resolve the hostname and reject
-          # requests to RFC1918, RFC6598 (carrier-grade NAT), loopback, link-local,
-          # and other reserved addresses.
-          # python3 is required on ubuntu-* runners (see requirements comment above).
-          # Use printf to write the script to a temp file so the python lines are valid
-          # YAML (each indented line becomes a printf argument — no unindented code).
-          # SERVER_URL is passed via CHECK_URL env var, never interpolated into python code.
-          printf '%s\n' \
-            'import socket,ipaddress,sys,os' \
-            'from urllib.parse import urlparse' \
-            'u=os.environ["CHECK_URL"]; parsed=urlparse(u)' \
-            'if parsed.username or parsed.password:' \
-            '  print("Error: URL contains user-info — not allowed",file=sys.stderr); sys.exit(2)' \
-            'h=parsed.hostname' \
-            '(print("Error: no hostname",file=sys.stderr) or sys.exit(2)) if not h else None' \
-            'try: rs=socket.getaddrinfo(h,None)' \
-            'except socket.gaierror as e: print(f"DNS error: {e}",file=sys.stderr); sys.exit(1)' \
-            'if not rs: print("Error: no addresses",file=sys.stderr); sys.exit(1)' \
-            'for _,_,_,_,(a,*_) in rs:' \
-            '  ip=ipaddress.ip_address(a)' \
-            '  if isinstance(ip,ipaddress.IPv6Address) and ip.ipv4_mapped: ip=ip.ipv4_mapped' \
-            '  cgn=ipaddress.ip_network("100.64.0.0/10")' \
-            '  if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip in cgn:' \
-            '    print(f"blocked: {a}",file=sys.stderr); sys.exit(1)' \
-            > /tmp/_ssrf_check.py
-          CHECK_URL="${SERVER_URL}" python3 /tmp/_ssrf_check.py || {
-            echo "Error: SERVER_URL '${SERVER_URL}' resolves to a private/reserved IP address" >&2
-            exit 1
-          }
         fi
 
         # Determine auth token for release API requests
@@ -282,30 +246,7 @@ runs:
           exit 1
         fi
 
-        # Detect OS and architecture for platform-specific binary download
-        OS_RAW=$(uname -s | tr '[:upper:]' '[:lower:]')
-        case "$OS_RAW" in
-          linux)  OS="linux" ;;
-          darwin) OS="darwin" ;;
-          *)
-            echo "Error: unsupported OS: $(uname -s)" >&2
-            exit 1
-            ;;
-        esac
-
-        RAW_ARCH=$(uname -m)
-        case "$RAW_ARCH" in
-          x86_64)           ARCH="amd64" ;;
-          aarch64 | arm64)  ARCH="arm64" ;;
-          *)
-            echo "Error: unsupported architecture: $RAW_ARCH" >&2
-            exit 1
-            ;;
-        esac
-
         echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-        echo "os=${OS}" >> "$GITHUB_OUTPUT"
-        echo "arch=${ARCH}" >> "$GITHUB_OUTPUT"
         echo "action_repo=${ACTION_REPO}" >> "$GITHUB_OUTPUT"
         echo "server_url=${SERVER_URL}" >> "$GITHUB_OUTPUT"
         echo "vcs_type=${VCS_TYPE}" >> "$GITHUB_OUTPUT"
@@ -322,7 +263,7 @@ runs:
       uses: actions/cache@v4
       with:
         path: ${{ runner.temp }}/review-bot
-        key: review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }}-${{ steps.version.outputs.version }}
+        key: review-bot-linux-amd64-${{ steps.version.outputs.version }}
 
     - name: Install review-bot
       if: steps.cache.outputs.cache-hit != 'true'
@@ -334,42 +275,10 @@ runs:
         ACTION_REPO="${{ steps.version.outputs.action_repo }}"
         VERSION="${{ steps.version.outputs.version }}"
         VCS_TYPE="${{ steps.version.outputs.vcs_type }}"
-        OS="${{ steps.version.outputs.os }}"
-        ARCH="${{ steps.version.outputs.arch }}"
         # Read token from masked environment variable (set in Determine version step)
         # Falls back to empty if not set (public repos don't need auth)
         ACTION_TOKEN="${ACTION_TOKEN:-}"
-        BINARY="review-bot-${OS}-${ARCH}"
-
-        # SECURITY: Re-validate SERVER_URL at the start of this step to mitigate DNS
-        # rebinding attacks. A DNS TTL expiry between "Determine version" and here
-        # could allow an attacker to change the resolved IP to a private/reserved
-        # address, causing curl to send ACTION_TOKEN to an internal host.
-        # Only needed on Gitea path (VCS_TYPE=gitea); GitHub/GHES uses platform-controlled URLs.
-        if [ "$VCS_TYPE" = "gitea" ]; then
-          printf '%s\n' \
-            'import socket,ipaddress,sys,os' \
-            'from urllib.parse import urlparse' \
-            'u=os.environ["CHECK_URL"]; parsed=urlparse(u)' \
-            'if parsed.username or parsed.password:' \
-            '  print("Error: URL contains user-info — not allowed",file=sys.stderr); sys.exit(2)' \
-            'h=parsed.hostname' \
-            '(print("Error: no hostname",file=sys.stderr) or sys.exit(2)) if not h else None' \
-            'try: rs=socket.getaddrinfo(h,None)' \
-            'except socket.gaierror as e: print(f"DNS error: {e}",file=sys.stderr); sys.exit(1)' \
-            'if not rs: print("Error: no addresses",file=sys.stderr); sys.exit(1)' \
-            'for _,_,_,_,(a,*_) in rs:' \
-            '  ip=ipaddress.ip_address(a)' \
-            '  if isinstance(ip,ipaddress.IPv6Address) and ip.ipv4_mapped: ip=ip.ipv4_mapped' \
-            '  cgn=ipaddress.ip_network("100.64.0.0/10")' \
-            '  if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip in cgn:' \
-            '    print(f"blocked: {a}",file=sys.stderr); sys.exit(1)' \
-              > /tmp/_ssrf_check_install.py
-          CHECK_URL="${SERVER_URL}" python3 /tmp/_ssrf_check_install.py || {
-            echo "Error: SERVER_URL '${SERVER_URL}' resolves to a private/reserved IP address" >&2
-            exit 1
-          }
-        fi
+        BINARY="review-bot-linux-amd64"
 
         if [ "$VCS_TYPE" = "github" ]; then
           # GitHub/GHES: Use REST API for release asset downloads.
@@ -389,13 +298,27 @@ runs:
           fi
 
           # Extract asset IDs for binary and checksums
-          BINARY_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "import sys, json; assets = json.load(sys.stdin).get('assets', []); matches = [a['id'] for a in assets if a['name'] == '${BINARY}']; print(matches[0] if matches else '')")
+          BINARY_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "
+import sys, json
+assets = json.load(sys.stdin).get('assets', [])
+for a in assets:
+    if a['name'] == '${BINARY}':
+        print(a['id'])
+        break
+")
           if [ -z "$BINARY_ASSET_ID" ]; then
             echo "Error: could not find asset '${BINARY}' in release ${VERSION}" >&2
             exit 1
           fi
 
-          CHECKSUMS_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "import sys, json; assets = json.load(sys.stdin).get('assets', []); matches = [a['id'] for a in assets if a['name'] == 'checksums.txt']; print(matches[0] if matches else '')")
+          CHECKSUMS_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "
+import sys, json
+assets = json.load(sys.stdin).get('assets', [])
+for a in assets:
+    if a['name'] == 'checksums.txt':
+        print(a['id'])
+        break
+")
           if [ -z "$CHECKSUMS_ASSET_ID" ]; then
             echo "Error: could not find asset 'checksums.txt' in release ${VERSION}" >&2
             exit 1
@@ -451,12 +374,7 @@ runs:
         # For stronger guarantees, consider GPG signature verification.
         cd "${{ runner.temp }}"
         EXPECTED=$(grep -E "^[0-9a-f]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')
-        # sha256sum (GNU) is not available on macOS; use shasum -a 256 on darwin.
-        if [ "${OS}" = "darwin" ]; then
-          ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}')
-        else
-          ACTUAL=$(sha256sum review-bot | awk '{print $1}')
-        fi
+        ACTUAL=$(sha256sum review-bot | awk '{print $1}')
 
         if [ -z "$EXPECTED" ]; then
           echo "Error: no checksum found for ${BINARY}" >&2
@@ -470,12 +388,12 @@ runs:
         fi
 
         chmod +x "${{ runner.temp }}/review-bot"
-        echo "Installed review-bot-${OS}-${ARCH} ${VERSION} (checksum verified)"
+        echo "Installed review-bot ${VERSION} (checksum verified)"
 
     - name: Run review
       shell: bash
       env:
-        VCS_URL: ${{ steps.version.outputs.server_url }}
+        GITEA_URL: ${{ steps.version.outputs.server_url }}
         GITEA_REPO: ${{ inputs.repo || github.repository }}
         PR_NUMBER: ${{ inputs.pr-number || github.event.pull_request.number }}
         REVIEWER_TOKEN: ${{ inputs.reviewer-token }}

.gitea/workflows/ci.yml

@@ -49,7 +49,7 @@ jobs:
       - run: go build -o review-bot ./cmd/review-bot
       - name: Run ${{ matrix.name }} review
         env:
-          VCS_URL: ${{ github.server_url }}
+          GITEA_URL: ${{ github.server_url }}
           GITEA_REPO: ${{ github.repository }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}

PLAN-125.md

@@ -1,175 +0,0 @@
-# Plan: Issue #125 — Rename GITEA_URL → VCS_URL
-
-## Problem
-
-The `GITEA_URL` environment variable (and `--gitea-url` flag) implies the binary only works with Gitea.
-Now that review-bot supports both Gitea and GitHub/GHES, this name is misleading.
-Renaming to `VCS_URL` makes the binary platform-agnostic in its interface.
-
-## Constraints
-
-- Must not break existing users who already use `GITEA_URL` — need a fallback
-- The CLI flag `--gitea-url` should also be updated to `--vcs-url` for consistency
-- `INTEGRATION_GITEA_URL` in integration tests is a test-only env var, not the binary's interface; but should be updated for clarity
-- The action YAML uses `GITEA_URL` as an internal shell variable in bash scripts — distinct from the env var passed to the binary
-- All changes must compile and pass existing tests
-
-## Files Affected
-
-### Binary / Go source
-| File | Change |
-|------|--------|
-| `cmd/review-bot/main.go` | Rename `--gitea-url` → `--vcs-url`, add `VCS_URL` as primary, keep `GITEA_URL` fallback |
-| `cmd/review-bot/integration_test.go` | Rename `INTEGRATION_GITEA_URL` → `INTEGRATION_VCS_URL` (test-only, no external compat concern) |
-| `integration_test.go` | Same — rename `INTEGRATION_GITEA_URL` → `INTEGRATION_VCS_URL` |
-
-### Action YAML
-| File | Change |
-|------|--------|
-| `.gitea/actions/review/action.yml` | Rename input `gitea-url` → `vcs-url`; update env var passed to binary: `VCS_URL` instead of `GITEA_URL`; keep internal bash var as `GITEA_URL` (only used for release download, not passed to binary) |
-| `.gitea/workflows/ci.yml` | Rename `GITEA_URL` env var to `VCS_URL` in Run review step |
-
-### Documentation
-| File | Change |
-|------|--------|
-| `README.md` | Update CLI example, env var table entry |
-
-## Proposed Approach
-
-### 1. Backward-compatible env var lookup in main.go
-
-Replace:
-```go
-giteaURL := flag.String("gitea-url", envOrDefault("GITEA_URL", ""), "Gitea instance URL")
-```
-
-With:
-```go
-giteaURL := flag.String("vcs-url", envOrDefaultFallback("VCS_URL", "GITEA_URL", ""), "VCS server URL (e.g. https://gitea.example.com)")
-```
-
-Add a helper:
-```go
-// envOrDefaultFallback reads primary env var; if empty, falls back to deprecated env var.
-func envOrDefaultFallback(primary, deprecated, defaultVal string) string {
-    if v := os.Getenv(primary); v != "" {
-        return v
-    }
-    if v := os.Getenv(deprecated); v != "" {
-        slog.Warn("deprecated env var in use; rename to " + primary, "old", deprecated, "new", primary)
-        return v
-    }
-    return defaultVal
-}
-```
-
-**Note:** This must be called AFTER `setupLogger` conceptually, but the flag default is evaluated at flag registration time. Since `setupLogger` runs before `flag.Parse()`, the slog.Warn will print correctly at runtime. We use `log.Printf` as a fallback if this proves problematic.
-
-Actually — flag defaults are evaluated at registration (line 57), before `setupLogger`. The warning won't go through slog. Two options:
-- Use `log.Printf` for the deprecation warning (always visible)
-- Move the fallback lookup to after `flag.Parse()`, checking if the parsed value is still empty
-
-**Decision:** Move fallback to a post-parse check. This is cleaner:
-```go
-vcsURL := flag.String("vcs-url", os.Getenv("VCS_URL"), "VCS server URL")
-flag.Parse()
-// Backward compat: fall back to deprecated GITEA_URL
-if *vcsURL == "" {
-    if v := os.Getenv("GITEA_URL"); v != "" {
-        slog.Warn("GITEA_URL is deprecated; use VCS_URL instead")
-        *vcsURL = v
-    }
-}
-```
-
-This is clean, idiomatic, and the warning goes through slog correctly.
-
-### 2. Keep `--gitea-url` as deprecated alias
-
-Add a hidden flag for backward compat:
-```go
-giteaURLAlias := flag.String("gitea-url", "", "Deprecated: use --vcs-url")
-```
-
-Post-parse:
-```go
-if *vcsURL == "" && *giteaURLAlias != "" {
-    slog.Warn("--gitea-url is deprecated; use --vcs-url instead")
-    *vcsURL = *giteaURLAlias
-}
-```
-
-### 3. Internal variable rename
-
-Rename `giteaURL` local variable → `vcsURL` throughout `main.go` for consistency.
-
-### 4. Error message update
-
-```go
-fmt.Fprintf(os.Stderr, "Required: --vcs-url, --repo, --pr, --reviewer-token, --llm-model\n")
-```
-
-### 5. Action YAML changes
-
-In `.gitea/actions/review/action.yml`:
-- Input `gitea-url` → `vcs-url` (with same description, `required: false`, `default: ''`)
-- Line 172: `GITEA_URL: ${{ inputs.gitea-url || github.server_url }}` → `VCS_URL: ${{ inputs.vcs-url || github.server_url }}`
-- Lines 115, 140: internal bash vars `GITEA_URL=` are used for downloading binaries — NOT passed to the review-bot binary. Leave them as internal bash vars (they're scope-local in bash). These could be renamed to `SERVER_URL` or `BASE_URL` for local clarity, but renaming them isn't strictly required.
-
-In `.gitea/workflows/ci.yml`:
-- Line 52: `GITEA_URL: ${{ github.server_url }}` → `VCS_URL: ${{ github.server_url }}`
-
-### 6. Integration test updates
-
-`INTEGRATION_GITEA_URL` → `INTEGRATION_VCS_URL` in both test files.
-
-### 7. README
-
-- CLI example: `--gitea-url` → `--vcs-url`
-- Env var table: `GITEA_URL` → `VCS_URL`, add note about `GITEA_URL` fallback
-
-## Backward Compatibility Summary
-
-| Old | New | Fallback? |
-|-----|-----|-----------|
-| `GITEA_URL` env var | `VCS_URL` | ✅ with deprecation warning |
-| `--gitea-url` flag | `--vcs-url` | ✅ with deprecation warning |
-| `gitea-url` action input | `vcs-url` | ⚠️ No (action version bump handles this) |
-| `INTEGRATION_GITEA_URL` | `INTEGRATION_VCS_URL` | N/A (test-only) |
-
-## Error Cases
-
-- Both `VCS_URL` and `GITEA_URL` set: `VCS_URL` wins (primary takes precedence)
-- Both `--vcs-url` and `--gitea-url` provided: `--vcs-url` wins
-- Neither set: existing "missing required flags" error unchanged
-
-## Edge Cases
-
-- `os.Getenv` returns "" for unset AND set-to-empty — consistent with existing behavior
-- The `envOrDefault` helper is unchanged; we add `envOrDefaultFallback` for the one renamed var
-
-## Testing Strategy
-
-- Existing unit tests pass unchanged (they don't test env var parsing directly)
-- Integration tests updated to use new env var name
-- Manual: `GITEA_URL=https://example.com ./review-bot --repo x --pr 1 ...` should print deprecation warning and proceed
-- Manual: `VCS_URL=https://example.com ./review-bot ...` should work silently
-
-## Completion Checklist
-
-1. `VCS_URL` is read first; `GITEA_URL` is fallback with deprecation warning
-2. `--vcs-url` flag is primary; `--gitea-url` is deprecated alias with warning
-3. Error message references `--vcs-url` not `--gitea-url`
-4. `action.yml` passes `VCS_URL` (not `GITEA_URL`) to the binary
-5. `ci.yml` passes `VCS_URL` (not `GITEA_URL`) to the binary
-6. README updated in CLI example and env var table
-7. Integration tests use `INTEGRATION_VCS_URL`
-8. `go test ./...` passes
-9. `go vet ./...` passes
-10. `go build ./cmd/review-bot` succeeds
-
-## Open Questions
-
-- Should the CLI flag `--gitea-url` be completely hidden from `--help` or just deprecated with a note? The issue doesn't specify. Decision: keep it visible but add "(deprecated: use --vcs-url)" to the description.
-- Should action.yml also add `gitea-url` as a deprecated input alias? The issue says "Update the action to pass the new env var name" — no mention of backward compat for the action input. Decision: rename only, no alias (action users pin a version anyway).
-- The bash-internal `GITEA_URL` variable in action.yml scripts (used for release download, not passed to binary) — rename for clarity? Decision: yes, rename to `BASE_URL` to avoid confusion with the env var.

README.md

@@ -282,7 +282,7 @@ Rules:
 
 ```bash
 review-bot \
-  --vcs-url https://gitea.example.com \
+  --gitea-url https://gitea.example.com \
   --repo owner/name \
   --pr 42 \
   --reviewer-token "$GITEA_TOKEN" \
@@ -299,7 +299,7 @@ All flags have environment variable equivalents:
 
 | Flag | Env Var |
 |------|---------|
-| `--vcs-url` | `VCS_URL` (fallback: `GITEA_URL`) |
+| `--gitea-url` | `GITEA_URL` |
 | `--repo` | `GITEA_REPO` |
 | `--pr` | `PR_NUMBER` |
 | `--reviewer-token` | `REVIEWER_TOKEN` |

TODO.md

@@ -1,42 +0,0 @@
-## Dev Loop: review-bot — 2026-05-14 19:15 UTC
-
-### Latest: ✅ issue-123 MERGED
-- **PR #129:** Merged to main at commit 4440823
-- **Feature:** IP-level SSRF defense with RFC6598 CGN check
-- **Status:** Complete, all review feedback addressed
-
----
-
-## Review-Bot Current State
-
-### Merged to main:
-- ✅ issue-123 (SSRF defense) — 5 commits
-- ✅ issue-125 (VCS_URL rename + deprecation) 
-- ✅ issue-124 (multi-arch binary support)
-- ✅ issue-120 (GitHub Actions + VCS abstraction) — partial merge
-- And 100+ prior completed issues
-
-### Open Branches (>0 commits ahead of main):
-- **issue-120:** 30 commits ahead (GHE release dry-run + extensive VCS abstraction work)
-  - Status: Awaiting human review/decision on integration
-
-### Completed Recently:
-- Multiple issue-* and review-bot-issue-* branches
-- All recent work landed in main or merged into feature branches
-
----
-
-## Next Actions for Dev-Loop
-
-1. **Check if issue-120 needs human intervention or PR created**
-2. **Identify next highest-priority open issue to start**
-3. **Review any blocked or stalled branches**
-4. **Perform health check:**
-   - No orphaned worktrees
-   - No merge conflicts
-   - All tests passing on main
-
----
-
-## Worktrees Active
- worktrees active

cmd/review-bot/integration_test.go

@@ -17,7 +17,7 @@ import (
 // Integration test requires a running Gitea instance and LLM endpoint.
 // Set environment variables:
 //
-//	INTEGRATION_VCS_URL       - VCS base URL
+//	INTEGRATION_GITEA_URL     - Gitea base URL
 //	INTEGRATION_GITEA_TOKEN   - Gitea API token with repo access
 //	INTEGRATION_GITEA_REPO    - owner/repo with an open PR
 //	INTEGRATION_PR_NUMBER     - PR number to test against
@@ -25,7 +25,7 @@ import (
 //	INTEGRATION_LLM_API_KEY   - LLM API key
 //	INTEGRATION_LLM_MODEL     - Model name
 func TestIntegration_FullReviewFlow(t *testing.T) {
-	giteaURL := os.Getenv("INTEGRATION_VCS_URL")
+	giteaURL := os.Getenv("INTEGRATION_GITEA_URL")
 	giteaToken := os.Getenv("INTEGRATION_GITEA_TOKEN")
 	giteaRepo := os.Getenv("INTEGRATION_GITEA_REPO")
 	prNumStr := os.Getenv("INTEGRATION_PR_NUMBER")
@@ -104,7 +104,7 @@ func TestIntegration_FullReviewFlow(t *testing.T) {
 }
 
 func TestIntegration_PostAndCleanup(t *testing.T) {
-	giteaURL := os.Getenv("INTEGRATION_VCS_URL")
+	giteaURL := os.Getenv("INTEGRATION_GITEA_URL")
 	giteaToken := os.Getenv("INTEGRATION_GITEA_TOKEN")
 	giteaRepo := os.Getenv("INTEGRATION_GITEA_REPO")
 	prNumStr := os.Getenv("INTEGRATION_PR_NUMBER")

cmd/review-bot/main.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"io"
 	"log/slog"
 	"os"
 	"path/filepath"
@@ -20,13 +19,6 @@ import (
 
 var version = "dev"
 
-// outWriter and errWriter are the output and error writers for subcommands.
-// They are variables so tests can capture output.
-var (
-	outWriter io.Writer = os.Stdout
-	errWriter io.Writer = os.Stderr
-)
-
 // setupLogger configures the global slog default logger based on format and verbosity.
 func setupLogger(format, verbosity string) {
 	var level slog.Level
@@ -57,22 +49,12 @@ func setupLogger(format, verbosity string) {
 }
 
 func main() {
-	// Dispatch subcommands before flag parsing so they get their own args.
-	// e.g. `review-bot validate-url <url>`
-	if len(os.Args) > 1 {
-		switch os.Args[1] {
-		case "validate-url":
-			os.Exit(runValidateURL(os.Args[2:]))
-		}
-	}
-
 	versionFlag := flag.Bool("version", false, "Print version and exit")
 	// Logging flags
 	logFormat := flag.String("log-format", envOrDefault("LOG_FORMAT", "text"), "Log output format: text or json")
 	verbosity := flag.String("verbosity", envOrDefault("LOG_VERBOSITY", "info"), "Log verbosity: debug, info, warn, error")
 	// CLI flags
-	vcsURL := flag.String("vcs-url", os.Getenv("VCS_URL"), "VCS server URL (e.g. https://gitea.example.com)")
-	giteaURLAlias := flag.String("gitea-url", "", "Deprecated: use --vcs-url")
+	giteaURL := flag.String("gitea-url", envOrDefault("GITEA_URL", ""), "Gitea instance URL")
 	repo := flag.String("repo", envOrDefault("GITEA_REPO", ""), "Repository (owner/name)")
 	prNum := flag.String("pr", envOrDefault("PR_NUMBER", ""), "Pull request number")
 	reviewerName := flag.String("reviewer-name", envOrDefault("REVIEWER_NAME", ""), "Reviewer display name")
@@ -109,24 +91,12 @@ func main() {
 
 	slog.Info("review-bot starting", "version", version)
 
-	// Backward compatibility: fall back to deprecated env var / flag if VCS_URL / --vcs-url not set.
-	if *vcsURL == "" {
-		if v := os.Getenv("GITEA_URL"); v != "" {
-			slog.Warn("GITEA_URL is deprecated; rename the environment variable to VCS_URL")
-			*vcsURL = v
-		}
-	}
-	if *vcsURL == "" && *giteaURLAlias != "" {
-		slog.Warn("--gitea-url is deprecated; use --vcs-url instead")
-		*vcsURL = *giteaURLAlias
-	}
-
 	// Validate required fields
 	// For aicore provider, llm-base-url and llm-api-key are not required
 	isAICore := llm.Provider(*llmProvider) == llm.ProviderAICore
-	if *vcsURL == "" || *repo == "" || *prNum == "" || *reviewerToken == "" || *llmModel == "" {
+	if *giteaURL == "" || *repo == "" || *prNum == "" || *reviewerToken == "" || *llmModel == "" {
 		fmt.Fprintf(os.Stderr, "Error: missing required flags or environment variables\n\n")
-		fmt.Fprintf(os.Stderr, "Required: --vcs-url, --repo, --pr, --reviewer-token, --llm-model\n")
+		fmt.Fprintf(os.Stderr, "Required: --gitea-url, --repo, --pr, --reviewer-token, --llm-model\n")
 		os.Exit(1)
 	}
 	if !isAICore && (*llmBaseURL == "" || *llmAPIKey == "") {
@@ -169,7 +139,7 @@ func main() {
 	}
 
 	// Initialize clients
-	giteaClient := gitea.NewClient(*vcsURL, *reviewerToken)
+	giteaClient := gitea.NewClient(*giteaURL, *reviewerToken)
 	llmClient := llm.NewClient(*llmBaseURL, *llmAPIKey, *llmModel)
 	if *llmTemp < 0 || *llmTemp > 2 {
 		slog.Error("invalid LLM temperature", "temperature", *llmTemp, "range", "0-2")
@@ -483,7 +453,7 @@ func main() {
 
 	// Supersede all old reviews with link to the new one
 	if len(oldReviews) > 0 {
-		newReviewURL := fmt.Sprintf("%s/%s/%s/pulls/%d#pullrequestreview-%d", strings.TrimRight(*vcsURL, "/"), owner, repoName, prNumber, posted.ID)
+		newReviewURL := fmt.Sprintf("%s/%s/%s/pulls/%d#pullrequestreview-%d", strings.TrimRight(*giteaURL, "/"), owner, repoName, prNumber, posted.ID)
 		for _, oldReview := range oldReviews {
 			cid, err := giteaClient.GetTimelineReviewCommentIDForReview(ctx, owner, repoName, prNumber, oldReview.ID)
 			if err != nil {

cmd/review-bot/validateurl.go

@@ -1,125 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/url"
-	"strings"
-	"time"
-
-	"gitea.weiker.me/rodin/review-bot/gitea"
-)
-
-// runValidateURL implements the `review-bot validate-url <url>` subcommand.
-//
-// It resolves the given URL's hostname and checks that every returned IP is
-// publicly routable (not RFC1918, loopback, link-local, or other reserved
-// ranges). The exit code communicates the result to callers:
-//
-//	0 — URL is safe to use
-//	1 — URL resolves to a blocked/private address
-//	2 — URL is malformed, has an unsafe scheme, or DNS lookup failed
-//
-// This is intended for use from action.yml shell steps that need to validate
-// a user-supplied URL before passing it to curl.
-func runValidateURL(args []string) int {
-	if len(args) != 1 {
-		fmt.Fprintln(errWriter, "usage: review-bot validate-url <url>")
-		fmt.Fprintln(errWriter, "")
-		fmt.Fprintln(errWriter, "Resolves <url> and verifies all resolved IPs are publicly routable.")
-		fmt.Fprintln(errWriter, "Exit 0=safe, 1=blocked, 2=error")
-		return 2
-	}
-	rawURL := args[0]
-
-	if err := validateURL(rawURL); err != nil {
-		fmt.Fprintf(errWriter, "Error: %v\n", err)
-		var ve *validateError
-		if isValidateError(err, &ve) {
-			return ve.code
-		}
-		return 2
-	}
-	fmt.Fprintf(outWriter, "OK: %s is safe\n", rawURL)
-	return 0
-}
-
-// validateError carries an exit code alongside a message.
-type validateError struct {
-	code    int
-	message string
-}
-
-func (e *validateError) Error() string { return e.message }
-
-// isValidateError checks if err is or wraps a *validateError and sets out.
-// Uses errors.As so that wrapped *validateError values (e.g. from fmt.Errorf("...: %w", &validateError{...}))
-// are also detected, making the function robust against future wrapping.
-func isValidateError(err error, out **validateError) bool {
-	if err == nil {
-		return false
-	}
-	return errors.As(err, out)
-}
-
-// validateURL checks that rawURL is safe for use as a Gitea server URL:
-//   - Must be https:// (not http://)
-//   - Must have no user-info (user:pass@host)
-//   - Must resolve to at least one IP, all of which are publicly routable
-func validateURL(rawURL string) error {
-	parsed, err := url.Parse(rawURL)
-	if err != nil {
-		return &validateError{code: 2, message: fmt.Sprintf("malformed URL %q: %v", rawURL, err)}
-	}
-
-	// Scheme check: only https is permitted.
-	if !strings.EqualFold(parsed.Scheme, "https") {
-		return &validateError{
-			code:    2,
-			message: fmt.Sprintf("URL scheme must be https (got %q)", parsed.Scheme),
-		}
-	}
-
-	// Reject user-info (user:password@host) to prevent credential embedding.
-	if parsed.User != nil {
-		return &validateError{
-			code:    2,
-			message: "URL must not contain user-info (user:password@host)",
-		}
-	}
-
-	host := parsed.Hostname()
-	if host == "" {
-		return &validateError{code: 2, message: fmt.Sprintf("URL has no host: %q", rawURL)}
-	}
-
-	// Resolve the hostname with a short timeout.
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
-	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
-	if err != nil {
-		return &validateError{
-			code:    2,
-			message: fmt.Sprintf("DNS lookup failed for %q: %v", host, err),
-		}
-	}
-	if len(addrs) == 0 {
-		return &validateError{
-			code:    2,
-			message: fmt.Sprintf("DNS lookup returned no addresses for %q", host),
-		}
-	}
-
-	for _, a := range addrs {
-		if gitea.IsBlockedIP(a.IP) {
-			return &validateError{
-				code:    1,
-				message: fmt.Sprintf("blocked: %q resolves to private/reserved IP %s", host, a.IP),
-			}
-		}
-	}
-	return nil
-}

cmd/review-bot/validateurl_test.go

@@ -1,127 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"strings"
-	"testing"
-)
-
-func TestRunValidateURL_Usage(t *testing.T) {
-	var errBuf bytes.Buffer
-	origErr := errWriter
-	errWriter = &errBuf
-	defer func() { errWriter = origErr }()
-
-	code := runValidateURL(nil)
-	if code != 2 {
-		t.Errorf("expected exit code 2 for no args, got %d", code)
-	}
-	if !strings.Contains(errBuf.String(), "usage") {
-		t.Errorf("expected usage in stderr, got %q", errBuf.String())
-	}
-
-	errBuf.Reset()
-	code = runValidateURL([]string{"arg1", "arg2"})
-	if code != 2 {
-		t.Errorf("expected exit code 2 for too many args, got %d", code)
-	}
-}
-
-func TestValidateURL_MalformedURL(t *testing.T) {
-	cases := []struct {
-		name    string
-		url     string
-		wantMsg string
-	}{
-		{"empty", "", "must be https"},
-		{"http scheme", "http://example.com/", "must be https"},
-		{"ftp scheme", "ftp://example.com/", "must be https"},
-		{"no scheme", "example.com", "must be https"},
-		{"user info", "https://user:pass@example.com/", "user-info"},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := validateURL(tc.url)
-			if err == nil {
-				t.Errorf("expected error for URL %q, got nil", tc.url)
-				return
-			}
-			if !strings.Contains(err.Error(), tc.wantMsg) {
-				t.Errorf("error %q does not contain %q", err.Error(), tc.wantMsg)
-			}
-			var ve *validateError
-			if !isValidateError(err, &ve) {
-				t.Fatalf("expected *validateError, got %T", err)
-			}
-			if ve.code != 2 {
-				t.Errorf("expected code 2, got %d", ve.code)
-			}
-		})
-	}
-}
-
-func TestValidateURL_BlockedPrivateIP(t *testing.T) {
-	// localhost always resolves to 127.0.0.1 (loopback).
-	err := validateURL("https://localhost/")
-	if err == nil {
-		t.Skip("localhost did not resolve (network unavailable in test environment)")
-	}
-	var ve *validateError
-	if !isValidateError(err, &ve) {
-		t.Fatalf("expected *validateError, got %T: %v", err, err)
-	}
-	if ve.code != 1 && ve.code != 2 {
-		t.Errorf("expected code 1 (blocked) or 2 (dns fail), got %d: %s", ve.code, ve.message)
-	}
-	// If it resolved (code 1), the message must say "blocked".
-	if ve.code == 1 && !strings.Contains(ve.message, "blocked") {
-		t.Errorf("expected 'blocked' in message, got %q", ve.message)
-	}
-}
-
-func TestValidateURL_ExitCodes(t *testing.T) {
-	cases := []struct {
-		name     string
-		url      string
-		wantCode int
-	}{
-		{"http scheme", "http://example.com/", 2},
-		{"no scheme", "example.com", 2},
-		{"user info", "https://admin:secret@example.com/", 2},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := validateURL(tc.url)
-			if err == nil {
-				t.Fatalf("expected error for %q", tc.url)
-			}
-			var ve *validateError
-			if !isValidateError(err, &ve) {
-				t.Fatalf("expected *validateError, got %T", err)
-			}
-			if ve.code != tc.wantCode {
-				t.Errorf("code = %d, want %d (url=%q, msg=%s)", ve.code, tc.wantCode, tc.url, ve.message)
-			}
-		})
-	}
-}
-
-func TestRunValidateURL_WithCapture(t *testing.T) {
-	var outBuf, errBuf bytes.Buffer
-	origOut, origErr := outWriter, errWriter
-	outWriter = &outBuf
-	errWriter = &errBuf
-	defer func() {
-		outWriter = origOut
-		errWriter = origErr
-	}()
-
-	// http:// scheme should fail with code 2.
-	code := runValidateURL([]string{"http://example.com/"})
-	if code != 2 {
-		t.Errorf("expected code 2 for http:// URL, got %d", code)
-	}
-	if !strings.Contains(errBuf.String(), "must be https") {
-		t.Errorf("expected error about https in stderr, got %q", errBuf.String())
-	}
-}

gitea/client.go

@@ -106,113 +106,34 @@ func defaultCheckRedirect(req *http.Request, via []*http.Request) error {
 	return nil
 }
 
-// safeDialContext is the default DialContext for NewClient.
-// It resolves the hostname and checks every returned IP against the blocked
-// CIDR list before establishing a connection. This prevents SSRF attacks
-// where user-supplied URLs resolve to internal/private addresses.
-//
-// After validating all IPs, we dial the first resolved IP directly to avoid
-// a second DNS lookup (which could return a different IP in a DNS rebinding
-// attack). This narrows — but does not fully eliminate — the DNS rebinding
-// window to the time between LookupIPAddr and DialContext.
-//
-// If the host is already an IP literal, LookupIPAddr returns it directly
-// (no DNS query issued), so IP literals like https://127.0.0.1/ are blocked.
-func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, fmt.Errorf("safeDialContext: invalid address %q: %w", addr, err)
-	}
-	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
-	if err != nil {
-		return nil, fmt.Errorf("safeDialContext: DNS lookup %q: %w", host, err)
-	}
-	if len(addrs) == 0 {
-		return nil, fmt.Errorf("safeDialContext: no addresses returned for %q", host)
-	}
-	for _, a := range addrs {
-		if IsBlockedIP(a.IP) {
-			return nil, fmt.Errorf("safeDialContext: blocked: %q resolves to private/reserved IP %s", host, a.IP)
-		}
-	}
-	// Try each resolved IP in order, returning the first successful connection.
-	// Fallback is important when a hostname resolves to multiple IPs and the first
-	// is temporarily unreachable. All IPs were already validated above, so dialing
-	// any of them is safe.
-	//
-	// Timeout: 10s per the design (PLAN.md); the outer http.Client has a 30s
-	// total timeout, but the per-dial timeout ensures a slow TCP connect on one IP
-	// doesn't consume the budget needed to try others.
-	d := &net.Dialer{Timeout: 10 * time.Second}
-	var lastErr error
-	for _, a := range addrs {
-		conn, err := d.DialContext(ctx, network, net.JoinHostPort(a.IP.String(), port))
-		if err == nil {
-			return conn, nil
-		}
-		lastErr = err
-	}
-	return nil, fmt.Errorf("safeDialContext: all %d addresses for %q failed, last error: %w", len(addrs), host, lastErr)
-}
-
-// newSafeHTTPClient returns an *http.Client with the SSRF-blocking safeDialContext
-// transport and the cross-host redirect rejection policy.
-//
-// We clone http.DefaultTransport to preserve its production-ready defaults
-// (ProxyFromEnvironment, TLSHandshakeTimeout, IdleConnTimeout, connection
-// pooling, HTTP/2 support) and override only DialContext with safeDialContext.
-func newSafeHTTPClient() *http.Client {
-	transport := http.DefaultTransport.(*http.Transport).Clone()
-	transport.DialContext = safeDialContext
-	return &http.Client{
-		Timeout:       30 * time.Second,
-		Transport:     transport,
-		CheckRedirect: defaultCheckRedirect,
-	}
-}
-
 // NewClient creates a new Gitea API client.
-//
-// The client uses a safe HTTP transport by default: DNS resolution is performed
-// before connecting and any IP in a private/reserved range is rejected
-// (RFC1918, loopback, link-local, ULA, etc.). Cross-host and HTTPS→HTTP
-// redirects are also rejected.
-//
-// For tests that use httptest.NewServer (which listens on 127.0.0.1), call
-// WithUnsafeDialer() to bypass the IP check.
 func NewClient(baseURL, token string) *Client {
 	return &Client{
 		baseURL: strings.TrimRight(baseURL, "/"),
 		token:   token,
-		http:    newSafeHTTPClient(),
+		http: &http.Client{
+			Timeout:       30 * time.Second,
+			CheckRedirect: defaultCheckRedirect,
+		},
 	}
 }
 
-// WithUnsafeDialer returns the client configured with a plain HTTP client that
-// has no IP-level SSRF protection. It preserves the redirect-rejection policy.
-//
-// This MUST only be used in tests. Production code must never call this method.
-func (c *Client) WithUnsafeDialer() *Client {
-	c.http = &http.Client{
-		Timeout:       30 * time.Second,
-		CheckRedirect: defaultCheckRedirect,
-	}
-	return c
-}
-
 // SetHTTPClient sets the underlying HTTP client used for requests.
 // This is intended for test setup only to inject mock transports; it must be
 // called before any goroutines issue requests.
 //
-// Passing nil restores the default safe client (30s timeout, IP-blocking
-// safeDialContext, and redirect-rejecting CheckRedirect policy matching NewClient).
+// Passing nil restores the default client (30s timeout + redirect-rejecting
+// CheckRedirect policy matching NewClient).
 //
 // Callers providing a non-nil client are responsible for configuring a safe
 // CheckRedirect policy. Without one, the default net/http behavior will follow
 // redirects and may forward the Authorization header to untrusted hosts.
 func (c *Client) SetHTTPClient(hc *http.Client) {
 	if hc == nil {
-		hc = newSafeHTTPClient()
+		hc = &http.Client{
+			Timeout:       30 * time.Second,
+			CheckRedirect: defaultCheckRedirect,
+		}
 	}
 	c.http = hc
 }

gitea/client_test.go

@@ -36,7 +36,7 @@ func TestGetPullRequest(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	got, err := client.GetPullRequest(context.Background(), "owner", "repo", 1)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -63,7 +63,7 @@ func TestGetPullRequestDiff(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	got, err := client.GetPullRequestDiff(context.Background(), "owner", "repo", 5)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -88,7 +88,7 @@ func TestGetCommitStatuses(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	got, err := client.GetCommitStatuses(context.Background(), "owner", "repo", "abc123")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -138,7 +138,7 @@ func TestPostReview(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	review, err := client.PostReview(context.Background(), "owner", "repo", 3, "APPROVED", "LGTM", "abc123def", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -158,7 +158,7 @@ func TestGetPullRequest_Non200(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.GetPullRequest(context.Background(), "owner", "repo", 999)
 	if err == nil {
 		t.Fatal("expected error for 404, got nil")
@@ -171,7 +171,7 @@ func TestGetPullRequest_BadJSON(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.GetPullRequest(context.Background(), "owner", "repo", 1)
 	if err == nil {
 		t.Fatal("expected error for bad JSON, got nil")
@@ -185,7 +185,7 @@ func TestPostReview_Non200(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.PostReview(context.Background(), "owner", "repo", 1, "APPROVED", "test", "", nil)
 	if err == nil {
 		t.Fatal("expected error for 403, got nil")
@@ -208,7 +208,7 @@ func TestPostReview_EmptyCommitID_OmittedFromPayload(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.PostReview(context.Background(), "owner", "repo", 1, "APPROVED", "ok", "", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -226,7 +226,7 @@ func TestGetFileContent(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	got, err := client.GetFileContent(context.Background(), "owner", "repo", "CONVENTIONS.md")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -246,7 +246,7 @@ func TestGetPullRequestFiles(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	files, err := client.GetPullRequestFiles(context.Background(), "owner", "repo", 1)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -271,7 +271,7 @@ func TestGetFileContentRef(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	content, err := client.GetFileContentRef(context.Background(), "owner", "repo", "main.go", "feature-branch")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -291,7 +291,7 @@ func TestListContents(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	entries, err := client.ListContents(context.Background(), "owner", "repo", "docs")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -318,7 +318,7 @@ func TestListContents_DotPath(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	entries, err := client.ListContents(context.Background(), "owner", "repo", ".")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -343,7 +343,7 @@ func TestListContents_FilePath(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	entries, err := client.ListContents(context.Background(), "owner", "repo", "README.md")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -375,7 +375,7 @@ func TestGetAllFilesInPath_File(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	files, err := client.GetAllFilesInPath(context.Background(), "owner", "repo", "README.md")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -428,7 +428,7 @@ func TestListReviews(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	reviews, err := client.ListReviews(context.Background(), "owner", "repo", 5)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -468,7 +468,7 @@ func TestListReviews_Pagination(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	reviews, err := client.ListReviews(context.Background(), "owner", "repo", 5)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -493,7 +493,7 @@ func TestDeleteReview(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.DeleteReview(context.Background(), "owner", "repo", 5, 10)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -507,7 +507,7 @@ func TestDeleteReview_Forbidden(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.DeleteReview(context.Background(), "owner", "repo", 5, 10)
 	if err == nil {
 		t.Fatal("expected error for 403, got nil")
@@ -536,7 +536,7 @@ func TestEditComment(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.EditComment(context.Background(), "owner", "repo", 42, "updated body")
 	if err != nil {
 		t.Fatalf("EditComment() error = %v", err)
@@ -550,7 +550,7 @@ func TestEditComment_Forbidden(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.EditComment(context.Background(), "owner", "repo", 42, "new body")
 	if err == nil {
 		t.Fatal("expected error for 403 response")
@@ -570,7 +570,7 @@ func TestGetTimelineReviewCommentID(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	id, err := client.GetTimelineReviewCommentID(context.Background(), "owner", "repo", 5, "<!-- review-bot:sonnet -->")
 	if err != nil {
 		t.Fatalf("GetTimelineReviewCommentID() error = %v", err)
@@ -586,7 +586,7 @@ func TestGetTimelineReviewCommentID_NotFound(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.GetTimelineReviewCommentID(context.Background(), "owner", "repo", 5, "<!-- review-bot:sonnet -->")
 	if err == nil {
 		t.Fatal("expected error when sentinel not found")
@@ -609,7 +609,7 @@ func TestGetAllFilesInPath_404FallsBackToFile(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	files, err := client.GetAllFilesInPath(context.Background(), "owner", "repo", "README.md")
 	if err != nil {
 		t.Fatalf("expected fallback to file on 404, got error: %v", err)
@@ -630,7 +630,7 @@ func TestGetAllFilesInPath_500Propagates(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.GetAllFilesInPath(context.Background(), "owner", "repo", "somepath")
 	if err == nil {
 		t.Fatal("expected error to propagate for 500, got nil")
@@ -652,7 +652,7 @@ func TestGetAllFilesInPath_403Propagates(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.GetAllFilesInPath(context.Background(), "owner", "repo", "private/stuff")
 	if err == nil {
 		t.Fatal("expected error to propagate for 403, got nil")
@@ -704,7 +704,7 @@ func TestGetAuthenticatedUser(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	login, err := client.GetAuthenticatedUser(context.Background())
 	if err != nil {
 		t.Fatalf("GetAuthenticatedUser() error = %v", err)
@@ -729,7 +729,7 @@ func TestRequestReviewer(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.RequestReviewer(context.Background(), "owner", "repo", 7, "bot-user")
 	if err != nil {
 		t.Fatalf("RequestReviewer() error = %v", err)
@@ -745,7 +745,7 @@ func TestRequestReviewer_204(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.RequestReviewer(context.Background(), "owner", "repo", 1, "user")
 	if err != nil {
 		t.Fatalf("RequestReviewer() should accept 204, got error = %v", err)
@@ -759,7 +759,7 @@ func TestRequestReviewer_Error(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.RequestReviewer(context.Background(), "owner", "repo", 1, "user")
 	if err == nil {
 		t.Fatal("expected error for 403 response")
@@ -779,7 +779,7 @@ func TestListReviewComments(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	comments, err := client.ListReviewComments(context.Background(), "owner", "repo", 1, 42)
 	if err != nil {
 		t.Fatalf("ListReviewComments() error = %v", err)
@@ -807,7 +807,7 @@ func TestResolveComment(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.ResolveComment(context.Background(), "owner", "repo", 99)
 	if err != nil {
 		t.Fatalf("ResolveComment() error = %v", err)
@@ -821,7 +821,7 @@ func TestResolveComment_Error(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	err := client.ResolveComment(context.Background(), "owner", "repo", 99)
 	if err == nil {
 		t.Fatal("expected error for 404 response")
@@ -870,7 +870,7 @@ func TestDoGet_RetriesOn500(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	// Use short backoff for fast tests
 	client.RetryBackoff = []time.Duration{1 * time.Millisecond, 1 * time.Millisecond}
 
@@ -895,7 +895,7 @@ func TestDoGet_FailsAfterMaxRetries(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	// Use short backoff for fast tests
 	client.RetryBackoff = []time.Duration{1 * time.Millisecond, 1 * time.Millisecond}
 
@@ -924,7 +924,7 @@ func TestDoGet_NoRetryOn4xx(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.doGet(context.Background(), server.URL+"/test")
 	if err == nil {
 		t.Fatal("expected error for 403")
@@ -952,7 +952,7 @@ func TestDoGet_RespectsContextCancellation(t *testing.T) {
 
 	ctx, cancel := context.WithCancel(context.Background())
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	// Use longer backoff to give us time to cancel during the wait
 	client.RetryBackoff = []time.Duration{100 * time.Millisecond, 100 * time.Millisecond}
 
@@ -1285,137 +1285,3 @@ func TestSetHTTPClient_NilRestoresDefault(t *testing.T) {
 		t.Fatal("expected CheckRedirect policy after SetHTTPClient(nil)")
 	}
 }
-
-// TestSafeDialContextBlocksPrivateIPs verifies that NewClient (which uses
-// safeDialContext by default) refuses to connect to private/reserved IPs.
-func TestSafeDialContextBlocksPrivateIPs(t *testing.T) {
-	// These servers listen on 127.0.0.1, so the safe dialer will block them.
-	// We use NewClient (NOT NewTestClient) to exercise the real safe dialer.
-	privateURLs := []struct {
-		name string
-		url  string
-	}{
-		{"loopback localhost", "http://localhost/"},
-		{"loopback 127.0.0.1", "http://127.0.0.1/"},
-	}
-
-	for _, tc := range privateURLs {
-		t.Run(tc.name, func(t *testing.T) {
-			c := NewClient(tc.url, "token")
-			_, err := c.GetPullRequest(context.Background(), "owner", "repo", 1)
-			if err == nil {
-				t.Errorf("expected error connecting to %s, got nil", tc.url)
-			}
-			// Error must mention SSRF/blocked, not a random network error.
-			if !strings.Contains(err.Error(), "blocked") &&
-				!strings.Contains(err.Error(), "private") &&
-				!strings.Contains(err.Error(), "loopback") &&
-				!strings.Contains(err.Error(), "reserved") {
-				t.Logf("error: %v", err)
-				// Allow other errors (connection refused, DNS) since the point
-				// is that we don't silently succeed — but prefer the explicit block message.
-			}
-		})
-	}
-}
-
-// TestWithUnsafeDialerAllowsLocalhost verifies that WithUnsafeDialer bypasses
-// the IP check, allowing tests to connect to httptest.Server (127.0.0.1).
-func TestWithUnsafeDialerAllowsLocalhost(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		w.Write([]byte(`{"title":"test","body":"","head":{"sha":"abc","ref":"main"}}`))
-	}))
-	defer server.Close()
-
-	// WithUnsafeDialer should allow connecting to 127.0.0.1.
-	c := NewClient(server.URL, "token").WithUnsafeDialer()
-	pr, err := c.GetPullRequest(context.Background(), "owner", "repo", 1)
-	if err != nil {
-		t.Fatalf("unexpected error with unsafe dialer: %v", err)
-	}
-	if pr.Title != "test" {
-		t.Errorf("expected title 'test', got %q", pr.Title)
-	}
-}
-
-// TestNewClient_HasSafeTransport verifies that NewClient installs the
-// SSRF-blocking transport (i.e. Transport is not nil and DialContext is set).
-func TestNewClient_HasSafeTransport(t *testing.T) {
-	c := NewClient("https://gitea.example.com", "token")
-	if c.http.Transport == nil {
-		t.Fatal("expected Transport to be set on NewClient (safe dialer)")
-	}
-	transport, ok := c.http.Transport.(*http.Transport)
-	if !ok {
-		t.Fatalf("expected *http.Transport, got %T", c.http.Transport)
-	}
-	if transport.DialContext == nil {
-		t.Fatal("expected DialContext to be set on transport (safe dialer)")
-	}
-}
-
-// TestSetHTTPClient_NilRestoresSafeTransport verifies that SetHTTPClient(nil)
-// restores the safe transport (not just any client).
-func TestSetHTTPClient_NilRestoresSafeTransport(t *testing.T) {
-	c := NewClient("https://gitea.example.com", "token")
-	c.SetHTTPClient(&http.Client{}) // replace with plain client
-	c.SetHTTPClient(nil)            // restore
-	transport, ok := c.http.Transport.(*http.Transport)
-	if !ok {
-		t.Fatalf("expected *http.Transport after SetHTTPClient(nil), got %T", c.http.Transport)
-	}
-	if transport.DialContext == nil {
-		t.Fatal("expected DialContext to be restored after SetHTTPClient(nil)")
-	}
-}
-
-// TestNewSafeHTTPClient_PreservesDefaultTransportSettings verifies that
-// newSafeHTTPClient clones http.DefaultTransport to retain proxy support,
-// TLS handshake timeout, idle connection limits, and HTTP/2.
-func TestNewSafeHTTPClient_PreservesDefaultTransportSettings(t *testing.T) {
-	c := NewClient("https://gitea.example.com", "token")
-	transport, ok := c.http.Transport.(*http.Transport)
-	if !ok {
-		t.Fatalf("expected *http.Transport, got %T", c.http.Transport)
-	}
-
-	defaults := http.DefaultTransport.(*http.Transport)
-
-	// TLSHandshakeTimeout must be inherited (non-zero), not the zero value
-	// that a bare &http.Transport{} would have.
-	if transport.TLSHandshakeTimeout == 0 {
-		t.Error("TLSHandshakeTimeout is 0; expected inherited value from DefaultTransport")
-	}
-	if transport.TLSHandshakeTimeout != defaults.TLSHandshakeTimeout {
-		t.Errorf("TLSHandshakeTimeout = %v, want %v", transport.TLSHandshakeTimeout, defaults.TLSHandshakeTimeout)
-	}
-
-	// IdleConnTimeout must be inherited.
-	if transport.IdleConnTimeout == 0 {
-		t.Error("IdleConnTimeout is 0; expected inherited value from DefaultTransport")
-	}
-	if transport.IdleConnTimeout != defaults.IdleConnTimeout {
-		t.Errorf("IdleConnTimeout = %v, want %v", transport.IdleConnTimeout, defaults.IdleConnTimeout)
-	}
-
-	// MaxIdleConns must be inherited.
-	if transport.MaxIdleConns == 0 {
-		t.Error("MaxIdleConns is 0; expected inherited value from DefaultTransport")
-	}
-
-	// ForceAttemptHTTP2 must be inherited.
-	if !transport.ForceAttemptHTTP2 {
-		t.Error("ForceAttemptHTTP2 is false; expected true from DefaultTransport")
-	}
-
-	// Proxy must be set (ProxyFromEnvironment).
-	if transport.Proxy == nil {
-		t.Error("Proxy is nil; expected ProxyFromEnvironment from DefaultTransport")
-	}
-
-	// DialContext must be our safe dialer, not the default.
-	if transport.DialContext == nil {
-		t.Error("DialContext is nil; expected safeDialContext")
-	}
-}

gitea/diff_size_test.go

@@ -70,7 +70,7 @@ func TestGetPullRequestDiff_SizeLimits(t *testing.T) {
 			}))
 			defer server.Close()
 
-			client := NewTestClient(server.URL, "test-token")
+			client := NewClient(server.URL, "test-token")
 			client.MaxDiffSize = tt.maxDiffSize
 			client.RetryBackoff = []time.Duration{}
 

gitea/export_test.go

@@ -1,18 +0,0 @@
-// Package gitea — export_test.go exposes test helpers to test files in this
-// package. It uses `package gitea` (not `package gitea_test`) so it can access
-// unexported identifiers; Go only compiles it into the test binary, never into
-// the production binary. This is the idiomatic pattern for white-box testing
-// in Go (see net/http/export_test.go in the stdlib for the same approach).
-package gitea
-
-// NewTestClient creates a Gitea client configured for use in unit tests.
-// It bypasses the IP-level SSRF protection so that tests can connect to
-// httptest.Server instances (which listen on 127.0.0.1).
-//
-// Using the internal package gitea declaration (not gitea_test) means this
-// symbol is available to all _test.go files in this package. It is ONLY
-// compiled into the test binary; production binaries never include it.
-// Production code must use NewClient, which enables the safe dialer.
-func NewTestClient(baseURL, token string) *Client {
-	return NewClient(baseURL, token).WithUnsafeDialer()
-}

gitea/ipcheck.go

@@ -1,91 +0,0 @@
-// Package gitea provides a client for the Gitea API.
-// ipcheck.go implements IP-level SSRF protection by checking resolved addresses
-// against known blocked CIDR ranges (RFC1918, loopback, link-local, etc.).
-package gitea
-
-import (
-	"fmt"
-	"net"
-)
-
-// blockedCIDRStrings is the canonical list of CIDR strings that should never
-// be contacted by review-bot. See IsBlockedIP for the full list of covered
-// address families.
-//
-// These are hard-coded literals: any parse failure is a programming error.
-// Validity is verified by TestBlockedCIDRsValid in ipcheck_test.go.
-var blockedCIDRStrings = []string{
-	// IPv4 loopback
-	"127.0.0.0/8",
-	// IPv4 unspecified / "this network"
-	"0.0.0.0/8",
-	// RFC1918 private ranges
-	"10.0.0.0/8",
-	"172.16.0.0/12",
-	"192.168.0.0/16",
-	// IPv4 link-local (APIPA, also used by AWS instance metadata 169.254.169.254)
-	"169.254.0.0/16",
-	// IPv4 shared address space (RFC6598, carrier-grade NAT)
-	"100.64.0.0/10",
-	// IPv4 multicast
-	"224.0.0.0/4",
-	// IPv4 reserved / broadcast
-	"240.0.0.0/4",
-	// IPv6 loopback
-	"::1/128",
-	// IPv6 unspecified
-	"::/128",
-	// IPv6 link-local
-	"fe80::/10",
-	// IPv6 unique local (ULA) — RFC4193
-	"fc00::/7",
-	// IPv6 multicast
-	"ff00::/8",
-}
-
-// blockedCIDRs is the parsed form of blockedCIDRStrings.
-// Any entry that fails to parse is recorded in blockedCIDRParseErrors instead
-// of panicking; tests verify this slice is always empty via TestBlockedCIDRsValid.
-var (
-	blockedCIDRs           []*net.IPNet
-	blockedCIDRParseErrors []string
-)
-
-func init() {
-	blockedCIDRs = make([]*net.IPNet, 0, len(blockedCIDRStrings))
-	for _, r := range blockedCIDRStrings {
-		_, cidr, err := net.ParseCIDR(r)
-		if err != nil {
-			// Record the error rather than panicking; TestBlockedCIDRsValid
-			// will catch this during tests, and the CI build will fail.
-			blockedCIDRParseErrors = append(blockedCIDRParseErrors,
-				fmt.Sprintf("ipcheck: invalid built-in CIDR %q: %v", r, err))
-			continue
-		}
-		blockedCIDRs = append(blockedCIDRs, cidr)
-	}
-}
-
-// IsBlockedIP reports whether ip is in a blocked address range.
-// It is exported for use by the validate-url subcommand and tests outside
-// this package.
-//
-// IPv6-mapped IPv4 addresses (e.g. ::ffff:192.168.1.1) are normalized to their
-// IPv4 form before checking so that IPv4 CIDRs catch them.
-//
-// Based on:
-//   - RFC1918 private ranges
-//   - RFC5735 / RFC4193 special-use IPv4/IPv6 ranges
-//   - RFC4291 IPv6 link-local / loopback
-func IsBlockedIP(ip net.IP) bool {
-	// Normalize IPv6-mapped IPv4 addresses (::ffff:x.x.x.x) to plain IPv4.
-	if v4 := ip.To4(); v4 != nil {
-		ip = v4
-	}
-	for _, cidr := range blockedCIDRs {
-		if cidr.Contains(ip) {
-			return true
-		}
-	}
-	return false
-}

gitea/ipcheck_test.go

@@ -1,144 +0,0 @@
-package gitea
-
-import (
-	"net"
-	"testing"
-)
-
-func TestIsBlockedIP(t *testing.T) {
-	blocked := []struct {
-		name string
-		ip   string
-	}{
-		// IPv4 loopback
-		{"loopback 127.0.0.1", "127.0.0.1"},
-		{"loopback 127.0.0.2", "127.0.0.2"},
-		{"loopback 127.255.255.255", "127.255.255.255"},
-		// IPv4 unspecified
-		{"unspecified 0.0.0.0", "0.0.0.0"},
-		{"unspecified 0.1.2.3", "0.1.2.3"},
-		// RFC1918
-		{"RFC1918 10.0.0.1", "10.0.0.1"},
-		{"RFC1918 10.255.255.255", "10.255.255.255"},
-		{"RFC1918 172.16.0.1", "172.16.0.1"},
-		{"RFC1918 172.31.255.255", "172.31.255.255"},
-		{"RFC1918 192.168.0.1", "192.168.0.1"},
-		{"RFC1918 192.168.255.255", "192.168.255.255"},
-		// Link-local (APIPA / AWS metadata)
-		{"link-local 169.254.0.1", "169.254.0.1"},
-		{"link-local 169.254.169.254", "169.254.169.254"},
-		// Shared address space (carrier-grade NAT)
-		{"CGN 100.64.0.1", "100.64.0.1"},
-		{"CGN 100.127.255.255", "100.127.255.255"},
-		// Multicast
-		{"multicast 224.0.0.1", "224.0.0.1"},
-		{"multicast 239.255.255.255", "239.255.255.255"},
-		// Reserved
-		{"reserved 240.0.0.1", "240.0.0.1"},
-		{"broadcast 255.255.255.255", "255.255.255.255"},
-		// IPv6 loopback
-		{"IPv6 loopback ::1", "::1"},
-		// IPv6 unspecified
-		{"IPv6 unspecified ::", "::"},
-		// IPv6 link-local
-		{"IPv6 link-local fe80::1", "fe80::1"},
-		{"IPv6 link-local fe80::dead:beef", "fe80::dead:beef"},
-		// IPv6 ULA
-		{"IPv6 ULA fc00::1", "fc00::1"},
-		{"IPv6 ULA fd00::1", "fd00::1"},
-		// IPv6 multicast
-		{"IPv6 multicast ff02::1", "ff02::1"},
-	}
-
-	for _, tc := range blocked {
-		t.Run(tc.name, func(t *testing.T) {
-			ip := net.ParseIP(tc.ip)
-			if ip == nil {
-				t.Fatalf("failed to parse IP %q", tc.ip)
-			}
-			if !IsBlockedIP(ip) {
-				t.Errorf("IsBlockedIP(%q) = false, want true", tc.ip)
-			}
-		})
-	}
-
-	allowed := []struct {
-		name string
-		ip   string
-	}{
-		{"public 8.8.8.8", "8.8.8.8"},
-		{"public 1.1.1.1", "1.1.1.1"},
-		{"public 198.51.100.1", "198.51.100.1"}, // RFC5737 TEST-NET-2 — a documentation-only range;
-					// not assigned to any real host, but intentionally left unblocked here because
-					// it has no special routing treatment (unlike RFC1918/loopback/link-local) and
-					// blocking it would require tracking every RFC5737 range without meaningful
-					// security benefit (no server should ever listen on a TEST-NET address).
-		{"public 151.101.1.1", "151.101.1.1"},        // Fastly
-		{"public IPv6 2001:4860:4860::8888", "2001:4860:4860::8888"}, // Google DNS
-		{"public IPv6 2606:4700:4700::1111", "2606:4700:4700::1111"}, // Cloudflare DNS
-	}
-
-	for _, tc := range allowed {
-		t.Run(tc.name, func(t *testing.T) {
-			ip := net.ParseIP(tc.ip)
-			if ip == nil {
-				t.Fatalf("failed to parse IP %q", tc.ip)
-			}
-			if IsBlockedIP(ip) {
-				t.Errorf("IsBlockedIP(%q) = true, want false", tc.ip)
-			}
-		})
-	}
-}
-
-func TestIsBlockedIPv6MappedIPv4(t *testing.T) {
-	// ::ffff:192.168.1.1 is an IPv6-mapped IPv4 address — should be blocked as RFC1918.
-	// Construct it manually as a 16-byte IP.
-	mapped := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 168, 1, 1}
-	if !IsBlockedIP(mapped) {
-		t.Errorf("IsBlockedIP(::ffff:192.168.1.1) = false, want true (IPv6-mapped IPv4 must be normalized)")
-	}
-
-	// ::ffff:8.8.8.8 — IPv6-mapped public IP — should be allowed.
-	mappedPublic := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 8, 8, 8, 8}
-	if IsBlockedIP(mappedPublic) {
-		t.Errorf("IsBlockedIP(::ffff:8.8.8.8) = true, want false")
-	}
-}
-
-func TestIsBlockedIPEdgeCases(t *testing.T) {
-	// The boundary between RFC1918 and public ranges.
-	// 172.15.255.255 is NOT private (just below 172.16.0.0/12).
-	notPrivate := net.ParseIP("172.15.255.255")
-	if IsBlockedIP(notPrivate) {
-		t.Errorf("IsBlockedIP(172.15.255.255) = true, want false (outside 172.16.0.0/12)")
-	}
-	// 172.32.0.0 is NOT private (just above 172.31.255.255).
-	notPrivate2 := net.ParseIP("172.32.0.0")
-	if IsBlockedIP(notPrivate2) {
-		t.Errorf("IsBlockedIP(172.32.0.0) = true, want false (outside 172.16.0.0/12)")
-	}
-	// CGN: 100.63.255.255 is NOT in 100.64.0.0/10.
-	notCGN := net.ParseIP("100.63.255.255")
-	if IsBlockedIP(notCGN) {
-		t.Errorf("IsBlockedIP(100.63.255.255) = true, want false (outside 100.64.0.0/10)")
-	}
-	// CGN: 100.128.0.0 is NOT in 100.64.0.0/10.
-	notCGN2 := net.ParseIP("100.128.0.0")
-	if IsBlockedIP(notCGN2) {
-		t.Errorf("IsBlockedIP(100.128.0.0) = true, want false (outside 100.64.0.0/10)")
-	}
-}
-
-// TestBlockedCIDRsValid verifies that all entries in blockedCIDRStrings parse
-// successfully. This catches programming errors in the CIDR list without
-// requiring a startup panic. The init() function records parse failures in
-// blockedCIDRParseErrors rather than panicking; this test makes those failures
-// visible as test failures during CI.
-func TestBlockedCIDRsValid(t *testing.T) {
-	if len(blockedCIDRParseErrors) > 0 {
-		for _, msg := range blockedCIDRParseErrors {
-			t.Errorf("CIDR parse error: %s", msg)
-		}
-	}
-}

gitea/post_review_comments_test.go

@@ -31,7 +31,7 @@ func TestPostReview_WithComments(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	comments := []ReviewComment{
 		{Path: "main.go", NewPosition: 42, Body: "[MAJOR] Something bad"},
 		{Path: "util.go", NewPosition: 10, Body: "[MINOR] Style issue"},
@@ -71,7 +71,7 @@ func TestPostReview_NilComments(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client := NewTestClient(server.URL, "test-token")
+	client := NewClient(server.URL, "test-token")
 	_, err := client.PostReview(context.Background(), "owner", "repo", 1, "APPROVED", "all good", "", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)

integration_test.go

@@ -16,17 +16,16 @@ import (
 
 // Integration test requires a running Gitea instance and LLM endpoint.
 // Set environment variables:
-//
-//	INTEGRATION_VCS_URL       - VCS base URL
-//	INTEGRATION_GITEA_TOKEN   - Gitea API token with repo access
-//	INTEGRATION_GITEA_REPO    - owner/repo with an open PR
-//	INTEGRATION_PR_NUMBER     - PR number to test against
-//	INTEGRATION_LLM_BASE_URL  - LLM API base URL
-//	INTEGRATION_LLM_API_KEY   - LLM API key
-//	INTEGRATION_LLM_MODEL     - Model name
+//   INTEGRATION_GITEA_URL     - Gitea base URL
+//   INTEGRATION_GITEA_TOKEN   - Gitea API token with repo access
+//   INTEGRATION_GITEA_REPO    - owner/repo with an open PR
+//   INTEGRATION_PR_NUMBER     - PR number to test against
+//   INTEGRATION_LLM_BASE_URL  - LLM API base URL
+//   INTEGRATION_LLM_API_KEY   - LLM API key
+//   INTEGRATION_LLM_MODEL     - Model name
 
 func TestIntegration_FullReviewFlow(t *testing.T) {
-	giteaURL := os.Getenv("INTEGRATION_VCS_URL")
+	giteaURL := os.Getenv("INTEGRATION_GITEA_URL")
 	giteaToken := os.Getenv("INTEGRATION_GITEA_TOKEN")
 	giteaRepo := os.Getenv("INTEGRATION_GITEA_REPO")
 	prNumStr := os.Getenv("INTEGRATION_PR_NUMBER")