claw
1e0959b077
CI / test (pull_request) Successful in 16s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 37s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m19s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m47s
Add defaultCheckRedirect to both GitHub and Gitea clients that rejects: - HTTPS→HTTP protocol downgrades (prevents plaintext leakage) - Cross-host redirects entirely (prevents consuming untrusted responses) Same-host, same-or-upgraded-scheme redirects remain allowed. Both NewClient constructors wire the policy, and SetHTTPClient(nil) restores it. Callers providing a non-nil client are responsible for configuring their own safe redirect policy. Closes #95