security-review-bot
  • Joined on 2026-05-02
security-review-bot commented on pull request rodin/review-bot#111 2026-05-13 15:54:00 +00:00
feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95)

[MINOR] Scheme comparison is case-sensitive (prev.URL.Scheme == "https" && req.URL.Scheme == "http"). A mixed/uppercase scheme in a redirect could bypass the downgrade check. Use strings.EqualFold or normalize schemes to lowercase before comparison.

security-review-bot commented on pull request rodin/review-bot#111 2026-05-13 15:54:00 +00:00
feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95)

[MINOR] Scheme comparison is case-sensitive (prev.URL.Scheme == "https" && req.URL.Scheme == "http"). If a server returns a Location with an uppercase or mixed-case scheme (e.g., "HTTP"), this may bypass the downgrade check depending on parsing behavior. Use strings.EqualFold or normalize schemes to lowercase before comparison.

security-review-bot commented on pull request rodin/review-bot#106 2026-05-13 15:03:23 +00:00
feat(cmd): wire --provider and --base-url flags into CLI (Phase 5)

[MINOR] fetchPatterns now treats an empty --patterns-files as 'fetch all files from repo root' and recursively aggregates all markdown/text/yaml files without size or count limits. An attacker-controlled patterns repo (or misconfiguration) could cause excessive memory/CPU usage and inflate prompt size, enabling a denial-of-service condition.

security-review-bot commented on pull request rodin/review-bot#106 2026-05-13 14:47:46 +00:00
feat(cmd): wire --provider and --base-url flags into CLI (Phase 5)

[MINOR] When constructing the supersede link for Gitea reviews, vcsURL is concatenated without scheme validation. Although this value is operator-provided and Gitea typically sanitizes Markdown links, validating that vcsURL starts with http/https before embedding would reduce the risk of an unsafe link (e.g., javascript:) if misconfigured.

security-review-bot commented on pull request rodin/review-bot#110 2026-05-13 13:25:10 +00:00
feat(github): support HTTP-date format in Retry-After header

[MINOR] doRequest accepts an arbitrary reqURL and unconditionally applies the Authorization header (line 167). If future internal callers inadvertently pass non-GitHub or user-influenced URLs (e.g., pre-signed S3 links), this could lead to SSRF and/or token leakage to third-party hosts. Consider constraining requests to c.baseURL or verifying the host before attaching Authorization.

security-review-bot commented on pull request rodin/review-bot#110 2026-05-13 13:11:28 +00:00
feat(github): support HTTP-date format in Retry-After header

[MINOR] doRequest accepts a full URL string. Although unexported, ensure that exported higher-level methods only construct URLs from the trusted baseURL (or enforce an allowlist) so this primitive cannot be used with untrusted user-provided URLs, which could otherwise enable SSRF if misused.

security-review-bot commented on pull request rodin/review-bot#110 2026-05-13 13:11:28 +00:00
feat(github): support HTTP-date format in Retry-After header

[MINOR] Authorization header is set on the client requests; while Go’s standard library drops Authorization on cross-host redirects in recent versions, consider explicitly configuring http.Client.CheckRedirect to prevent following cross-host redirects or to strip sensitive headers on redirects for defense-in-depth against token leakage.
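As an added example, not code from the rodin/review-bot project, here is a Go http.Client.CheckRedirect policy of the kind these comments on #110 and #111 describe: it refuses cross-host redirects and HTTPS-to-HTTP downgrades, compares schemes with strings.EqualFold so case cannot bypass the check, and keeps a hop limit (the default cap is lost once CheckRedirect is set). The hostnames are constructed placeholders and simulateChain is a test helper, not a library API.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

var ErrCrossHost = errors.New("refusing cross-host redirect")
var ErrDowngrade = errors.New("refusing HTTPS to HTTP downgrade")

// checkRedirect is an http.Client.CheckRedirect policy; via[0] is the original request.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // the default cap no longer applies once CheckRedirect is set
		return errors.New("stopped after 10 redirects")
	}
	// Hostname() drops the port; DNS names are case-insensitive, hence EqualFold.
	if !strings.EqualFold(req.URL.Hostname(), via[0].URL.Hostname()) {
		return fmt.Errorf("%w: %s -> %s", ErrCrossHost, via[0].URL.Host, req.URL.Host)
	}
	// url.Parse lowercases schemes; EqualFold also covers URLs built by hand with "HTTP".
	prev := via[len(via)-1]
	if strings.EqualFold(prev.URL.Scheme, "https") && !strings.EqualFold(req.URL.Scheme, "https") {
		return fmt.Errorf("%w: %s -> %s", ErrDowngrade, prev.URL, req.URL)
	}
	return nil
}

// simulateChain replays a redirect chain through checkRedirect as the client
// would: urls[0] is the original request, later entries are Location targets.
func simulateChain(urls ...string) error {
	via := make([]*http.Request, 0, len(urls))
	for i, u := range urls {
		req, err := http.NewRequest(http.MethodGet, u, nil)
		if err == nil && i > 0 {
			err = checkRedirect(req, via)
		}
		if err != nil {
			return err
		}
		via = append(via, req)
	}
	return nil
}

func main() {
	_ = &http.Client{CheckRedirect: checkRedirect} // how the policy is wired in
	fmt.Println(simulateChain("https://api.example.invalid/", "http://api.example.invalid/"))
}
```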