[MINOR] The --base-url (VCS_BASE_URL) for the GitHub API is fully user-controlled and used with the reviewer token; while HTTPS is enforced and cross-host redirects strip Authorization, an attacker who can influence this configuration could direct requests (and thus tokens) to an arbitrary HTTPS endpoint. Consider allowlisting known GitHub Enterprise hosts or warning when the base URL differs from the default to reduce misconfiguration/exfiltration risk.
[MINOR] ListReviews and GetAuthenticatedUser use c.doGet, and DeleteReview uses c.doRequest. Ensure these helpers enforce the same HTTPS-only constraint that doJSONRequest applies when a token is present, so that an http base URL cannot cause accidental credential leakage through the non-JSON paths.
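The two findings above (base-URL validation, and one HTTPS-only check shared by every request helper) can be addressed by a single validation step at configuration time plus a pre-flight that all helpers call. The following is an added illustration, not the project's code: the names ValidateBaseURL, RequireHTTPSForToken and CheckRequestTarget are hypothetical, the default host api.github.com and the allowlist shape are assumptions, and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed default for the public GitHub API; the real flag default may differ.
const defaultBaseURL = "https://api.github.com"

// BaseURLCheck is the outcome of validating an operator-supplied --base-url / VCS_BASE_URL.
type BaseURLCheck struct {
	URL     *url.URL
	Warning string // set when the host is neither the default nor allowlisted
}

// ValidateBaseURL (hypothetical) enforces https, rejects embedded credentials and an
// empty host, and compares the host against the default and an operator allowlist.
// A non-allowlisted host is still accepted, but with a warning that names where the
// reviewer token is about to be sent, so a misconfiguration is visible rather than silent.
func ValidateBaseURL(raw string, allowHosts []string) (BaseURLCheck, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return BaseURLCheck{}, fmt.Errorf("base URL %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return BaseURLCheck{}, fmt.Errorf("base URL %q: scheme must be https, got %q", raw, u.Scheme)
	}
	if u.User != nil {
		return BaseURLCheck{}, fmt.Errorf("base URL %q: must not embed credentials", raw)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return BaseURLCheck{}, fmt.Errorf("base URL %q: no host", raw)
	}
	def, _ := url.Parse(defaultBaseURL)
	allowed := host == def.Hostname()
	for _, h := range allowHosts {
		if strings.EqualFold(strings.TrimSpace(h), host) {
			allowed = true
			break
		}
	}
	check := BaseURLCheck{URL: u}
	if !allowed {
		check.Warning = fmt.Sprintf("host %q is neither the default %q nor allowlisted; the reviewer token will be sent there", host, def.Hostname())
	}
	return check, nil
}

// RequireHTTPSForToken (hypothetical) is the single pre-flight every request helper
// (GET, DELETE and JSON alike) should call: a request carrying a token may only go over https.
func RequireHTTPSForToken(target *url.URL, token string) error {
	if token == "" {
		return nil
	}
	if target == nil {
		return fmt.Errorf("refusing to send a token to a nil target")
	}
	if target.Scheme != "https" {
		return fmt.Errorf("refusing to send a token over %q to %q", target.Scheme, target.Host)
	}
	return nil
}

// CheckRequestTarget is the same check for a helper that only holds the raw URL string.
func CheckRequestTarget(raw, token string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	return RequireHTTPSForToken(u, token)
}

func main() {
	// Constructed sample inputs: default, allowlisted GHE host, http GHE host, unknown host.
	for _, raw := range []string{
		"https://api.github.com",
		"https://ghe.example-corp.internal/api/v3",
		"http://ghe.example-corp.internal/api/v3",
		"https://attacker.example/api/v3",
	} {
		c, err := ValidateBaseURL(raw, []string{"ghe.example-corp.internal"})
		switch {
		case err != nil:
			fmt.Printf("%-44s rejected: %v\n", raw, err)
		case c.Warning != "":
			fmt.Printf("%-44s accepted with warning: %s\n", raw, c.Warning)
		default:
			fmt.Printf("%-44s accepted\n", raw)
		}
	}
}
```

Putting the scheme check in one function that every helper calls, rather than in doJSONRequest alone, is what keeps doGet and doRequest from drifting out of step; the allowlist is applied once at startup, so per-request cost is just the scheme comparison.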
[MINOR] Potential log injection: extractSentinelName() returns untrusted content from review bodies, which is logged as "sibling_role" without escaping. An attacker-controlled sentinel (e.g., with newlines) could inject extra log lines when using text logging. Consider sanitizing/escaping newlines and control characters before logging or enforcing a stricter pattern when extracting the sentinel.
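To make the log-injection finding concrete, here is an added example (not the project's extractSentinelName or its logger) that contrasts a lenient extractor with a strict one and shows a sanitizer for the logged value. The marker format "sentinel:" on its own line, the strict name pattern, the function names and the review body are all constructed assumptions; the real project's sentinel syntax may differ.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Assumed marker that introduces the sentinel in a review body.
const sentinelMarker = "sentinel:"

// Assumed strict shape for a sentinel/role name: a short token of letters, digits,
// dot, underscore and hyphen. Anything else is rejected before it reaches the logger.
var sentinelRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// AttackerBody is a constructed review body: the text after the marker carries a
// newline and a fake log record, which is the injection the finding describes.
const AttackerBody = "LGTM\nsentinel: build-bot\nlevel=ERROR msg=\"token leaked\" sibling_role=admin\n"

// ExtractLenient mirrors the failure mode: it returns everything after the marker,
// newlines included, so whatever the attacker wrote becomes the logged value.
func ExtractLenient(body string) (string, bool) {
	i := strings.Index(body, sentinelMarker)
	if i < 0 {
		return "", false
	}
	return strings.TrimSpace(body[i+len(sentinelMarker):]), true
}

// ExtractStrict reads only the remainder of the marker's own line and rejects it
// unless it matches sentinelRe, so control characters never reach the logger.
func ExtractStrict(body string) (string, bool) {
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimRight(line, "\r")
		if !strings.HasPrefix(line, sentinelMarker) {
			continue
		}
		name := strings.TrimSpace(strings.TrimPrefix(line, sentinelMarker))
		if sentinelRe.MatchString(name) {
			return name, true
		}
		return "", false
	}
	return "", false
}

// SanitizeForLog makes an untrusted string safe for a single text log line: newline,
// carriage return and tab become their two-character escapes, and every other control
// character (ESC, DEL, C1 controls) and the Unicode line/paragraph separators become
// \uXXXX, so the value cannot start a new line or drive terminal escape sequences.
func SanitizeForLog(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\t':
			b.WriteString(`\t`)
		case unicode.IsControl(r), r == '\u2028', r == '\u2029':
			fmt.Fprintf(&b, `\u%04x`, r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// RawLogLine is a stand-in for a text logger that writes the value unescaped.
func RawLogLine(siblingRole string) string {
	return "level=INFO msg=sibling-review sibling_role=" + siblingRole
}

// SafeLogLine is the same line with the value sanitized first.
func SafeLogLine(siblingRole string) string {
	return RawLogLine(SanitizeForLog(siblingRole))
}

func main() {
	lenient, _ := ExtractLenient(AttackerBody)
	fmt.Println("lenient extractor, unsanitized (two records appear):\n" + RawLogLine(lenient))
	fmt.Println("lenient extractor, sanitized (one record):\n" + SafeLogLine(lenient))
	if name, ok := ExtractStrict(AttackerBody); ok {
		fmt.Println("strict extractor:\n" + SafeLogLine(name))
	}
}
```

The two measures are independent: a strict pattern in the extractor stops bad names at the source, and sanitizing at the log call protects every other untrusted field that ends up in a text log. If the logger already quotes values (strconv.Quote-style), the sanitizer is redundant for that path, but the strict pattern still limits what a review body can put into a field named like a role.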