[MINOR] AI Core endpoints (AuthURL/APIURL) are used as provided without enforcing HTTPS. Consider validating that the URL scheme is https before sending client credentials or tokens, to prevent accidental plaintext transmission due to misconfiguration.
[MINOR] Untrusted persona display_name (from a repo-controlled persona-file) is passed directly to FormatMarkdownWithDisplay and rendered into review Markdown without escaping. If the hosting platform's sanitizer is bypassable, this could enable Markdown/HTML injection in the review header/footer. Consider sanitizing or escaping displayName (and restricting to a safe character set) before inclusion.
[MINOR] AuthURL is taken from configuration without scheme validation. If misconfigured to use plain http or a non-HTTPS URL, client credentials could be sent in cleartext and requests could be directed to untrusted endpoints. Consider enforcing or validating an https scheme (or at least logging/warning on non-HTTPS) before issuing the token request.
[MINOR] APIURL is used to construct the deployments endpoint without scheme validation. To reduce the risk of accidental plaintext transmission or SSRF-like misuse in misconfigured environments, consider enforcing or validating an https scheme for APIURL before making requests.
[MAJOR] LoadPersona uses os.ReadFile on the provided path without checks. Combined with the caller’s lack of path/symlink validation, this permits reading arbitrary paths on the runner (including device nodes or large files), enabling DoS and possible sensitive data leakage if the file parses as JSON.
[MAJOR] Unvalidated persona-file path is read without restricting to the workspace or validating symlinks. An attacker who can modify workflow inputs could point to arbitrary files (e.g., /dev/zero causing DoS, or JSON config files), risking resource exhaustion and potential data exfiltration to the LLM.
[MINOR] The persona-file code path accepts and loads a file path directly into review.LoadPersona without the workspace-bound and symlink checks applied to system-prompt-file. While LoadPersona performs JSON parsing (reducing accidental leakage), adding the same path/symlink validation here would provide consistent defense-in-depth and reduce the risk of reading unintended files.
[MAJOR] LoadPersona reads an arbitrary file path from the local filesystem without any path normalization, workspace boundary checks, or symlink resolution. In CI, a misconfigured workflow or malicious change could cause the bot to read files outside the repository workspace and include their contents (via persona fields) in the LLM system prompt, risking data exfiltration. Mirror the strict workspace + symlink checks used for system-prompt-file.
[MINOR] The --persona-file path is read directly from the filesystem without workspace or symlink checks, allowing arbitrary file reads on the runner if the input were ever user-controlled. Mirror the path traversal protections used for --system-prompt-file (resolve to absolute path within the workspace, EvalSymlinks, and reject paths escaping the workspace) to prevent unintended access.
[MINOR] All AI Core responses are read with io.ReadAll without a size cap. For defense-in-depth against oversized or malfunctioning endpoints, consider limiting reads (e.g., with io.LimitedReader), especially on error paths, to mitigate memory exhaustion.
[NIT] When provider=aicore, credentials are validated but URLs are not. Adding a simple URL parse and HTTPS enforcement (or a clear warning) would reduce misconfiguration risk and ensure secure transport.
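The two checks these findings ask for, as an added Go example that is not the project's own code: an https-only endpoint check for AuthURL/APIURL, and a persona-file resolver that mirrors the workspace + EvalSymlinks protection used for system-prompt-file. The function names and the example URL in main are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// requireHTTPS rejects any endpoint that is not an absolute https URL, so credentials never go out in plaintext.
func requireHTTPS(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid endpoint %q: %w", raw, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("endpoint %q must be an absolute https URL", raw)
	}
	return u, nil
}

// resolveInWorkspace makes p absolute, follows symlinks, and requires a regular file inside workspace.
func resolveInWorkspace(workspace, p string) (string, error) {
	wsReal, err := filepath.EvalSymlinks(workspace)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(wsReal, p)
	}
	target, err := filepath.EvalSymlinks(p) // fails if p does not exist
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(wsReal, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("persona file %q resolves outside workspace", p)
	}
	if fi, err := os.Stat(target); err != nil || !fi.Mode().IsRegular() {
		return "", fmt.Errorf("persona file %q is not a regular file (device nodes are refused)", target)
	}
	return target, nil
}

func main() {
	if _, err := requireHTTPS("http://auth.example.invalid/oauth/token"); err != nil { // constructed misconfig
		fmt.Println("rejected:", err)
	}
}
```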