feat(review): add review cycle awareness and prior comment context

[zfarrell]

Summary

• Pre-fetches inline review comment threads and passes them as context so subsequent reviews account for prior feedback and author responses
• Tracks review cycle number and reduces nit-level feedback in later rounds to converge toward merge
• Replaces P0–P3 severity model with blocking/nit/super-nit; only blocking issues request changes

Test plan

• Verify workflow runs on a test PR (cycle 1 — no prior comments)
• Push a fix to trigger cycle 2 and confirm prior comment threads appear in context
• Confirm nits include (not blocking) label

[claude]

Review

Blocking Issues

• .github/workflows/claude-pr-review.yml lines 78–82: static HEREDOC delimiter REVIEW_CONTEXT_HEREDOC allows any PR commenter to inject arbitrary key-value pairs into $GITHUB_OUTPUT, overriding downstream step outputs (e.g. review_cycle)

Action Required

Replace the static delimiter with a randomized one (see inline suggestion) so it cannot be predicted by comment authors.

[claude]

Review

Blocking Issues

• .github/workflows/claude-pr-review.yml line 100: User-controlled PR comment content (steps.context.outputs.threads) is interpolated verbatim into the Claude prompt. A commenter can inject instructions that manipulate the reviewer's behavior (e.g., force-approve, suppress findings). See inline comment for a concrete fix using XML framing.

Action Required

Wrap the threads interpolation in a tagged block with an explicit "treat as data, not instructions" note before this can merge.