feat: post AI review comments inline to actual files instead of single giant comment (#28)

* fix: post AI review comments inline to actual files instead of single giant comment

- Update postSuggestionsToGitHub() to post ALL suggestions as inline comments
- Create generateAllInlineComments() method to handle all confidence levels (≥50%)
- Increase resolvable suggestion limit from 5 to 8
- Add fallback handling for failed inline comments
- Simplify summary comment to avoid duplication with inline comments
- Standardize line_number field handling across services
- Add helper methods: getConfidenceLabel(), inferLineNumber()
- Update tests to match new inline comment behavior

Benefits:
- Better UX: suggestions appear exactly where they belong in code
- Contextual feedback: reviewers see suggestions while reading relevant code
- Uses GitHub's native inline comment and resolvable suggestion features
- Reduces noise from giant comment blocks
- Maintains all existing functionality with robust fallbacks

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* fix: correct emergency-controls workflow trigger syntax

The 'on' keyword should not be quoted in YAML workflow files.
This was causing GitHub Actions to incorrectly trigger the
emergency-controls workflow on push events instead of only
on manual workflow_dispatch.

* fix: prevent emergency-controls workflow from running on push events

Add explicit check for workflow_dispatch event type to ensure
emergency controls only run when manually triggered, never on
push or pull_request events.

* fix: resolve emergency-controls workflow timeout-minutes syntax error

- Remove invalid use of env context in timeout-minutes (not available at job level)
- Use hardcoded value of 10 minutes instead of fromJSON(env.EMERGENCY_TIMEOUT_MINUTES)
- Remove unused env section from workflow file

Fixes GitHub Actions error: 'Unrecognized named-value: env' in timeout-minutes

* fix: resolve npm audit security vulnerabilities

- Updated inquirer from ^8.2.5 to ^10.2.2 to resolve vulnerability chain
- Added npm override for tmp package to version 0.2.4 (fixes CVE for versions <=0.2.3)
- All tests passing, functionality verified
- npm audit now reports 0 vulnerabilities

Addresses security review findings from PR #28.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: 3 people

.github/workflows/emergency-controls.yml

@@ -1,11 +1,7 @@
 ---
 name: Emergency Controls
 
-# Centralized timeout configuration
-env:
-  EMERGENCY_TIMEOUT_MINUTES: 10
-
-"on":
+on:
   workflow_dispatch:
     inputs:
       action:
@@ -35,6 +31,8 @@ permissions:
 
 jobs:
   verify-authorization:
+    # Only run on manual dispatch, never on push/PR events
+    if: github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     outputs:
       authorized: ${{ steps.auth-check.outputs.authorized }}
@@ -62,7 +60,7 @@ jobs:
     needs: verify-authorization
     if: needs.verify-authorization.outputs.authorized == 'true'
     runs-on: ubuntu-latest
-    timeout-minutes: ${{ fromJSON(env.EMERGENCY_TIMEOUT_MINUTES) }}
+    timeout-minutes: 10
     steps:
       - name: Checkout
         uses: actions/checkout@v4