ci: harden workflows and sponsor code review config

.github/prompts/code-review.prompt.md

@@ -1,56 +0,0 @@
----
-agent: agent
-description: Comprehensive code quality and security review of the selected code or recent changes
----
-
-# Code Review
-
-Review the selected code (or the current diff if nothing is selected) across four dimensions. Only report issues you are **confident about** — flag uncertainty explicitly rather than guessing.
-
-## Dimensions
-
-### 1. Security (CRITICAL — block ship if found)
-- Hardcoded secrets, tokens, API keys, passwords
-- Missing input validation or sanitization at system boundaries
-- SQL/NoSQL injection risk (string interpolation in queries)
-- XSS risk (unsanitized HTML output)
-- Auth/authz checks missing or client-side only
-- Sensitive data in logs or error messages exposed to clients
-- Missing rate limiting on public endpoints
-
-### 2. Code Quality (HIGH)
-- Mutation of existing state instead of creating new objects
-- Functions over 50 lines or files over 800 lines
-- Nesting deeper than 4 levels
-- Duplicated logic that should be extracted
-- Misleading or non-descriptive names
-
-### 3. Error Handling (HIGH)
-- Silently swallowed errors (`catch {}`, empty catch blocks)
-- Missing error handling at async boundaries
-- Errors returned but not checked by callers
-- User-facing error messages leaking internal details
-
-### 4. Test Coverage (MEDIUM)
-- Missing tests for new logic
-- Tests that only test happy paths (missing error/edge cases)
-- Assertions that always pass
-
-## Output Format
-
-For each issue found:
-
-```
-**[CRITICAL|HIGH|MEDIUM|LOW]** — [File:Line if known]
-Issue: [What is wrong]
-Fix: [Concrete suggestion]
-```
-
-End with a summary:
-```
-## Summary
-- Critical: N
-- High: N
-- Medium: N
-- Approved to ship: yes / no (fix CRITICAL and HIGH first)
-```