f05e58c847
Add gitea_submit_pr_review, the only tool that submits a Gitea PR review.

It performs a review mutation (comment / approve / request_changes) only after every safety gate passes, and never merges.

Gates (fail-closed at each step):

1. Validate action is comment | approve | request_changes.
2. Reuse gitea_check_pr_eligibility (#14) for authenticated-user lookup, active-profile lookup, PR-author lookup, self-approval block, and the profile-allowed-operation check. approve requires 'approve' eligibility, request_changes requires 'request_changes', comment requires 'review'.
3. Redundant self-approval block (auth user == PR author).
4. Optional expected_head_sha: refuse if the PR head has moved.
5. Only then POST /repos/{owner}/{repo}/pulls/{n}/reviews (formal review endpoint, so approvals/change-requests carry real review state).

Output reports action, whether performed, authenticated user, profile name, PR author, PR number, head SHA checked, and reasons — never a token, auth header, or credential. Error text is scrubbed via _redact as defence in depth.

Merge is intentionally not implemented (belongs to #16).

Tests cover: self-author approve blocked, approve/request_changes/comment succeed only when eligible, unknown identity fail-closed, disallowed profile op blocked, head-SHA mismatch blocked, no mutation when gates fail, invalid action rejected, and secret redaction in output and error paths.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
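
The gate ordering described in this commit message, as an added sketch that is not code from the commit or the project. Every name here (`submit_review`, `Result`, `redact`, the `post` callback) is hypothetical; it assumes eligibility is modelled as a set of allowed operations and that the redundant self-approval gate applies to the approve action.

```python
# Added illustration; all names are hypothetical, not the project's API.
from dataclasses import dataclass, field

# Eligibility each action requires, as listed in the commit message.
REQUIRED_OP = {"comment": "review", "approve": "approve",
               "request_changes": "request_changes"}

@dataclass
class Result:
    action: str
    performed: bool = False
    reasons: list = field(default_factory=list)

def redact(text, secret):
    """Scrub a known secret from text before it reaches output."""
    return text.replace(secret, "[REDACTED]") if secret else text

def submit_review(action, auth_user, pr_author, allowed_ops, head_sha,
                  post, token, expected_head_sha=None):
    """Run every gate in order; call post() only if all of them pass."""
    res = Result(action)

    def deny(reason):
        res.reasons.append(reason)
        return res

    # Gate 1: action must be one of the three review actions.
    if action not in REQUIRED_OP:
        return deny("invalid action")
    # Gate 2: unknown identity fails closed; the profile must allow the op.
    if not auth_user or not pr_author:
        return deny("identity unknown")
    if REQUIRED_OP[action] not in allowed_ops:
        return deny("profile does not allow " + REQUIRED_OP[action])
    # Gate 3: redundant self-approval block (assumed to apply to approve).
    if action == "approve" and auth_user == pr_author:
        return deny("self-approval blocked")
    # Gate 4: optional pin; refuse if the PR head has moved.
    if expected_head_sha is not None and expected_head_sha != head_sha:
        return deny("head moved")
    # Gate 5: only now perform the mutation; scrub any error text.
    try:
        post(action)
    except Exception as exc:
        return deny(redact(str(exc), token))
    res.performed = True
    return res
```

Passing a recording stub as `post` makes the "no mutation when gates fail" property directly checkable: the stub must stay uncalled on every denied path.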