ci(claude): migrate claude-review.yml to caller of HarperFast/ai-review-prompts reusable

[heskew]

Summary

Mirror of `HarperFast/harper#478`. Same caller-migration applied to oauth.

Replaces oauth's inline ~510-line `claude-review.yml` with a ~75-line caller of the reusable in `HarperFast/ai-review-prompts#8` (pinned at `0a5ccbc6...` = ai-review-prompts `main` 2026-05-05). The single `uses:` ref pin controls workflow logic + layer files + scripts + auth-gate behavior. Internal repo, same-day pin.

oauth-specific via `repo-specific-checks`

• `REVIEW_LAYERS` includes `repo-type/plugin`.
• `## Repo-specific checks (OAuth plugin)` block: CSRF state tokens, redirect URI validation, provider-of-record enforcement, session field preservation, path length bounds.

What's deleted

Three scripts now owned by the reusable:

• `.github/scripts/compose-review-scope.sh`
• `.github/scripts/find-prior-review-comment.sh`
• `.github/scripts/log-review-to-ai-review-log.sh`

What's kept

Three scripts still used by inline mention / issue-to-pr workflows:

• `.github/scripts/authorize-claude-workflow.sh`
• `.github/scripts/parse-claude-mention.sh`
• `.github/scripts/validate-auth-gate-invariants.sh` (mirror of the harper-side update — enforces SHA-pinned `uses:` refs on caller-pattern workflows)

What's NOT in this PR

• `claude-mention.yml` / `claude-issue-to-pr.yml` stay inline. Reusables for those land later as Day 2 of revised Plan A.

Test plan

• YAML parses for the new caller and updated validator.
• `bash .github/scripts/validate-auth-gate-invariants.sh` against all three claude-*.yml: all pass; `claude-review.yml` recognized as caller-pattern with SHA pin enforced.
• Push to a PR after this lands → confirm review runs end-to-end via the reusable; output matches what oauth's inline workflow produced.
• Confirm `Auth gate invariants / validate` still passes on this PR (it modifies `claude-*.yml` so the validator runs).

🤖 Generated with Claude Code