refactor: extract magic numbers to named constants

cmd/entire/cli/explain.go

@@ -837,7 +837,7 @@ func computeReachableFromMain(repo *git.Repository) map[plumbing.Hash]bool {
 	}
 
 	// Walk main's first-parent chain to build the set
-	_ = walkFirstParentCommits(repo, mainBranchHash, 1000, func(c *object.Commit) error { //nolint:errcheck // Best-effort
+	_ = walkFirstParentCommits(repo, mainBranchHash, strategy.MaxCommitTraversalDepth, func(c *object.Commit) error { //nolint:errcheck // Best-effort
 		reachableFromMain[c.Hash] = true
 		return nil
 	})

cmd/entire/cli/rewind.go

@@ -1098,7 +1098,7 @@ func countCommitsBetween(repo *git.Repository, ancestor, descendant plumbing.Has
 	count := 0
 	current := descendant
 
-	for count < 1000 { // Safety limit
+	for count < strategy.MaxCommitTraversalDepth { // Safety limit
 		if current == ancestor {
 			return count, nil
 		}

cmd/entire/cli/strategy/common.go

@@ -33,6 +33,10 @@ const (
 	StrategyNameManualCommit = "manual-commit"
 )
 
+// MaxCommitTraversalDepth is the safety limit for walking git commit history.
+// Prevents unbounded traversal in repositories with very long histories.
+const MaxCommitTraversalDepth = 1000
+
 // errStop is a sentinel error used to break out of git log iteration.
 // Shared across strategies that iterate through git commits.
 // NOTE: A similar sentinel exists in checkpoint/temporary.go - this is intentional.
@@ -74,7 +78,7 @@ func EnsureSetup() error {
 
 // IsAncestorOf checks if commit is an ancestor of (or equal to) target.
 // Returns true if target can reach commit by following parent links.
-// Limits search to 1000 commits to avoid excessive traversal.
+// Limits search to MaxCommitTraversalDepth commits to avoid excessive traversal.
 func IsAncestorOf(repo *git.Repository, commit, target plumbing.Hash) bool {
 	if commit == target {
 		return true
@@ -90,7 +94,7 @@ func IsAncestorOf(repo *git.Repository, commit, target plumbing.Hash) bool {
 	count := 0
 	_ = iter.ForEach(func(c *object.Commit) error { //nolint:errcheck // Best-effort search, errors are non-fatal
 		count++
-		if count > 1000 {
+		if count > MaxCommitTraversalDepth {
 			return errStop
 		}
 		if c.Hash == commit {

cmd/entire/cli/strategy/manual_commit_condensation.go

@@ -746,7 +746,8 @@ func generateContextFromPrompts(prompts []string) []byte {
 	for i, prompt := range prompts {
 		// Truncate very long prompts for readability.
 		// Use rune-based truncation to avoid splitting multi-byte UTF-8 characters (e.g. CJK).
-		displayPrompt := stringutil.TruncateRunes(prompt, 500, "...")
+		const maxDisplayPromptRunes = 500
+		displayPrompt := stringutil.TruncateRunes(prompt, maxDisplayPromptRunes, "...")
 		fmt.Fprintf(&buf, "### Prompt %d\n\n", i+1)
 		buf.WriteString(displayPrompt)
 		buf.WriteString("\n\n")

redact/redact.go

@@ -24,6 +24,9 @@ var secretPattern = regexp.MustCompile(`[A-Za-z0-9+_=-]{10,}`)
 // and tokens which tend to have entropy well above 5.0.
 const entropyThreshold = 4.5
 
+// RedactedPlaceholder is the replacement text used for redacted secrets.
+const RedactedPlaceholder = "REDACTED"
+
 var (
 	gitleaksDetector     *detect.Detector
 	gitleaksDetectorOnce sync.Once
@@ -118,7 +121,7 @@ func String(s string) string {
 	prev := 0
 	for _, r := range merged {
 		b.WriteString(s[prev:r.start])
-		b.WriteString("REDACTED")
+		b.WriteString(RedactedPlaceholder)
 		prev = r.end
 	}
 	b.WriteString(s[prev:])