
fix(security): remediate SonarQube vulnerabilities in discussions.go#89

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1771340683-fix-sonarqube-string-duplication-complexity

Conversation


@devin-ai-integration devin-ai-integration bot commented Feb 17, 2026

Closes: N/A — Addresses 6 SonarQube CRITICAL findings in pkg/github/discussions.go.

Summary

Remediates 6 SonarQube issues (4× S1192 duplicated string literals, 2× S3776 cognitive complexity) without changing any external behavior. All existing tests pass unmodified.

S1192 — Duplicated string literals → package-level constants

Constant          Literal                                   Occurrences
descRepoOwner     "Repository owner"                        4
descRepoName      "Repository name"                         4
errGQLClientFmt   "failed to get GitHub GQL client: %v"     4
categoryFmt       "category:%s"                             3

S3776 — Cognitive complexity → extracted helpers

ListDiscussions (27 → 15): The two nearly-identical inline GraphQL query branches and their node-mapping loops were extracted into:

  • discussionNode — shared struct type for GraphQL response nodes
  • mapDiscussionNodesToIssues() — converts nodes to []*github.Issue
  • queryDiscussionsWithCategory() / queryDiscussionsAll() — execute the filtered/unfiltered query respectively

ListDiscussionCategories (22 → 12): The four pagination-validation if-blocks were extracted into validatePaginationParams().

Tradeoffs

  • Introduced a named discussionNode type that replaces the anonymous structs previously inlined in each GraphQL query. The githubv4 library uses reflection on struct field names and tags to build the query string, so named vs anonymous should produce identical queries — confirmed by all mock-based tests passing.
  • validatePaginationParams returns a plain error instead of directly constructing mcp.NewToolResultError. The caller wraps it via .Error(), which is functionally equivalent since the original messages had no format verbs.

Human review checklist

  • Verify that using the named discussionNode type in GraphQL query structs (instead of anonymous structs) does not change the generated GraphQL query shape. Tests pass, but worth a sanity check.
  • Confirm the validatePaginationParams error messages match the originals exactly (they do — same string literals, just moved into fmt.Errorf).
  • The categoryID intermediate variable and nil-check were collapsed into category != "". Confirm this is logically equivalent (it is, since categoryID was only set when category != "").

Link to Devin run: https://app.devin.ai/sessions/e78b576d8aad41b5b653f2e1a1af06ef
Requested by: @iancmoritz
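The first checklist item above asks whether a named node type and the anonymous struct it replaced produce the same GraphQL selection. Below is an added example for checking that without the project's mocks; it is not code from this PR and not githubv4's own query builder. It reflects over struct field names and `graphql` tags, which is the same input githubv4 works from, and renders a selection set for three assumed query shapes: one using a named node type, one inlining the equivalent anonymous struct, and one where the shared node type has drifted by gaining a field. The field names, tags and arguments in the structs are assumptions for illustration, not the types in pkg/github/discussions.go.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// discussionNode stands in for the named node type the PR introduces.
// Its fields and tags are assumptions for this example, not the project's
// actual definition.
type discussionNode struct {
	Number   int
	Title    string
	URL      string `graphql:"url"`
	Category struct {
		Name string
	}
}

// queryNamed uses the shared named type; queryAnonymous inlines the
// equivalent anonymous struct, as the code did before the refactor.
// The arguments in the tags are placeholders for this example.
type queryNamed struct {
	Repository struct {
		Discussions struct {
			Nodes []discussionNode
		} `graphql:"discussions(first: $first)"`
	} `graphql:"repository(owner: $owner, name: $name)"`
}

type queryAnonymous struct {
	Repository struct {
		Discussions struct {
			Nodes []struct {
				Number   int
				Title    string
				URL      string `graphql:"url"`
				Category struct {
					Name string
				}
			}
		} `graphql:"discussions(first: $first)"`
	} `graphql:"repository(owner: $owner, name: $name)"`
}

// queryDrifted is the failure mode to watch for when one node type is shared
// by several queries: the shared type grows a field (Body) that one of the
// original inline structs never selected, so that query now asks for more.
type queryDrifted struct {
	Repository struct {
		Discussions struct {
			Nodes []struct {
				Number   int
				Title    string
				Body     string
				URL      string `graphql:"url"`
				Category struct {
					Name string
				}
			}
		} `graphql:"discussions(first: $first)"`
	} `graphql:"repository(owner: $owner, name: $name)"`
}

// selectionSet renders a GraphQL selection set from a struct type using only
// what reflection exposes: field names and `graphql` struct tags. It is a
// small stand-in written for this example, not the library's query builder.
// The real builder derives lowerCamelCase names from Go field names; this one
// lowercases the first letter and relies on an explicit tag for anything else
// (hence the tag on URL).
func selectionSet(t reflect.Type) string {
	for t.Kind() == reflect.Ptr || t.Kind() == reflect.Slice {
		t = t.Elem() // []discussionNode selects exactly what discussionNode selects
	}
	if t.Kind() != reflect.Struct {
		return "" // scalar leaf: no nested selection
	}
	parts := make([]string, 0, t.NumField())
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		name := f.Tag.Get("graphql")
		if name == "" {
			name = strings.ToLower(f.Name[:1]) + f.Name[1:]
		}
		parts = append(parts, name+selectionSet(f.Type))
	}
	return "{" + strings.Join(parts, ",") + "}"
}

// QueryShape returns the selection set a query struct value would produce.
func QueryShape(q interface{}) string {
	return selectionSet(reflect.TypeOf(q))
}

// SameShape reports whether two query structs would send the same selection.
func SameShape(a, b interface{}) bool {
	return QueryShape(a) == QueryShape(b)
}

func main() {
	fmt.Println(QueryShape(queryNamed{}))
	fmt.Println("named == anonymous:", SameShape(queryNamed{}, queryAnonymous{}))
	fmt.Println("named == drifted:  ", SameShape(queryNamed{}, queryDrifted{}))
}
```

The equality holds because reflection sees a named struct type and an anonymous struct with the same fields and tags identically; only the field list matters. The drifted case is the caveat worth keeping in mind for this refactor: once both the filtered and unfiltered queries share discussionNode, any field added to it is requested by both queries, so the type should only carry fields both queries actually need.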



…ons.go

- S1192: Extract duplicated string literals into package-level constants
  (descRepoOwner, descRepoName, errGQLClientFmt, categoryFmt)
- S3776: Reduce cognitive complexity of ListDiscussions (27->15) by
  extracting queryDiscussionsWithCategory and queryDiscussionsAll helpers
- S3776: Reduce cognitive complexity of ListDiscussionCategories (22->12)
  by extracting validatePaginationParams helper
- Extract shared discussionNode type and mapDiscussionNodesToIssues helper

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@sonarqubecloud

Quality Gate failed

Failed conditions
12.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.
