Source review prompt from base_sha (not PR head)

The prompt defines HOW the reviewer reviews. Sourcing it from the PR
head allowed a PR to silently change its own review rules. Read it
from base_sha via `git show` instead; the prefetch step has already
fetched that commit's tree.

Scope-limited intentionally: docs/methodology/REGISTRY.md and TODO.md
remain sourced from the PR head. The prompt itself instructs the
reviewer to recognize PR-added Note/Deviation labels in REGISTRY.md
and new entries in TODO.md as mitigations (`.github/codex/prompts/
pr_review.md:4,9,62,97`), so those files must reflect the PR's
edits to behave correctly. Only the review-rules file is moved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: igerber

.github/workflows/ai_pr_review.yml

@@ -153,7 +153,14 @@ jobs:
           set -euo pipefail
           PROMPT=.github/codex/prompts/pr_review_compiled.md
 
-          cat .github/codex/prompts/pr_review.md > "$PROMPT"
+          # Source the review prompt from base_sha rather than the PR head.
+          # The prompt defines HOW the reviewer reviews; sourcing it from
+          # base prevents a PR from modifying its own review rules. (Note:
+          # docs/methodology/REGISTRY.md and TODO.md remain from the PR
+          # head intentionally - the prompt instructs the reviewer to
+          # recognize PR-added Note/Deviation labels and tracked TODOs as
+          # mitigations, so those must reflect the PR's edits.)
+          git show "${BASE_SHA}":.github/codex/prompts/pr_review.md > "$PROMPT"
 
           # Sanitize untrusted text so hostile content can't close the
           # wrapper tags and inject instructions to the reviewer.