fix(feeds): address Greptile P1 + P2 on validate-rss-feeds.mjs

P1: FAIL message claimed "4 allowlist mirrors" but the codebase enforces 5
(scripts/shared/rss-allowed-domains.json was missing from the list).
A developer following the message would skip that mirror and hit a
puzzling secondary failure from the `test:data` scripts/shared parity
check. Listed all 5 mirrors.

P2: The isConfigDrift predicate was prefix-matching against literal
copies of the error message strings thrown by assertCiAllowed and
fetchFeed. A future reword at either throwing site (e.g. dropping the
"(--ci)" annotation, rewording the redirect error) would silently
reclassify config drift as third-party rot, demoting a hard fail to a
soft warning. Centralised the sentinel strings as a frozen
CONFIG_DRIFT_REASONS object that both the throwing sites and the
classifier consume — rename a reason and BOTH consumers move in
lockstep. INVALID_URL is also now properly classified as config drift
(was previously falling through to soft-fail despite being an actor-
fixable bug in feeds.ts).

Tested:
  - End-to-end run: 512 OK / 9 stale / 7 dead / 13 empty, EXIT=0
  - Classifier unit test: all 8 representative cases correct
    (4 config-drift reasons → true, 4 third-party reasons → false)

Author: koala73

scripts/validate-rss-feeds.mjs

@@ -14,6 +14,18 @@ const FETCH_TIMEOUT = 15_000;
 const CONCURRENCY = 10;
 const STALE_DAYS = 30;
 
+// Sentinel error-message prefixes for the SSRF/config guardrails. Centralised so
+// the throwing sites (assertCiAllowed, fetchFeed) and the isConfigDrift
+// classifier can never drift apart — rename a reason, BOTH consumers update in
+// lockstep. Without this, an innocuous reword (e.g. dropping `(--ci)`) would
+// silently reclassify hard failures as soft warnings.
+const CONFIG_DRIFT_REASONS = Object.freeze({
+  INVALID_URL: 'Invalid URL',
+  NON_HTTPS: 'Non-https scheme rejected in --ci mode:',
+  HOST_NOT_ALLOWED: 'Host not in allowlist (--ci):',
+  TOO_MANY_REDIRECTS: 'Too many redirects',
+});
+
 // --ci flag hardens the validator for trusted-context CI runs (push-to-main
 // + schedule workflow). NOT enabled in PR CI — PR CI never runs this script
 // because PR contributors can rewrite feeds.ts to make GitHub runners hit
@@ -95,13 +107,13 @@ function assertCiAllowed(rawUrl) {
   try {
     parsed = new URL(rawUrl);
   } catch {
-    throw new Error('Invalid URL');
+    throw new Error(CONFIG_DRIFT_REASONS.INVALID_URL);
   }
   if (parsed.protocol !== 'https:') {
-    throw new Error(`Non-https scheme rejected in --ci mode: ${parsed.protocol}`);
+    throw new Error(`${CONFIG_DRIFT_REASONS.NON_HTTPS} ${parsed.protocol}`);
   }
   if (!isAllowedDomain(parsed.hostname)) {
-    throw new Error(`Host not in allowlist (--ci): ${parsed.hostname}`);
+    throw new Error(`${CONFIG_DRIFT_REASONS.HOST_NOT_ALLOWED} ${parsed.hostname}`);
   }
   return parsed;
 }
@@ -144,7 +156,7 @@ async function fetchFeed(url) {
       // the headers handshake is what we wanted bounded per hop.
       return await resp.text();
     }
-    throw new Error('Too many redirects');
+    throw new Error(CONFIG_DRIFT_REASONS.TOO_MANY_REDIRECTS);
   }
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT);
@@ -300,26 +312,26 @@ async function main() {
 
   // Exit policy:
   //   HARD-FAIL on config/SSRF-guard drift — these are bugs the maintainer can fix.
-  //     ("Host not in allowlist", "Non-https scheme rejected", "Too many redirects")
+  //     Reasons enumerated in CONFIG_DRIFT_REASONS (top of file). Both the throwing
+  //     sites and this classifier consume the same constants so a future reword
+  //     can't silently demote a hard fail to a warning.
   //   SOFT-FAIL (exit 0 with warning) on third-party state — third-party 4xx/timeouts,
   //     STALE feeds, EMPTY feeds. These rot naturally; failing the build on them
   //     produces 100% CI noise and the prior workflow proved no one acts on it.
   //   Promoting third-party failures to hard-fail requires a registry-cleanup PR
   //   first; revisit once the long tail is groomed.
   const isConfigDrift = (r) =>
-    typeof r.detail === 'string' && (
-      r.detail.startsWith('Host not in allowlist') ||
-      r.detail.startsWith('Non-https scheme rejected') ||
-      r.detail === 'Too many redirects'
-    );
+    typeof r.detail === 'string' &&
+    Object.values(CONFIG_DRIFT_REASONS).some(prefix => r.detail.startsWith(prefix));
   const configDrift = dead.filter(isConfigDrift);
   const thirdPartyDead = dead.filter(r => !isConfigDrift(r));
 
   if (configDrift.length) {
     console.error(
       `\nFAIL: ${configDrift.length} feed(s) violate the CI guardrails ` +
-      `(allowlist drift or plaintext URL). Fix src/config/feeds.ts and/or the 4 ` +
+      `(allowlist drift or plaintext URL). Fix src/config/feeds.ts and/or the 5 ` +
       `allowlist mirrors (shared/rss-allowed-domains.json, .cjs, ` +
+      `scripts/shared/rss-allowed-domains.json, ` +
       `api/_rss-allowed-domains.js, vite.config.ts:RSS_PROXY_ALLOWED_DOMAINS).`
     );
     process.exit(1);