fix: bump Go to 1.25.11 for stdlib vulns; stop advisory review blocking PRs (#11)

## What

Two CI-health fixes surfaced while merging #9 and #10:

### 1. `vuln` was genuinely red — bump Go 1.25.10 → 1.25.11

`govulncheck` found two **reachable** stdlib vulnerabilities, newly
reachable once #9 added the dashboard HTTP server
(`internal/web/server.go:75`):

| Vuln | Package | Fixed in |
|------|---------|----------|
| GO-2026-5039 | `net/textproto` | go1.25.11 |
| GO-2026-5037 | `crypto/x509` | go1.25.11 |

Bumping the `go` directive to `1.25.11` clears both.

### 2. `review` step → `continue-on-error`

The `review` job (advisory `reviewforge` AI review) has been failing on
an **expired `GEMINI_API_KEY`**. It isn't a required check, but a hard
failure leaves a red ✗ and pushes PRs into `UNSTABLE`/`BLOCKED` merge
state. Marking the step `continue-on-error` keeps it informational
without gating merges.

> Note: this only stops it *blocking*. `GEMINI_API_KEY` still needs
renewing for reviews to actually run again.

## Verified locally (go1.25.11 toolchain)

- `go test -short ./...` — pass
- `govulncheck ./...` — **0 vulnerabilities affecting the code** (was 2)

Lint/test are unaffected by a go-directive bump and a workflow YAML
change.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: machado144

.github/workflows/pr.yml

@@ -53,7 +53,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      # Advisory AI review — never block a PR on it (e.g. expired AI_API_KEY).
       - uses: AxeForging/reviewforge@main
+        continue-on-error: true
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AI_PROVIDER: gemini

go.mod

@@ -1,6 +1,6 @@
 module github.com/AxeForging/aigate
 
-go 1.25.10
+go 1.25.11
 
 require (
 	github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2