flow-next-opencode-plan-review

SUSPICIOUS. The workflow is broadly consistent with plan review, but it requires executing a repo-bundled `flowctl` binary and optionally driving external review CLIs/services with repo content. That unverifiable bundled executable creates a mandatory high supply-chain risk, even without clear evidence of credential theft or outright malicious behavior.