diff --git a/hive-c0re/src/forge.rs b/hive-c0re/src/forge.rs
index e9b7db8..3014dce 100644
--- a/hive-c0re/src/forge.rs
+++ b/hive-c0re/src/forge.rs
@@ -19,11 +19,20 @@ use crate::coordinator::Coordinator;
 const FORGE_CONTAINER: &str = "hive-forge";
 const TOKEN_NAME_PREFIX: &str = "hyperhive";
 
-/// Forgejo scopes the agent's token gets. `write:repository` covers
-/// clone/push/repo-create on the user's own repos; `write:issue` is
-/// what PRs and comments ride under; `read:user` is mandatory for
-/// the token-owner endpoint clients use to introspect.
-const TOKEN_SCOPES: &str = "read:user,write:repository,write:issue";
+/// Forgejo scopes the agent's token gets. Broad-but-not-admin: every
+/// repo / PR / issue thing an agent needs day-to-day, no admin
+/// surface.
+/// - `write:repository` — create, clone, push, delete repos in the
+/// user's own namespace; merge PRs.
+/// - `write:issue` — open / comment / review issues *and* pull
+/// requests (forgejo namespaces PR conversation under issues).
+/// - `write:user` — edit own profile, create repos under own user.
+/// - `write:organization` — create + manage orgs (lets agents share
+/// a forge namespace).
+/// - `read:user` — token-owner endpoint clients call to introspect.
+/// - `write:misc` — hooks, attachments, the rest of the long tail.
+const TOKEN_SCOPES: &str =
+ "read:user,write:user,write:repository,write:issue,write:organization,write:misc";
 
 /// Token file inside the agent's bind-mounted state dir (visible as
 /// `/state/forge-token` from inside the container).
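Review bot: The `write:user` bullet justifies the new scope with "create repos under own user", which the `write:repository` bullet above already covers, so either the stated rationale is wrong or the scope is redundant; since the token is written to a bind-mounted file that the container can read, every extra write scope widens what a leaked token can do and should be tied to a concrete need. In Gitea-derived forges `write:user` also reaches the token owner's key and e-mail endpoints, if I recall the scope map correctly, which is a larger surface than "edit own profile" suggests — worth checking against the Forgejo scope table before this lands. I'd have each added bullet name the code path that needs it, e.g. `/// - `write:organization` — used by <ORG_CREATE_CALLER_PLACEHOLDER> to create shared org namespaces.`, and either give `write:user` its real justification or drop it from `TOKEN_SCOPES`. The same applies to `write:misc`, whose "the rest of the long tail" wording does not say what the agent actually calls.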