forge: broaden token scopes for repo create / PRs / orgs / misc

bumped from (read:user,write:repository,write:issue) to also include
write:user (own profile + create repos under own namespace),
write:organization (share namespaces between agents), write:misc
(hooks/attachments). still excludes admin and package scopes.

hive-c0re/src/forge.rs

@@ -19,11 +19,20 @@ use crate::coordinator::Coordinator;
 
 const FORGE_CONTAINER: &str = "hive-forge";
 const TOKEN_NAME_PREFIX: &str = "hyperhive";
-/// Forgejo scopes the agent's token gets. `write:repository` covers
+/// Forgejo scopes the agent's token gets. Broad-but-not-admin: every
-/// clone/push/repo-create on the user's own repos; `write:issue` is
+/// repo / PR / issue thing an agent needs day-to-day, no admin
-/// what PRs and comments ride under; `read:user` is mandatory for
+/// surface.
-/// the token-owner endpoint clients use to introspect.
+/// - `write:repository` — create, clone, push, delete repos in the
-const TOKEN_SCOPES: &str = "read:user,write:repository,write:issue";
+///   user's own namespace; merge PRs.
+/// - `write:issue` — open / comment / review issues *and* pull
+///   requests (forgejo namespaces PR conversation under issues).
+/// - `write:user` — edit own profile, create repos under own user.
+/// - `write:organization` — create + manage orgs (lets agents share
+///   a forge namespace).
+/// - `read:user` — token-owner endpoint clients call to introspect.
+/// - `write:misc` — hooks, attachments, the rest of the long tail.
+const TOKEN_SCOPES: &str =
+    "read:user,write:user,write:repository,write:issue,write:organization,write:misc";
 
 /// Token file inside the agent's bind-mounted state dir (visible as
 /// `/state/forge-token` from inside the container).