chore(security): tighten Claude workflow trust boundary and permissions

## Parent
Part of #1276

## Summary
Tighten Claude automation trigger trust boundaries and apply least-privilege permissions.

## Problem
Current trigger/permission scope is broad enough that external contributor interactions may invoke privileged automation paths.

## Acceptance Criteria
- [ ] Reassess and tighten event author-association allowlist for `claude.yml`.
- [ ] Reduce job permissions to minimum required (`contents`, `issues`, `pull-requests`, etc.).
- [ ] Add explicit guardrails for untrusted contexts (forks, contributor-triggered events).
- [ ] Document trigger policy and expected maintainer usage.
- [ ] Verify no regression for intended maintainer workflows.

## Notes
Target practical security hardening with minimal maintainer friction.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(security): tighten Claude workflow trust boundary and permissions #1280

Parent

Summary

Problem

Acceptance Criteria

Notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

chore(security): tighten Claude workflow trust boundary and permissions #1280

Description

Parent

Summary

Problem

Acceptance Criteria

Notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions