ci(claude): grant pull-requests/issues write so reviews are actually posted

Both Claude workflows had only read-level scopes, so the auto-review
job ran for ~3 minutes per PR and silently dropped its findings — the
post-buffered-inline-comments step reported "No buffered inline
comments" because GitHub denied the API write. Same with the on-demand
@claude responder.

  claude-code-review.yml: pull-requests read -> write
  claude.yml:             pull-requests read -> write
                          issues read -> write

Deliberately keeping `contents: read` everywhere — Claude advises,
doesn't commit. If we ever want @claude-driven code edits, we'd add
that scope explicitly to the on-demand workflow only.
okhsunrog 2026-04-27 02:29:12 +03:00
parent f9e0ae7aca
commit e977af0064
2 changed files with 9 additions and 3 deletions


@ -19,9 +19,12 @@ jobs:
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
runs-on: ubuntu-latest
# `pull-requests: write` lets Claude post the review summary and
# inline comments — read-only was a no-op for us. No `contents:
# write`: Claude advises, doesn't commit.
permissions:
contents: read
pull-requests: read
pull-requests: write
issues: read
id-token: write
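Review bot: the new `pull-requests: write` sits next to `id-token: write` in the job-level `permissions:` block, but the `on:` trigger is outside this hunk, so whether the scope takes effect for fork PRs cannot be confirmed here. The commented-out `FIRST_TIME_CONTRIBUTOR` filter just above suggests external contributors are in scope. On a plain `pull_request` trigger GitHub keeps the token read-only for fork PRs regardless of this block, so the review would still be dropped silently for them. On `pull_request_target` the write token would run alongside untrusted PR content. Please state the trigger in the comment above `permissions:` and say which of the two cases applies.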


@ -18,10 +18,13 @@ jobs:
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
# `pull-requests: write` + `issues: write` so Claude can actually
# answer @claude mentions with a comment instead of just thinking
# silently. No `contents: write`: Claude advises, doesn't commit.
permissions:
contents: read
pull-requests: read
issues: read
pull-requests: write
issues: write
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
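Review bot: the visible `if:` clauses fire on any `@claude` in a review body, issue body or issue title, and nothing in them restricts who wrote that text, while the job token now carries `pull-requests: write` and `issues: write`. Before this change an untrusted mention produced nothing; after it, text from anyone who can open an issue steers a job that can post and edit comments. Unless the action already checks the actor's access, consider adding an `author_association` condition (OWNER, MEMBER, COLLABORATOR) to each clause, in the style of the `github.event.pull_request.author_association` line in the review workflow. Minor style point: the explanation for `actions: read` is a trailing comment while the new scopes are documented in a block comment above `permissions:`; one convention would read better.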