fix: bug: hire-an-agent does not add the new agent as collaborator on the project repo (#856)

hire-an-agent now adds the new Forgejo user as a `write` collaborator on
`$FORGE_REPO` right after the token step, mirroring the collaborator setup
lib/forge-setup.sh applies to the canonical bot users. Without this, a
freshly hired agent's PATCH to assign itself an issue returned 403 Forbidden
and the dev-agent polled forever logging "claim lost to <none>".

issue_claim() now captures the PATCH HTTP status via `-w '%{http_code}'`
instead of swallowing failures with `curl -sf ... || return 1`. A 403 (or
any non-2xx) now surfaces a distinct log line naming the code — the missing
collaborator root cause would have been diagnosable in seconds instead of
minutes.

Also updates the lib-issue-claim bats mock to handle the new `-w` flag and
adds a regression test covering the HTTP-error log surfacing path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/hire-agent.sh

@@ -229,6 +229,37 @@ disinto_hire_an_agent() {
     export "${pass_var}=${user_pass}"
   fi
 
+  # Step 1.6: Add the new agent as a write collaborator on the project repo (#856).
+  # Without this, PATCH /issues/{n} {assignees:[agent]} returns 403 Forbidden and
+  # the dev-agent polls forever logging "claim lost to <none> — skipping" (see
+  # issue_claim()'s post-PATCH verify).  Mirrors the collaborator setup applied
+  # to the canonical bot users in lib/forge-setup.sh.  Idempotent: Forgejo's PUT
+  # returns 204 whether the user is being added for the first time or already a
+  # collaborator at the same permission.
+  if [ -n "${FORGE_REPO:-}" ]; then
+    echo ""
+    echo "Step 1.6: Adding '${agent_name}' as write collaborator on '${FORGE_REPO}'..."
+    local collab_code
+    collab_code=$(curl -s -o /dev/null -w '%{http_code}' -X PUT \
+      -H "Authorization: token ${admin_token}" \
+      -H "Content-Type: application/json" \
+      "${forge_url}/api/v1/repos/${FORGE_REPO}/collaborators/${agent_name}" \
+      -d '{"permission":"write"}')
+    case "$collab_code" in
+      204|201|200)
+        echo "  ${agent_name} is a write collaborator on ${FORGE_REPO} (HTTP ${collab_code})"
+        ;;
+      *)
+        echo "  Warning: failed to add '${agent_name}' as collaborator on '${FORGE_REPO}' (HTTP ${collab_code})" >&2
+        echo "  The agent will not be able to claim issues until this is fixed." >&2
+        ;;
+    esac
+  else
+    echo ""
+    echo "Step 1.6: FORGE_REPO not set — skipping collaborator step" >&2
+    echo "  Warning: the agent will not be able to claim issues on the project repo" >&2
+  fi
+
   # Step 2: Create .profile repo on Forgejo
   echo ""
   echo "Step 2: Creating '${agent_name}/.profile' repo (if not exists)..."

lib/issue-lifecycle.sh

@@ -126,11 +126,21 @@ issue_claim() {
   # Assign to self BEFORE adding in-progress label (issue #471).
   # This ordering ensures the assignee is set by the time other pollers
   # see the in-progress label, reducing the stale-detection race window.
-  curl -sf -X PATCH \
+  #
+  # Capture the HTTP status instead of silently swallowing failures (#856).
+  # A 403 here means the bot user is not a write collaborator on the repo —
+  # previously the silent failure fell through to the post-PATCH verify which
+  # only reported "claim lost to <none>", hiding the real root cause.
+  local patch_code
+  patch_code=$(curl -s -o /dev/null -w '%{http_code}' -X PATCH \
     -H "Authorization: token ${FORGE_TOKEN}" \
     -H "Content-Type: application/json" \
     "${FORGE_API}/issues/${issue}" \
-    -d "{\"assignees\":[\"${me}\"]}" >/dev/null 2>&1 || return 1
+    -d "{\"assignees\":[\"${me}\"]}")
+  if [ "$patch_code" != "201" ] && [ "$patch_code" != "200" ]; then
+    _ilc_log "issue #${issue} PATCH assignee failed: HTTP ${patch_code} (403 = missing write collaborator permission on ${FORGE_REPO:-repo})"
+    return 1
+  fi
 
   # Verify the PATCH stuck.  Forgejo's assignees PATCH is last-write-wins, so
   # under concurrent claims from multiple dev agents two invocations can both