fix(gitea-bot): add write:organization scope so bot can create repos

Without this the bot PAT 403s on POST /orgs/{org}/repos, which is
the single most important operation — creating new project repos
inside the workspace's Gitea org.

Made-with: Cursor

lib/gitea.ts

@@ -199,7 +199,17 @@ export async function createAccessTokenFor(opts: {
   name: string;
   scopes?: string[];
 }): Promise<{ id: number; name: string; sha1: string; token_last_eight: string }> {
-  const { username, password, name, scopes = ['write:repository', 'write:issue', 'write:user'] } = opts;
+  const {
+    username,
+    password,
+    name,
+    scopes = [
+      'write:repository',
+      'write:issue',
+      'write:user',
+      'write:organization',
+    ],
+  } = opts;
   const basic = Buffer.from(`${username}:${password}`).toString('base64');
   const url = `${GITEA_API_URL}/api/v1/users/${username}/tokens`;
   const res = await fetch(url, {

lib/workspaces.ts

@@ -297,7 +297,12 @@ export async function ensureWorkspaceProvisioned(workspace: VibnWorkspace): Prom
           username: botUsername,
           password,
           name: `vibn-${workspace.slug}-${Date.now().toString(36)}`,
-          scopes: ['write:repository', 'write:issue', 'write:user'],
+          scopes: [
+            'write:repository',
+            'write:issue',
+            'write:user',
+            'write:organization',
+          ],
         });
         botTokenEncrypted = encryptSecret(pat.sha1);
       }