Fix PR gate trusting author_association for org membership

author_association comes back as CONTRIBUTOR or NONE for team-based
contributors (e.g. members of the Contributor team), so the gate was
auto-closing PRs from people who clearly have write access.

Replace the author_association check with a live permission lookup via
repos.getCollaboratorPermissionLevel, which resolves direct, team, and
org access in one call. PRs from anyone with write/maintain/admin now
bypass the gate.

scripts/pr-gate/github.ts

@@ -18,7 +18,6 @@ export async function getPR(
     number: data.number,
     body: data.body ?? null,
     user: { login: data.user?.login ?? "" },
-    author_association: data.author_association,
     labels: (data.labels ?? [])
       .map((l) => l.name ?? "")
       .filter((name) => name.length > 0),
@@ -37,6 +36,22 @@ export async function getPRFiles(
   return files.map((f) => ({ additions: f.additions, deletions: f.deletions }));
 }
 
+export async function getRepoPermission(
+  octokit: Octokit,
+  username: string,
+): Promise<string> {
+  try {
+    const { data } = await octokit.rest.repos.getCollaboratorPermissionLevel({
+      ...REPO,
+      username,
+    });
+    return data.permission;
+  } catch (err) {
+    if (isStatus(err, 404)) return "none";
+    throw err;
+  }
+}
+
 export async function getIssue(
   octokit: Octokit,
   issueNumber: number,