feat: add comprehensive user permission controls for Claude workflows

- Add multi-level permission checking for issue implementation workflow
- Support multiple permission strategies: privileged users, admins only, combined, org-based
- Add permission validation with detailed error messages
- Restrict code review workflow to privileged users and repository members
- Create permission configuration file (.github/claude-config.json)
- Add comprehensive permission documentation

Permission strategies available:
- Privileged users only (most restrictive)
- Repository admins only
- Admins OR privileged users (default)
- Organization members with write access
- Everyone with write access (least restrictive)

Current configuration:
- Issue implementation: admins OR privileged users (bastiaan, xtr-dev-team)
- Code reviews: privileged users and repository members only

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

.github/CLAUDE_PERMISSIONS.md

@@ -0,0 +1,212 @@
+# Claude Workflow Permissions
+
+This document explains how to configure user permissions for Claude automation workflows.
+
+## Current Configuration
+
+### Issue Implementation Workflow
+- **Strategy**: `adminOrPrivileged` - Repository admins OR privileged users
+- **Privileged Users**: `bastiaan`, `xtr-dev-team`
+- **Access Check**: Validates permissions before any Claude implementation
+
+### Code Review Workflow
+- **Strategy**: `privilegedUsers` - Only users in privileged list
+- **Applies to**: Pull request reviews
+- **Scope**: PRs created by privileged users only
+
+## Permission Strategies
+
+### 1. Privileged Users Only
+```javascript
+const isAllowed = privilegedUsers.includes(username);
+```
+- Most restrictive
+- Only specific users can use Claude
+- Best for sensitive repositories
+
+### 2. Admins Only
+```javascript
+const isAllowed = collaborator.permission === 'admin';
+```
+- Repository administrators only
+- Automatic based on GitHub permissions
+- Good for small teams
+
+### 3. Admin OR Privileged (Current)
+```javascript
+const isAllowed = hasAdminAccess || isPrivilegedUser;
+```
+- Repository admins OR users in privileged list
+- Flexible access control
+- **Currently active strategy**
+
+### 4. Organization Members with Write Access
+```javascript
+const isAllowed = isOrgMember && hasWriteAccess;
+```
+- Organization members with write/admin permissions
+- Good for larger organizations
+
+### 5. Everyone with Access
+```javascript
+const isAllowed = hasWriteAccess;
+```
+- Any collaborator with write access
+- Least restrictive option
+
+## How to Change Permissions
+
+### Option A: Edit Privileged Users List
+1. Open `.github/workflows/claude-implement-issue.yml`
+2. Find the `privilegedUsers` array (line ~32)
+3. Add or remove usernames:
+```javascript
+const privilegedUsers = [
+  'bastiaan',
+  'xtr-dev-team',
+  'new-user',        // Add new users here
+  'another-user'
+];
+```
+
+### Option B: Change Permission Strategy
+1. Open `.github/workflows/claude-implement-issue.yml`
+2. Find line ~77: `const isAllowed = allowedByAdminOrPrivileged;`
+3. Replace with your preferred strategy:
+```javascript
+// Only privileged users
+const isAllowed = allowedByUserList;
+
+// Only admins
+const isAllowed = allowedByAdminAccess;
+
+// Admin + privileged users (current)
+const isAllowed = allowedByAdminOrPrivileged;
+
+// Organization members with write access
+const isAllowed = allowedByOrgAndWrite;
+```
+
+### Option C: Custom Logic
+Add your own permission logic:
+```javascript
+// Example: Allow specific teams
+const allowedTeams = ['core-team', 'senior-devs'];
+const userTeams = await github.rest.teams.listForUser({
+  org: context.repo.owner,
+  username: username
+});
+const isInAllowedTeam = userTeams.data.some(team =>
+  allowedTeams.includes(team.slug)
+);
+
+const isAllowed = hasAdminAccess || isInAllowedTeam;
+```
+
+## Code Review Permissions
+
+The code review workflow uses a simpler approach with GitHub's built-in author associations:
+
+```yaml
+if: |
+  contains(fromJSON('["bastiaan", "xtr-dev-team"]'), github.event.pull_request.user.login) ||
+  github.event.pull_request.author_association == 'OWNER' ||
+  github.event.pull_request.author_association == 'MEMBER'
+```
+
+### Author Associations:
+- `OWNER` - Repository owner
+- `MEMBER` - Organization member
+- `COLLABORATOR` - Repository collaborator
+- `CONTRIBUTOR` - Has contributed to the repository
+- `FIRST_TIME_CONTRIBUTOR` - First-time contributor
+- `NONE` - No association
+
+## Testing Permissions
+
+### Test Access for a User
+1. Create a test issue
+2. Have the user comment `@claude implement`
+3. Check the workflow logs for permission results
+
+### Debug Permission Issues
+1. Go to **Actions** tab
+2. Click on the failed workflow run
+3. Expand "Check user permissions" step
+4. Review the permission details in logs
+
+## Error Messages
+
+### Access Denied
+```
+❌ Access Denied: Claude implementation is restricted to privileged users only.
+
+Your access level: write
+Privileged user: No
+Organization member: Yes
+
+Contact a repository administrator for access.
+```
+
+### Permission Details
+The error message shows:
+- Current repository permission level
+- Whether user is in privileged list
+- Organization membership status
+
+## Security Considerations
+
+### Best Practices
+1. **Start Restrictive**: Begin with privileged users only
+2. **Regular Audits**: Review privileged user list regularly
+3. **Monitor Usage**: Check workflow logs for unexpected access attempts
+4. **Team-based Access**: Consider using GitHub teams for larger organizations
+
+### Risks
+- **Over-permissive**: Too many users can increase costs and misuse
+- **Under-permissive**: Blocks legitimate development work
+- **Stale Permissions**: Former team members with lingering access
+
+## Configuration Examples
+
+### Small Team (2-5 developers)
+```javascript
+const privilegedUsers = ['owner', 'lead-dev'];
+const isAllowed = allowedByAdminOrPrivileged;
+```
+
+### Medium Team (5-15 developers)
+```javascript
+const privilegedUsers = ['owner', 'lead-dev', 'senior-dev1', 'senior-dev2'];
+const isAllowed = allowedByAdminOrPrivileged;
+```
+
+### Large Organization
+```javascript
+// Use organization membership + write access
+const isAllowed = allowedByOrgAndWrite;
+```
+
+### Open Source Project
+```javascript
+// Only maintainers
+const privilegedUsers = ['maintainer1', 'maintainer2'];
+const isAllowed = allowedByUserList;
+```
+
+## Troubleshooting
+
+### Common Issues
+1. **User not in list**: Add username to `privilegedUsers` array
+2. **Wrong permission level**: User needs write access minimum
+3. **Organization issues**: Verify org membership if using org-based permissions
+4. **Case sensitivity**: Usernames are case-sensitive
+
+### Quick Fixes
+- **Add user**: Edit workflow file, add to privileged users
+- **Temporary access**: Change strategy to `allowedByAdminAccess` temporarily
+- **Emergency access**: Repository admins always have access with `adminOrPrivileged` strategy
+
+---
+
+**Note**: Changes to workflow files require a commit to take effect. Test permissions after any modifications.