diff --git a/.gitea/scripts/main-red-watchdog.py b/.gitea/scripts/main-red-watchdog.py
index a8467456..e313b20c 100755
--- a/.gitea/scripts/main-red-watchdog.py
+++ b/.gitea/scripts/main-red-watchdog.py
@@ -581,7 +581,14 @@ def run_once(*, dry_run: bool = False) -> int:
# from earlier SHAs only when we're actually green; pending
# means CI hasn't finished and the prior issue might still be
# accurate.
- if status.get("state") == "success":
+ if status.get("state") in ("success", "pending"):
+ # Close stale main-red issues when main has no failures.
+ # `pending` is included because Gitea combined-state can stay
+ # `pending` even when all observable individual statuses are
+ # successful (some jobs still running). The `is_red()` check
+ # already confirmed 0 failures — closing on `pending` prevents
+ # stale issues from persisting across cron ticks while
+ # long-running jobs finish.
closed = close_open_red_issues_for_other_shas(sha, dry_run=dry_run)
if closed:
emit_loki_event(
@@ -589,10 +596,10 @@ def run_once(*, dry_run: bool = False) -> int:
[],
)
print(f"::notice::main is GREEN at {sha[:10]} on {WATCH_BRANCH} "
- f"(closed {closed} stale issue(s))")
+ f"(closed {closed} stale issue(s), combined={status.get('state')})")
else:
- print(f"::notice::main is PENDING at {sha[:10]} on {WATCH_BRANCH} "
- f"(combined state={status.get('state')!r}; no action)")
+ print(f"::notice::main is RED/ERROR at {sha[:10]} on {WATCH_BRANCH} "
+ f"(combined state={status.get('state')!r})")
return 0
diff --git a/.gitea/workflows/review-refire-comments.yml b/.gitea/workflows/review-refire-comments.yml
index eb1c6b69..0da5b762 100644
--- a/.gitea/workflows/review-refire-comments.yml
+++ b/.gitea/workflows/review-refire-comments.yml
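Review bot: The unchanged context comment at the top of the hunk (`# from earlier SHAs only when we're actually green; pending` / `# means CI hasn't finished and the prior issue might still be` / `# accurate.`) now states the opposite of the new condition, which closes stale issues on `pending` as well. The long comment added inside the branch gives the rationale, but a reader skimming the leading comment will take away the old policy; rewrite it along the lines of `# from earlier SHAs when main has no failures (success, or pending with zero failed statuses); the is_red() check above already rejected the red case.` The `is_red()` pre-check the new comment relies on is outside the hunk, so I cannot confirm from here that a `pending` combined state whose failing job has not reported yet can never reach this branch; if it can, the watchdog must re-create an issue for this SHA on a later tick once the failure lands, which is worth checking against the earlier part of run_once. run_once starts and ends outside the hunk.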
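Review bot: The `else:` branch now prints `RED/ERROR` for every combined state other than `success`/`pending` — including a missing `state` key (`None`) or any other value the API returns — and it still returns 0 without acting, while the old message's `; no action` that made the no-op explicit was dropped. Given that the hunk's own comment says `is_red()` already handled real failures before this point, labelling this fall-through as RED/ERROR is likely to mislead whoever reads the job log; printing the actual value is safer: `print(f"::notice::main is {status.get('state')!r} at {sha[:10]} on {WATCH_BRANCH} "` / `f"(not success/pending; no action)")`. The GREEN notice in the same hunk interpolates `{status.get('state')}` without `!r` while the else uses `!r`; pick one form so the two log lines format the state the same way. The enclosing run_once continues outside the hunk.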
@@ -70,7 +70,10 @@ jobs:
- name: Refire qa-review status
if: steps.classify.outputs.run_qa == 'true'
env:
- GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+ # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+ # review-refire-status.sh POSTs to /statuses — requires write scope.
+ # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.issue.number }}
@@ -87,7 +90,10 @@ jobs:
- name: Refire security-review status
if: steps.classify.outputs.run_security == 'true'
env:
- GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
+ # RFC_324_TEAM_READ_TOKEN is read-only (team membership read scope only).
+ # review-refire-status.sh POSTs to /statuses — requires write scope.
+ # SOP_TIER_CHECK_TOKEN carries write:repository + write:issue + read:organization.
+ GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.issue.number }}
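Review bot: Both refire steps (the hunks at lines 70 and 87) replace a read-only secret with `SOP_TIER_CHECK_TOKEN`, which the new comment itself describes as carrying `write:repository + write:issue + read:organization`, although the step only needs to POST commit statuses; `write:issue` and `read:organization` are not needed here, so a token scoped to status writes alone would keep this issue-comment-triggered job to the least privilege it requires. Whether `steps.classify` restricts which commenters may trigger the refire is outside the hunk — if it does not, any commenter on the PR can invoke a step that acts with a write-scoped token, so that gate is worth confirming before merging. The `|| secrets.GITHUB_TOKEN` fallback silently substitutes a token whose scope the comment does not state, so a missing secret would reproduce the same write failure this change fixes; consider dropping the fallback or adding an early step that fails when `SOP_TIER_CHECK_TOKEN` is empty. The three-line comment is duplicated verbatim in both hunks; one comment at the job level, or the shorter `# needs commit-status write scope; RFC_324_TEAM_READ_TOKEN is read-only`, avoids the two copies drifting apart.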