SOP_TIER_CHECK_TOKEN lacks read:organization scope, so
/teams/{id}/members/{user} returns 403 for all queries.
Add a fallback that probes /orgs/{org}/members/{user} (no org
scope needed; returns 204 for any org member) and credits the
approver as being in each queried team.
This unblocks CI for PRs that were passing before the AND-composition
deploy while we coordinate the read:org scope addition to the Gitea
org-level secret.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Root cause of internal#229 / core#229: bash case patterns like
\`*"managers"*\` have the outer quotes as LITERAL CHARACTERS in the
pattern, not delimiters. So \`managers"\` must appear literally after
\`*\`. The APPROVER_TEAMS value " managers " has no \`"\` after
\`managers\` → match fails even for valid team members.
Fix:
1. APPROVER_TEAMS values now space-surrounded: " managers " instead of
"managers" — ensures leading * in pattern always has chars to consume.
2. Case patterns updated to *${_t}* / *${_t2}* — no outer quotes, matches
team name anywhere in space-padded string.
3. Replaced shadowed loop var _t with _t2 in OR-gate loop for clarity.
Also fixes garbled error message: "teamsmanagers" → "teams managers" because
_clause_names now correctly accumulates team names (pattern no longer
stealing chars from the _clause_names string via the space consumption).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
