Add workflow permissions for security compliance

Co-authored-by: blackboxprogramming <118287761+blackboxprogramming@users.noreply.github.com>

.github/workflows/guardian-clone-vault.workflow.yml

@@ -14,6 +14,9 @@ on:
   schedule:
     - cron: '*/15 * * * *'  # Run every 15 minutes
 
+permissions:
+  contents: read
+
 env:
   AGENT_NAME: guardian-clone-vault
   AGENT_ROLE: sentinel

src/lucidia/generator.ts

@@ -152,6 +152,9 @@ on:
   schedule:
     - cron: '*/15 * * * *'  # Run every 15 minutes
 
+permissions:
+  contents: read
+
 env:
   AGENT_NAME: ${spawn}
   AGENT_ROLE: ${config.role}

tests/lucidia-generator.test.ts

@@ -62,6 +62,8 @@ describe("generateAgentWorkflow", () => {
     expect(workflow).toContain("AGENT_ROLE: sentinel");
     expect(workflow).toContain("workflow_dispatch:");
     expect(workflow).toContain("schedule:");
+    expect(workflow).toContain("permissions:");
+    expect(workflow).toContain("contents: read");
   });
 });