test: verify permission check uses assigner, not issue author #92

Closed
xmtp-coder-agent wants to merge 1 commit into xmtplabs:main from xmtp-coder-agent:fix/issue-91

@xmtp-coder-agent (Collaborator) commented Apr 9, 2026

Resolves #91

Summary

The permission check for task creation already correctly uses the sender (the person who assigned the bot) rather than the issue author. This PR adds explicit test coverage for that behavior across three test files:

  • create-task.test.ts: Verifies checkActorPermission is called with senderLogin (the assigner), and that tasks are created successfully when the assigner has write access regardless of who authored the issue.
  • webhook-router.test.ts: Verifies the router extracts senderLogin/senderId from payload.sender, not payload.issue.user, when the two differ.
  • handler-dispatcher.test.ts: Verifies Coder user resolution uses the sender's GitHub ID, not the issue author's.

Test plan

  • All 195 tests pass
  • bun run check (typecheck + lint + format + tests) passes
  • New tests explicitly cover the scenario where an external user creates an issue and a maintainer assigns the bot

🤖 Generated with Claude Code

Note

Add tests to verify permission checks use the assigner's identity, not the issue author

  • Adds a test in handler-dispatcher.test.ts asserting getCoderUserByGitHubId is called with senderId (the assigner) when dispatching create_task.
  • Adds tests in create-task.test.ts asserting checkActorPermission uses senderLogin and that task creation proceeds based on assigner write access regardless of issue author.
  • Adds a test in webhook-router.test.ts asserting senderLogin and senderId are derived from the webhook sender, not issue.user, for issues.assigned events.

Macroscope summarized c2e4e57.

Add explicit tests verifying that the write-access permission check
for task creation uses the sender (the person who assigned the bot),
not the issue author. This ensures issues created by external users
without write access still work when a maintainer assigns the bot.

Resolves xmtplabs#91

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@neekolas closed this Apr 9, 2026
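
An added illustration, not code from this PR or the xmtplabs repository: the difference between authorizing an `issues.assigned` event on `payload.sender` versus `payload.issue.user`. The function names, logins, IDs and the in-memory permission table are assumptions constructed for the example.

```typescript
// Only the fields of a GitHub `issues.assigned` webhook payload used here.
interface GitHubUser { login: string; id: number }
interface IssuesAssignedPayload {
  action: "assigned";
  sender: GitHubUser;                           // account that performed the assignment
  issue: { number: number; user: GitHubUser };  // user = issue author
}
type Permission = "admin" | "write" | "read" | "none";

// Hypothetical stand-in for a repository permission lookup (constructed data).
const REPO_PERMISSIONS: Record<string, Permission> = {
  "maintainer-alice": "write",
  "external-bob": "none",
};

function hasWriteAccess(login: string): boolean {
  const level: Permission = REPO_PERMISSIONS[login] ?? "none"; // unknown logins fail closed
  return level === "write" || level === "admin";
}

// Authorizes against the issue author, an identity that did not trigger the event.
function authorizeByIssueAuthor(p: IssuesAssignedPayload): boolean {
  return hasWriteAccess(p.issue.user.login);
}

// Authorizes against the sender and returns the ID to use for later user resolution.
function authorizeBySender(p: IssuesAssignedPayload): { allowed: boolean; actorId: number } {
  return { allowed: hasWriteAccess(p.sender.login), actorId: p.sender.id };
}

// Constructed payload: an external user opens the issue, a maintainer assigns the bot.
const externalIssue: IssuesAssignedPayload = {
  action: "assigned",
  sender: { login: "maintainer-alice", id: 1001 },
  issue: { number: 1, user: { login: "external-bob", id: 2002 } },
};

// Constructed payload exercising the deny path: the sender lacks write access.
const unprivilegedSender: IssuesAssignedPayload = {
  action: "assigned",
  sender: { login: "external-bob", id: 2002 },
  issue: { number: 2, user: { login: "maintainer-alice", id: 1001 } },
};

console.log(authorizeByIssueAuthor(externalIssue), authorizeBySender(externalIssue));
console.log(authorizeByIssueAuthor(unprivilegedSender), authorizeBySender(unprivilegedSender));
```

The author-based check gets both constructed cases wrong: it rejects the maintainer's assignment and approves an event whose sender has no write access.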
Development

Successfully merging this pull request may close these issues.

Issues created by users without write access should still work