diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index cd2e6598..b5a2026b 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -50,9 +50,19 @@ jobs:
 HEAD_SHA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER --jq '.head.sha')
 echo "Head SHA: $HEAD_SHA"
- # Check Claude review status
- CLAUDE_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review") | .conclusion' | head -1)
+ # Check Claude review status and output
+ CLAUDE_CHECK=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review")')
+ CLAUDE_STATUS=$(echo "$CLAUDE_CHECK" | jq -r '.conclusion' | head -1)
+ CLAUDE_OUTPUT=$(echo "$CLAUDE_CHECK" | jq -r '.output.summary // .output.text // ""' | head -1)
 echo "Claude review status: $CLAUDE_STATUS"
+ echo "Claude review output: $CLAUDE_OUTPUT"
+
+ # Check if Claude found no issues (exact message check)
+ CLAUDE_APPROVED="false"
+ if [ "$CLAUDE_STATUS" == "success" ] && echo "$CLAUDE_OUTPUT" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then
+ CLAUDE_APPROVED="true"
+ fi
+ echo "Claude approved: $CLAUDE_APPROVED"
 # Check Unity Tests status (commit status, not check run)
 UNITY_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/status --jq '.statuses[] | select(.context == "Unity Tests") | .state' | head -1)
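Review bot: The gate trusts whichever check run on the head SHA is named `claude-review` (`select(.name == "claude-review")`), so a run of that name created by any other app or workflow satisfies it, and `head -1` on `CLAUDE_OUTPUT` keeps only the first line of the summary while the unanchored `grep -q` also matches the sentinel sentence when it sits inside a longer summary that goes on to list issues. If the reviewer is a known GitHub App, pin it in the filter, e.g. `select(.name == "claude-review" and .app.slug == "<reviewer-app-slug>")`, and take the first matching run as one object (`[.check_runs[] | select(...)] | first`) rather than the first line of a text stream. If the check emits exactly that sentence, compare with `grep -qxF "No issues found. Checked for bugs and CLAUDE.md compliance"`; `-F` also stops the `.` in `CLAUDE.md` matching any character. The `run:` block this belongs to starts before the hunk.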
@@ -68,11 +78,11 @@ jobs:
 fi
 # Determine if we should approve
- if [ "$CLAUDE_STATUS" == "success" ] && [ "$UNITY_STATUS" == "success" ]; then
- echo "All required checks passed!"
+ if [ "$CLAUDE_APPROVED" == "true" ] && [ "$UNITY_STATUS" == "success" ]; then
+ echo "All required checks passed and Claude found no issues!"
 echo "should_approve=true" >> $GITHUB_OUTPUT
 else
- echo "Required checks not yet passed"
+ echo "Required checks not yet passed or Claude found issues"
 echo "should_approve=false" >> $GITHUB_OUTPUT
 fi
@@ -102,6 +112,6 @@ jobs:
 run: |
 PR_NUMBER="${{ steps.pr.outputs.number }}"
- gh pr review $PR_NUMBER --approve --body "Auto-approved: Claude review passed and Unity Tests passed (or were skipped for non-code changes)."
+ gh pr review $PR_NUMBER -R ${{ github.repository }} --approve --body "Auto-approved: Claude review found no issues and Unity Tests passed (or were skipped for non-code changes)."
 echo "PR #$PR_NUMBER approved!"
diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml
index e3aed69c..65ceaa9d 100644
--- a/.github/workflows/pr-tests.yml
+++ b/.github/workflows/pr-tests.yml
@@ -12,15 +12,20 @@ concurrency:
 group: pr-tests-${{ github.event.pull_request.number }}
 cancel-in-progress: true
+# Workflow-level permissions set to maximum needed by any job
+# Individual jobs further restrict to only what they need
 permissions:
 contents: read
- pull-requests: write
+ checks: write
 statuses: write
+ pull-requests: write
 jobs:
 changes:
 name: Detect Changes
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 outputs:
 should_test: ${{ steps.filter.outputs.src }}
 steps:
@@ -75,6 +80,8 @@ jobs:
 needs: [changes, run-tests]
 runs-on: ubuntu-latest
 if: needs.changes.outputs.should_test == 'true' && needs.run-tests.result == 'success'
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
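Review bot: The approval is issued against whatever the PR's head is when this step runs, not against the `$HEAD_SHA` whose checks the earlier step evaluated, so a commit pushed between the two steps is approved without ever having been checked; unless branch protection dismisses stale approvals on push, that approval then counts for the new commit. Export the validated SHA from the check step (`echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT`), re-read the head here and refuse to approve if it moved, and create the review through the API with `commit_id` so the approval is recorded against the validated commit rather than an anonymous head. Which step id exports `number` (and would export `head_sha`) is outside the hunk, so the `steps.pr` reference below is an assumption.

```yaml
run: |
  PR_NUMBER="${{ steps.pr.outputs.number }}"
  EXPECTED_SHA="${{ steps.pr.outputs.head_sha }}"   # exported by whichever step computed HEAD_SHA
  CURRENT_SHA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER --jq '.head.sha')
  if [ "$CURRENT_SHA" != "$EXPECTED_SHA" ]; then
    echo "Head moved from $EXPECTED_SHA to $CURRENT_SHA since checks were evaluated; not approving"
    exit 1
  fi
  gh api repos/${{ github.repository }}/pulls/$PR_NUMBER/reviews \
    -f event=APPROVE -f commit_id="$EXPECTED_SHA" \
    -f body="Auto-approved: Claude review found no issues and Unity Tests passed (or were skipped for non-code changes)."
  # … unchanged: echo "PR #$PR_NUMBER approved!" …
```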
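Review bot: The workflow-level `permissions:` block is widened to `checks`, `statuses` and `pull-requests` write, and the new comment says jobs narrow it, but a job without its own `permissions:` key inherits the whole workflow-level set; only `changes` and the last job in this file receive `contents: read` in this diff, so `run-tests` (referenced by `needs` in the next hunk) keeps all three write scopes unless it declares a block of its own — that job is outside the hunk, please confirm. The least-privilege shape is the inverse: `permissions: contents: read` at the top and the write scopes on the one job that needs them; a `uses:` job calling a reusable workflow can carry its own `permissions:` block, and the called workflow can only narrow what the caller job grants. Doing that would also remove the reason for suppressing Scorecard's token-permissions check elsewhere in this change.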
diff --git a/.github/workflows/unity-tests.yml b/.github/workflows/unity-tests.yml
index 135ece31..292e40ce 100644
--- a/.github/workflows/unity-tests.yml
+++ b/.github/workflows/unity-tests.yml
@@ -23,6 +23,7 @@ on:
 description: 'Test results summary'
 value: ${{ jobs.test.outputs.results }}
+# Workflow-level permissions for reusable workflow
 permissions:
 contents: read
 checks: write
diff --git a/.scorecard.yml b/.scorecard.yml
index 4a26ee47..c72229cf 100644
--- a/.scorecard.yml
+++ b/.scorecard.yml
@@ -37,3 +37,13 @@ annotations:
 - sast
 reasons:
 - reason: not-detected # CodeQL is configured but may not be recognized
+
+ # Token permissions: Write permissions required for CI functionality
+ # - checks: write - GameCI publishes test results as check runs
+ # - statuses: write - Setting commit status for branch protection
+ # - pull-requests: write - Commenting test results on PRs
+ # - contents: write - Release workflow creates tags and commits
+ - checks:
+ - token-permissions
+ reasons:
+ - reason: not-applicable # Write permissions required for test reporting and release automation
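Review bot: The new annotation switches off Scorecard's token-permissions finding for the whole repository with `not-applicable`, yet the workflows in this same change are exactly what that check examines: top-level write scopes such as the `checks`, `statuses` and `pull-requests` grants in `pr-tests.yml` are the pattern it penalizes, while the same scopes granted at job level are, to my knowledge, scored far more leniently. Moving the write scopes from the workflow level to the jobs that need them would keep the check meaningful and let this annotation be dropped; if an exception is still wanted, `not-applicable` overstates it, since the justification comments describe a deliberate trade-off rather than a check that does not apply, e.g. `# Deliberate exception: write scopes are granted at workflow level for test reporting and releases; revisit when moved to job level`. The blanket suppression also hides any future workflow that adds `contents: write` at the top level, including the release workflow the comment mentions, which this diff does not show.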