ci(claude): fix yq expression in auth-gate-invariants validator

[heskew]

Summary

Every PR has been failing `Auth gate invariants / validate` with:

```
=== Validating .github/workflows/claude-issue-to-pr.yml ===
Error: .github/workflows/claude-issue-to-pr.yml: authorize job has no step setting USERS_TO_CHECK env var ...
Error: Process completed with exit code 1.
```

…even on workflows that clearly set `USERS_TO_CHECK`. Reproduced locally — the validator's check uses jq's `// empty` keyword, but the runner's yq is mikefarah/yq (Go), which doesn't have it. yq's lexer rejects the expression; `2>/dev/null` swallowed the error; the variable came back empty; the existence check tripped on every workflow.

Fix

Rewrite the yq expression in idiomatic mikefarah/yq syntax:

• before: `yq -r '[.jobs.authorize.steps[].env.USERS_TO_CHECK // empty] | .[0] // ""' "$f" 2>/dev/null`
• after: `yq -r '.jobs.authorize.steps[].env.USERS_TO_CHECK | select(. != null)' "$f" 2>/dev/null | head -1`

`select(. != null)` skips steps without the env var; `head -1` collapses the per-step stream to a single value (or empty) for the `[ -n ]` check.

Verified locally with mikefarah/yq v4.53.2 against all three harper `claude-*.yml` workflows — all pass.

Out of scope (followups)

• The `2>/dev/null` swallowed a real yq error. Worth either dropping the suppression or capturing stderr for diagnostics when the expression returns empty.
• `ci(claude): mirror harper auth-gate + marker-based edit + script extraction oauth#68` (mirror) carries the same bug; needs a copy of this fix.

Test plan

• Push to a PR after this lands → confirm `Auth gate invariants / validate` passes.
• Merge oauth#68 with the same fix mirrored.

🤖 Generated with Claude Code

[claude]

Reviewed; no blockers found.