feat(labels): add gated apply-mode pilot

[ss-o]

Summary

• add gated --apply / --confirm-apply mode for canonical label create/update operations
• reject org-wide apply during the pilot
• preserve legacy and unknown labels; no deletion or issue/PR migration
• add a smoke test harness for refusal paths and apply-preview JSON
• document apply-mode pilot guardrails in the labels runbook

Safety model

Default behavior remains read-only.

Confirmed apply is intentionally constrained:

• requires explicit --repo values
• rejects --all-repos --apply
• requires --confirm-apply
• is limited to a temporary pilot allowlist unless --allow-non-pilot-repo is explicitly passed after maintainer approval
• only creates missing canonical labels and updates canonical label metadata
• does not delete labels
• does not migrate labels on issues or pull requests

Test Plan

• ruby -c scripts/labels-dry-run.rb
• scripts/test-labels-dry-run.sh
• scripts/labels-dry-run.rb --repo z-shell/.github --include-clean
• scripts/labels-dry-run.rb --repo z-shell/.github --json | ruby -rjson -e 'data=JSON.parse($stdin.read); abort unless data["mode"]=="dry-run"; abort unless data["repos_scanned"]==1'
• scripts/labels-dry-run.rb --repo z-shell/.github --apply --include-clean
• scripts/labels-dry-run.rb --repo z-shell/.github --apply --json | ruby -rjson -e 'data=JSON.parse($stdin.read); abort unless data["mode"]=="apply-preview"; abort if data["confirmed"]'
• scripts/labels-dry-run.rb --repo z-shell/zi --apply --json
• refusal checks for:
  • --all-repos --apply
  • --all-repos --apply --confirm-apply
  • --repo z-shell/zi --apply --confirm-apply
  • --repo z-shell/.github --confirm-apply

Refs #411.

[Copilot]

Pull request overview

This PR extends the existing label audit tooling by adding a tightly gated --apply / --confirm-apply pilot mode to create/update canonical labels only, while keeping default behavior read-only and documenting the operational guardrails.

Changes:

• Add gated apply-preview and confirmed-apply modes to scripts/labels-dry-run.rb, including pilot allowlist enforcement and JSON/Markdown mode metadata.
• Add a shell smoke-test harness to validate refusal paths and apply-preview JSON output.
• Update the labels runbook to document the apply-mode pilot constraints and example commands.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
scripts/test-labels-dry-run.sh	Adds a smoke-test script covering refusal paths and apply-preview JSON mode.
scripts/labels-dry-run.rb	Introduces apply-preview/confirmed apply support with pilot guardrails and planned operations output.
runbooks/labels.md	Documents apply-mode pilot guardrails and provides preview/confirmed command examples.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/z-shell/.github/labels
  • Triggering command: /usr/bin/gh gh api repos/z-shell/.github/labels?per_page=100 --paginate --jq .[] (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)