Phase 1: sync advisory issue labels

[brokemac79]

Summary

This PR implements Phase 1 of #66: ClawSweeper now projects selected issue-review conclusions into GitHub advisory labels during the existing apply/comment-sync path.

Functionally, this means maintainers can filter and route reviewed open issues from the GitHub issue list or project views without reading every full ClawSweeper comment first. The detailed comment remains the explanation and evidence. The labels are only routing signals.

What Changed

• Adds an owned advisory issue-label group for reproduction, missing-info, linked-PR, work-lane, product-decision, and security-review states.
• Syncs those labels only for open issues with complete, current kept-open ClawSweeper reports.
• Removes stale labels from that owned advisory group when the report state changes.
• Preserves unrelated labels and existing action/proof labels, including clawsweeper:autofix, clawsweeper:automerge, clawsweeper:human-review, clawsweeper:merge-ready, proof: sufficient, and mantis: telegram-visible-proof.
• Leaves close proposals alone so advisory label writes cannot update updated_at and accidentally stale a pending close decision.
• Keeps dry-run behavior non-mutating while still reporting that advisory labels would be synced.

Phase 1 Scope

This covers Phase 1 of #66.

Included:

• Advisory labels derived from existing structured report/frontmatter data.
• Label creation using the existing best-effort GitHub label creation pattern.
• Label add/remove sync during the existing apply/comment-sync path.
• Documentation for how the label projection works.
• Focused tests for label mapping, stale-label removal, dry-run behavior, stale/failed report guards, and processed-budget behavior.

Not included:

• No new workflow dispatch behavior.
• No repair PR creation behavior.
• No merge or close behavior changes.
• No maintainer action labels are auto-applied.
• No comment-prose scraping.

Safety Notes

Advisory labels are synced only from reports that are both complete and current. Failed reports, stale reports, pull requests, and close proposals are skipped for this label projection. This keeps the labels from becoming a source of accidental automation or stale routing state.

Validation

Passed locally on Node 24 / pnpm:

• pnpm run build:all
• pnpm run lint:src
• pnpm run lint:scripts
• pnpm run check:active-surface
• pnpm run check:limits
• node --test --test-name-pattern "advisory" test/clawsweeper.test.ts
• pnpm run test:unit (148 tests)
• pnpm exec oxfmt --check CHANGELOG.md README.md docs/work-lane.md package.json scripts/check-active-surface.ts src/command.ts src/commit-sweeper.ts src/clawsweeper.ts test/clawsweeper.test.ts
• git diff --check
• codex exec review --uncommitted --title "Phase 1 advisory issue labels" found no discrete correctness issues after fixes.

I also tried pnpm run test:repair; it still has existing Windows-local failures around CRLF-sensitive assertions and mocked tool lookup/hydration, unrelated to this Phase 1 label projection.