feat(create_report): wire PDS service-auth and PDS-proxied checks (AC5, AC6)
Task 4: Add PdsXrpcClient plumbing and implement PDS check logic.
- Add pds_xrpc_client and pds_xrpc_client_override fields to LabelerOptions
- Add PdsServiceAuthRejected and PdsProxiedRejected diagnostics
- Implement AC5/AC6 logic: fetch session, compute subject, run mode-2 and
mode-3 checks
- Gate checks on --handle, --app-password, and --commit-report flags
- Distinguish labeler-side vs PDS-side failures via heuristic (UpstreamError,
502, 504 status codes)
- Add helper functions: fetch_session_and_did, fetch_service_auth_jwt
- Update pipeline to construct RealPdsXrpcClient from PDS endpoint
- Update all test suites to initialize new LabelerOptions fields
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
authored by