diff --git a/.github/workflows/benchmark-chatterbox-tts-onnx.yml b/.github/workflows/benchmark-chatterbox-tts-onnx.yml index ffd96af03a..e4f0be4858 100644 --- a/.github/workflows/benchmark-chatterbox-tts-onnx.yml +++ b/.github/workflows/benchmark-chatterbox-tts-onnx.yml @@ -69,8 +69,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + benchmark-chatterbox: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v')) + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v'))) runs-on: macos-14-xlarge environment: release timeout-minutes: 180 diff --git a/.github/workflows/benchmark-embed-llamacpp.yml b/.github/workflows/benchmark-embed-llamacpp.yml index 89dfa45a76..e4212c113f 100644 --- a/.github/workflows/benchmark-embed-llamacpp.yml +++ b/.github/workflows/benchmark-embed-llamacpp.yml 
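Review bot: The `Run label-gate` step hands `secrets.PAT_TOKEN` to the gate action, but the job's `permissions:` block (`contents: read`, `pull-requests: write`) only scopes the built-in `GITHUB_TOKEN` and places no limit on what that PAT can do. If the gate only reads labels and comments on the pull request (the action's code is not visible here, so this is an assumption), `github-token: ${{ github.token }}` would keep it inside the permissions the job declares. If a PAT is genuinely required, a comment above `with:` such as `# PAT_TOKEN: <scopes>; needed because <reason>` would record why and what scope it is expected to have. The same job is pasted into every workflow this commit touches, so the point applies to each copy.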
@@ -134,7 +134,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + benchmark: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ai-run-linux-gpu environment: release timeout-minutes: 180 @@ -412,4 +435,4 @@ jobs: path: | ${{ env.WORKDIR }}/benchmarks/server/server.log ${{ env.WORKDIR }}/logs/ - retention-days: 90 \ No newline at end of file + retention-days: 90 diff --git a/.github/workflows/benchmark-llm-llamacpp.yml b/.github/workflows/benchmark-llm-llamacpp.yml index 9ef74be39a..0bef3cc14d 100644 --- a/.github/workflows/benchmark-llm-llamacpp.yml +++ b/.github/workflows/benchmark-llm-llamacpp.yml @@ -178,7 +178,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + benchmark: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ai-run-linux-gpu environment: release timeout-minutes: 180 
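Review bot: `ref: ${{ github.event.repository.default_branch }}` is what makes the gate code come from the trusted branch, but if that expression ever evaluates to an empty string, actions/checkout falls back to the ref of the triggering event without any error. Whether every trigger of these workflows populates `github.event.repository` should be confirmed (the `on:` blocks are outside the hunks); a first step that fails when the value is empty would make the assumption explicit. Adding `persist-credentials: false` under the checkout's `with:` would also keep the job token out of the checked-out repo's git config while the local action runs. Both points apply to every copy of the `label-gate` job in this commit, including the one in benchmark-chatterbox-tts-onnx.yml.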
diff --git a/.github/workflows/benchmark-ocr-onnx.yml b/.github/workflows/benchmark-ocr-onnx.yml index d8086813ee..a2ee9f6afb 100644 --- a/.github/workflows/benchmark-ocr-onnx.yml +++ b/.github/workflows/benchmark-ocr-onnx.yml @@ -31,6 +31,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + setup: runs-on: ubuntu-latest timeout-minutes: 10 @@ -59,8 +80,8 @@ jobs: fi build: - needs: setup - if: needs.setup.outputs.qvac_needed == 'true' + needs: [setup, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.setup.outputs.qvac_needed == 'true' runs-on: ubuntu-24.04 environment: release timeout-minutes: 120 @@ -148,11 +169,8 @@ jobs: retention-days: 1 evaluate: - needs: [setup, build] - if: | - always() && - needs.setup.result == 'success' && - (needs.build.result == 'success' || needs.build.result == 'skipped') + needs: [setup, build, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.setup.result == 'success' && (needs.build.result == 'success' || needs.build.result == 'skipped')) runs-on: ubuntu-24.04 environment: release timeout-minutes: 180 diff --git a/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml b/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml index 6745cd2ac1..b79f24d239 100644 --- a/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml +++ b/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml 
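Review bot: In `evaluate` the gate is consulted only through `needs.label-gate.outputs.authorised == 'true'`, and because the expression contains `always()` the implicit success check on `needs` is switched off, so the result of the `label-gate` job itself is never looked at. As far as I know a job's outputs are still published when a later step in it fails, so a gate run that set the output and then errored would still let `evaluate` through, whereas `build` (no status function) would be skipped. Putting `needs.label-gate.result == 'success' &&` in front of the output comparison makes the `always()` jobs behave like the others. The same applies to the `summarize` jobs in the benchmark-performance-* workflows and to `evaluate` in benchmark-translation-nmtcpp.yml. A folded `if: >-` would also keep the now very long condition readable.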
@@ -43,6 +43,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: runs-on: ubuntu-latest outputs: @@ -63,7 +84,8 @@ jobs: echo "ref=$ref" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write packages: write @@ -76,8 +98,8 @@ jobs: ref: ${{ needs.context.outputs.ref }} desktop-benchmarks: - needs: [context, prebuild] - if: ${{ inputs.run_desktop }} + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && inputs.run_desktop permissions: contents: read packages: read @@ -92,8 +114,8 @@ jobs: qvac_perf_only: true mobile-benchmarks: - needs: [context, prebuild] - if: ${{ inputs.run_mobile }} + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && inputs.run_mobile permissions: contents: read packages: read 
@@ -112,8 +134,8 @@ jobs: # `if: always()` lets summarize run even when one of the benchmark # jobs was skipped via the run_desktop / run_mobile toggles or # failed mid-run; we still want the partial report. - needs: [context, desktop-benchmarks, mobile-benchmarks] - if: ${{ always() && needs.context.result == 'success' }} + needs: [context, desktop-benchmarks, mobile-benchmarks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && always() && needs.context.result == 'success' runs-on: ubuntu-latest timeout-minutes: 10 permissions: diff --git a/.github/workflows/benchmark-performance-transcription-parakeet.yml b/.github/workflows/benchmark-performance-transcription-parakeet.yml index ef281e3f50..1a6309f249 100644 --- a/.github/workflows/benchmark-performance-transcription-parakeet.yml +++ b/.github/workflows/benchmark-performance-transcription-parakeet.yml @@ -18,6 +18,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: runs-on: ubuntu-latest outputs: @@ -38,7 +59,8 @@ jobs: echo "ref=$ref" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write packages: write 
@@ -51,7 +73,8 @@ jobs: ref: ${{ needs.context.outputs.ref }} desktop-benchmarks: - needs: [context, prebuild] + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: read packages: read @@ -65,8 +88,8 @@ jobs: run_rtf_benchmarks: true summarize: - needs: [context, desktop-benchmarks] - if: always() + needs: [context, desktop-benchmarks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && always() runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/benchmark-performance-transcription-whispercpp.yml b/.github/workflows/benchmark-performance-transcription-whispercpp.yml index 10a347d1bb..a5bc3f6fc1 100644 --- a/.github/workflows/benchmark-performance-transcription-whispercpp.yml +++ b/.github/workflows/benchmark-performance-transcription-whispercpp.yml @@ -23,6 +23,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: runs-on: ubuntu-latest outputs: @@ -46,7 +67,8 @@ jobs: echo "include_desktop=${INPUT_INCLUDE_DESKTOP}" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write packages: write 
@@ -59,8 +81,8 @@ jobs: ref: ${{ needs.context.outputs.ref }} desktop-benchmarks: - needs: [context, prebuild] - if: needs.context.outputs.include_desktop != 'false' + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.context.outputs.include_desktop != 'false' permissions: contents: read packages: read @@ -73,10 +95,9 @@ jobs: run_integration_tests: false run_rtf_benchmarks: true - summarize: - needs: [context, desktop-benchmarks] - if: always() + needs: [context, desktop-benchmarks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && always() runs-on: ubuntu-latest permissions: contents: read @@ -96,7 +117,6 @@ jobs: path: benchmark-artifacts/desktop merge-multiple: true - - name: Generate consolidated benchmark report run: | node scripts/perf-report/aggregate-whisper-rtf.js \ diff --git a/.github/workflows/benchmark-performance-tts-onnx.yml b/.github/workflows/benchmark-performance-tts-onnx.yml index d3fbeaf0cd..166dad0cae 100644 --- a/.github/workflows/benchmark-performance-tts-onnx.yml +++ b/.github/workflows/benchmark-performance-tts-onnx.yml @@ -53,6 +53,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: runs-on: ubuntu-latest outputs: 
@@ -91,7 +112,8 @@ jobs: echo "include_desktop=${INPUT_INCLUDE_DESKTOP}" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write packages: write @@ -104,8 +126,8 @@ jobs: ref: ${{ needs.context.outputs.ref }} desktop-benchmarks: - needs: [context, prebuild] - if: needs.context.outputs.include_desktop != 'false' + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.context.outputs.include_desktop != 'false' runs-on: ${{ matrix.os }} environment: release timeout-minutes: 180 @@ -532,8 +554,8 @@ jobs: if-no-files-found: ignore summarize: - needs: [context, desktop-benchmarks] - if: always() + needs: [context, desktop-benchmarks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && always() runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/benchmark-supertonic-tts-onnx.yml b/.github/workflows/benchmark-supertonic-tts-onnx.yml index f2b7f4491c..262f702c26 100644 --- a/.github/workflows/benchmark-supertonic-tts-onnx.yml +++ b/.github/workflows/benchmark-supertonic-tts-onnx.yml 
@@ -51,8 +51,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + benchmark-supertonic: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v')) + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v'))) runs-on: macos-14-xlarge environment: release timeout-minutes: 180 diff --git a/.github/workflows/benchmark-transcription-parakeet.yml b/.github/workflows/benchmark-transcription-parakeet.yml index ca28218f84..88ad9c8896 100644 --- a/.github/workflows/benchmark-transcription-parakeet.yml +++ b/.github/workflows/benchmark-transcription-parakeet.yml 
@@ -27,6 +27,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + generate-matrix: runs-on: ai-run-linux outputs: @@ -117,7 +138,8 @@ jobs: echo "$MATRIX" | jq . benchmark-parakeet: - needs: generate-matrix + needs: [generate-matrix, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ai-run-linux environment: release timeout-minutes: 1440 diff --git a/.github/workflows/benchmark-transcription-whispercpp.yml b/.github/workflows/benchmark-transcription-whispercpp.yml index 460ffe1583..847b8bc41b 100644 --- a/.github/workflows/benchmark-transcription-whispercpp.yml +++ b/.github/workflows/benchmark-transcription-whispercpp.yml @@ -84,6 +84,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + generate-matrix: runs-on: ubuntu-latest outputs: 
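Review bot: `generate-matrix` in benchmark-transcription-parakeet.yml still has no `needs: [label-gate]`, and it runs on `ai-run-linux`, which looks like a self-hosted runner label, so a run the gate rejects still executes that job's steps on that machine before `benchmark-parakeet` is skipped. Adding `needs: [label-gate]` and `if: needs.label-gate.outputs.authorised == 'true'` to `generate-matrix` would close this; `benchmark-parakeet` would then also be skipped through its `needs` chain. The `setup`, `context` and `generate-matrix` jobs in the other benchmark workflows are left ungated in the same way, though the ones visible in this diff run on `ubuntu-latest`. The body of `generate-matrix` is outside the hunk, so what it executes could not be checked here.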
@@ -228,7 +249,8 @@ jobs: echo "$MATRIX" | jq . benchmark-whispercpp: - needs: generate-matrix + needs: [generate-matrix, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release timeout-minutes: 1440 diff --git a/.github/workflows/benchmark-translation-nmtcpp.yml b/.github/workflows/benchmark-translation-nmtcpp.yml index 30718151de..ddd03d4c74 100644 --- a/.github/workflows/benchmark-translation-nmtcpp.yml +++ b/.github/workflows/benchmark-translation-nmtcpp.yml @@ -106,6 +106,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + setup: runs-on: ubuntu-latest timeout-minutes: 10 @@ -149,7 +170,8 @@ jobs: echo "datasets_cache_key=$datasets_cache_key" >> $GITHUB_OUTPUT build: - needs: setup + needs: [setup, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-22.04 environment: release timeout-minutes: 60 @@ -315,11 +337,8 @@ jobs: retention-days: 1 evaluate: - needs: [setup, build] - if: | - always() && - needs.setup.result == 'success' && - (needs.build.result == 'success' || needs.build.result == 'skipped') + needs: [setup, build, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.setup.result == 'success' && (needs.build.result == 'success' || needs.build.result == 'skipped')) runs-on: ubuntu-24.04 environment: release timeout-minutes: 120 
@@ -414,7 +433,7 @@ jobs: echo "AWS PATH: $aws_path" if aws s3 cp "$aws_path/" "$temp_dir/" --recursive; then echo "Successfully downloaded model for $model_pair from S3 (using $s3_pair)" - + # Find the latest date directory and move files up date_dir=$(find "$temp_dir" -mindepth 1 -maxdepth 1 -type d | sort -r | head -1) if [ -n "$date_dir" ]; then @@ -442,7 +461,7 @@ jobs: echo "Renamed ggml-opus-$model_pair.bin to model_f16.bin" fi fi - + # Verify the model file exists if [ -f "qvac_models/$model_pair/model_f16.bin" ]; then echo "Model verified: $(ls -lh qvac_models/$model_pair/model_f16.bin)" @@ -471,15 +490,15 @@ jobs: if [ "${{ inputs.use_pivot }}" = "true" ]; then src_lang="${pair%-*}" trg_lang="${pair#*-}" - + # Check if this is a non-English pair if [ "$src_lang" != "en" ] && [ "$trg_lang" != "en" ]; then echo "Pivot translation enabled for non-English pair $pair" echo "Downloading pivot models: ${src_lang}-en and en-${trg_lang}" - + # Download source-to-English model download_model "${src_lang}-en" - + # Download English-to-target model download_model "en-${trg_lang}" fi diff --git a/.github/workflows/cpp-lint.yaml b/.github/workflows/cpp-lint.yaml index 0760564b48..7a097db937 100644 --- a/.github/workflows/cpp-lint.yaml +++ b/.github/workflows/cpp-lint.yaml @@ -6,9 +6,7 @@ on: sha: required: false description: >- - Base ref/SHA to diff against for clang-format. When empty (e.g. on - workflow_dispatch runs without a PR context), the workflow falls - back to `github.event.before` and finally to `HEAD~1`. + Base ref/SHA to diff against for clang-format. When empty (e.g. on workflow_dispatch runs without a PR context), the workflow falls back to `github.event.before` and finally to `HEAD~1`. type: string pr_head_sha: required: false 
@@ -25,7 +23,30 @@ on: default: true jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-lint: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-22.04 environment: release permissions: diff --git a/.github/workflows/cpp-test-coverage-bci-whispercpp.yml b/.github/workflows/cpp-test-coverage-bci-whispercpp.yml index 1be7353400..4d57200227 100644 --- a/.github/workflows/cpp-test-coverage-bci-whispercpp.yml +++ b/.github/workflows/cpp-test-coverage-bci-whispercpp.yml @@ -27,7 +27,30 @@ env: WORKDIR: ${{ inputs.workdir || github.event.inputs.workdir }} jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: read id-token: write 
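Review bot: `secrets.PAT_TOKEN` in the gate step resolves only when the secret is actually available to this workflow; the `sha` / `pr_head_sha` inputs suggest cpp-lint is also invoked as a reusable workflow, where a caller that neither passes the secret nor uses `secrets: inherit` leaves it empty. Most of the `on:` block is outside the hunk, so this should be confirmed, and the gate action should be checked to fail closed (no `authorised` output) when the token is empty. If the callers already run their own `label-gate`, the gate here runs a second time per call; a short comment above the job saying which layer is authoritative would help. The cpp-test-coverage-* workflows that read `inputs.workdir` look like the same case.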
diff --git a/.github/workflows/cpp-test-coverage-transcription-parakeet.yml b/.github/workflows/cpp-test-coverage-transcription-parakeet.yml index d55b5a2708..0035f13ede 100644 --- a/.github/workflows/cpp-test-coverage-transcription-parakeet.yml +++ b/.github/workflows/cpp-test-coverage-transcription-parakeet.yml @@ -16,7 +16,30 @@ env: PKG_DIR: packages/transcription-parakeet jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: read id-token: write diff --git a/.github/workflows/cpp-test-coverage-transcription-whispercpp.yml b/.github/workflows/cpp-test-coverage-transcription-whispercpp.yml index f750d3f145..0ffeca571d 100644 --- a/.github/workflows/cpp-test-coverage-transcription-whispercpp.yml +++ b/.github/workflows/cpp-test-coverage-transcription-whispercpp.yml 
@@ -27,7 +27,30 @@ env: WORKDIR: ${{ inputs.workdir || github.event.inputs.workdir }} jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: read id-token: write @@ -83,17 +106,17 @@ jobs: working-directory: ${{ env.WORKDIR }} run: | mkdir -p models - + echo "Downloading ggml-tiny.bin..." curl -L -o models/ggml-tiny.bin \ "https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-tiny.bin" \ --fail --silent --show-error --connect-timeout 30 --max-time 300 - + echo "Downloading ggml-silero VAD model..." curl -L -o models/ggml-silero-v5.1.2.bin \ "https://huggingface.co/ggml-org/whisper-vad/resolve/main/ggml-silero-v5.1.2.bin" \ --fail --silent --show-error --connect-timeout 30 --max-time 300 - + echo "Downloaded models:" ls -lha models/ diff --git a/.github/workflows/cpp-test-coverage-tts-ggml.yml b/.github/workflows/cpp-test-coverage-tts-ggml.yml index f1d4c3dbae..f6034cc119 100644 --- a/.github/workflows/cpp-test-coverage-tts-ggml.yml +++ b/.github/workflows/cpp-test-coverage-tts-ggml.yml 
@@ -19,7 +19,30 @@ env: PKG_DIR: packages/tts-ggml jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: read id-token: write diff --git a/.github/workflows/cpp-test-coverage-tts-onnx.yml b/.github/workflows/cpp-test-coverage-tts-onnx.yml index ce26df3eb0..98a8f10232 100644 --- a/.github/workflows/cpp-test-coverage-tts-onnx.yml +++ b/.github/workflows/cpp-test-coverage-tts-onnx.yml @@ -39,7 +39,30 @@ env: ENABLE_COVERAGE: ON jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ${{ matrix.os }} environment: release name: ${{ matrix.platform }}-${{ matrix.arch }}-cpp-tests diff --git a/.github/workflows/cpp-tests-diffusion.yml b/.github/workflows/cpp-tests-diffusion.yml index cf1b57b1c8..4fd5ec0706 100644 
--- a/.github/workflows/cpp-tests-diffusion.yml +++ b/.github/workflows/cpp-tests-diffusion.yml @@ -28,7 +28,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + test-cpp: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' strategy: fail-fast: false matrix: diff --git a/.github/workflows/cpp-tests-embed.yml b/.github/workflows/cpp-tests-embed.yml index 2f907c56a8..f68da013f6 100644 --- a/.github/workflows/cpp-tests-embed.yml +++ b/.github/workflows/cpp-tests-embed.yml @@ -29,7 +29,30 @@ on: default: "packages/embed-llamacpp" jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ${{ matrix.runner || matrix.os }} environment: release name: ${{ matrix.platform }}-${{ matrix.arch || 'x64' }}-cpp-tests 
@@ -251,7 +274,6 @@ jobs: ${{ env.WORKDIR }}/build/test/unit/cpp-test-results.xml retention-days: 30 - - name: Coverage Summary if: ${{ matrix.os == 'ubuntu-24.04' && always() }} shell: bash diff --git a/.github/workflows/cpp-tests-llm.yml b/.github/workflows/cpp-tests-llm.yml index e3dde7188c..a18e40bbdc 100644 --- a/.github/workflows/cpp-tests-llm.yml +++ b/.github/workflows/cpp-tests-llm.yml @@ -28,7 +28,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + test-cpp: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' strategy: fail-fast: false matrix: @@ -270,7 +293,6 @@ jobs: ${{ env.WORKDIR }}/build/test/unit/cpp-test-results.xml retention-days: 30 - - name: Coverage Summary if: ${{ matrix.os == 'ubuntu-24.04' && always() }} shell: bash diff --git a/.github/workflows/docs-api-pipeline-e2e.yml b/.github/workflows/docs-api-pipeline-e2e.yml index 67dd24c99a..65990d40ec 100644 --- a/.github/workflows/docs-api-pipeline-e2e.yml +++ b/.github/workflows/docs-api-pipeline-e2e.yml 
@@ -58,12 +58,7 @@ jobs: env: SDK_PATH: ${{ github.workspace }}/packages/sdk run: > - bun run scripts/generate-api-docs.ts - ${{ steps.sdk.outputs.version }} - --latest - --force-extract - --no-ai - + bun run scripts/generate-api-docs.ts ${{ steps.sdk.outputs.version }} --latest --force-extract --no-ai #magic___^_^___line - name: Snapshot first run output run: | cp scripts/api-docs/api-data.json /tmp/api-data-run1.json @@ -76,12 +71,7 @@ jobs: env: SDK_PATH: ${{ github.workspace }}/packages/sdk run: > - bun run scripts/generate-api-docs.ts - ${{ steps.sdk.outputs.version }} - --latest - --force-extract - --no-ai - + bun run scripts/generate-api-docs.ts ${{ steps.sdk.outputs.version }} --latest --force-extract --no-ai #magic___^_^___line - name: Assert api-data.json is byte-identical across runs run: | diff -u /tmp/api-data-run1.json scripts/api-docs/api-data.json || { diff --git a/.github/workflows/docs-post-merge-sync.yml b/.github/workflows/docs-post-merge-sync.yml index 9b6b57b7de..457540479d 100644 --- a/.github/workflows/docs-post-merge-sync.yml +++ b/.github/workflows/docs-post-merge-sync.yml @@ -16,7 +16,30 @@ concurrency: cancel-in-progress: false jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + sync-docs: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest permissions: contents: write 
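Review bot: The formatter placeholder `#magic___^_^___line` has been committed inside the folded `run: >` scalar of this step, and again in the second `generate-api-docs.ts` step in the next hunk. Because the marker follows the flags on the same line, the shell most likely treats it as a trailing comment and the command still runs, but it is tool residue rather than intended content, and the flags are harder to read than in the one-per-line form that was removed. Drop the marker and keep the folded multi-line layout, and consider a lint step that rejects the string `#magic___` under `.github/workflows/` so the formatter cannot leak it again.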
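Review bot: `sync-docs` now runs only when the gate reports `authorised == 'true'`, and nothing in this hunk shows what the label-gate action outputs when the triggering event has no pull request or label to inspect. The workflow name suggests it runs after a merge; if that is right and the action does not emit `true` for that event, the job is skipped while the run still shows green, so the docs sync would stop silently. A comment above `needs: [label-gate]` stating which events the gate authorises, for example `# label-gate returns authorised=true for <events>; any other result skips this job`, would make the fail-closed behaviour explicit; the same applies to `generate-and-publish` in docs-release-pipeline.yml. The workflow's `on:` block is outside the hunk.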
diff --git a/.github/workflows/docs-release-pipeline.yml b/.github/workflows/docs-release-pipeline.yml index 59e8fa83e5..f6551474a2 100644 --- a/.github/workflows/docs-release-pipeline.yml +++ b/.github/workflows/docs-release-pipeline.yml @@ -34,9 +34,31 @@ env: DOCS_DIR: docs/website jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + generate-and-publish: + needs: [label-gate] runs-on: ubuntu-latest - if: ${{ !vars.DOCS_SYNC_BOT_USER || github.actor != vars.DOCS_SYNC_BOT_USER }} + if: needs.label-gate.outputs.authorised == 'true' && (!vars.DOCS_SYNC_BOT_USER || github.actor != vars.DOCS_SYNC_BOT_USER) steps: # Dual checkout to close the race window where a PR landing on `main` diff --git a/.github/workflows/integration-mobile-test-bci-whispercpp.yml b/.github/workflows/integration-mobile-test-bci-whispercpp.yml index 5405e9041e..9cb007401e 100644 --- a/.github/workflows/integration-mobile-test-bci-whispercpp.yml +++ b/.github/workflows/integration-mobile-test-bci-whispercpp.yml 
@@ -41,12 +41,35 @@ on: env: NODE_VERSION: 'lts/*' ADDON_NAME: '@qvac/bci-whispercpp' - PREBUILD_ARTIFACT_PREFIX: 'bci-whispercpp-' # Prefix for prebuild artifacts (matches prebuilds-bci-whispercpp.yml) - TEST_FRAMEWORK_REF: 'main' # Branch/tag of qvac-test-addon-mobile framework - APP_BUNDLE_ID: 'io.tether.test.qvac' # Bundle ID for the test app (shared across addons) + PREBUILD_ARTIFACT_PREFIX: 'bci-whispercpp-' # Prefix for prebuild artifacts (matches prebuilds-bci-whispercpp.yml) + TEST_FRAMEWORK_REF: 'main' # Branch/tag of qvac-test-addon-mobile framework + APP_BUNDLE_ID: 'io.tether.test.qvac' # Bundle ID for the test app (shared across addons) jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release diff --git a/.github/workflows/integration-mobile-test-decoder-audio.yml b/.github/workflows/integration-mobile-test-decoder-audio.yml index fe0c8905b1..2dfd8bfd58 100644 --- a/.github/workflows/integration-mobile-test-decoder-audio.yml +++ b/.github/workflows/integration-mobile-test-decoder-audio.yml 
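Review bot: `TEST_FRAMEWORK_REF: 'main'` is re-emitted by this hunk with only its comment realigned, so the gated `build-and-test` job still follows a moving branch of the test framework. If this value is what the job checks out, whatever `main` holds at run time executes in the `release` environment after the label gate has authorised the pull request, and the gate does not cover that code. Pinning to a tag or full commit SHA, e.g. `TEST_FRAMEWORK_REF: '<framework-commit-sha>'  # pinned; bump deliberately`, would close that gap. How the variable is consumed is outside the hunk.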
@@ -41,7 +41,30 @@ env: APP_BUNDLE_ID: "io.tether.test.qvac" # Bundle ID for the test app (same for all addons) jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release @@ -959,18 +982,18 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" --query "upload.status" --output text) echo "Test spec status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… Test spec upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Test spec upload failed" aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" exit 1 fi - + sleep 5 ATTEMPT=$((ATTEMPT + 1)) done 
@@ -1009,187 +1032,7 @@ jobs: - name: Monitor Test Run id: monitor_run - run: | - RUN_ARN="${{ steps.schedule_run.outputs.run_arn }}" - echo "šŸ“Š Monitoring test run: $RUN_ARN" - echo "" - - MAX_WAIT_TIME=3600 # 60 minutes (audio decoding should be faster than LLM inference) - ELAPSED=0 - - while true; do - STATUS=$(aws devicefarm get-run --arn "$RUN_ARN" --query 'run.status' --output text) - RESULT=$(aws devicefarm get-run --arn "$RUN_ARN" --query 'run.result' --output text) - - echo "ā³ Run status: $STATUS (Result: $RESULT) - Elapsed: ${ELAPSED}s" - - if [[ "$STATUS" == "COMPLETED" ]]; then - echo "" - echo "āœ… Test run completed!" - break - fi - - if [ $ELAPSED -ge $MAX_WAIT_TIME ]; then - echo "" - echo "āŒ Timeout: Test run exceeded $MAX_WAIT_TIME seconds" - exit 1 - fi - - sleep 30 - ELAPSED=$((ELAPSED + 30)) - done - - # Get detailed results - RUN_DETAILS=$(aws devicefarm get-run --arn "$RUN_ARN" --output json) - RESULT=$(echo $RUN_DETAILS | jq -r '.run.result') - COUNTERS=$(echo $RUN_DETAILS | jq -r '.run.counters') - - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“Š FINAL TEST RESULTS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "Result: $RESULT" - echo "" - - # Get jobs (devices) and extract actual test names - echo "šŸ“± Fetching detailed test results..." 
- JOBS=$(aws devicefarm list-jobs --arn "$RUN_ARN" --output json) - - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“‹ YOUR TESTS (excluding Setup/Teardown)" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - - DEVICE_COUNT=0 - USER_TEST_COUNT=0 - USER_PASSED=0 - USER_FAILED=0 - FAILED_TEST_DETAILS=() - - # Extract project ID and run ID from RUN_ARN for console links - # RUN_ARN format: arn:aws:devicefarm:us-west-2:ACCOUNT:run:PROJECT_ID/RUN_ID - PROJECT_ID=$(echo "$RUN_ARN" | sed -n 's/.*:run:\([^/]*\)\/.*/\1/p') - RUN_ID=$(echo "$RUN_ARN" | sed -n 's/.*:run:[^/]*\/\(.*\)/\1/p') - - # Process each device/job - for JOB_ARN in $(echo "$JOBS" | jq -r '.jobs[].arn'); do - DEVICE_COUNT=$((DEVICE_COUNT + 1)) - JOB_DETAILS=$(aws devicefarm get-job --arn "$JOB_ARN" --output json) - DEVICE_NAME=$(echo "$JOB_DETAILS" | jq -r '.job.device.name // "Unknown Device"') - JOB_RESULT=$(echo "$JOB_DETAILS" | jq -r '.job.result // "UNKNOWN"') - JOB_ID=$(echo "$JOB_ARN" | sed -n 's/.*:job:[^/]*\/[^/]*\/\(.*\)/\1/p') - - # Build console link (no region param needed when region is in subdomain) - CONSOLE_LINK="https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}/jobs/${JOB_ID}" - - if [ "$JOB_RESULT" = "PASSED" ]; then - echo " āœ… $DEVICE_NAME: PASSED" - USER_PASSED=$((USER_PASSED + 1)) - else - echo " āŒ $DEVICE_NAME: $JOB_RESULT" - USER_FAILED=$((USER_FAILED + 1)) - FAILED_TEST_DETAILS+=("āŒ $DEVICE_NAME: $JOB_RESULT") - FAILED_TEST_DETAILS+=(" šŸ“Ž View logs: $CONSOLE_LINK") - fi - - USER_TEST_COUNT=$((USER_TEST_COUNT + 1)) - echo "" - done - - # Show AWS Device Farm console link for the entire run - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ”— AWS DEVICE FARM LINKS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "šŸ“Š Full Run Details:" - echo " https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}" - 
echo "" - echo "šŸ’” Tip: Click the link above, then select a device to view:" - echo " • Video recording of the test" - echo " • Screenshots" - echo " • Device logs" - echo " • Test spec output (shows individual test results)" - echo "" - - # Summary - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“Š SUMMARY" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "Devices tested: $DEVICE_COUNT" - echo " āœ… Passed: $USER_PASSED" - echo " āŒ Failed: $USER_FAILED" - echo "" - echo "šŸ“‹ What these tests verify:" - echo " The E2E tests run on Device Farm check that your app:" - echo " 1. Shows 'INITIALIZED' after startup" - echo " 2. Runs all test functions from test/mobile/*.cjs" - echo " 3. Reports PASS/FAIL for each test function" - echo "" - echo "šŸ’” If a test times out but the video shows PASS:" - echo " → The app test passed, but E2E gave up waiting too early" - echo " → Check timeout settings in qvac-test-addon-mobile" - echo "" - echo "Device Farm Counters (includes Setup/Teardown):" - echo "$COUNTERS" | jq '.' 
- echo "" - - if [ ${#FAILED_TEST_DETAILS[@]} -gt 0 ]; then - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "āŒ FAILED TESTS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - for failed_info in "${FAILED_TEST_DETAILS[@]}"; do - echo "$failed_info" - done - echo "" - fi - - # Save for PR comment - echo "test_result=$RESULT" >> $GITHUB_OUTPUT - echo "test_counters<> $GITHUB_OUTPUT - echo "$COUNTERS" >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - - # Extract test counts - TOTAL=$(echo $COUNTERS | jq -r '.total // 0') - PASSED=$(echo $COUNTERS | jq -r '.passed // 0') - FAILED=$(echo $COUNTERS | jq -r '.failed // 0') - SKIPPED=$(echo $COUNTERS | jq -r '.skipped // 0') - - echo "test_total=$TOTAL" >> $GITHUB_OUTPUT - echo "test_passed=$PASSED" >> $GITHUB_OUTPUT - echo "test_failed=$FAILED" >> $GITHUB_OUTPUT - echo "test_skipped=$SKIPPED" >> $GITHUB_OUTPUT - - # Also save user test counts - echo "user_test_count=$USER_TEST_COUNT" >> $GITHUB_OUTPUT - echo "user_test_passed=$USER_PASSED" >> $GITHUB_OUTPUT - echo "user_test_failed=$USER_FAILED" >> $GITHUB_OUTPUT - - # Determine if tests passed or failed - # Red status (exit 1) if: - # 1. Device Farm overall result is not PASSED, OR - # 2. Any of your tests failed - # Green status (exit 0) only if all tests passed - - if [[ "$RESULT" != "PASSED" ]] || [ $USER_FAILED -gt 0 ]; then - echo "" - echo "āŒ Device Farm tests failed" - if [[ "$RESULT" != "PASSED" ]]; then - echo " Device Farm result: $RESULT" - fi - echo " Your tests: $USER_PASSED passed, $USER_FAILED failed (out of $USER_TEST_COUNT total)" - echo " Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED" - exit 1 - fi - - echo "" - echo "āœ… All Device Farm tests passed!" 
- echo " Your tests: $USER_PASSED passed (out of $USER_TEST_COUNT total)" - echo " Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED" - + run: "RUN_ARN=\"${{ steps.schedule_run.outputs.run_arn }}\"\necho \"šŸ“Š Monitoring test run: $RUN_ARN\"\necho \"\"\n #magic___^_^___line\nMAX_WAIT_TIME=3600 # 60 minutes (audio decoding should be faster than LLM inference)\nELAPSED=0\n #magic___^_^___line\nwhile true; do\n STATUS=$(aws devicefarm get-run --arn \"$RUN_ARN\" --query 'run.status' --output text)\n RESULT=$(aws devicefarm get-run --arn \"$RUN_ARN\" --query 'run.result' --output text)\n #magic___^_^___line\n echo \"ā³ Run status: $STATUS (Result: $RESULT) - Elapsed: ${ELAPSED}s\"\n #magic___^_^___line\n if [[ \"$STATUS\" == \"COMPLETED\" ]]; then\n echo \"\"\n echo \"āœ… Test run completed!\"\n break\n fi\n #magic___^_^___line\n if [ $ELAPSED -ge $MAX_WAIT_TIME ]; then\n echo \"\"\n echo \"āŒ Timeout: Test run exceeded $MAX_WAIT_TIME seconds\"\n exit 1\n fi\n #magic___^_^___line\n sleep 30\n ELAPSED=$((ELAPSED + 30))\ndone\n #magic___^_^___line\n# Get detailed results\nRUN_DETAILS=$(aws devicefarm get-run --arn \"$RUN_ARN\" --output json)\nRESULT=$(echo $RUN_DETAILS | jq -r '.run.result')\nCOUNTERS=$(echo $RUN_DETAILS | jq -r '.run.counters')\n #magic___^_^___line\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“Š FINAL TEST RESULTS\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"Result: $RESULT\"\necho \"\"\n #magic___^_^___line\n# Get jobs (devices) and extract actual test names\necho \"šŸ“± Fetching detailed test results...\"\nJOBS=$(aws devicefarm list-jobs --arn \"$RUN_ARN\" --output json)\n #magic___^_^___line\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“‹ YOUR TESTS (excluding Setup/Teardown)\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\n 
#magic___^_^___line\nDEVICE_COUNT=0\nUSER_TEST_COUNT=0\nUSER_PASSED=0\nUSER_FAILED=0\nFAILED_TEST_DETAILS=()\n #magic___^_^___line\n# Extract project ID and run ID from RUN_ARN for console links\n# RUN_ARN format: arn:aws:devicefarm:us-west-2:ACCOUNT:run:PROJECT_ID/RUN_ID\nPROJECT_ID=$(echo \"$RUN_ARN\" | sed -n 's/.*:run:\\([^/]*\\)\\/.*/\\1/p')\nRUN_ID=$(echo \"$RUN_ARN\" | sed -n 's/.*:run:[^/]*\\/\\(.*\\)/\\1/p')\n #magic___^_^___line\n# Process each device/job\nfor JOB_ARN in $(echo \"$JOBS\" | jq -r '.jobs[].arn'); do\n DEVICE_COUNT=$((DEVICE_COUNT + 1))\n JOB_DETAILS=$(aws devicefarm get-job --arn \"$JOB_ARN\" --output json)\n DEVICE_NAME=$(echo \"$JOB_DETAILS\" | jq -r '.job.device.name // \"Unknown Device\"')\n JOB_RESULT=$(echo \"$JOB_DETAILS\" | jq -r '.job.result // \"UNKNOWN\"')\n JOB_ID=$(echo \"$JOB_ARN\" | sed -n 's/.*:job:[^/]*\\/[^/]*\\/\\(.*\\)/\\1/p')\n #magic___^_^___line\n # Build console link (no region param needed when region is in subdomain)\n CONSOLE_LINK=\"https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}/jobs/${JOB_ID}\"\n #magic___^_^___line\n if [ \"$JOB_RESULT\" = \"PASSED\" ]; then\n echo \" āœ… $DEVICE_NAME: PASSED\"\n USER_PASSED=$((USER_PASSED + 1))\n else\n echo \" āŒ $DEVICE_NAME: $JOB_RESULT\"\n USER_FAILED=$((USER_FAILED + 1))\n FAILED_TEST_DETAILS+=(\"āŒ $DEVICE_NAME: $JOB_RESULT\")\n FAILED_TEST_DETAILS+=(\" šŸ“Ž View logs: $CONSOLE_LINK\")\n fi\n #magic___^_^___line\n USER_TEST_COUNT=$((USER_TEST_COUNT + 1))\n echo \"\"\ndone\n #magic___^_^___line\n# Show AWS Device Farm console link for the entire run\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ”— AWS DEVICE FARM LINKS\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\necho \"šŸ“Š Full Run Details:\"\necho \" https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}\"\necho \"\"\necho \"šŸ’” Tip: Click the link above, then select a 
device to view:\"\necho \" • Video recording of the test\"\necho \" • Screenshots\" \necho \" • Device logs\"\necho \" • Test spec output (shows individual test results)\"\necho \"\"\n #magic___^_^___line\n# Summary\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“Š SUMMARY\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\necho \"Devices tested: $DEVICE_COUNT\"\necho \" āœ… Passed: $USER_PASSED\"\necho \" āŒ Failed: $USER_FAILED\"\necho \"\"\necho \"šŸ“‹ What these tests verify:\"\necho \" The E2E tests run on Device Farm check that your app:\"\necho \" 1. Shows 'INITIALIZED' after startup\"\necho \" 2. Runs all test functions from test/mobile/*.cjs\"\necho \" 3. Reports PASS/FAIL for each test function\"\necho \"\"\necho \"šŸ’” If a test times out but the video shows PASS:\"\necho \" → The app test passed, but E2E gave up waiting too early\"\necho \" → Check timeout settings in qvac-test-addon-mobile\"\necho \"\"\necho \"Device Farm Counters (includes Setup/Teardown):\"\necho \"$COUNTERS\" | jq '.'\necho \"\"\n #magic___^_^___line\nif [ ${#FAILED_TEST_DETAILS[@]} -gt 0 ]; then\n echo \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n echo \"āŒ FAILED TESTS\"\n echo \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n for failed_info in \"${FAILED_TEST_DETAILS[@]}\"; do\n echo \"$failed_info\"\n done\n echo \"\"\nfi\n #magic___^_^___line\n# Save for PR comment\necho \"test_result=$RESULT\" >> $GITHUB_OUTPUT\necho \"test_counters<> $GITHUB_OUTPUT\necho \"$COUNTERS\" >> $GITHUB_OUTPUT\necho \"EOF\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Extract test counts\nTOTAL=$(echo $COUNTERS | jq -r '.total // 0')\nPASSED=$(echo $COUNTERS | jq -r '.passed // 0')\nFAILED=$(echo $COUNTERS | jq -r '.failed // 0')\nSKIPPED=$(echo $COUNTERS | jq -r '.skipped // 0')\n #magic___^_^___line\necho \"test_total=$TOTAL\" >> $GITHUB_OUTPUT\necho \"test_passed=$PASSED\" >> $GITHUB_OUTPUT\necho \"test_failed=$FAILED\" >> $GITHUB_OUTPUT\necho \"test_skipped=$SKIPPED\" >> 
$GITHUB_OUTPUT\n #magic___^_^___line\n# Also save user test counts\necho \"user_test_count=$USER_TEST_COUNT\" >> $GITHUB_OUTPUT\necho \"user_test_passed=$USER_PASSED\" >> $GITHUB_OUTPUT\necho \"user_test_failed=$USER_FAILED\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Determine if tests passed or failed\n# Red status (exit 1) if:\n# 1. Device Farm overall result is not PASSED, OR\n# 2. Any of your tests failed\n# Green status (exit 0) only if all tests passed\n #magic___^_^___line\nif [[ \"$RESULT\" != \"PASSED\" ]] || [ $USER_FAILED -gt 0 ]; then\n echo \"\"\n echo \"āŒ Device Farm tests failed\"\n if [[ \"$RESULT\" != \"PASSED\" ]]; then\n echo \" Device Farm result: $RESULT\"\n fi\n echo \" Your tests: $USER_PASSED passed, $USER_FAILED failed (out of $USER_TEST_COUNT total)\"\n echo \" Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED\"\n exit 1\nfi\n #magic___^_^___line\necho \"\"\necho \"āœ… All Device Farm tests passed!\"\necho \" Your tests: $USER_PASSED passed (out of $USER_TEST_COUNT total)\"\necho \" Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED\"\n #magic___^_^___line\n" - name: Refresh AWS credentials for log download if: always() && steps.schedule_run.outputs.run_arn uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # 6.0.0 diff --git a/.github/workflows/integration-mobile-test-diffusion-cpp.yml b/.github/workflows/integration-mobile-test-diffusion-cpp.yml index 494c1c94d2..939611a7ea 100644 --- a/.github/workflows/integration-mobile-test-diffusion-cpp.yml +++ b/.github/workflows/integration-mobile-test-diffusion-cpp.yml 
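Review bot: The `Monitor Test Run` script has been turned from a `run: |` block into a single double-quoted string with `\n` escapes and `#magic___^_^___line` markers, which looks like formatter output rather than an intended change. The markers sit where the blank lines were and bash reads them as comments, so behaviour is probably unchanged, but roughly 180 lines of shell that decide the job's pass/fail status are now one line, and any later edit to it will appear as a whole-line diff that cannot be reviewed. Restore the literal block (`run: |`) with the original line layout and exclude this file, or block scalars in general, from the formatter. While restoring it, `RUN_ARN` could be supplied through `env:` (`RUN_ARN: ${{ steps.schedule_run.outputs.run_arn }}`) instead of being interpolated into the script text, so the step output is never parsed as shell.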
@@ -33,7 +33,30 @@ env: ADDON_WORKDIR: "addon/packages/diffusion-cpp" jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests environment: release runs-on: ${{ matrix.runner }} @@ -889,7 +912,7 @@ jobs: run: | echo "šŸ“ Creating test spec for custom environment mode..." echo "Platform: ${{ matrix.platform }}" - + # Create platform-specific test spec using printf for precise control # NOTE: Both platforms use a 'before' hook in the wdio config to click the button # This ensures a single Appium session for reliability (no session handoff issues) 
@@ -913,11 +936,11 @@ jobs: # Increased timeout to 30 minutes (1800000ms) for long-running LLM tests WDIO_CONFIG='exports.config={runner:"local",hostname:"127.0.0.1",port:4723,path:"/wd/hub",specs:["*.spec.js","*.test.js"],maxInstances:1,bail:0,capabilities:[{platformName:"iOS","appium:automationName":"XCUITest","appium:bundleId":"'${{ env.APP_BUNDLE_ID }}'","appium:newCommandTimeout":300,"appium:noReset":true,"appium:forceAppLaunch":false,"appium:usePrebuiltWDA":true,"appium:wdaLocalPort":8100,"appium:showIOSLog":true,"appium:realDeviceLogger":"/usr/local/lib/node_modules/appium/node_modules/deviceconsole/deviceconsole"}],logLevel:"debug",waitforTimeout:120000,connectionRetryTimeout:30000,connectionRetryCount:3,services:[],framework:"mocha",reporters:["spec"],mochaOpts:{ui:"bdd",timeout:1800000},before:async function(capabilities,specs,browser){const BUNDLE_ID="'${{ env.APP_BUNDLE_ID }}'";global.appCrashed=false;global.flushBareLog=async function(reason){try{var _h=require("http");var lb64=await new Promise(function(ok,fail){var bd=JSON.stringify({path:"@"+BUNDLE_ID+":documents/bare_console.log"});var rq=_h.request({hostname:"127.0.0.1",port:4723,path:"/wd/hub/session/"+browser.sessionId+"/appium/device/pull_file",method:"POST",headers:{"Content-Type":"application/json","Content-Length":Buffer.byteLength(bd)}},function(rs){var d="";rs.on("data",function(c){d+=c;});rs.on("end",function(){try{ok(JSON.parse(d).value);}catch(e){fail(e);}});});rq.on("error",fail);rq.write(bd);rq.end();});var logTxt=Buffer.from(lb64,"base64").toString();var logDir=process.env.DEVICEFARM_LOG_DIR||".";require("fs").writeFileSync(logDir+"/bare_console.log",logTxt);console.log("[bare-log] "+reason+" flush ok ("+logTxt.length+" bytes)");}catch(e){console.log("[bare-log] "+reason+" flush failed: "+e.message);}};global.checkAppCrash=async(stage)=>{try{const state=await browser.queryAppState(BUNDLE_ID);console.log("["+stage+"] App state: "+state+" (4=foreground,3=background,1=not 
running)");if(state<3){console.error("\\nšŸ›‘ APP CRASHED at "+stage+"! State="+state);console.error("Check device logs for BareKit/native errors.\\n");global.appCrashed=true;setTimeout(function(){process.exit(1);},5000);try{await browser.pause(1500);await Promise.race([global.flushBareLog("crash-"+stage),new Promise(function(_,rj){setTimeout(function(){rj(new Error("bare-log flush timed out"));},3000);})]);}catch(_){}}return state;}catch(e){console.log("["+stage+"] queryAppState error: "+e.message);return-1;}};console.log("Checking initial app state...");await global.checkAppCrash("startup");console.log("Waiting for app to initialize...");await browser.pause(5000);await global.checkAppCrash("after-pause");const initText=await browser.$("-ios predicate string:label CONTAINS \"INITIALIZED\"");await initText.waitForDisplayed({timeout:60000});await global.checkAppCrash("after-init");console.log("App initialized, clicking Run Automated Tests...");const button=await browser.$("-ios predicate string:label CONTAINS \"Run Automated Tests\"");await button.waitForDisplayed({timeout:15000});await button.click();console.log("Button clicked!");await browser.pause(5000);await global.checkAppCrash("after-click");},after:async function(result,capabilities,specs){console.log("[bare-log] Waiting for log flush...");await browser.pause(3000);if(global.flushBareLog)await global.flushBareLog("after");try{const fs=require("fs");const path=require("path");const artifactDir=path.resolve(process.cwd(),"tests","artifacts");const remoteArtifactDir="@'${{ env.APP_BUNDLE_ID }}':documents/test/generated-images/";const artifactPath=path.join(artifactDir,"ios-generated-images.zip");fs.mkdirSync(artifactDir,{recursive:true});if(typeof browser.pullFolder!=="function"){console.log("No iOS generated image artifacts collected: browser.pullFolder is not available");return;}console.log("Attempting to pull generated images from "+remoteArtifactDir);const folderData=await 
browser.pullFolder(remoteArtifactDir);fs.writeFileSync(artifactPath,Buffer.from(folderData,"base64"));console.log("Saved generated image artifacts to "+artifactPath);}catch(e){console.log("No iOS generated image artifacts collected: "+e.message);}},afterTest:async function(test,context,{error}){if(global.appCrashed)return;await global.checkAppCrash("after-test:"+test.title);}};' fi - + # Base64 encode the wdio config to safely embed in YAML # Note: macOS base64 doesn't support -w flag (no line wrapping by default) WDIO_CONFIG_B64=$(echo "$WDIO_CONFIG" | base64 | tr -d '\n') - + # Create test spec YAML using printf to avoid variable expansion issues { printf 'version: 0.1\n' @@ -949,14 +972,14 @@ jobs: printf ' - echo "Creating wdio config for Device Farm..."\n' printf ' - echo "%s" | base64 -d > tests/wdio.config.devicefarm.js\n' "$WDIO_CONFIG_B64" printf ' - cat tests/wdio.config.devicefarm.js\n' - + # iOS-specific WebDriverAgent configuration (only for iOS platform) if [ "${{ matrix.platform }}" == "iOS" ]; then printf ' - echo "šŸ”§ Configuring WebDriverAgent for iOS..."\n' printf ' - export DEVICEFARM_APPIUM_WDA_DERIVED_DATA_PATH=$DEVICEFARM_APPIUM_WDA_DERIVED_DATA_PATH_V9\n' printf ' - echo "WDA Path: $DEVICEFARM_APPIUM_WDA_DERIVED_DATA_PATH"\n' fi - + printf ' - echo "šŸš€ Starting Appium server..."\n' printf ' - export APPIUM_BASE_PATH=/wd/hub\n' printf ' - |\n' @@ -997,7 +1020,7 @@ jobs: printf ' - echo "Verifying Appium is still running..."\n' printf ' - ps aux | grep appium | grep -v grep || echo "āš ļø Appium process not found"\n' printf ' - curl -s http://127.0.0.1:4723/wd/hub/status || echo "āš ļø Appium status check failed"\n' - + printf ' - echo "Starting wdio test execution..."\n' printf ' - node node_modules/@wdio/cli/bin/wdio.js run tests/wdio.config.devicefarm.js\n' printf '\n' 
@@ -1017,7 +1040,7 @@ jobs: printf ' else\n' printf ' echo "No tests/artifacts directory found"\n' printf ' fi\n' - + # iOS-specific: Output captured device logs if [ "${{ matrix.platform }}" == "iOS" ]; then printf ' - echo ""\n' @@ -1037,25 +1060,25 @@ jobs: printf 'artifacts:\n' printf ' - $DEVICEFARM_LOG_DIR\n' } > testspec.yml - + echo "Generated test spec:" echo "====================" cat testspec.yml echo "====================" - + echo "šŸ“¤ Uploading test spec to Device Farm..." SPEC_RESPONSE=$(aws devicefarm create-upload \ --project-arn "${{ secrets.LLM_AWS_DEVICE_FARM_PROJECT_ARN }}" \ --name "testspec.yml" \ --type "APPIUM_NODE_TEST_SPEC" \ --output json) - + SPEC_UPLOAD_URL=$(echo $SPEC_RESPONSE | jq -r '.upload.url') SPEC_UPLOAD_ARN=$(echo $SPEC_RESPONSE | jq -r '.upload.arn') echo "test_spec_arn=$SPEC_UPLOAD_ARN" >> $GITHUB_OUTPUT - + curl -T testspec.yml "$SPEC_UPLOAD_URL" - + # Wait for processing echo "ā³ Waiting for test spec to be processed..." MAX_ATTEMPTS=20 @@ -1063,18 +1086,18 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" --query "upload.status" --output text) echo "Test spec status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… Test spec upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Test spec upload failed" aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" exit 1 fi - + sleep 5 ATTEMPT=$((ATTEMPT + 1)) done 
@@ -1087,19 +1110,19 @@ jobs: else POOL_ARN="${{ secrets.LLM_IOS_DEVICE_POOL_ARN }}" fi - + # Set run name based on trigger if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then RUN_NAME="Manual-${{ github.run_number }}-${{ matrix.platform }}" else RUN_NAME="PR-${{ github.event.pull_request.number || github.run_number }}-${{ matrix.platform }}" fi - + echo "šŸš€ Scheduling Device Farm test run..." echo "Platform: ${{ matrix.platform }}" echo "Device Pool ARN: $POOL_ARN" echo "Run Name: $RUN_NAME" - + RUN_ARN=$(aws devicefarm schedule-run \ --project-arn "${{ secrets.LLM_AWS_DEVICE_FARM_PROJECT_ARN }}" \ --device-pool-arn "$POOL_ARN" \ 
@@ -1107,193 +1130,13 @@ jobs: --name "$RUN_NAME" \ --test type=APPIUM_NODE,testPackageArn="${{ steps.upload_test_package.outputs.test_package_upload_arn }}",testSpecArn="${{ steps.upload_test_spec.outputs.test_spec_arn }}" \ --query 'run.arn' --output text) - + echo "run_arn=$RUN_ARN" >> $GITHUB_OUTPUT echo "āœ… Test run scheduled: $RUN_ARN" - name: Monitor Test Run id: monitor_run - run: | - RUN_ARN="${{ steps.schedule_run.outputs.run_arn }}" - echo "šŸ“Š Monitoring test run: $RUN_ARN" - echo "" - - MAX_WAIT_TIME=7200 # 120 minutes - ELAPSED=0 - - while true; do - STATUS=$(aws devicefarm get-run --arn "$RUN_ARN" --query 'run.status' --output text) - RESULT=$(aws devicefarm get-run --arn "$RUN_ARN" --query 'run.result' --output text) - - echo "ā³ Run status: $STATUS (Result: $RESULT) - Elapsed: ${ELAPSED}s" - - if [[ "$STATUS" == "COMPLETED" ]]; then - echo "" - echo "āœ… Test run completed!" - break - fi - - if [ $ELAPSED -ge $MAX_WAIT_TIME ]; then - echo "" - echo "āŒ Timeout: Test run exceeded $MAX_WAIT_TIME seconds" - exit 1 - fi - - sleep 30 - ELAPSED=$((ELAPSED + 30)) - done - - # Get detailed results - RUN_DETAILS=$(aws devicefarm get-run --arn "$RUN_ARN" --output json) - RESULT=$(echo $RUN_DETAILS | jq -r '.run.result') - COUNTERS=$(echo $RUN_DETAILS | jq -r '.run.counters') - - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“Š FINAL TEST RESULTS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "Result: $RESULT" - echo "" - - # Get jobs (devices) and extract actual test names - echo "šŸ“± Fetching detailed test results..." 
- JOBS=$(aws devicefarm list-jobs --arn "$RUN_ARN" --output json) - - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“‹ YOUR TESTS (excluding Setup/Teardown)" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - - DEVICE_COUNT=0 - USER_TEST_COUNT=0 - USER_PASSED=0 - USER_FAILED=0 - FAILED_TEST_DETAILS=() - - # Extract project ID and run ID from RUN_ARN for console links - # RUN_ARN format: arn:aws:devicefarm:us-west-2:ACCOUNT:run:PROJECT_ID/RUN_ID - PROJECT_ID=$(echo "$RUN_ARN" | sed -n 's/.*:run:\([^/]*\)\/.*/\1/p') - RUN_ID=$(echo "$RUN_ARN" | sed -n 's/.*:run:[^/]*\/\(.*\)/\1/p') - - # Process each device/job - for JOB_ARN in $(echo "$JOBS" | jq -r '.jobs[].arn'); do - DEVICE_COUNT=$((DEVICE_COUNT + 1)) - JOB_DETAILS=$(aws devicefarm get-job --arn "$JOB_ARN" --output json) - DEVICE_NAME=$(echo "$JOB_DETAILS" | jq -r '.job.device.name // "Unknown Device"') - JOB_RESULT=$(echo "$JOB_DETAILS" | jq -r '.job.result // "UNKNOWN"') - JOB_ID=$(echo "$JOB_ARN" | sed -n 's/.*:job:[^/]*\/[^/]*\/\(.*\)/\1/p') - - # Build console link (no region param needed when region is in subdomain) - CONSOLE_LINK="https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}/jobs/${JOB_ID}" - - if [ "$JOB_RESULT" = "PASSED" ]; then - echo " āœ… $DEVICE_NAME: PASSED" - USER_PASSED=$((USER_PASSED + 1)) - else - echo " āŒ $DEVICE_NAME: $JOB_RESULT" - USER_FAILED=$((USER_FAILED + 1)) - FAILED_TEST_DETAILS+=("āŒ $DEVICE_NAME: $JOB_RESULT") - FAILED_TEST_DETAILS+=(" šŸ“Ž View logs: $CONSOLE_LINK") - fi - - USER_TEST_COUNT=$((USER_TEST_COUNT + 1)) - echo "" - done - - # Show AWS Device Farm console link for the entire run - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ”— AWS DEVICE FARM LINKS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "šŸ“Š Full Run Details:" - echo " https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}" - 
echo "" - echo "šŸ’” Tip: Click the link above, then select a device to view:" - echo " • Video recording of the test" - echo " • Screenshots" - echo " • Device logs" - echo " • Test spec output (shows individual test results)" - echo "" - - # Summary - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“Š SUMMARY" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "Devices tested: $DEVICE_COUNT" - echo " āœ… Passed: $USER_PASSED" - echo " āŒ Failed: $USER_FAILED" - echo "" - echo "šŸ“‹ What these tests verify:" - echo " The E2E tests run on Device Farm check that your app:" - echo " 1. Shows 'INITIALIZED' after startup" - echo " 2. Runs all test functions from test/mobile/*.cjs" - echo " 3. Reports PASS/FAIL for each test function" - echo "" - echo "šŸ’” If a test times out but the video shows PASS:" - echo " → The app test passed, but E2E gave up waiting too early" - echo " → Check timeout settings in qvac-test-addon-mobile" - echo "" - echo "Device Farm Counters (includes Setup/Teardown):" - echo "$COUNTERS" | jq '.' 
- echo "" - - if [ ${#FAILED_TEST_DETAILS[@]} -gt 0 ]; then - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "āŒ FAILED TESTS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - for failed_info in "${FAILED_TEST_DETAILS[@]}"; do - echo "$failed_info" - done - echo "" - fi - - # Save for PR comment - echo "test_result=$RESULT" >> $GITHUB_OUTPUT - echo "test_counters<> $GITHUB_OUTPUT - echo "$COUNTERS" >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - - # Extract test counts - TOTAL=$(echo $COUNTERS | jq -r '.total // 0') - PASSED=$(echo $COUNTERS | jq -r '.passed // 0') - FAILED=$(echo $COUNTERS | jq -r '.failed // 0') - SKIPPED=$(echo $COUNTERS | jq -r '.skipped // 0') - - echo "test_total=$TOTAL" >> $GITHUB_OUTPUT - echo "test_passed=$PASSED" >> $GITHUB_OUTPUT - echo "test_failed=$FAILED" >> $GITHUB_OUTPUT - echo "test_skipped=$SKIPPED" >> $GITHUB_OUTPUT - - # Also save user test counts - echo "user_test_count=$USER_TEST_COUNT" >> $GITHUB_OUTPUT - echo "user_test_passed=$USER_PASSED" >> $GITHUB_OUTPUT - echo "user_test_failed=$USER_FAILED" >> $GITHUB_OUTPUT - - # Determine if tests passed or failed - # Red status (exit 1) if: - # 1. Device Farm overall result is not PASSED, OR - # 2. Any of your tests failed - # Green status (exit 0) only if all tests passed - - if [[ "$RESULT" != "PASSED" ]] || [ $USER_FAILED -gt 0 ]; then - echo "" - echo "āŒ Device Farm tests failed" - if [[ "$RESULT" != "PASSED" ]]; then - echo " Device Farm result: $RESULT" - fi - echo " Your tests: $USER_PASSED passed, $USER_FAILED failed (out of $USER_TEST_COUNT total)" - echo " Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED" - exit 1 - fi - - echo "" - echo "āœ… All Device Farm tests passed!" 
- echo " Your tests: $USER_PASSED passed (out of $USER_TEST_COUNT total)" - echo " Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED" - + run: "RUN_ARN=\"${{ steps.schedule_run.outputs.run_arn }}\"\necho \"šŸ“Š Monitoring test run: $RUN_ARN\"\necho \"\"\n #magic___^_^___line\nMAX_WAIT_TIME=7200 # 120 minutes\nELAPSED=0\n #magic___^_^___line\nwhile true; do\n STATUS=$(aws devicefarm get-run --arn \"$RUN_ARN\" --query 'run.status' --output text)\n RESULT=$(aws devicefarm get-run --arn \"$RUN_ARN\" --query 'run.result' --output text)\n #magic___^_^___line\n echo \"ā³ Run status: $STATUS (Result: $RESULT) - Elapsed: ${ELAPSED}s\"\n #magic___^_^___line\n if [[ \"$STATUS\" == \"COMPLETED\" ]]; then\n echo \"\"\n echo \"āœ… Test run completed!\"\n break\n fi\n #magic___^_^___line\n if [ $ELAPSED -ge $MAX_WAIT_TIME ]; then\n echo \"\"\n echo \"āŒ Timeout: Test run exceeded $MAX_WAIT_TIME seconds\"\n exit 1\n fi\n #magic___^_^___line\n sleep 30\n ELAPSED=$((ELAPSED + 30))\ndone\n #magic___^_^___line\n# Get detailed results\nRUN_DETAILS=$(aws devicefarm get-run --arn \"$RUN_ARN\" --output json)\nRESULT=$(echo $RUN_DETAILS | jq -r '.run.result')\nCOUNTERS=$(echo $RUN_DETAILS | jq -r '.run.counters')\n #magic___^_^___line\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“Š FINAL TEST RESULTS\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"Result: $RESULT\"\necho \"\"\n #magic___^_^___line\n# Get jobs (devices) and extract actual test names\necho \"šŸ“± Fetching detailed test results...\"\nJOBS=$(aws devicefarm list-jobs --arn \"$RUN_ARN\" --output json)\n #magic___^_^___line\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“‹ YOUR TESTS (excluding Setup/Teardown)\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\n #magic___^_^___line\nDEVICE_COUNT=0\nUSER_TEST_COUNT=0\nUSER_PASSED=0\nUSER_FAILED=0\nFAILED_TEST_DETAILS=()\n #magic___^_^___line\n# Extract project ID and run 
ID from RUN_ARN for console links\n# RUN_ARN format: arn:aws:devicefarm:us-west-2:ACCOUNT:run:PROJECT_ID/RUN_ID\nPROJECT_ID=$(echo \"$RUN_ARN\" | sed -n 's/.*:run:\\([^/]*\\)\\/.*/\\1/p')\nRUN_ID=$(echo \"$RUN_ARN\" | sed -n 's/.*:run:[^/]*\\/\\(.*\\)/\\1/p')\n #magic___^_^___line\n# Process each device/job\nfor JOB_ARN in $(echo \"$JOBS\" | jq -r '.jobs[].arn'); do\n DEVICE_COUNT=$((DEVICE_COUNT + 1))\n JOB_DETAILS=$(aws devicefarm get-job --arn \"$JOB_ARN\" --output json)\n DEVICE_NAME=$(echo \"$JOB_DETAILS\" | jq -r '.job.device.name // \"Unknown Device\"')\n JOB_RESULT=$(echo \"$JOB_DETAILS\" | jq -r '.job.result // \"UNKNOWN\"')\n JOB_ID=$(echo \"$JOB_ARN\" | sed -n 's/.*:job:[^/]*\\/[^/]*\\/\\(.*\\)/\\1/p')\n #magic___^_^___line\n # Build console link (no region param needed when region is in subdomain)\n CONSOLE_LINK=\"https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}/jobs/${JOB_ID}\"\n #magic___^_^___line\n if [ \"$JOB_RESULT\" = \"PASSED\" ]; then\n echo \" āœ… $DEVICE_NAME: PASSED\"\n USER_PASSED=$((USER_PASSED + 1))\n else\n echo \" āŒ $DEVICE_NAME: $JOB_RESULT\"\n USER_FAILED=$((USER_FAILED + 1))\n FAILED_TEST_DETAILS+=(\"āŒ $DEVICE_NAME: $JOB_RESULT\")\n FAILED_TEST_DETAILS+=(\" šŸ“Ž View logs: $CONSOLE_LINK\")\n fi\n #magic___^_^___line\n USER_TEST_COUNT=$((USER_TEST_COUNT + 1))\n echo \"\"\ndone\n #magic___^_^___line\n# Show AWS Device Farm console link for the entire run\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ”— AWS DEVICE FARM LINKS\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\necho \"šŸ“Š Full Run Details:\"\necho \" https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}\"\necho \"\"\necho \"šŸ’” Tip: Click the link above, then select a device to view:\"\necho \" • Video recording of the test\"\necho \" • Screenshots\" \necho \" • Device logs\"\necho \" • Test spec output (shows individual test 
results)\"\necho \"\"\n #magic___^_^___line\n# Summary\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“Š SUMMARY\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\necho \"Devices tested: $DEVICE_COUNT\"\necho \" āœ… Passed: $USER_PASSED\"\necho \" āŒ Failed: $USER_FAILED\"\necho \"\"\necho \"šŸ“‹ What these tests verify:\"\necho \" The E2E tests run on Device Farm check that your app:\"\necho \" 1. Shows 'INITIALIZED' after startup\"\necho \" 2. Runs all test functions from test/mobile/*.cjs\"\necho \" 3. Reports PASS/FAIL for each test function\"\necho \"\"\necho \"šŸ’” If a test times out but the video shows PASS:\"\necho \" → The app test passed, but E2E gave up waiting too early\"\necho \" → Check timeout settings in qvac-test-addon-mobile\"\necho \"\"\necho \"Device Farm Counters (includes Setup/Teardown):\"\necho \"$COUNTERS\" | jq '.'\necho \"\"\n #magic___^_^___line\nif [ ${#FAILED_TEST_DETAILS[@]} -gt 0 ]; then\n echo \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n echo \"āŒ FAILED TESTS\"\n echo \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n for failed_info in \"${FAILED_TEST_DETAILS[@]}\"; do\n echo \"$failed_info\"\n done\n echo \"\"\nfi\n #magic___^_^___line\n# Save for PR comment\necho \"test_result=$RESULT\" >> $GITHUB_OUTPUT\necho \"test_counters<> $GITHUB_OUTPUT\necho \"$COUNTERS\" >> $GITHUB_OUTPUT\necho \"EOF\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Extract test counts\nTOTAL=$(echo $COUNTERS | jq -r '.total // 0')\nPASSED=$(echo $COUNTERS | jq -r '.passed // 0')\nFAILED=$(echo $COUNTERS | jq -r '.failed // 0')\nSKIPPED=$(echo $COUNTERS | jq -r '.skipped // 0')\n #magic___^_^___line\necho \"test_total=$TOTAL\" >> $GITHUB_OUTPUT\necho \"test_passed=$PASSED\" >> $GITHUB_OUTPUT\necho \"test_failed=$FAILED\" >> $GITHUB_OUTPUT\necho \"test_skipped=$SKIPPED\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Also save user test counts\necho \"user_test_count=$USER_TEST_COUNT\" >> $GITHUB_OUTPUT\necho 
\"user_test_passed=$USER_PASSED\" >> $GITHUB_OUTPUT\necho \"user_test_failed=$USER_FAILED\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Determine if tests passed or failed\n# Red status (exit 1) if:\n# 1. Device Farm overall result is not PASSED, OR\n# 2. Any of your tests failed\n# Green status (exit 0) only if all tests passed\n #magic___^_^___line\nif [[ \"$RESULT\" != \"PASSED\" ]] || [ $USER_FAILED -gt 0 ]; then\n echo \"\"\n echo \"āŒ Device Farm tests failed\"\n if [[ \"$RESULT\" != \"PASSED\" ]]; then\n echo \" Device Farm result: $RESULT\"\n fi\n echo \" Your tests: $USER_PASSED passed, $USER_FAILED failed (out of $USER_TEST_COUNT total)\"\n echo \" Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED\"\n exit 1\nfi\n #magic___^_^___line\necho \"\"\necho \"āœ… All Device Farm tests passed!\"\necho \" Your tests: $USER_PASSED passed (out of $USER_TEST_COUNT total)\"\necho \" Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED\"\n #magic___^_^___line\n" - name: Refresh AWS credentials for log download if: always() && steps.schedule_run.outputs.run_arn uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # 6.0.0 diff --git a/.github/workflows/integration-mobile-test-embed-llamacpp.yml b/.github/workflows/integration-mobile-test-embed-llamacpp.yml index ffdb69edbc..38c3c2fba0 100644 --- a/.github/workflows/integration-mobile-test-embed-llamacpp.yml +++ b/.github/workflows/integration-mobile-test-embed-llamacpp.yml 
@@ -30,18 +30,41 @@ on: env: NODE_VERSION: 'lts/*' ADDON_NAME: '@qvac/embed-llamacpp' - PREBUILD_ARTIFACT_PREFIX: 'llama-cpp-' # Prefix for prebuild artifacts - TEST_FRAMEWORK_REF: 'main' # Branch/tag of qvac-test-addon-mobile framework - APP_BUNDLE_ID: 'io.tether.test.qvac' # Bundle ID for the test app (same for all addons) + PREBUILD_ARTIFACT_PREFIX: 'llama-cpp-' # Prefix for prebuild artifacts + TEST_FRAMEWORK_REF: 'main' # Branch/tag of qvac-test-addon-mobile framework + APP_BUNDLE_ID: 'io.tether.test.qvac' # Bundle ID for the test app (same for all addons) ADDON_DIR: 'packages/embed-llamacpp' jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release timeout-minutes: 120 - continue-on-error: true # Don't block PR merges if tests fail + continue-on-error: true # Don't block PR merges if tests fail permissions: contents: read packages: read 
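Review bot: The `label-gate` job passes `secrets.PAT_TOKEN` to the local action, and a personal access token is not narrowed by the job's `permissions:` block, so `contents: read` / `pull-requests: write` does not bound what the gate step can do with it. If the action only reads labels and comments on the pull request (its code is not visible in this hunk), `github-token: ${{ github.token }}` would keep it inside the declared permissions. Otherwise, a comment above the `with:` block naming the scope the PAT needs would make the choice auditable. The checkout step can also take `persist-credentials: false`, since neither of the two visible steps needs git credentials afterwards.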
@@ -754,34 +777,34 @@ jobs: run: | echo "šŸ“¦ Packaging e2e tests..." cd e2e - + # Install dependencies before packing npm install - + # Create tarball npm pack - + # Create zip with test files only (no node_modules - will be installed on Device Farm) ZIP_NAME="e2e-tests-${{ matrix.platform }}.zip" zip -r "$ZIP_NAME" \ package.json \ tests/ \ *.tgz - + echo "šŸ“¦ Package contents (excluding node_modules):" unzip -l "$ZIP_NAME" | head -20 - + # Verify zip was created if [ ! -f "$ZIP_NAME" ]; then echo "āŒ ERROR: Failed to create test package zip" exit 1 fi - + SIZE=$(du -h "$ZIP_NAME" | cut -f1) echo "āœ… Test package created: $ZIP_NAME (Size: $SIZE)" - + mv "$ZIP_NAME" "$GITHUB_WORKSPACE/" - + # Upload test package to AWS Device Farm echo "šŸ“¤ Uploading test package to AWS Device Farm..." UPLOAD_RESPONSE=$(aws devicefarm create-upload \ @@ -789,26 +812,26 @@ jobs: --name "$ZIP_NAME" \ --type "APPIUM_NODE_TEST_PACKAGE" \ --output json) - + if [ $? -ne 0 ]; then echo "āŒ Error creating test package upload in Device Farm" echo "Response: $UPLOAD_RESPONSE" exit 1 fi - + TEST_UPLOAD_URL=$(echo $UPLOAD_RESPONSE | jq -r '.upload.url') TEST_UPLOAD_ARN=$(echo $UPLOAD_RESPONSE | jq -r '.upload.arn') echo "test_package_upload_arn=$TEST_UPLOAD_ARN" >> $GITHUB_OUTPUT echo "Test package upload ARN: $TEST_UPLOAD_ARN" - + echo "Uploading to: $TEST_UPLOAD_URL" curl -T "$GITHUB_WORKSPACE/$ZIP_NAME" "$TEST_UPLOAD_URL" - + if [ $? -ne 0 ]; then echo "āŒ Error uploading test package using curl" exit 1 fi - + # Wait for processing echo "ā³ Waiting for test package to be processed..." MAX_ATTEMPTS=30 
@@ -816,22 +839,22 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$TEST_UPLOAD_ARN" --query "upload.status" --output text) echo "Test package status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… Test package upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Test package upload failed" aws devicefarm get-upload --arn "$TEST_UPLOAD_ARN" exit 1 fi - + sleep 10 ATTEMPT=$((ATTEMPT + 1)) done - + if [ $ATTEMPT -gt $MAX_ATTEMPTS ]; then echo "āŒ Timeout waiting for test package processing" exit 1 @@ -842,7 +865,7 @@ jobs: run: | echo "šŸ“ Creating test spec for custom environment mode..." echo "Platform: ${{ matrix.platform }}" - + # Create platform-specific test spec using printf for precise control # NOTE: Both platforms use a 'before' hook in the wdio config to click the button # This ensures a single Appium session for reliability (no session handoff issues) 
@@ -866,11 +889,11 @@ jobs: # Increased timeout to 30 minutes (1800000ms) for long-running embedding tests WDIO_CONFIG='exports.config={runner:"local",hostname:"127.0.0.1",port:4723,path:"/wd/hub",specs:["*.spec.js","*.test.js"],maxInstances:1,bail:0,capabilities:[{platformName:"iOS","appium:automationName":"XCUITest","appium:bundleId":"'${{ env.APP_BUNDLE_ID }}'","appium:newCommandTimeout":300,"appium:noReset":true,"appium:forceAppLaunch":false,"appium:usePrebuiltWDA":true,"appium:wdaLocalPort":8100,"appium:showIOSLog":true,"appium:realDeviceLogger":"/usr/local/lib/node_modules/appium/node_modules/deviceconsole/deviceconsole"}],logLevel:"debug",waitforTimeout:120000,connectionRetryTimeout:30000,connectionRetryCount:3,services:[],framework:"mocha",reporters:["spec"],mochaOpts:{ui:"bdd",timeout:1800000},before:async function(capabilities,specs,browser){const BUNDLE_ID="'${{ env.APP_BUNDLE_ID }}'";global.appCrashed=false;global.flushBareLog=async function(reason){try{var _h=require("http");var lb64=await new Promise(function(ok,fail){var bd=JSON.stringify({path:"@"+BUNDLE_ID+":documents/bare_console.log"});var rq=_h.request({hostname:"127.0.0.1",port:4723,path:"/wd/hub/session/"+browser.sessionId+"/appium/device/pull_file",method:"POST",headers:{"Content-Type":"application/json","Content-Length":Buffer.byteLength(bd)}},function(rs){var d="";rs.on("data",function(c){d+=c;});rs.on("end",function(){try{ok(JSON.parse(d).value);}catch(e){fail(e);}});});rq.on("error",fail);rq.write(bd);rq.end();});var logTxt=Buffer.from(lb64,"base64").toString();var logDir=process.env.DEVICEFARM_LOG_DIR||".";require("fs").writeFileSync(logDir+"/bare_console.log",logTxt);console.log("[bare-log] "+reason+" flush ok ("+logTxt.length+" bytes)");}catch(e){console.log("[bare-log] "+reason+" flush failed: "+e.message);}};global.checkAppCrash=async(stage)=>{try{const state=await browser.queryAppState(BUNDLE_ID);console.log("["+stage+"] App state: "+state+" (4=foreground,3=background,1=not 
running)");if(state<3){console.error("\\nšŸ›‘ APP CRASHED at "+stage+"! State="+state);console.error("Check device logs for BareKit/native errors.\\n");global.appCrashed=true;setTimeout(function(){process.exit(1);},5000);try{await browser.pause(1500);await Promise.race([global.flushBareLog("crash-"+stage),new Promise(function(_,rj){setTimeout(function(){rj(new Error("bare-log flush timed out"));},3000);})]);}catch(_){}}return state;}catch(e){console.log("["+stage+"] queryAppState error: "+e.message);return-1;}};console.log("Checking initial app state...");await global.checkAppCrash("startup");console.log("Waiting for app to initialize...");await browser.pause(5000);await global.checkAppCrash("after-pause");const initText=await browser.$("-ios predicate string:label CONTAINS \"INITIALIZED\"");await initText.waitForDisplayed({timeout:60000});await global.checkAppCrash("after-init");console.log("App initialized, clicking Run Automated Tests...");const button=await browser.$("-ios predicate string:label CONTAINS \"Run Automated Tests\"");await button.waitForDisplayed({timeout:15000});await button.click();console.log("Button clicked!");await browser.pause(5000);await global.checkAppCrash("after-click");},after:async function(){console.log("[bare-log] Waiting for log flush...");await browser.pause(3000);if(global.flushBareLog)await global.flushBareLog("after");},afterTest:async function(test,context,{error}){if(global.appCrashed)return;await global.checkAppCrash("after-test:"+test.title);}};' fi - + # Base64 encode the wdio config to safely embed in YAML # Note: macOS base64 doesn't support -w flag (no line wrapping by default) WDIO_CONFIG_B64=$(echo "$WDIO_CONFIG" | base64 | tr -d '\n') - + # Create test spec YAML using printf to avoid variable expansion issues { printf 'version: 0.1\n' 
@@ -902,14 +925,14 @@ jobs: printf ' - echo "Creating wdio config for Device Farm..."\n' printf ' - echo "%s" | base64 -d > tests/wdio.config.devicefarm.js\n' "$WDIO_CONFIG_B64" printf ' - cat tests/wdio.config.devicefarm.js\n' - + # iOS-specific WebDriverAgent configuration (only for iOS platform) if [ "${{ matrix.platform }}" == "iOS" ]; then printf ' - echo "šŸ”§ Configuring WebDriverAgent for iOS..."\n' printf ' - export DEVICEFARM_APPIUM_WDA_DERIVED_DATA_PATH=$DEVICEFARM_APPIUM_WDA_DERIVED_DATA_PATH_V9\n' printf ' - echo "WDA Path: $DEVICEFARM_APPIUM_WDA_DERIVED_DATA_PATH"\n' fi - + printf ' - echo "šŸš€ Starting Appium server..."\n' printf ' - export APPIUM_BASE_PATH=/wd/hub\n' printf ' - |\n' @@ -950,14 +973,14 @@ jobs: printf ' - echo "Verifying Appium is still running..."\n' printf ' - ps aux | grep appium | grep -v grep || echo "āš ļø Appium process not found"\n' printf ' - curl -s http://127.0.0.1:4723/wd/hub/status || echo "āš ļø Appium status check failed"\n' - + printf ' - echo "Starting wdio test execution..."\n' printf ' - node node_modules/@wdio/cli/bin/wdio.js run tests/wdio.config.devicefarm.js\n' printf '\n' printf ' post_test:\n' printf ' commands:\n' printf ' - echo "Test completed"\n' - + # iOS-specific: Output captured device logs if [ "${{ matrix.platform }}" == "iOS" ]; then printf ' - echo ""\n' 
@@ -977,25 +1000,25 @@ jobs: printf 'artifacts:\n' printf ' - $DEVICEFARM_LOG_DIR\n' } > testspec.yml - + echo "Generated test spec:" echo "====================" cat testspec.yml echo "====================" - + echo "šŸ“¤ Uploading test spec to Device Farm..." SPEC_RESPONSE=$(aws devicefarm create-upload \ --project-arn "${{ secrets.AWS_DEVICE_FARM_PROJECT_ARN_LLAMACPP_EMBED }}" \ --name "testspec.yml" \ --type "APPIUM_NODE_TEST_SPEC" \ --output json) - + SPEC_UPLOAD_URL=$(echo $SPEC_RESPONSE | jq -r '.upload.url') SPEC_UPLOAD_ARN=$(echo $SPEC_RESPONSE | jq -r '.upload.arn') echo "test_spec_arn=$SPEC_UPLOAD_ARN" >> $GITHUB_OUTPUT - + curl -T testspec.yml "$SPEC_UPLOAD_URL" - + # Wait for processing echo "ā³ Waiting for test spec to be processed..." MAX_ATTEMPTS=20 @@ -1003,18 +1026,18 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" --query "upload.status" --output text) echo "Test spec status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… Test spec upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Test spec upload failed" aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" exit 1 fi - + sleep 5 ATTEMPT=$((ATTEMPT + 1)) done @@ -1027,19 +1050,19 @@ jobs: else POOL_ARN="${{ secrets.IOS_DEVICE_POOL_ARN_LLAMACPP_EMBED }}" fi - + # Set run name based on trigger if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then RUN_NAME="Manual-${{ github.run_number }}-${{ matrix.platform }}" else RUN_NAME="PR-${{ github.event.pull_request.number || github.run_number }}-${{ matrix.platform }}" fi - + echo "šŸš€ Scheduling Device Farm test run..." echo "Platform: ${{ matrix.platform }}" echo "Device Pool ARN: $POOL_ARN" echo "Run Name: $RUN_NAME" - + RUN_ARN=$(aws devicefarm schedule-run \ --project-arn "${{ secrets.AWS_DEVICE_FARM_PROJECT_ARN_LLAMACPP_EMBED }}" \ --device-pool-arn "$POOL_ARN" \ 
@@ -1047,193 +1070,13 @@ jobs: --name "$RUN_NAME" \ --test type=APPIUM_NODE,testPackageArn="${{ steps.upload_test_package.outputs.test_package_upload_arn }}",testSpecArn="${{ steps.upload_test_spec.outputs.test_spec_arn }}" \ --query 'run.arn' --output text) - + echo "run_arn=$RUN_ARN" >> $GITHUB_OUTPUT echo "āœ… Test run scheduled: $RUN_ARN" - name: Monitor Test Run id: monitor_run - run: | - RUN_ARN="${{ steps.schedule_run.outputs.run_arn }}" - echo "šŸ“Š Monitoring test run: $RUN_ARN" - echo "" - - MAX_WAIT_TIME=7200 # 120 minutes - ELAPSED=0 - - while true; do - STATUS=$(aws devicefarm get-run --arn "$RUN_ARN" --query 'run.status' --output text) - RESULT=$(aws devicefarm get-run --arn "$RUN_ARN" --query 'run.result' --output text) - - echo "ā³ Run status: $STATUS (Result: $RESULT) - Elapsed: ${ELAPSED}s" - - if [[ "$STATUS" == "COMPLETED" ]]; then - echo "" - echo "āœ… Test run completed!" - break - fi - - if [ $ELAPSED -ge $MAX_WAIT_TIME ]; then - echo "" - echo "āŒ Timeout: Test run exceeded $MAX_WAIT_TIME seconds" - exit 1 - fi - - sleep 30 - ELAPSED=$((ELAPSED + 30)) - done - - # Get detailed results - RUN_DETAILS=$(aws devicefarm get-run --arn "$RUN_ARN" --output json) - RESULT=$(echo $RUN_DETAILS | jq -r '.run.result') - COUNTERS=$(echo $RUN_DETAILS | jq -r '.run.counters') - - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“Š FINAL TEST RESULTS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "Result: $RESULT" - echo "" - - # Get jobs (devices) and extract actual test names - echo "šŸ“± Fetching detailed test results..." 
- JOBS=$(aws devicefarm list-jobs --arn "$RUN_ARN" --output json) - - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“‹ YOUR TESTS (excluding Setup/Teardown)" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - - DEVICE_COUNT=0 - USER_TEST_COUNT=0 - USER_PASSED=0 - USER_FAILED=0 - FAILED_TEST_DETAILS=() - - # Extract project ID and run ID from RUN_ARN for console links - # RUN_ARN format: arn:aws:devicefarm:us-west-2:ACCOUNT:run:PROJECT_ID/RUN_ID - PROJECT_ID=$(echo "$RUN_ARN" | sed -n 's/.*:run:\([^/]*\)\/.*/\1/p') - RUN_ID=$(echo "$RUN_ARN" | sed -n 's/.*:run:[^/]*\/\(.*\)/\1/p') - - # Process each device/job - for JOB_ARN in $(echo "$JOBS" | jq -r '.jobs[].arn'); do - DEVICE_COUNT=$((DEVICE_COUNT + 1)) - JOB_DETAILS=$(aws devicefarm get-job --arn "$JOB_ARN" --output json) - DEVICE_NAME=$(echo "$JOB_DETAILS" | jq -r '.job.device.name // "Unknown Device"') - JOB_RESULT=$(echo "$JOB_DETAILS" | jq -r '.job.result // "UNKNOWN"') - JOB_ID=$(echo "$JOB_ARN" | sed -n 's/.*:job:[^/]*\/[^/]*\/\(.*\)/\1/p') - - # Build console link (no region param needed when region is in subdomain) - CONSOLE_LINK="https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}/jobs/${JOB_ID}" - - if [ "$JOB_RESULT" = "PASSED" ]; then - echo " āœ… $DEVICE_NAME: PASSED" - USER_PASSED=$((USER_PASSED + 1)) - else - echo " āŒ $DEVICE_NAME: $JOB_RESULT" - USER_FAILED=$((USER_FAILED + 1)) - FAILED_TEST_DETAILS+=("āŒ $DEVICE_NAME: $JOB_RESULT") - FAILED_TEST_DETAILS+=(" šŸ“Ž View logs: $CONSOLE_LINK") - fi - - USER_TEST_COUNT=$((USER_TEST_COUNT + 1)) - echo "" - done - - # Show AWS Device Farm console link for the entire run - echo "" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ”— AWS DEVICE FARM LINKS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "šŸ“Š Full Run Details:" - echo " https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}" - 
echo "" - echo "šŸ’” Tip: Click the link above, then select a device to view:" - echo " • Video recording of the test" - echo " • Screenshots" - echo " • Device logs" - echo " • Test spec output (shows individual test results)" - echo "" - - # Summary - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "šŸ“Š SUMMARY" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "" - echo "Devices tested: $DEVICE_COUNT" - echo " āœ… Passed: $USER_PASSED" - echo " āŒ Failed: $USER_FAILED" - echo "" - echo "šŸ“‹ What these tests verify:" - echo " The E2E tests run on Device Farm check that your app:" - echo " 1. Shows 'INITIALIZED' after startup" - echo " 2. Runs all test functions from test/mobile/*.cjs" - echo " 3. Reports PASS/FAIL for each test function" - echo "" - echo "šŸ’” If a test times out but the video shows PASS:" - echo " → The app test passed, but E2E gave up waiting too early" - echo " → Check timeout settings in qvac-test-addon-mobile" - echo "" - echo "Device Farm Counters (includes Setup/Teardown):" - echo "$COUNTERS" | jq '.' 
- echo "" - - if [ ${#FAILED_TEST_DETAILS[@]} -gt 0 ]; then - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - echo "āŒ FAILED TESTS" - echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" - for failed_info in "${FAILED_TEST_DETAILS[@]}"; do - echo "$failed_info" - done - echo "" - fi - - # Save for PR comment - echo "test_result=$RESULT" >> $GITHUB_OUTPUT - echo "test_counters<> $GITHUB_OUTPUT - echo "$COUNTERS" >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - - # Extract test counts - TOTAL=$(echo $COUNTERS | jq -r '.total // 0') - PASSED=$(echo $COUNTERS | jq -r '.passed // 0') - FAILED=$(echo $COUNTERS | jq -r '.failed // 0') - SKIPPED=$(echo $COUNTERS | jq -r '.skipped // 0') - - echo "test_total=$TOTAL" >> $GITHUB_OUTPUT - echo "test_passed=$PASSED" >> $GITHUB_OUTPUT - echo "test_failed=$FAILED" >> $GITHUB_OUTPUT - echo "test_skipped=$SKIPPED" >> $GITHUB_OUTPUT - - # Also save user test counts - echo "user_test_count=$USER_TEST_COUNT" >> $GITHUB_OUTPUT - echo "user_test_passed=$USER_PASSED" >> $GITHUB_OUTPUT - echo "user_test_failed=$USER_FAILED" >> $GITHUB_OUTPUT - - # Determine if tests passed or failed - # Red status (exit 1) if: - # 1. Device Farm overall result is not PASSED, OR - # 2. Any of your tests failed - # Green status (exit 0) only if all tests passed - - if [[ "$RESULT" != "PASSED" ]] || [ $USER_FAILED -gt 0 ]; then - echo "" - echo "āŒ Device Farm tests failed" - if [[ "$RESULT" != "PASSED" ]]; then - echo " Device Farm result: $RESULT" - fi - echo " Your tests: $USER_PASSED passed, $USER_FAILED failed (out of $USER_TEST_COUNT total)" - echo " Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED" - exit 1 - fi - - echo "" - echo "āœ… All Device Farm tests passed!" 
- echo " Your tests: $USER_PASSED passed (out of $USER_TEST_COUNT total)" - echo " Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED" - + run: "RUN_ARN=\"${{ steps.schedule_run.outputs.run_arn }}\"\necho \"šŸ“Š Monitoring test run: $RUN_ARN\"\necho \"\"\n #magic___^_^___line\nMAX_WAIT_TIME=7200 # 120 minutes\nELAPSED=0\n #magic___^_^___line\nwhile true; do\n STATUS=$(aws devicefarm get-run --arn \"$RUN_ARN\" --query 'run.status' --output text)\n RESULT=$(aws devicefarm get-run --arn \"$RUN_ARN\" --query 'run.result' --output text)\n #magic___^_^___line\n echo \"ā³ Run status: $STATUS (Result: $RESULT) - Elapsed: ${ELAPSED}s\"\n #magic___^_^___line\n if [[ \"$STATUS\" == \"COMPLETED\" ]]; then\n echo \"\"\n echo \"āœ… Test run completed!\"\n break\n fi\n #magic___^_^___line\n if [ $ELAPSED -ge $MAX_WAIT_TIME ]; then\n echo \"\"\n echo \"āŒ Timeout: Test run exceeded $MAX_WAIT_TIME seconds\"\n exit 1\n fi\n #magic___^_^___line\n sleep 30\n ELAPSED=$((ELAPSED + 30))\ndone\n #magic___^_^___line\n# Get detailed results\nRUN_DETAILS=$(aws devicefarm get-run --arn \"$RUN_ARN\" --output json)\nRESULT=$(echo $RUN_DETAILS | jq -r '.run.result')\nCOUNTERS=$(echo $RUN_DETAILS | jq -r '.run.counters')\n #magic___^_^___line\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“Š FINAL TEST RESULTS\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"Result: $RESULT\"\necho \"\"\n #magic___^_^___line\n# Get jobs (devices) and extract actual test names\necho \"šŸ“± Fetching detailed test results...\"\nJOBS=$(aws devicefarm list-jobs --arn \"$RUN_ARN\" --output json)\n #magic___^_^___line\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“‹ YOUR TESTS (excluding Setup/Teardown)\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\n #magic___^_^___line\nDEVICE_COUNT=0\nUSER_TEST_COUNT=0\nUSER_PASSED=0\nUSER_FAILED=0\nFAILED_TEST_DETAILS=()\n #magic___^_^___line\n# Extract project ID and run 
ID from RUN_ARN for console links\n# RUN_ARN format: arn:aws:devicefarm:us-west-2:ACCOUNT:run:PROJECT_ID/RUN_ID\nPROJECT_ID=$(echo \"$RUN_ARN\" | sed -n 's/.*:run:\\([^/]*\\)\\/.*/\\1/p')\nRUN_ID=$(echo \"$RUN_ARN\" | sed -n 's/.*:run:[^/]*\\/\\(.*\\)/\\1/p')\n #magic___^_^___line\n# Process each device/job\nfor JOB_ARN in $(echo \"$JOBS\" | jq -r '.jobs[].arn'); do\n DEVICE_COUNT=$((DEVICE_COUNT + 1))\n JOB_DETAILS=$(aws devicefarm get-job --arn \"$JOB_ARN\" --output json)\n DEVICE_NAME=$(echo \"$JOB_DETAILS\" | jq -r '.job.device.name // \"Unknown Device\"')\n JOB_RESULT=$(echo \"$JOB_DETAILS\" | jq -r '.job.result // \"UNKNOWN\"')\n JOB_ID=$(echo \"$JOB_ARN\" | sed -n 's/.*:job:[^/]*\\/[^/]*\\/\\(.*\\)/\\1/p')\n #magic___^_^___line\n # Build console link (no region param needed when region is in subdomain)\n CONSOLE_LINK=\"https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}/jobs/${JOB_ID}\"\n #magic___^_^___line\n if [ \"$JOB_RESULT\" = \"PASSED\" ]; then\n echo \" āœ… $DEVICE_NAME: PASSED\"\n USER_PASSED=$((USER_PASSED + 1))\n else\n echo \" āŒ $DEVICE_NAME: $JOB_RESULT\"\n USER_FAILED=$((USER_FAILED + 1))\n FAILED_TEST_DETAILS+=(\"āŒ $DEVICE_NAME: $JOB_RESULT\")\n FAILED_TEST_DETAILS+=(\" šŸ“Ž View logs: $CONSOLE_LINK\")\n fi\n #magic___^_^___line\n USER_TEST_COUNT=$((USER_TEST_COUNT + 1))\n echo \"\"\ndone\n #magic___^_^___line\n# Show AWS Device Farm console link for the entire run\necho \"\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ”— AWS DEVICE FARM LINKS\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\necho \"šŸ“Š Full Run Details:\"\necho \" https://us-west-2.console.aws.amazon.com/devicefarm/home#/mobile/projects/${PROJECT_ID}/runs/${RUN_ID}\"\necho \"\"\necho \"šŸ’” Tip: Click the link above, then select a device to view:\"\necho \" • Video recording of the test\"\necho \" • Screenshots\" \necho \" • Device logs\"\necho \" • Test spec output (shows individual test 
results)\"\necho \"\"\n #magic___^_^___line\n# Summary\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"šŸ“Š SUMMARY\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"\"\necho \"Devices tested: $DEVICE_COUNT\"\necho \" āœ… Passed: $USER_PASSED\"\necho \" āŒ Failed: $USER_FAILED\"\necho \"\"\necho \"šŸ“‹ What these tests verify:\"\necho \" The E2E tests run on Device Farm check that your app:\"\necho \" 1. Shows 'INITIALIZED' after startup\"\necho \" 2. Runs all test functions from test/mobile/*.cjs\"\necho \" 3. Reports PASS/FAIL for each test function\"\necho \"\"\necho \"šŸ’” If a test times out but the video shows PASS:\"\necho \" → The app test passed, but E2E gave up waiting too early\"\necho \" → Check timeout settings in qvac-test-addon-mobile\"\necho \"\"\necho \"Device Farm Counters (includes Setup/Teardown):\"\necho \"$COUNTERS\" | jq '.'\necho \"\"\n #magic___^_^___line\nif [ ${#FAILED_TEST_DETAILS[@]} -gt 0 ]; then\n echo \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n echo \"āŒ FAILED TESTS\"\n echo \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n for failed_info in \"${FAILED_TEST_DETAILS[@]}\"; do\n echo \"$failed_info\"\n done\n echo \"\"\nfi\n #magic___^_^___line\n# Save for PR comment\necho \"test_result=$RESULT\" >> $GITHUB_OUTPUT\necho \"test_counters<> $GITHUB_OUTPUT\necho \"$COUNTERS\" >> $GITHUB_OUTPUT\necho \"EOF\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Extract test counts\nTOTAL=$(echo $COUNTERS | jq -r '.total // 0')\nPASSED=$(echo $COUNTERS | jq -r '.passed // 0')\nFAILED=$(echo $COUNTERS | jq -r '.failed // 0')\nSKIPPED=$(echo $COUNTERS | jq -r '.skipped // 0')\n #magic___^_^___line\necho \"test_total=$TOTAL\" >> $GITHUB_OUTPUT\necho \"test_passed=$PASSED\" >> $GITHUB_OUTPUT\necho \"test_failed=$FAILED\" >> $GITHUB_OUTPUT\necho \"test_skipped=$SKIPPED\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Also save user test counts\necho \"user_test_count=$USER_TEST_COUNT\" >> $GITHUB_OUTPUT\necho 
\"user_test_passed=$USER_PASSED\" >> $GITHUB_OUTPUT\necho \"user_test_failed=$USER_FAILED\" >> $GITHUB_OUTPUT\n #magic___^_^___line\n# Determine if tests passed or failed\n# Red status (exit 1) if:\n# 1. Device Farm overall result is not PASSED, OR\n# 2. Any of your tests failed\n# Green status (exit 0) only if all tests passed\n #magic___^_^___line\nif [[ \"$RESULT\" != \"PASSED\" ]] || [ $USER_FAILED -gt 0 ]; then\n echo \"\"\n echo \"āŒ Device Farm tests failed\"\n if [[ \"$RESULT\" != \"PASSED\" ]]; then\n echo \" Device Farm result: $RESULT\"\n fi\n echo \" Your tests: $USER_PASSED passed, $USER_FAILED failed (out of $USER_TEST_COUNT total)\"\n echo \" Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED\"\n exit 1\nfi\n #magic___^_^___line\necho \"\"\necho \"āœ… All Device Farm tests passed!\"\necho \" Your tests: $USER_PASSED passed (out of $USER_TEST_COUNT total)\"\necho \" Device Farm total: $TOTAL | Passed: $PASSED | Failed: $FAILED | Skipped: $SKIPPED\"\n #magic___^_^___line\n" - name: Refresh AWS credentials for log download if: always() && steps.schedule_run.outputs.run_arn uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # 6.0.0 diff --git a/.github/workflows/integration-mobile-test-llm-llamacpp.yml b/.github/workflows/integration-mobile-test-llm-llamacpp.yml index db588f393f..3c2119f927 100644 --- a/.github/workflows/integration-mobile-test-llm-llamacpp.yml +++ b/.github/workflows/integration-mobile-test-llm-llamacpp.yml 
@@ -63,7 +63,30 @@ env: ADDON_WORKDIR: "addon/packages/llm-llamacpp" jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release @@ -966,7 +989,7 @@ jobs: BUNDLE_ID="${{ env.APP_BUNDLE_ID }}" WDIO_CONFIG="$WDIO_IOS" fi - + WDIO_B64=$(echo "$WDIO_CONFIG" | base64 | tr -d '\n') generate_spec() { diff --git a/.github/workflows/integration-mobile-test-ocr-onnx.yml b/.github/workflows/integration-mobile-test-ocr-onnx.yml index d9019bb2d0..032912a7d9 100644 --- a/.github/workflows/integration-mobile-test-ocr-onnx.yml +++ b/.github/workflows/integration-mobile-test-ocr-onnx.yml 
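Review bot: The `Checkout (label-gate action only)` step does not set `persist-credentials`, so the job token is left in the checked-out `.git/config`; adding `persist-credentials: false` under its `with:` keeps the `pull-requests: write` token out of the workspace the local action then runs in. The step also relies on `ref: ${{ github.event.repository.default_branch }}` being non-empty: if that expression ever evaluates to an empty string (presumably possible for a trigger whose payload carries no `repository` object), actions/checkout falls back to the ref of the triggering event, and the gate code would no longer be guaranteed to come from the default branch. A guard step that fails when the value is empty, or a hard-coded branch name, would make the gate fail closed. The same job is added unchanged to the other workflows in this commit, so the point applies to each copy.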
@@ -39,7 +39,30 @@ env: PKG_DIR: packages/ocr-onnx jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release diff --git a/.github/workflows/integration-mobile-test-transcription-parakeet.yml b/.github/workflows/integration-mobile-test-transcription-parakeet.yml index ca1bd0288e..d71e490525 100644 --- a/.github/workflows/integration-mobile-test-transcription-parakeet.yml +++ b/.github/workflows/integration-mobile-test-transcription-parakeet.yml 
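Review bot: `github-token: ${{ secrets.PAT_TOKEN }}` hands the gate a personal access token even though the job already scopes `GITHUB_TOKEN` to `contents: read` and `pull-requests: write`, and a `permissions:` block does not constrain a PAT. If the action only reads labels and comments on the pull request, `github-token: ${{ github.token }}` would keep it inside the declared permissions. If it does need the PAT (the action's code is not visible here), a comment above the input should say why, for example `# PAT required: <reason GITHUB_TOKEN is insufficient>`. It is also worth confirming that the action leaves `authorised` unset when the token is empty, since secrets are generally not available to `pull_request` runs from forks. This applies to every label-gate job the commit adds.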
@@ -69,7 +69,30 @@ env: TEST_FRAMEWORK_DIR: test-framework jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release diff --git a/.github/workflows/integration-mobile-test-transcription-whispercpp.yml b/.github/workflows/integration-mobile-test-transcription-whispercpp.yml index f8f871e4b7..ab0eb27a41 100644 --- a/.github/workflows/integration-mobile-test-transcription-whispercpp.yml +++ b/.github/workflows/integration-mobile-test-transcription-whispercpp.yml 
@@ -36,12 +36,35 @@ on: env: NODE_VERSION: 'lts/*' ADDON_NAME: '@qvac/transcription-whispercpp' - PREBUILD_ARTIFACT_PREFIX: 'whisper-cpp-' # Prefix for prebuild artifacts (matches prebuilds.yaml) - TEST_FRAMEWORK_REF: 'main' # Branch/tag of qvac-test-addon-mobile framework - APP_BUNDLE_ID: 'io.tether.test.qvac' # Bundle ID for the test app (same for all addons) + PREBUILD_ARTIFACT_PREFIX: 'whisper-cpp-' # Prefix for prebuild artifacts (matches prebuilds.yaml) + TEST_FRAMEWORK_REF: 'main' # Branch/tag of qvac-test-addon-mobile framework + APP_BUNDLE_ID: 'io.tether.test.qvac' # Bundle ID for the test app (same for all addons) jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release @@ -49,7 +72,7 @@ jobs: permissions: contents: read packages: read - pull-requests: write # Allow commenting on PRs + pull-requests: write # Allow commenting on PRs id-token: write strategy: fail-fast: false @@ -57,7 +80,7 @@ jobs: include: - platform: Android os: ubuntu-24.04 - runner: ai-run-linux # Self-hosted runner to avoid Maven Central 403 issues + runner: ai-run-linux # Self-hosted runner to avoid Maven Central 403 issues - platform: iOS os: macos-14 runner: macos-14 
diff --git a/.github/workflows/integration-mobile-test-translation-nmtcpp.yml b/.github/workflows/integration-mobile-test-translation-nmtcpp.yml index ea41fb7feb..638220840a 100644 --- a/.github/workflows/integration-mobile-test-translation-nmtcpp.yml +++ b/.github/workflows/integration-mobile-test-translation-nmtcpp.yml @@ -39,7 +39,30 @@ env: PKG_DIR: packages/translation-nmtcpp jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release @@ -564,7 +587,7 @@ jobs: echo "apk_path=$APK_ABSOLUTE_PATH" >> $GITHUB_OUTPUT echo "app_type=ANDROID_APP" >> $GITHUB_OUTPUT echo "app_name=test-app-${{ matrix.platform }}.apk" >> $GITHUB_OUTPUT - + # Clean up build intermediates to free disk space echo "Cleaning up build intermediates..." rm -rf android/app/build/intermediates @@ -1053,8 +1076,6 @@ jobs: # bare_console.log file to harvest from Customer_Artifacts.zip. fi - - # Create test spec YAML using printf to avoid variable expansion issues { printf 'version: 0.1\n' diff --git a/.github/workflows/integration-mobile-test-tts-ggml.yml b/.github/workflows/integration-mobile-test-tts-ggml.yml index 18e11bd374..47198f9a5b 100644 --- a/.github/workflows/integration-mobile-test-tts-ggml.yml +++ b/.github/workflows/integration-mobile-test-tts-ggml.yml 
@@ -79,6 +79,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + # NOTE: continue-on-error: true mirrors integration-test-tts-ggml.yml # and parakeet's matching workflow. on-pr-tts-ggml.yml's merge-guard # treats `success || skipped` as a pass, so a hard Device Farm failure @@ -87,6 +108,8 @@ jobs: # mobile pipeline (Device Farm provisioning, signing, runner pool # availability) is stable enough to make a hard gate cheap. build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests runs-on: ${{ matrix.runner }} environment: release diff --git a/.github/workflows/integration-mobile-test-tts-onnx.yml b/.github/workflows/integration-mobile-test-tts-onnx.yml index 240aa5d307..4d17af6dd8 100644 --- a/.github/workflows/integration-mobile-test-tts-onnx.yml +++ b/.github/workflows/integration-mobile-test-tts-onnx.yml 
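Review bot: The new `if: needs.label-gate.outputs.authorised == 'true'` on `build-and-test` leaves the job skipped when the gate refuses, and the NOTE comment directly above says on-pr-tts-ggml.yml's merge-guard treats `success || skipped` as a pass. If that comment is still accurate (merge-guard itself is not in view), an unauthorised run yields a green merge guard without the Device Farm tests ever running, so the gate and the guard need to agree on what "skipped" means. At minimum the NOTE should record this, e.g. `# An unauthorised label-gate also leaves this job skipped, which merge-guard counts as a pass.`; a stricter option is for merge-guard to read `needs.label-gate.outputs.authorised` and only accept `skipped` when the run was authorised. The same combination appears in integration-test-tts-ggml.yml, where `run-integration-tests` gets the same `if:` under the same NOTE.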
@@ -45,7 +45,30 @@ env: TEST_FRAMEWORK_DIR: test-framework jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + build-and-test: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: Build ${{ matrix.platform }} and Run E2E Tests (${{ matrix.variant }}) runs-on: ${{ matrix.runner }} environment: release @@ -319,7 +342,7 @@ jobs: working-directory: ${{ env.ADDON_DIR }} run: | echo "Injecting CHATTERBOX_VARIANT=${{ matrix.variant }} into mobile runtime" - + # Create a patch to mock os.getEnv for our specific variable echo " const os = require('bare-os'); @@ -330,7 +353,7 @@ jobs: return originalGetEnv ? originalGetEnv.call(this, key) : undefined; }; " > test/mobile/inject-env.cjs - + # Prepend this patch to the integration runtime wrapper cat test/mobile/integration-runtime.cjs >> test/mobile/inject-env.cjs mv test/mobile/inject-env.cjs test/mobile/integration-runtime.cjs @@ -473,7 +496,7 @@ jobs: echo "apk_path=$APK_ABSOLUTE_PATH" >> $GITHUB_OUTPUT echo "app_type=ANDROID_APP" >> $GITHUB_OUTPUT echo "app_name=test-app-${{ matrix.platform }}.apk" >> $GITHUB_OUTPUT - + # Clean up build intermediates to free disk space echo "Cleaning up build intermediates..." rm -rf android/app/build/intermediates 
@@ -802,18 +825,18 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$APP_UPLOAD_ARN" --query "upload.status" --output text) echo "Status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… App upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Upload failed" aws devicefarm get-upload --arn "$APP_UPLOAD_ARN" exit 1 fi - + sleep 10 ATTEMPT=$((ATTEMPT + 1)) done @@ -909,18 +932,18 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$TEST_UPLOAD_ARN" --query "upload.status" --output text) echo "Test package status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… Test package upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Test package upload failed" aws devicefarm get-upload --arn "$TEST_UPLOAD_ARN" exit 1 fi - + sleep 10 ATTEMPT=$((ATTEMPT + 1)) done @@ -1096,18 +1119,18 @@ jobs: while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do STATUS=$(aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" --query "upload.status" --output text) echo "Test spec status (attempt $ATTEMPT/$MAX_ATTEMPTS): $STATUS" - + if [ "$STATUS" = "SUCCEEDED" ]; then echo "āœ… Test spec upload successful" break fi - + if [ "$STATUS" = "FAILED" ]; then echo "āŒ Test spec upload failed" aws devicefarm get-upload --arn "$SPEC_UPLOAD_ARN" exit 1 fi - + sleep 5 ATTEMPT=$((ATTEMPT + 1)) done diff --git a/.github/workflows/integration-test-bci-whispercpp.yml b/.github/workflows/integration-test-bci-whispercpp.yml index a53aad54c1..ffea45f8dc 100644 --- a/.github/workflows/integration-test-bci-whispercpp.yml +++ b/.github/workflows/integration-test-bci-whispercpp.yml 
@@ -30,7 +30,30 @@ on: type: string jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: 60 continue-on-error: true runs-on: ${{ matrix.os }} diff --git a/.github/workflows/integration-test-decoder-audio.yml b/.github/workflows/integration-test-decoder-audio.yml index acc7214357..16e479ecc3 100644 --- a/.github/workflows/integration-test-decoder-audio.yml +++ b/.github/workflows/integration-test-decoder-audio.yml @@ -15,7 +15,30 @@ on: default: "packages/decoder-audio" jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ${{ matrix.os }} environment: release name: test-${{ matrix.platform }}-${{ matrix.arch }} 
diff --git a/.github/workflows/integration-test-diffusion-cpp.yml b/.github/workflows/integration-test-diffusion-cpp.yml index 8d28fecdac..48aab37b97 100644 --- a/.github/workflows/integration-test-diffusion-cpp.yml +++ b/.github/workflows/integration-test-diffusion-cpp.yml @@ -22,7 +22,30 @@ on: required: true jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: ${{ matrix.timeout || 360 }} continue-on-error: true runs-on: ${{ matrix.runner }} diff --git a/.github/workflows/integration-test-embed-llamacpp.yml b/.github/workflows/integration-test-embed-llamacpp.yml index 98877b1e40..af9fca924f 100644 --- a/.github/workflows/integration-test-embed-llamacpp.yml +++ b/.github/workflows/integration-test-embed-llamacpp.yml 
@@ -21,7 +21,30 @@ on: required: true jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ${{ matrix.runner || matrix.os }} environment: release name: ${{ matrix.platform }}-${{ matrix.arch }}-integration-tests diff --git a/.github/workflows/integration-test-llm-llamacpp.yml b/.github/workflows/integration-test-llm-llamacpp.yml index 4a803dab49..8c66635887 100644 --- a/.github/workflows/integration-test-llm-llamacpp.yml +++ b/.github/workflows/integration-test-llm-llamacpp.yml @@ -54,7 +54,30 @@ on: default: false jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: ${{ matrix.timeout_minutes || 360 }} continue-on-error: true runs-on: ${{ matrix.runner }} 
diff --git a/.github/workflows/integration-test-ocr-onnx.yml b/.github/workflows/integration-test-ocr-onnx.yml index 9c33c119b2..1abdef5c75 100644 --- a/.github/workflows/integration-test-ocr-onnx.yml +++ b/.github/workflows/integration-test-ocr-onnx.yml @@ -30,7 +30,30 @@ env: PKG_DIR: packages/ocr-onnx jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' continue-on-error: true runs-on: ${{ matrix.os }} environment: release diff --git a/.github/workflows/integration-test-transcription-parakeet.yml b/.github/workflows/integration-test-transcription-parakeet.yml index ad52a4dd83..b16a7bf755 100644 --- a/.github/workflows/integration-test-transcription-parakeet.yml +++ b/.github/workflows/integration-test-transcription-parakeet.yml 
@@ -32,7 +32,30 @@ on: default: true jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: 60 continue-on-error: true runs-on: ${{ matrix.os }} diff --git a/.github/workflows/integration-test-transcription-whispercpp.yml b/.github/workflows/integration-test-transcription-whispercpp.yml index c0011dc402..be2a1ed5a7 100644 --- a/.github/workflows/integration-test-transcription-whispercpp.yml +++ b/.github/workflows/integration-test-transcription-whispercpp.yml @@ -54,7 +54,30 @@ on: type: string jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: 60 continue-on-error: true runs-on: ${{ matrix.os }} 
@@ -101,8 +124,7 @@ jobs: platform: win32 arch: x64 benchmark_matrix_json: >- - [{"modelFile":"ggml-tiny.bin","useGPU":false,"backendHint":"cpu"},{"modelFile":"ggml-tiny.bin","useGPU":true,"backendHint":"directml"}] - + [{"modelFile":"ggml-tiny.bin","useGPU":false,"backendHint":"cpu"},{"modelFile":"ggml-tiny.bin","useGPU":true,"backendHint":"directml"}] #magic___^_^___line steps: - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # 6.3.0 @@ -221,7 +243,7 @@ jobs: run: npm run test:stand-alone:gpu env: GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - + - name: Run RTF benchmark (Unix) if: ${{ always() && matrix.platform != 'win32' && inputs.run_rtf_benchmarks != false }} continue-on-error: true diff --git a/.github/workflows/integration-test-translation-nmtcpp.yml b/.github/workflows/integration-test-translation-nmtcpp.yml index 8c49ae7c3b..767cf7c5fc 100644 --- a/.github/workflows/integration-test-translation-nmtcpp.yml +++ b/.github/workflows/integration-test-translation-nmtcpp.yml @@ -27,7 +27,30 @@ env: PKG_DIR: packages/qvac-lib-infer-nmtcpp jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: 60 runs-on: ${{ matrix.os }} environment: release 
@@ -131,7 +154,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y mesa-vulkan-drivers - + - if: ${{ matrix.platform == 'win32' }} name: Install AWS CLI on self-hosted Windows runner shell: powershell diff --git a/.github/workflows/integration-test-tts-ggml.yml b/.github/workflows/integration-test-tts-ggml.yml index a662dc970a..0eba8213ba 100644 --- a/.github/workflows/integration-test-tts-ggml.yml +++ b/.github/workflows/integration-test-tts-ggml.yml @@ -40,6 +40,27 @@ permissions: packages: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + # NOTE: continue-on-error: true mirrors the early-days landing posture # we use for parakeet's matching workflow. The on-pr-tts-ggml.yml # merge-guard treats this job's `success || skipped` as a pass, so a @@ -49,6 +70,8 @@ jobs: # change merge-guard to require `success`) once the addon's flake # surface is small enough to make a hard gate cheap. run-integration-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' timeout-minutes: 60 continue-on-error: true runs-on: ${{ matrix.os }} diff --git a/.github/workflows/integration-test-tts-onnx.yml b/.github/workflows/integration-test-tts-onnx.yml index 153ce578ed..26e708382a 100644 --- a/.github/workflows/integration-test-tts-onnx.yml +++ b/.github/workflows/integration-test-tts-onnx.yml 
@@ -128,8 +128,30 @@ on: type: boolean jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + run-integration-tests: - if: ${{ inputs.run_integration_tests != false }} + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && inputs.run_integration_tests != false continue-on-error: true runs-on: ${{ matrix.os }} environment: release @@ -223,7 +245,8 @@ jobs: if-no-files-found: ignore run-supertonic-desktop-benchmarks: - if: ${{ inputs.run_supertonic_desktop_benchmarks == true }} + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && inputs.run_supertonic_desktop_benchmarks == true continue-on-error: true runs-on: ${{ matrix.os }} environment: release @@ -668,8 +691,8 @@ jobs: if-no-files-found: ignore summarize-supertonic-desktop-benchmarks: - if: ${{ always() && inputs.run_supertonic_desktop_benchmarks == true }} - needs: run-supertonic-desktop-benchmarks + if: needs.label-gate.outputs.authorised == 'true' && always() && inputs.run_supertonic_desktop_benchmarks == true + needs: [run-supertonic-desktop-benchmarks, label-gate] runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/on-merge-bci-whispercpp.yml b/.github/workflows/on-merge-bci-whispercpp.yml index 323dcf9216..0810c63117 100644 --- a/.github/workflows/on-merge-bci-whispercpp.yml +++ b/.github/workflows/on-merge-bci-whispercpp.yml 
@@ -34,6 +34,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: runs-on: ubuntu-latest outputs: @@ -85,8 +106,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -103,12 +123,8 @@ jobs: changelog-path: packages/bci-whispercpp/CHANGELOG.md build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
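Review bot: The `label-gate` job added to on-merge-bci-whispercpp.yml is a verbatim copy of the one added to every other workflow in this commit, so any later change to the gate (a checkout pin bump, a new input, a different token) has to be repeated in each file, and a missed copy leaves that workflow on the old gate. Consider moving the job into a single reusable workflow that exposes `authorised` as an output and is referenced at a fixed ref, with each workflow keeping only a short calling job. If the copies are kept, add a comment such as `# keep in sync with the label-gate job in the other workflows` above `label-gate:`.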
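Review bot: The new `if:` on `build` in on-merge-bci-whispercpp.yml is a single line of well over 200 characters, which makes it hard to confirm in review that the gate is ANDed with the whole publish condition and not only its first operand. Keep the folded scalar the old code used and put the gate on its own line; `>-` folds to the same expression. The same one-line rewrite is applied to `publish-npm` here and to the `build`, `publish-gpr` and `publish-npm` conditions in the other on-merge workflows, and untouched conditions such as `release-merge-guard` were re-joined onto one line with no functional change, which adds noise to a diff that changes authorisation. The job body continues past the hunk.

```yaml
  build:
    needs: [publish-logic, label-gate]
    if: >-
      needs.label-gate.outputs.authorised == 'true' &&
      (
        needs.publish-logic.outputs.publish_main == 'true' ||
        needs.publish-logic.outputs.publish_release == 'true' ||
        needs.publish-logic.outputs.publish_feature == 'true' ||
        needs.publish-logic.outputs.publish_tmp == 'true'
      )
    # … unchanged: permissions and the rest of the job …
```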
@@ -124,9 +140,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.capture_version.outputs.published_version }} @@ -194,12 +208,8 @@ jobs: fi publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.capture_version.outputs.published_version }} runs-on: ubuntu-latest @@ -298,8 +308,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-bci-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} 
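Review bot: `publish-gpr` in on-merge-bci-whispercpp.yml only has its condition re-wrapped; `label-gate` is added to neither `needs` nor `if`, so the job is gated only indirectly, through `needs: [build, publish-logic]` and the implicit `success()` check. That holds today, but adding `!cancelled()` or `always()` to this condition later (as `publish-npm` below already has) would silently remove the gate from a publishing job. on-merge-diffusion-cpp.yml, on-merge-embed-llamacpp.yml and on-merge-llm-llamacpp.yml gate `publish-gpr` explicitly; do the same here with `needs: [build, publish-logic, label-gate]` and by wrapping the existing condition as `needs.label-gate.outputs.authorised == 'true' && ( … )`. The ungated form also appears in on-merge-ocr-onnx.yml, on-merge-onnx.yml, on-merge-transcription-parakeet.yml and on-merge-transcription-whispercpp.yml.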
@@ -308,8 +318,8 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-bci-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' permissions: contents: read packages: read diff --git a/.github/workflows/on-merge-decoder-audio.yml b/.github/workflows/on-merge-decoder-audio.yml index 91789373d7..aff59ccda0 100644 --- a/.github/workflows/on-merge-decoder-audio.yml +++ b/.github/workflows/on-merge-decoder-audio.yml @@ -33,6 +33,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: runs-on: ubuntu-latest outputs: @@ -91,8 +112,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 
@@ -109,12 +129,8 @@ jobs: changelog-path: packages/decoder-audio/CHANGELOG.md run-integration-tests: - needs: publish-logic - if: | - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') uses: ./.github/workflows/integration-test-decoder-audio.yml secrets: inherit with: @@ -123,17 +139,13 @@ jobs: workdir: "packages/decoder-audio" mobile-integration-tests: - needs: publish-logic + needs: [publish-logic, label-gate] permissions: contents: read packages: read pull-requests: write id-token: write - if: | - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') uses: ./.github/workflows/integration-mobile-test-decoder-audio.yml secrets: inherit with: 
@@ -142,11 +154,8 @@ jobs: workdir: "packages/decoder-audio" publish-gpr: - needs: [publish-logic, run-integration-tests, mobile-integration-tests] - if: | - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, run-integration-tests, mobile-integration-tests, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -168,11 +177,8 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard, run-integration-tests, mobile-integration-tests] - if: | - !cancelled() && - needs.publish-logic.outputs.publish_release == 'true' && - needs.release-merge-guard.result == 'success' + needs: [publish-logic, release-merge-guard, run-integration-tests, mobile-integration-tests, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && !cancelled() && needs.publish-logic.outputs.publish_release == 'true' && needs.release-merge-guard.result == 'success' runs-on: ubuntu-latest environment: npm outputs: diff --git a/.github/workflows/on-merge-diffusion-cpp.yml b/.github/workflows/on-merge-diffusion-cpp.yml index 923f7ad287..2660dec828 100644 --- a/.github/workflows/on-merge-diffusion-cpp.yml +++ b/.github/workflows/on-merge-diffusion-cpp.yml 
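Review bot: `publish-release-npm` in on-merge-decoder-audio.yml lists `run-integration-tests` and `mobile-integration-tests` in `needs` but never reads their results. Because the condition contains `!cancelled()`, GitHub no longer applies the implicit `success()` check, so a failed test job does not stop the npm publish. If the tests are meant to be a release gate, add `needs.run-integration-tests.result == 'success'` and the mobile equivalent (or an explicit allowance for `skipped`) to the condition. This behaviour predates the commit, but the line is rewritten here, and the label gate only decides who may trigger the job, not whether the build is good. The job body continues past the hunk.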
@@ -41,7 +41,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -91,10 +114,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: @@ -113,12 +135,8 @@ jobs: # Build prebuilds (build + merge only, no publishing) build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -131,11 +149,8 @@ jobs: # Publish to GitHub Package Registry (GPR) for non-release branches publish-gpr: - needs: [build, publish-logic] - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [build, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') continue-on-error: true runs-on: ubuntu-latest environment: release @@ -179,12 +194,8 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -239,9 +250,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml diff --git a/.github/workflows/on-merge-embed-llamacpp.yml b/.github/workflows/on-merge-embed-llamacpp.yml index 80cd8fee79..0d925b1631 100644 --- a/.github/workflows/on-merge-embed-llamacpp.yml +++ b/.github/workflows/on-merge-embed-llamacpp.yml 
@@ -34,7 +34,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -84,10 +107,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: @@ -106,12 +128,8 @@ jobs: # Build prebuilds (build + merge only, no publishing) build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -124,11 +142,8 @@ jobs: # Publish to GitHub Package Registry (GPR) for non-release branches publish-gpr: - needs: [build, publish-logic] - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [build, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') continue-on-error: true runs-on: ubuntu-latest environment: release @@ -160,12 +175,8 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -206,9 +217,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml diff --git a/.github/workflows/on-merge-llm-llamacpp.yml b/.github/workflows/on-merge-llm-llamacpp.yml index cb5f0a3abf..7005e72edb 100644 --- a/.github/workflows/on-merge-llm-llamacpp.yml +++ b/.github/workflows/on-merge-llm-llamacpp.yml 
@@ -40,9 +40,31 @@ permissions: packages: read id-token: write - jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -92,10 +114,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: @@ -114,12 +135,8 @@ jobs: # Build prebuilds (build + merge only, no publishing) build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -132,11 +149,8 @@ jobs: # Publish to GitHub Package Registry (GPR) for non-release branches publish-gpr: - needs: [build, publish-logic] - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [build, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') continue-on-error: true runs-on: ubuntu-latest environment: release @@ -180,12 +194,8 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -240,9 +250,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml diff --git a/.github/workflows/on-merge-ocr-onnx.yml b/.github/workflows/on-merge-ocr-onnx.yml index 048b08ecfb..36b2d5c935 100644 --- a/.github/workflows/on-merge-ocr-onnx.yml +++ b/.github/workflows/on-merge-ocr-onnx.yml 
@@ -37,7 +37,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -87,10 +110,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -108,18 +130,8 @@ jobs: changelog-path: packages/ocr-onnx/CHANGELOG.md build: - needs: [publish-logic, release-merge-guard] - if: >- - !cancelled() && - ( - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' || - ( - needs.publish-logic.outputs.publish_release == 'true' && - needs.release-merge-guard.result == 'success' - ) - ) + needs: [publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && ( needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' || ( needs.publish-logic.outputs.publish_release == 'true' && needs.release-merge-guard.result == 'success' ) )) permissions: contents: write packages: write @@ -131,9 +143,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} 
@@ -165,12 +175,8 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) continue-on-error: false outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} @@ -254,8 +260,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-ocr-onnx.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} diff --git a/.github/workflows/on-merge-onnx.yml b/.github/workflows/on-merge-onnx.yml index 2f228f04b0..a65e91beaf 100644 --- a/.github/workflows/on-merge-onnx.yml +++ b/.github/workflows/on-merge-onnx.yml 
@@ -37,7 +37,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -87,10 +110,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: @@ -108,12 +130,8 @@ jobs: changelog-path: packages/onnx/CHANGELOG.md build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -125,9 +143,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} @@ -159,12 +175,8 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} runs-on: ubuntu-latest @@ -207,9 +219,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release-onnx.yml diff --git a/.github/workflows/on-merge-transcription-parakeet.yml b/.github/workflows/on-merge-transcription-parakeet.yml index 2e8ae4b782..ee829fad17 100644 --- a/.github/workflows/on-merge-transcription-parakeet.yml +++ b/.github/workflows/on-merge-transcription-parakeet.yml 
@@ -34,7 +34,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -84,10 +107,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: @@ -106,12 +128,8 @@ jobs: # Build prebuilds (build + merge only, no publishing) build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -128,9 +146,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true runs-on: ubuntu-latest outputs: @@ -188,12 +204,8 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -244,9 +256,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -284,8 +294,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-transcription-parakeet.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} 
@@ -293,8 +303,8 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-transcription-parakeet.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' permissions: contents: read packages: read diff --git a/.github/workflows/on-merge-transcription-whispercpp.yml b/.github/workflows/on-merge-transcription-whispercpp.yml index 2815cadf56..3ac4d391a6 100644 --- a/.github/workflows/on-merge-transcription-whispercpp.yml +++ b/.github/workflows/on-merge-transcription-whispercpp.yml @@ -34,6 +34,27 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: runs-on: ubuntu-latest outputs: @@ -85,8 +106,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 
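Review bot: In on-merge-transcription-whispercpp.yml `publish-logic` gets neither `needs: [label-gate]` nor the `authorised == 'true'` condition, and the `release-merge-guard` hunk that follows only re-flows its `if:`. The nmtcpp, tts-ggml and tts-onnx on-merge workflows later in this diff, and the workflow patched just before this file, gate both jobs. `build` and `publish-npm` are gated here, so publishing still depends on the gate, but these two jobs run whatever its result. If that is not intended, add `needs: [label-gate]` and `if: needs.label-gate.outputs.authorised == 'true'` to `publish-logic` and prefix the guard's condition the same way.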
@@ -103,12 +123,8 @@ jobs: changelog-path: packages/transcription-whispercpp/CHANGELOG.md build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -124,9 +140,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.capture_version.outputs.published_version }} @@ -194,12 +208,8 @@ jobs: fi publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.capture_version.outputs.published_version }} runs-on: ubuntu-latest 
@@ -297,8 +307,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-transcription-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} @@ -307,8 +317,8 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-transcription-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' permissions: contents: read packages: read @@ -323,8 +333,8 @@ jobs: name: Trigger Benchmark (Whispercpp) runs-on: ubuntu-latest environment: release - needs: post-build-gate - if: "!cancelled() && needs.post-build-gate.outputs.should_run_tests == 'true'" + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && !cancelled() && needs.post-build-gate.outputs.should_run_tests == 'true' steps: - name: Trigger benchmark workflow env: diff --git a/.github/workflows/on-merge-translation-nmtcpp.yml b/.github/workflows/on-merge-translation-nmtcpp.yml index 7d89f3e150..bcde29181a 100644 --- a/.github/workflows/on-merge-translation-nmtcpp.yml +++ b/.github/workflows/on-merge-translation-nmtcpp.yml 
@@ -36,7 +36,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -86,10 +109,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
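Review bot: The `Checkout (label-gate action only)` step leaves `persist-credentials` at its default, so the checkout token stays configured for git for the rest of the job while the local action runs. The job only needs the action's files, so adding `persist-credentials: false` under `with:` removes that exposure. The same step appears in every `label-gate` job this diff adds.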
@@ -107,18 +129,8 @@ jobs: changelog-path: packages/translation-nmtcpp/CHANGELOG.md build: - needs: [publish-logic, release-merge-guard] - if: >- - !cancelled() && - ( - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' || - ( - needs.publish-logic.outputs.publish_release == 'true' && - needs.release-merge-guard.result == 'success' - ) - ) + needs: [publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && ( needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' || ( needs.publish-logic.outputs.publish_release == 'true' && needs.release-merge-guard.result == 'success' ) )) permissions: contents: write packages: write @@ -130,9 +142,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} 
@@ -164,12 +174,8 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) continue-on-error: false outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} @@ -251,8 +257,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-translation-nmtcpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} diff --git a/.github/workflows/on-merge-tts-ggml.yml b/.github/workflows/on-merge-tts-ggml.yml index 1fc636a64c..9898b52ce4 100644 --- a/.github/workflows/on-merge-tts-ggml.yml +++ b/.github/workflows/on-merge-tts-ggml.yml 
@@ -34,7 +34,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -84,10 +107,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: @@ -105,12 +127,8 @@ jobs: changelog-path: packages/tts-ggml/CHANGELOG.md build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -126,9 +144,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true runs-on: ubuntu-latest outputs: @@ -185,12 +201,8 @@ jobs: fi publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -240,9 +252,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -280,8 +290,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-tts-ggml.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} 
@@ -289,8 +299,8 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-tts-ggml.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' permissions: contents: read packages: read diff --git a/.github/workflows/on-merge-tts-onnx.yml b/.github/workflows/on-merge-tts-onnx.yml index 5fa3ed2bdd..1d0adbf95b 100644 --- a/.github/workflows/on-merge-tts-onnx.yml +++ b/.github/workflows/on-merge-tts-onnx.yml @@ -34,7 +34,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + publish-logic: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -84,10 +107,9 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" release-merge-guard: + needs: [label-gate] name: Release Merge Guard - if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + if: needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -105,12 +127,8 @@ jobs: changelog-path: packages/tts-onnx/CHANGELOG.md build: - needs: publish-logic - if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -126,9 +144,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} runs-on: ubuntu-latest @@ -158,12 +174,8 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.capture_version.outputs.published_version }} runs-on: ubuntu-latest 
@@ -217,9 +229,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -257,8 +267,8 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-tts-onnx.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' secrets: inherit with: repository: ${{ github.repository }} @@ -267,8 +277,8 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-tts-onnx.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: [post-build-gate, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.post-build-gate.outputs.should_run_tests == 'true' permissions: contents: read packages: read diff --git a/.github/workflows/on-pr-bci-whispercpp.yml b/.github/workflows/on-pr-bci-whispercpp.yml index 5f304d0c04..e1de50bb15 100644 --- a/.github/workflows/on-pr-bci-whispercpp.yml +++ b/.github/workflows/on-pr-bci-whispercpp.yml 
@@ -70,6 +70,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: needs: authorize if: needs.authorize.outputs.allowed == 'true' @@ -133,8 +154,8 @@ jobs: echo " workdir=$workdir" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -151,8 +172,8 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} cpp-lint: - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -168,8 +189,8 @@ jobs: pull-requests: write actions: read id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-test-coverage-bci-whispercpp.yml secrets: inherit with: 
@@ -182,8 +203,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/prebuilds-bci-whispercpp.yml secrets: inherit with: @@ -195,8 +216,8 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/integration-test-bci-whispercpp.yml secrets: inherit with: @@ -210,8 +231,8 @@ jobs: packages: read pull-requests: write id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/integration-mobile-test-bci-whispercpp.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-close-bci-whispercpp.yml b/.github/workflows/on-pr-close-bci-whispercpp.yml index f1113a8e34..06cc577455 100644 --- a/.github/workflows/on-pr-close-bci-whispercpp.yml +++ b/.github/workflows/on-pr-close-bci-whispercpp.yml @@ -32,10 +32,7 @@ on: default: true run-name: >- - Delete NPM Versions (bci-whispercpp) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (bci-whispercpp) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read 
diff --git a/.github/workflows/on-pr-close-decoder-audio.yml b/.github/workflows/on-pr-close-decoder-audio.yml index 91a695a0c3..412816141d 100644 --- a/.github/workflows/on-pr-close-decoder-audio.yml +++ b/.github/workflows/on-pr-close-decoder-audio.yml @@ -32,10 +32,7 @@ on: default: true run-name: >- - Delete NPM Versions (decoder-audio) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (decoder-audio) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read diff --git a/.github/workflows/on-pr-close-diffusion-cpp.yml b/.github/workflows/on-pr-close-diffusion-cpp.yml index 7aa9a622fe..85c87e96d2 100644 --- a/.github/workflows/on-pr-close-diffusion-cpp.yml +++ b/.github/workflows/on-pr-close-diffusion-cpp.yml @@ -59,4 +59,4 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages }} dry-run: ${{ inputs.dry-run || true }} - + diff --git a/.github/workflows/on-pr-close-embed-llamacpp.yml b/.github/workflows/on-pr-close-embed-llamacpp.yml index 85d1983c7c..28ede684ee 100644 --- a/.github/workflows/on-pr-close-embed-llamacpp.yml +++ b/.github/workflows/on-pr-close-embed-llamacpp.yml 
@@ -31,15 +31,33 @@ on: default: true run-name: >- - Delete NPM Versions - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -54,6 +72,8 @@ jobs: GITHUB_CONTEXT: ${{ toJSON(github) }} delete-npm-versions-trigger: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: packages: write uses: ./.github/workflows/public-delete-npm-versions.yml diff --git a/.github/workflows/on-pr-close-llm-llamacpp.yml b/.github/workflows/on-pr-close-llm-llamacpp.yml index 39ca32b1ef..b33e58528e 100644 --- a/.github/workflows/on-pr-close-llm-llamacpp.yml +++ b/.github/workflows/on-pr-close-llm-llamacpp.yml @@ -34,7 +34,7 @@ run-name: Delete NPM Versions (llm-llamacpp) ${{ inputs.version }} ${{ inputs.pr permissions: contents: read - + jobs: print-context-trigger: runs-on: ubuntu-latest diff --git a/.github/workflows/on-pr-close-ocr-onnx.yml b/.github/workflows/on-pr-close-ocr-onnx.yml index 5a9c25a8d7..6cc31e96d4 100644 
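Review bot: `delete-npm-versions-trigger` (`packages: write`) is put behind the gate only in on-pr-close-embed-llamacpp.yml; the other on-pr-close workflows touched in this diff only have `run-name` re-flowed or whitespace changed. If the deletion job is meant to require authorisation everywhere, those files need the same `needs: [label-gate]` and `if: needs.label-gate.outputs.authorised == 'true'`. If not, a comment here saying why this package differs would help. It is also worth confirming that a pull request closed without authorisation should skip clean-up, since the job is then skipped rather than run.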
--- a/.github/workflows/on-pr-close-ocr-onnx.yml +++ b/.github/workflows/on-pr-close-ocr-onnx.yml @@ -32,7 +32,7 @@ run-name: Delete NPM Versions ${{ inputs.version }} ${{ inputs.pr-number }} ${{ permissions: contents: read - + jobs: print-context: runs-on: ubuntu-latest @@ -56,4 +56,4 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages }} dry-run: ${{ inputs.dry-run || true }} - + diff --git a/.github/workflows/on-pr-close-transcription-parakeet.yml b/.github/workflows/on-pr-close-transcription-parakeet.yml index 3692e7ab8d..d6ba426308 100644 --- a/.github/workflows/on-pr-close-transcription-parakeet.yml +++ b/.github/workflows/on-pr-close-transcription-parakeet.yml @@ -32,10 +32,7 @@ on: default: true run-name: >- - Delete NPM Versions (parakeet) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (parakeet) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read diff --git a/.github/workflows/on-pr-close-transcription-whispercpp.yml b/.github/workflows/on-pr-close-transcription-whispercpp.yml index c2412bda33..85602de114 100644 --- a/.github/workflows/on-pr-close-transcription-whispercpp.yml +++ b/.github/workflows/on-pr-close-transcription-whispercpp.yml 
@@ -32,10 +32,7 @@ on: default: true run-name: >- - Delete NPM Versions (whispercpp) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (whispercpp) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read diff --git a/.github/workflows/on-pr-close-tts-ggml.yml b/.github/workflows/on-pr-close-tts-ggml.yml index 8ee487a25c..958448510f 100644 --- a/.github/workflows/on-pr-close-tts-ggml.yml +++ b/.github/workflows/on-pr-close-tts-ggml.yml @@ -32,10 +32,7 @@ on: default: true run-name: >- - Delete NPM Versions (tts-ggml) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (tts-ggml) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read diff --git a/.github/workflows/on-pr-close-tts-onnx.yml b/.github/workflows/on-pr-close-tts-onnx.yml index 3a89e04f75..f31958f83f 100644 --- a/.github/workflows/on-pr-close-tts-onnx.yml +++ b/.github/workflows/on-pr-close-tts-onnx.yml 
@@ -32,10 +32,7 @@ on: default: true run-name: >- - Delete NPM Versions (onnx-tts) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (onnx-tts) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read diff --git a/.github/workflows/on-pr-decoder-audio.yml b/.github/workflows/on-pr-decoder-audio.yml index e09e628814..1f9626f71f 100644 --- a/.github/workflows/on-pr-decoder-audio.yml +++ b/.github/workflows/on-pr-decoder-audio.yml @@ -70,6 +70,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: needs: authorize if: needs.authorize.outputs.allowed == 'true' @@ -133,8 +154,8 @@ jobs: echo " workdir=$workdir" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code 
@@ -151,8 +172,8 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} run-integration-tests: - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') permissions: contents: read packages: read @@ -170,8 +191,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-mobile-test-decoder-audio.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-diffusion-cpp.yml b/.github/workflows/on-pr-diffusion-cpp.yml index d788bb9dbf..23081be638 100644 --- a/.github/workflows/on-pr-diffusion-cpp.yml +++ b/.github/workflows/on-pr-diffusion-cpp.yml 
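Review bot: With the gate prefixed, the `|| github.event_name == 'workflow_dispatch'` branch of `run-integration-tests` only takes effect if label-gate reports `authorised` as `'true'` for a manually dispatched run, which has no pull request to read labels from. The action is outside this diff; if it answers only for pull-request events, manual runs of this job and of the mobile job in the next hunk are now always skipped. A comment on the `if:` stating how dispatch is authorised, e.g. `# label-gate authorises workflow_dispatch by <rule>`, would make that explicit.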
@@ -45,9 +45,30 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: authorize + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -64,8 +85,8 @@ jobs: workdir: packages/diffusion-cpp cpp-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, sanity-checks, label-gate] uses: ./.github/workflows/cpp-tests-diffusion.yml secrets: inherit with: @@ -74,9 +95,9 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} cpp-lint: - if: needs.authorize.outputs.allowed == 'true' + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-lint.yaml - needs: authorize + needs: [authorize, label-gate] secrets: inherit with: sha: ${{ github.event.pull_request.base.sha }} 
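Review bot: `label-gate` is not added to the `needs` of `merge-guard`, whose hunk further down only re-flows the list and keeps `if: always()`. When the gate denies a run, every gated job ends as `skipped`. How `public-pr.yml` scores skipped jobs is not visible here, so it should be confirmed that a denied run cannot produce a passing merge-guard. Adding `label-gate` to that `needs` list would let the guard tell a denial apart from jobs skipped for other reasons.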
@@ -112,8 +133,8 @@ jobs: workdir: packages/diffusion-cpp prebuild: - needs: [authorize, sanity-checks] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, sanity-checks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' permissions: contents: write packages: write @@ -126,8 +147,8 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} run-integration-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, prebuild, label-gate] permissions: contents: read packages: read @@ -144,8 +165,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, prebuild, label-gate] uses: ./.github/workflows/integration-mobile-test-diffusion-cpp.yml secrets: inherit with: @@ -153,17 +174,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} merge-guard: - needs: - [ - authorize, - run-integration-tests, - run-mobile-integration-tests, - sanity-checks, - prebuild, - cpp-tests, - cpp-lint, - ts-checks, - ] + needs: [authorize, run-integration-tests, run-mobile-integration-tests, sanity-checks, prebuild, cpp-tests, cpp-lint, ts-checks] if: always() uses: ./.github/workflows/public-pr.yml permissions: diff --git a/.github/workflows/on-pr-embed-llamacpp.yml b/.github/workflows/on-pr-embed-llamacpp.yml index 1cf5243698..8d681c8f38 100644 --- a/.github/workflows/on-pr-embed-llamacpp.yml +++ b/.github/workflows/on-pr-embed-llamacpp.yml 
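Review bot: The gate authorises an event, but the jobs it unlocks still resolve `ref: ${{ github.event.pull_request.head.ref }}`, a branch name that can move after authorisation; this matters most for `prebuild`, which holds `contents: write` and `packages: write`. Whether label-gate re-checks or clears its approval on a `synchronize` event is not visible in this diff, so a later push may be built under an earlier approval. Passing the authorised commit instead, `ref: ${{ github.event.pull_request.head.sha }}`, would tie what is built to what was approved. The `ref:` line is context at the top of the following hunk, and how the called workflow consumes it lies outside this diff.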
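Review bot: `merge-guard` does not list `label-gate` in its `needs`, so with `if: always()` it still runs when the gate denies and every gated job is skipped. How `public-pr.yml` treats skipped results is outside this diff; if it accepts them, an unauthorised pull request could get a passing guard without any check having run. Listing the gate, `needs: [authorize, label-gate, run-integration-tests, run-mobile-integration-tests, sanity-checks, prebuild, cpp-tests, cpp-lint, ts-checks]`, and having the guard fail when `needs.label-gate.outputs.authorised` is not `'true'` would make the denial explicit. The same applies to the `merge-guard` hunks in on-pr-llm-llamacpp.yml and on-pr-translation-nmtcpp.yml.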
@@ -40,6 +40,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + verify-fabric-lockstep: if: needs.authorize.outputs.allowed == 'true' needs: [authorize] @@ -56,8 +77,8 @@ jobs: run: 'echo "Verified qvac-fabric version: ${{ steps.lockstep.outputs.version }}"' sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, verify-fabric-lockstep] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, verify-fabric-lockstep, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -74,8 +95,8 @@ jobs: workdir: packages/embed-llamacpp cpp-lint: - if: needs.authorize.outputs.allowed == 'true' - needs: authorize + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, label-gate] uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -88,8 +109,8 @@ jobs: contents: read packages: read pull-requests: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, sanity-checks, label-gate] uses: ./.github/workflows/cpp-tests-embed.yml secrets: inherit with: 
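Review bot: `verify-fabric-lockstep` is left on `authorize` alone, so it runs before the label gate. Its last step expands `${{ steps.lockstep.outputs.version }}` directly inside a `run:` script (context at the top of the following hunk). If that version string is read from files in the pull request, which is not visible here, it reaches the shell as script text rather than as data. Gating the job like its dependants, `needs: [authorize, label-gate]` with `if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true'`, and passing the value through an `env:` entry that the script reads as a quoted shell variable, would address both. on-pr-llm-llamacpp.yml carries the same job and step.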
@@ -131,8 +152,8 @@ jobs: packages: write pull-requests: write id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, sanity-checks, label-gate] uses: ./.github/workflows/prebuilds-embed-llamacpp.yml secrets: inherit with: @@ -140,8 +161,8 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} integration-tests: - needs: [authorize, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' permissions: contents: read packages: read @@ -158,8 +179,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, prebuild, label-gate] uses: ./.github/workflows/integration-mobile-test-embed-llamacpp.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-llm-llamacpp.yml b/.github/workflows/on-pr-llm-llamacpp.yml index dbe8f9fabb..60411dec37 100644 --- a/.github/workflows/on-pr-llm-llamacpp.yml +++ b/.github/workflows/on-pr-llm-llamacpp.yml @@ -16,7 +16,7 @@ on: - "packages/llm-llamacpp/**" - ".github/workflows/*llamacpp-llm*.yml" workflow_dispatch: - + workflow_call: permissions: 
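Review bot: The new `workflow_call:` trigger in on-pr-llm-llamacpp.yml declares no `secrets:`, yet the `label-gate` job added in the next hunk reads `secrets.PAT_TOKEN`. In a called workflow that value is empty unless the caller passes it or uses `secrets: inherit`. When called, `github.event` is also the caller's event, so the gate evaluates a different payload than the pull-request one this file was written for. Declaring the secret under the trigger, `secrets: { PAT_TOKEN: { required: true } }`, documents the dependency and makes a missing token fail at call time rather than inside the gate.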
@@ -45,6 +45,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + verify-fabric-lockstep: if: needs.authorize.outputs.allowed == 'true' needs: [authorize] @@ -61,8 +82,8 @@ jobs: run: 'echo "Verified qvac-fabric version: ${{ steps.lockstep.outputs.version }}"' sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, verify-fabric-lockstep] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, verify-fabric-lockstep, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -79,8 +100,8 @@ jobs: workdir: packages/llm-llamacpp cpp-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, sanity-checks, label-gate] uses: ./.github/workflows/cpp-tests-llm.yml secrets: inherit with: @@ -89,9 +110,9 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} cpp-lint: - if: needs.authorize.outputs.allowed == 'true' + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-lint.yaml - needs: authorize + needs: [authorize, label-gate] secrets: inherit with: sha: ${{ github.event.pull_request.base.sha }} 
@@ -128,8 +149,8 @@ jobs: workdir: packages/llm-llamacpp prebuild: - needs: [authorize, sanity-checks] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, sanity-checks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' permissions: contents: write packages: write @@ -142,8 +163,8 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} run-integration-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, prebuild, label-gate] permissions: contents: read packages: read @@ -160,8 +181,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, prebuild, label-gate] uses: ./.github/workflows/integration-mobile-test-llm-llamacpp.yml secrets: inherit with: @@ -403,18 +424,7 @@ jobs: echo "" >> $GITHUB_STEP_SUMMARY merge-guard: - needs: - [ - authorize, - verify-fabric-lockstep, - run-integration-tests, - run-mobile-integration-tests, - sanity-checks, - prebuild, - cpp-tests, - cpp-lint, - ts-checks, - ] + needs: [authorize, verify-fabric-lockstep, run-integration-tests, run-mobile-integration-tests, sanity-checks, prebuild, cpp-tests, cpp-lint, ts-checks] if: always() uses: ./.github/workflows/public-pr.yml with: diff --git a/.github/workflows/on-pr-ocr-onnx.yml b/.github/workflows/on-pr-ocr-onnx.yml index 00975b09fb..1ff41a3f39 100644 --- a/.github/workflows/on-pr-ocr-onnx.yml +++ b/.github/workflows/on-pr-ocr-onnx.yml 
@@ -42,6 +42,28 @@ jobs: github-token: ${{ github.token }} # Gate the workflow so label events (and other PR_target quirks) don't trigger unrelated packages. + + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + changes: runs-on: ubuntu-latest outputs: @@ -62,11 +84,8 @@ jobs: - ".github/workflows/*ocr*.yml" sanity-checks: - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true' && - needs.authorize.outputs.allowed == 'true') || - github.event_name == 'workflow_dispatch' + needs: [authorize, changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch') runs-on: ubuntu-22.04 env: VCPKG_BINARY_SOURCES: "clear;files,${{ github.workspace }}/packages/ocr-onnx/vcpkg/cache,readwrite" @@ -157,8 +176,8 @@ jobs: fi cpp-lint: - needs: [authorize, changes] - if: needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch' + needs: [authorize, changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: 
@@ -172,13 +191,8 @@ jobs: pull-requests: write packages: write id-token: write - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: [authorize, changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/prebuilds-ocr-onnx.yml secrets: inherit with: @@ -190,13 +204,8 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, changes, prebuild] - if: | - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: [authorize, changes, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/integration-test-ocr-onnx.yml secrets: inherit with: 
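Review bot: The conditions for `prebuild` and the two integration-test jobs are now single lines of over 200 characters with nested parentheses and stray spaces inside `( ... )`. That makes the one expression deciding whether `secrets: inherit` jobs run hard to audit in review. Keeping the previous `if: |` block, with `needs.label-gate.outputs.authorised == 'true' &&` as its own first line and the existing lines parenthesised as a group below it, evaluates the same and leaves a much smaller diff per job. The collapsed form also appears in on-pr-onnx.yml and on-pr-translation-nmtcpp.yml.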
@@ -209,13 +218,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: [authorize, changes, prebuild] - if: | - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: [authorize, changes, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/integration-mobile-test-ocr-onnx.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-onnx.yml b/.github/workflows/on-pr-onnx.yml index a6e4de0968..3024cc13ee 100644 --- a/.github/workflows/on-pr-onnx.yml +++ b/.github/workflows/on-pr-onnx.yml @@ -42,6 +42,28 @@ jobs: github-token: ${{ github.token }} # Gate the workflow so label events (and other PR_target quirks) don't trigger unrelated packages. + + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + changes: runs-on: ubuntu-latest outputs: 
@@ -62,11 +84,8 @@ jobs: - ".github/workflows/*onnx*.yml" sanity-checks: - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true' && - needs.authorize.outputs.allowed == 'true') || - github.event_name == 'workflow_dispatch' + needs: [authorize, changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch') runs-on: ubuntu-22.04 permissions: contents: read @@ -154,8 +173,8 @@ jobs: fi cpp-lint: - needs: [authorize, changes] - if: needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch' + needs: [authorize, changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -169,13 +188,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: [authorize, changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/prebuilds-onnx.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-test-sdk.yml b/.github/workflows/on-pr-test-sdk.yml index 1035b520de..295d52ddf7 100644 --- a/.github/workflows/on-pr-test-sdk.yml +++ b/.github/workflows/on-pr-test-sdk.yml 
@@ -26,6 +26,27 @@ permissions: packages: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + resolve-config: runs-on: ubuntu-latest outputs: @@ -75,8 +96,8 @@ jobs: fi run-tests: - needs: resolve-config - if: needs.resolve-config.outputs.should-run == 'true' + needs: [resolve-config, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.resolve-config.outputs.should-run == 'true' uses: ./.github/workflows/test-sdk.yml with: targets: all diff --git a/.github/workflows/on-pr-transcription-parakeet.yml b/.github/workflows/on-pr-transcription-parakeet.yml index e3104df735..f0904ba3d1 100644 --- a/.github/workflows/on-pr-transcription-parakeet.yml +++ b/.github/workflows/on-pr-transcription-parakeet.yml @@ -61,6 +61,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: needs: authorize if: needs.authorize.outputs.allowed == 'true' 
@@ -118,8 +139,8 @@ jobs: echo " run_verify=$run_verify" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -136,8 +157,8 @@ jobs: workdir: ${{ github.workspace }}/packages/transcription-parakeet cpp-lint: - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -153,8 +174,8 @@ jobs: pull-requests: write id-token: write actions: read - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-test-coverage-transcription-parakeet.yml secrets: inherit with: @@ -167,8 +188,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/prebuilds-transcription-parakeet.yml secrets: inherit with: 
@@ -180,8 +201,8 @@ jobs: contents: read packages: read id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-test-transcription-parakeet.yml secrets: inherit with: @@ -194,8 +215,8 @@ jobs: packages: read pull-requests: write id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-mobile-test-transcription-parakeet.yml secrets: inherit with: @@ -203,8 +224,8 @@ jobs: ref: ${{ needs.context.outputs.ref }} combine-unified-performance-report: - needs: [context, run-integration-tests, run-mobile-integration-tests] - if: always() && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') + needs: [context, run-integration-tests, run-mobile-integration-tests, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch')) runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/on-pr-transcription-whispercpp.yml b/.github/workflows/on-pr-transcription-whispercpp.yml index 110c432d59..7f9523e2a6 100644 --- a/.github/workflows/on-pr-transcription-whispercpp.yml +++ b/.github/workflows/on-pr-transcription-whispercpp.yml 
@@ -70,6 +70,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: needs: authorize if: needs.authorize.outputs.allowed == 'true' @@ -133,8 +154,8 @@ jobs: echo " workdir=$workdir" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -151,8 +172,8 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} cpp-lint: - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -168,8 +189,8 @@ jobs: pull-requests: write actions: read id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-test-coverage-transcription-whispercpp.yml secrets: inherit with: 
@@ -182,8 +203,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/prebuilds-transcription-whispercpp.yml secrets: inherit with: @@ -195,8 +216,8 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/integration-test-transcription-whispercpp.yml secrets: inherit with: @@ -210,8 +231,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/integration-mobile-test-transcription-whispercpp.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-translation-nmtcpp.yml b/.github/workflows/on-pr-translation-nmtcpp.yml index 6a870dc6a1..2bd4200eea 100644 --- a/.github/workflows/on-pr-translation-nmtcpp.yml +++ b/.github/workflows/on-pr-translation-nmtcpp.yml 
@@ -43,6 +43,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + changes: if: github.event_name != 'workflow_dispatch' runs-on: ubuntu-latest @@ -73,8 +94,8 @@ jobs: run: 'echo "Verified qvac-fabric version: ${{ steps.lockstep.outputs.version }}"' sanity-checks: - needs: [authorize, changes, verify-fabric-lockstep] - if: always() && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch') + needs: [authorize, changes, verify-fabric-lockstep, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch')) runs-on: ubuntu-latest steps: - name: Checkout code @@ -113,11 +134,8 @@ jobs: run: npm run test:dts cpp-lint: - needs: [authorize, changes, sanity-checks] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: [authorize, changes, sanity-checks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: 
@@ -126,16 +144,13 @@ jobs: workdir: packages/translation-nmtcpp cpp-tests: - needs: [authorize, changes, sanity-checks] + needs: [authorize, changes, sanity-checks, label-gate] permissions: contents: read packages: read pull-requests: write id-token: write - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/reusable-cpp-tests-translation-nmtcpp.yml secrets: inherit with: @@ -148,11 +163,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, changes, sanity-checks] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: [authorize, changes, sanity-checks, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/prebuilds-translation-nmtcpp.yml secrets: inherit with: @@ -160,11 +172,8 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} run-integration-tests: - needs: [authorize, changes, sanity-checks, prebuild] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: [authorize, changes, sanity-checks, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) permissions: contents: read packages: read 
@@ -181,11 +190,8 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: [authorize, changes, sanity-checks, prebuild] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: [authorize, changes, sanity-checks, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/integration-mobile-test-translation-nmtcpp.yml secrets: inherit with: @@ -193,19 +199,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} merge-guard: - needs: - [ - authorize, - changes, - verify-fabric-lockstep, - sanity-checks, - ts-checks, - cpp-lint, - cpp-tests, - prebuild, - run-integration-tests, - run-mobile-integration-tests, - ] + needs: [authorize, changes, verify-fabric-lockstep, sanity-checks, ts-checks, cpp-lint, cpp-tests, prebuild, run-integration-tests, run-mobile-integration-tests] if: always() && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/public-pr.yml with: diff --git a/.github/workflows/on-pr-tts-ggml.yml b/.github/workflows/on-pr-tts-ggml.yml index 25dda7deab..4e8f69f4f9 100644 --- a/.github/workflows/on-pr-tts-ggml.yml +++ b/.github/workflows/on-pr-tts-ggml.yml 
@@ -61,6 +61,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: needs: authorize if: needs.authorize.outputs.allowed == 'true' @@ -118,8 +139,8 @@ jobs: echo " run_verify=$run_verify" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -136,8 +157,8 @@ jobs: workdir: ${{ github.workspace }}/packages/tts-ggml cpp-lint: - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -158,8 +179,8 @@ jobs: pull-requests: write id-token: write actions: read - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-test-coverage-tts-ggml.yml secrets: inherit with: 
@@ -172,8 +193,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/prebuilds-tts-ggml.yml secrets: inherit with: @@ -185,8 +206,8 @@ jobs: contents: read packages: read id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-test-tts-ggml.yml secrets: inherit with: @@ -199,8 +220,8 @@ jobs: packages: read pull-requests: write id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: [context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-mobile-test-tts-ggml.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-tts-onnx.yml b/.github/workflows/on-pr-tts-onnx.yml index 76ff417c4d..7132724c28 100644 --- a/.github/workflows/on-pr-tts-onnx.yml +++ b/.github/workflows/on-pr-tts-onnx.yml 
@@ -84,6 +84,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + context: needs: authorize if: needs.authorize.outputs.allowed == 'true' @@ -157,8 +178,8 @@ jobs: echo " tts_integration_profile=$tts_integration_profile" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] runs-on: ubuntu-latest steps: - name: Checkout code @@ -175,8 +196,8 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} cpp-lint: - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -192,8 +213,8 @@ jobs: pull-requests: write id-token: write actions: read - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/cpp-test-coverage-tts-onnx.yml secrets: inherit with: 
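Review bot: The `Checkout (label-gate action only)` step does not set `persist-credentials`, so actions/checkout keeps its default of persisting the job token for later git operations while the local `./.github/actions/label-gate` action runs next. The job needs only the action's files from the default branch, so adding `persist-credentials: false` under `with:` removes a credential the gate step has no use for. Pinning `ref` to the default branch and sparse-checking out only the action directory already limits what is fetched; this is the one checkout input missing from that hardening. Every copy of the job in this commit has the same step.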
@@ -207,8 +228,8 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/prebuilds-tts-onnx.yml secrets: inherit with: @@ -221,8 +242,8 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/integration-test-tts-onnx.yml secrets: inherit with: @@ -238,8 +259,8 @@ jobs: packages: read pull-requests: write id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, context, prebuild, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' uses: ./.github/workflows/integration-mobile-test-tts-onnx.yml secrets: inherit with: diff --git a/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml b/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml index 4f92b7c8df..5eecddb03d 100644 --- a/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml +++ b/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml 
@@ -25,7 +25,30 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prepare: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release outputs: @@ -60,7 +83,8 @@ jobs: contents: read packages: read id-token: write - needs: prepare + needs: [prepare, label-gate] + if: needs.label-gate.outputs.authorised == 'true' uses: ./.github/workflows/benchmark-translation-nmtcpp.yml secrets: inherit with: diff --git a/.github/workflows/pr-models-validation-registry-server.yml b/.github/workflows/pr-models-validation-registry-server.yml index 928a586145..71f1d2d8e6 100644 --- a/.github/workflows/pr-models-validation-registry-server.yml +++ b/.github/workflows/pr-models-validation-registry-server.yml 
@@ -41,6 +41,27 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + detect-changes: needs: authorize runs-on: ubuntu-latest @@ -185,13 +206,8 @@ jobs: run: npm install && npm run lint && npm run test:unit sync-staging: - needs: [detect-changes, validate-json, test] - if: | - always() && - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - needs.detect-changes.outputs.models_changed == 'true' && - needs.validate-json.result == 'success' && - (needs.test.result == 'success' || needs.test.result == 'skipped') + needs: [detect-changes, validate-json, test, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && needs.detect-changes.outputs.models_changed == 'true' && needs.validate-json.result == 'success' && (needs.test.result == 'success' || needs.test.result == 'skipped')) runs-on: ubuntu-latest environment: release env: @@ -239,7 +255,8 @@ jobs: timeout-minutes: 30 smoke-test: - needs: sync-staging + needs: [sync-staging, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest env: QVAC_REGISTRY_CORE_KEY: ${{ secrets.QVAC_REGISTRY_CORE_KEY }} diff --git a/.github/workflows/pr-test-inference-addon-cpp-js.yml b/.github/workflows/pr-test-inference-addon-cpp-js.yml index fecea02121..73480367bf 100644 
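Review bot: Only `sync-staging` and `smoke-test` gain the label-gate condition in this file, while the job ending in `run: npm install && npm run lint && npm run test:unit` (visible as context at the top of the `sync-staging` hunk) and `detect-changes` (`needs: authorize`) are left as they were. `npm install` executes package lifecycle scripts, so if label-gate is meant to decide whether pull-request code may run at all, that job needs `label-gate` in its `needs:` and the clause `needs.label-gate.outputs.authorised == 'true'` in its `if:`. Its definition lies outside these hunks, so whether it already has an equivalent guard cannot be confirmed from here.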
--- a/.github/workflows/pr-test-inference-addon-cpp-js.yml +++ b/.github/workflows/pr-test-inference-addon-cpp-js.yml @@ -87,21 +87,21 @@ jobs: name: win32-x64 asan: false run_tests: true - # Android/iOS entries are build-only here. - # Disable for now to save CI time. - # - runner: ubuntu-24.04 - # platform: android - # arch: arm64 - # name: android-arm64 - # flags: -D ANDROID_STL=c++_shared - # asan: false - # run_tests: false - # - runner: macos-15 - # platform: ios - # arch: arm64 - # name: ios-arm64 - # asan: false - # run_tests: false + # Android/iOS entries are build-only here. + # Disable for now to save CI time. + # - runner: ubuntu-24.04 + # platform: android + # arch: arm64 + # name: android-arm64 + # flags: -D ANDROID_STL=c++_shared + # asan: false + # run_tests: false + # - runner: macos-15 + # platform: ios + # arch: arm64 + # name: ios-arm64 + # asan: false + # run_tests: false runs-on: ${{ matrix.runner }} name: js-${{ matrix.name }} permissions: diff --git a/.github/workflows/prebuilds-bci-whispercpp.yml b/.github/workflows/prebuilds-bci-whispercpp.yml index 49fd4a6b86..ec54d03439 100644 --- a/.github/workflows/prebuilds-bci-whispercpp.yml +++ b/.github/workflows/prebuilds-bci-whispercpp.yml @@ -29,7 +29,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write 
diff --git a/.github/workflows/prebuilds-diffusion-cpp.yml b/.github/workflows/prebuilds-diffusion-cpp.yml index 6fa6420a01..3bbd84daff 100644 --- a/.github/workflows/prebuilds-diffusion-cpp.yml +++ b/.github/workflows/prebuilds-diffusion-cpp.yml @@ -30,7 +30,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-embed-llamacpp.yml b/.github/workflows/prebuilds-embed-llamacpp.yml index 08ecafb8c0..646bcf1716 100644 --- a/.github/workflows/prebuilds-embed-llamacpp.yml +++ b/.github/workflows/prebuilds-embed-llamacpp.yml 
@@ -38,7 +38,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-llm-llamacpp.yml b/.github/workflows/prebuilds-llm-llamacpp.yml index 5e3a001fb5..6397564447 100644 --- a/.github/workflows/prebuilds-llm-llamacpp.yml +++ b/.github/workflows/prebuilds-llm-llamacpp.yml @@ -38,7 +38,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-ocr-onnx.yml b/.github/workflows/prebuilds-ocr-onnx.yml index aef7f0637c..7d37e62949 100644 --- a/.github/workflows/prebuilds-ocr-onnx.yml 
+++ b/.github/workflows/prebuilds-ocr-onnx.yml @@ -30,7 +30,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-onnx.yml b/.github/workflows/prebuilds-onnx.yml index a10d3c9d67..4253695ef2 100644 --- a/.github/workflows/prebuilds-onnx.yml +++ b/.github/workflows/prebuilds-onnx.yml @@ -31,7 +31,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-transcription-parakeet.yml b/.github/workflows/prebuilds-transcription-parakeet.yml index b05a4ed99c..60c40b6c72 100644 
--- a/.github/workflows/prebuilds-transcription-parakeet.yml +++ b/.github/workflows/prebuilds-transcription-parakeet.yml @@ -28,7 +28,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-transcription-whispercpp.yml b/.github/workflows/prebuilds-transcription-whispercpp.yml index d6002bfc4d..8754b3de93 100644 --- a/.github/workflows/prebuilds-transcription-whispercpp.yml +++ b/.github/workflows/prebuilds-transcription-whispercpp.yml @@ -29,7 +29,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write 
diff --git a/.github/workflows/prebuilds-translation-nmtcpp.yml b/.github/workflows/prebuilds-translation-nmtcpp.yml index d25d84e418..5be05ba74d 100644 --- a/.github/workflows/prebuilds-translation-nmtcpp.yml +++ b/.github/workflows/prebuilds-translation-nmtcpp.yml @@ -30,7 +30,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-tts-ggml.yml b/.github/workflows/prebuilds-tts-ggml.yml index 9c65a1295f..446a574b28 100644 --- a/.github/workflows/prebuilds-tts-ggml.yml +++ b/.github/workflows/prebuilds-tts-ggml.yml 
@@ -28,7 +28,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/prebuilds-tts-onnx.yml b/.github/workflows/prebuilds-tts-onnx.yml index 46de9c0b5f..b1604c4974 100644 --- a/.github/workflows/prebuilds-tts-onnx.yml +++ b/.github/workflows/prebuilds-tts-onnx.yml @@ -30,7 +30,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write diff --git a/.github/workflows/public-delete-npm-versions.yml b/.github/workflows/public-delete-npm-versions.yml index a8183a6eeb..a0e6e63d81 100644 --- a/.github/workflows/public-delete-npm-versions.yml 
+++ b/.github/workflows/public-delete-npm-versions.yml @@ -36,7 +36,30 @@ on: run-name: Delete NPM Versions ${{ inputs.version }} ${{ inputs.pr-number }} ${{ inputs.dry-run }} jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + delete-npm-versions: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release permissions: diff --git a/.github/workflows/public-reusable-npm.yml b/.github/workflows/public-reusable-npm.yml index 99af6efa09..07afde8332 100644 --- a/.github/workflows/public-reusable-npm.yml +++ b/.github/workflows/public-reusable-npm.yml 
@@ -25,10 +25,32 @@ on: value: ${{ jobs.push-event.outputs.npm_publish_skipped }} jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + pull-request-event: + needs: [label-gate] runs-on: ubuntu-latest environment: npm - if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target' || inputs.debug_mode + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'pull_request' || github.event_name == 'pull_request_target' || inputs.debug_mode) permissions: contents: read packages: write @@ -87,13 +109,13 @@ jobs: working-directory: ${{ inputs.workdir }} run: | PACKAGE_NAME=$(node -p "require('./package.json').name") - + # Allow @qvac/* scoped packages if [[ "$PACKAGE_NAME" == @qvac/* ]]; then echo "āœ… Package name is scoped: $PACKAGE_NAME" exit 0 fi - + # Allow specific unscoped packages ALLOWED_UNSCOPED=("qvac") for allowed in "${ALLOWED_UNSCOPED[@]}"; do @@ -102,7 +124,7 @@ jobs: exit 0 fi done - + echo "::error title=Invalid package name::Package name must be @qvac/* or an allowed unscoped" exit 1 
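Review bot: `secrets.PAT_TOKEN` in this file's `label-gate` job resolves only when the calling workflow forwards it, because this is a reusable workflow (its `on:` block exposes `jobs.push-event.outputs.*` as outputs). A caller that omits `secrets: inherit` or an explicit `PAT_TOKEN` mapping leaves the token empty, so the gate would presumably fail and both `pull-request-event` and `push-event` would be skipped with no obvious cause. Declaring the secret with `required: true` under the `workflow_call` trigger's `secrets:` would turn that into an error at call time; that section is outside this hunk, so check whether it already lists it. Callers that run their own `label-gate` job also evaluate the gate twice, as happens for `prebuilds-tts-ggml.yml`, which this commit gates both in its caller and internally.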
@@ -113,9 +135,10 @@ jobs: workdir: ${{ inputs.workdir }} push-event: + needs: [label-gate] runs-on: ubuntu-latest environment: npm - if: github.event_name == 'push' || inputs.caller_event_name == 'workflow_dispatch' || inputs.debug_mode + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'push' || inputs.caller_event_name == 'workflow_dispatch' || inputs.debug_mode) outputs: npm_published_version: ${{ steps.publish-npm.outputs.npm_published_version }} npm_publish_skipped: ${{ steps.publish-npm.outputs.npm_publish_skipped }} diff --git a/.github/workflows/publish-registry-server.yml b/.github/workflows/publish-registry-server.yml index c4838759a0..980d63d0f2 100644 --- a/.github/workflows/publish-registry-server.yml +++ b/.github/workflows/publish-registry-server.yml @@ -51,11 +51,31 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard-schema: name: Release Merge Guard (Schema) if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-qvac-registry-schema') + github.event_name == 'push' && startsWith(github.ref_name, 'release-qvac-registry-schema') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 
@@ -74,8 +94,7 @@ jobs: release-merge-guard-client: name: Release Merge Guard (Client) if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-qvac-registry-client') + github.event_name == 'push' && startsWith(github.ref_name, 'release-qvac-registry-client') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -92,10 +111,10 @@ jobs: changelog-path: packages/registry-server/client/CHANGELOG.md detect-changes: - needs: [authorize] + needs: [authorize, label-gate] runs-on: ubuntu-latest environment: release - if: needs.authorize.outputs.allowed == 'true' + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' outputs: schema_changed: ${{ steps.filter.outputs.schema }} client_changed: ${{ steps.filter.outputs.client }} @@ -207,13 +226,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-schema-gpr: - needs: [authorize, detect-changes, publish-logic] - if: | - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.schema_changed == 'true' && - (needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true') + needs: [authorize, detect-changes, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.schema_changed == 'true' && (needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_tmp == 'true')) runs-on: ubuntu-latest environment: release permissions: 
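Review bot: `detect-changes` now requires `needs.label-gate.outputs.authorised == 'true'`, yet this workflow also runs on `push` (the `release-merge-guard-*` jobs test `github.event_name == 'push'`), where the event carries no pull request and no labels. What the label-gate action outputs for such events is not visible in this diff; unless it authorises them explicitly, every publish job downstream of `detect-changes` is skipped and the only symptom is a list of skipped jobs. A comment above the job stating the contract, for example `# label-gate authorises push/workflow_dispatch unconditionally; labels are checked on pull_request events only`, would make it reviewable once confirmed against the action. The same question applies to `build` in `publish-sdk.yml` and `delete-npm-versions` in `public-delete-npm-versions.yml`.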
@@ -244,13 +258,8 @@ jobs: name-suffix: ${{ env.NAME_SUFFIX }} publish-schema-npm: - needs: [authorize, detect-changes, publish-logic, release-merge-guard-schema] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.schema_changed == 'true' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard-schema.result == 'success' || needs.release-merge-guard-schema.result == 'skipped') + needs: [authorize, detect-changes, publish-logic, release-merge-guard-schema, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.schema_changed == 'true' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard-schema.result == 'success' || needs.release-merge-guard-schema.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -317,10 +326,8 @@ jobs: workdir: "packages/registry-server/shared" lint-and-test: - needs: [authorize, detect-changes] - if: | - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.client_changed == 'true' + needs: [authorize, detect-changes, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.client_changed == 'true' permissions: contents: read packages: read 
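Review bot: The `publish-schema-npm` condition was flattened from a block scalar with one clause per line into a single long expression, with `always()` now nested inside parentheses after the label-gate clause. It still evaluates the same way, since a status function anywhere in the expression suppresses the implicit `success()`, but that opt-out is now easy to miss in review and a misplaced parenthesis here would change which jobs publish. Keeping a folded scalar, `if: >-` followed by `always() &&` and `needs.label-gate.outputs.authorised == 'true' &&` on their own lines, would preserve the earlier readability. The same applies to `lint-and-test`, `publish-schema-gpr`, `publish-client-gpr` and `publish-client-npm` in this file and to `sync-staging` in `pr-models-validation-registry-server.yml`.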
@@ -386,13 +393,8 @@ jobs: run: npm run typecheck publish-client-gpr: - needs: [authorize, detect-changes, publish-logic, lint-and-test] - if: | - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.client_changed == 'true' && - (needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true') + needs: [authorize, detect-changes, publish-logic, lint-and-test, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.client_changed == 'true' && (needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_tmp == 'true')) runs-on: ubuntu-latest environment: release permissions: @@ -425,13 +427,8 @@ jobs: name-suffix: ${{ env.NAME_SUFFIX }} publish-client-npm: - needs: [authorize, detect-changes, publish-logic, lint-and-test, release-merge-guard-client] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.client_changed == 'true' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard-client.result == 'success' || needs.release-merge-guard-client.result == 'skipped') + needs: [authorize, detect-changes, publish-logic, lint-and-test, release-merge-guard-client, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.client_changed == 'true' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard-client.result == 'success' || needs.release-merge-guard-client.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: 
@@ -486,4 +483,4 @@ jobs: release_name: "QVAC Registry Client" published_version: ${{ needs.publish-client-npm.outputs.published_version }} prev_sha: ${{ github.event.before }} - workdir: "packages/registry-server/client" \ No newline at end of file + workdir: "packages/registry-server/client" diff --git a/.github/workflows/publish-sdk.yml b/.github/workflows/publish-sdk.yml index 9cdf3b2690..f766546026 100644 --- a/.github/workflows/publish-sdk.yml +++ b/.github/workflows/publish-sdk.yml @@ -59,11 +59,31 @@ jobs: with: github-token: ${{ github.token }} + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -80,8 +100,8 @@ jobs: changelog-path: packages/sdk/CHANGELOG.md build: - needs: [authorize] - if: needs.authorize.outputs.allowed == 'true' + needs: [authorize, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.authorize.outputs.allowed == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -216,7 +236,7 @@ jobs: name: dist path: ${{ env.WORKDIR }}/dist/ retention-days: 1 - + - name: Determine version and tag id: version working-directory: ${{ env.WORKDIR }} @@ -245,7 +265,6 @@ jobs: tag: ${{ steps.version.outputs.tag }} branch: ${{ steps.version.outputs.branch }} - publish-logic: runs-on: ubuntu-latest outputs: @@ -355,10 +374,8 @@ jobs: publish-npm: name: Publish to NPM - needs: [build, publish-logic, release-merge-guard] - if: >- - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -397,7 +414,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-npm] - if: needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' + if: needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -406,4 +423,4 @@ jobs: release_name: "QVAC SDK" published_version: ${{ needs.publish-npm.outputs.published_version }} prev_sha: ${{ github.event.before }} - workdir: "packages/sdk" \ No newline at end of file + workdir: "packages/sdk" diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 229b48ad97..cde013b37f 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml 
@@ -70,4 +70,4 @@ jobs: --title "Release: v${{ steps.bump.outputs.version }}" \ --body "Bumps version to \`v${{ steps.bump.outputs.version }}\`" \ --base main \ - --head ${{ steps.bump.outputs.branch }} \ No newline at end of file + --head ${{ steps.bump.outputs.branch }} diff --git a/.github/workflows/repository-dispatch-bci-whispercpp.yml b/.github/workflows/repository-dispatch-bci-whispercpp.yml index da5ad34be5..c2641dfc2a 100644 --- a/.github/workflows/repository-dispatch-bci-whispercpp.yml +++ b/.github/workflows/repository-dispatch-bci-whispercpp.yml @@ -13,8 +13,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + dispatch: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' runs-on: ubuntu-latest environment: release steps: diff --git a/.github/workflows/repository-dispatch-sdk.yml b/.github/workflows/repository-dispatch-sdk.yml index 8fedf1a974..076e04c5a1 100644 --- a/.github/workflows/repository-dispatch-sdk.yml +++ b/.github/workflows/repository-dispatch-sdk.yml 
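Review bot: `label-gate` in repository-dispatch-bci-whispercpp.yml has no `if:` of its own, so the PAT-bearing job runs for every event that triggers the workflow, including pull requests that were closed without merging or that target another base, which `dispatch` filters out afterwards. Giving the gate the same event filter, `if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'`, keeps the token out of runs that can never dispatch. The workflow's `on:` block is outside the hunk; if it is `pull_request` rather than `pull_request_target`, runs from forks receive no secrets and the gate's behaviour with an empty token should be confirmed to deny. The same applies to the `dispatch` hunks in repository-dispatch-sdk.yml, repository-dispatch-transcription-whispercpp.yml, trigger-docs-sdk.yml and trigger-docs-translation-nmtcpp.yml.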
@@ -13,8 +13,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + dispatch: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' runs-on: ubuntu-latest environment: release steps: diff --git a/.github/workflows/repository-dispatch-transcription-whispercpp.yml b/.github/workflows/repository-dispatch-transcription-whispercpp.yml index dcdc2a085e..722906319d 100644 --- a/.github/workflows/repository-dispatch-transcription-whispercpp.yml +++ b/.github/workflows/repository-dispatch-transcription-whispercpp.yml 
@@ -13,8 +13,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + dispatch: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' runs-on: ubuntu-latest environment: release steps: diff --git a/.github/workflows/reusable-cpp-tests-translation-nmtcpp.yml b/.github/workflows/reusable-cpp-tests-translation-nmtcpp.yml index 578253c89b..babcf7171e 100644 --- a/.github/workflows/reusable-cpp-tests-translation-nmtcpp.yml +++ b/.github/workflows/reusable-cpp-tests-translation-nmtcpp.yml @@ -1,7 +1,7 @@ name: C++ Tests with Coverage (NMTCPP) on: - workflow_call: + workflow_call: inputs: ref: description: "Git ref to checkout" 
@@ -16,7 +16,30 @@ env: WORKDIR: packages/translation-nmtcpp jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + cpp-tests: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-24.04 environment: release timeout-minutes: 90 diff --git a/.github/workflows/reusable-prebuilds.yml b/.github/workflows/reusable-prebuilds.yml index 69e060baf9..ec71e35b60 100644 --- a/.github/workflows/reusable-prebuilds.yml +++ b/.github/workflows/reusable-prebuilds.yml @@ -29,13 +29,7 @@ on: default: "tetherto/qvac" artifact-name-prefix: description: >- - Optional prefix for the per-matrix prebuild artifact name. The - merged artifact is always uploaded under the well-known name - `prebuilds`, but downstream mobile-integration test workflows - download per-matrix artifacts via glob patterns built from this - prefix (see PREBUILD_ARTIFACT_PREFIX in - integration-mobile-test-*.yml), so it must match the convention - expected by the consumer. + Optional prefix for the per-matrix prebuild artifact name. The merged artifact is always uploaded under the well-known name `prebuilds`, but downstream mobile-integration test workflows download per-matrix artifacts via glob patterns built from this prefix (see PREBUILD_ARTIFACT_PREFIX in integration-mobile-test-*.yml), so it must match the convention expected by the consumer. type: string required: false default: "" 
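Review bot: `label-gate` in reusable-cpp-tests-translation-nmtcpp.yml runs under `workflow_call`, where `secrets.PAT_TOKEN` resolves only if the caller passes it or uses `secrets: inherit`; the `on.workflow_call` block shown in the previous hunk lists `inputs:`, and any `secrets:` section is outside the diff. A missing secret evaluates to an empty string, and whether the gate then denies depends on the action, which is not shown. Declaring it under `workflow_call` as `secrets:` / `PAT_TOKEN:` / `required: true` makes a caller that forgets the token fail at call time instead. In a called workflow `github.event` is the caller's event, so the `ref: ${{ github.event.repository.default_branch }}` checkout and the gate's decision follow the caller's context. The same applies to the reusable-prebuilds.yml and test-{android,desktop,ios}-sdk.yml hunks, which appear to be called workflows as well.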
@@ -56,21 +50,13 @@ on: default: false extra-cmake-defines: description: >- - Additional cmake defines appended verbatim to `bare-make generate` - on every matrix entry. Space-separated. Example: - "-D VK_PROFILING=ON" to enable Vulkan profiling on the llamacpp - packages. + Additional cmake defines appended verbatim to `bare-make generate` on every matrix entry. Space-separated. Example: "-D VK_PROFILING=ON" to enable Vulkan profiling on the llamacpp packages. type: string required: false default: "" platform-cmake-defines: description: >- - Platform-conditional cmake defines, one entry per line in - `: ` form. The matched platform's defines are - appended after `extra-cmake-defines`, so they can override common - defines if needed. Platforms without an entry contribute nothing. - Example: - + Platform-conditional cmake defines, one entry per line in `: ` form. The matched platform's defines are appended after `extra-cmake-defines`, so they can override common defines if needed. Platforms without an entry contribute nothing. Example: #magic___^_^___line platform-cmake-defines: | darwin: -D WHISPER_USE_METAL=ON ios: -D WHISPER_USE_METAL=ON @@ -87,10 +73,7 @@ on: default: false setup-rust-toolchain: description: >- - Ensure a stable Rust toolchain plus the per-platform stdlib targets - required by native crates that ship Rust code (iOS / Android via - `rustup target add ...`). On Windows the action will bootstrap - rustup itself if it isn't already on PATH. + Ensure a stable Rust toolchain plus the per-platform stdlib targets required by native crates that ship Rust code (iOS / Android via `rustup target add ...`). On Windows the action will bootstrap rustup itself if it isn't already on PATH. type: boolean required: false default: false 
@@ -99,7 +82,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + prebuild: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' permissions: contents: write pull-requests: write @@ -315,9 +321,7 @@ jobs: find prebuilds -type f -name '*.a' -delete - name: Smoke check (tmp-*) package name & prebuilds listing - if: ${{ startsWith(github.ref, 'refs/heads/tmp-') - || startsWith(github.ref_name, 'tmp-') - || (inputs.ref != '' && (startsWith(inputs.ref, 'refs/heads/tmp-') || startsWith(inputs.ref, 'tmp-'))) }} + if: ${{ startsWith(github.ref, 'refs/heads/tmp-') || startsWith(github.ref_name, 'tmp-') || (inputs.ref != '' && (startsWith(inputs.ref, 'refs/heads/tmp-') || startsWith(inputs.ref, 'tmp-'))) }} shell: bash working-directory: ${{ env.WORKDIR }} run: | diff --git a/.github/workflows/test-android-sdk.yml b/.github/workflows/test-android-sdk.yml index 700fe26ca3..720d0fff5b 100644 --- a/.github/workflows/test-android-sdk.yml +++ b/.github/workflows/test-android-sdk.yml 
@@ -78,6 +78,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + report-start: name: "[android] report-start" runs-on: ubuntu-latest @@ -103,6 +124,8 @@ jobs: exclude-suite: ${{ inputs.exclude-suite }} build: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: "[android] build" runs-on: ai-run-linux environment: release @@ -312,7 +335,8 @@ jobs: device-farm: name: "[android] device-farm" - needs: build + needs: [build, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release timeout-minutes: 45 @@ -490,7 +514,8 @@ jobs: run-producer: name: "[android] run-producer" - needs: build + needs: [build, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release timeout-minutes: 90 @@ -722,8 +747,8 @@ jobs: cleanup-device-farm: name: "[android] cleanup-device-farm" - needs: [build, run-producer, device-farm] - if: always() + needs: [build, run-producer, device-farm, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && always() runs-on: ubuntu-latest environment: release timeout-minutes: 35 diff --git a/.github/workflows/test-desktop-sdk.yml b/.github/workflows/test-desktop-sdk.yml index f11f5edccc..c0c913dfa0 100644 --- a/.github/workflows/test-desktop-sdk.yml +++ b/.github/workflows/test-desktop-sdk.yml 
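Review bot: `report-start` in test-android-sdk.yml sits directly after the new gate but gets neither `needs: [label-gate]` nor the `authorised` check, so it still runs for unauthorised triggers. Its body is outside the hunks, so whether it reads secrets or posts to the pull request cannot be judged from here; if it does either, it should get the same `needs: [label-gate]` and `if: needs.label-gate.outputs.authorised == 'true'` as `build`. The same gap shows for `report-start` in test-desktop-sdk.yml and test-ios-sdk.yml, `resolve` in test-sdk.yml, and `publish-logic` and `release-merge-guard` in the trigger-reusable-*.yml hunks. On style, `build` now puts `needs:` and `if:` ahead of `name:`, while `device-farm` and `run-producer` keep `name:` first.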
@@ -76,6 +76,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + report-start: name: "[desktop] report-start" runs-on: ubuntu-latest @@ -120,6 +141,8 @@ jobs: exclude-suite: ${{ inputs.exclude-suite }} test-desktop: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: "[desktop] test (${{ matrix.os }})" strategy: matrix: @@ -453,7 +476,6 @@ jobs: ]); } - const exitCode = producerExit || consumerExitCode; if (exitCode !== 0) { console.log(`āŒ Tests failed with exit code: ${exitCode}`); diff --git a/.github/workflows/test-ios-sdk.yml b/.github/workflows/test-ios-sdk.yml index 369a047950..11ef583d39 100644 --- a/.github/workflows/test-ios-sdk.yml +++ b/.github/workflows/test-ios-sdk.yml @@ -94,6 +94,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + report-start: name: "[ios] report-start" runs-on: ubuntu-latest 
@@ -119,6 +140,8 @@ jobs: exclude-suite: ${{ inputs.exclude-suite }} build: + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' name: "[ios] build" runs-on: macos-14 environment: release @@ -427,7 +450,8 @@ jobs: device-farm: name: "[ios] device-farm" - needs: build + needs: [build, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release timeout-minutes: 45 @@ -612,7 +636,8 @@ jobs: run-producer: name: "[ios] run-producer" - needs: build + needs: [build, label-gate] + if: needs.label-gate.outputs.authorised == 'true' runs-on: ubuntu-latest environment: release timeout-minutes: 90 @@ -844,8 +869,8 @@ jobs: cleanup-device-farm: name: "[ios] cleanup-device-farm" - needs: [build, run-producer, device-farm] - if: always() + needs: [build, run-producer, device-farm, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && always() runs-on: ubuntu-latest environment: release timeout-minutes: 35 diff --git a/.github/workflows/test-sdk.yml b/.github/workflows/test-sdk.yml index 8fa889728d..360d645a6c 100644 --- a/.github/workflows/test-sdk.yml +++ b/.github/workflows/test-sdk.yml @@ -101,6 +101,27 @@ permissions: packages: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + resolve: runs-on: ubuntu-latest outputs: 
@@ -120,8 +141,8 @@ jobs: fi desktop-tests: - needs: resolve - if: inputs.targets != 'mobile' && inputs.targets != 'android' && inputs.targets != 'ios' + needs: [resolve, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && inputs.targets != 'mobile' && inputs.targets != 'android' && inputs.targets != 'ios' uses: ./.github/workflows/test-desktop-sdk.yml with: project-directory: "packages/sdk" @@ -136,14 +157,14 @@ jobs: secrets: inherit android-tests: - needs: resolve + needs: [resolve, label-gate] permissions: actions: read id-token: write contents: read pull-requests: write packages: read - if: inputs.targets != 'desktop' && inputs.targets != 'ios' + if: needs.label-gate.outputs.authorised == 'true' && inputs.targets != 'desktop' && inputs.targets != 'ios' uses: ./.github/workflows/test-android-sdk.yml with: project-directory: "packages/sdk" @@ -159,14 +180,14 @@ jobs: secrets: inherit ios-tests: - needs: resolve + needs: [resolve, label-gate] permissions: actions: read id-token: write contents: read pull-requests: write packages: read - if: inputs.targets != 'desktop' && inputs.targets != 'android' + if: needs.label-gate.outputs.authorised == 'true' && inputs.targets != 'desktop' && inputs.targets != 'android' uses: ./.github/workflows/test-ios-sdk.yml with: project-directory: "packages/sdk" diff --git a/.github/workflows/trigger-docs-sdk.yml b/.github/workflows/trigger-docs-sdk.yml index 82aa0d0925..e634363b8a 100644 --- a/.github/workflows/trigger-docs-sdk.yml +++ b/.github/workflows/trigger-docs-sdk.yml 
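Review bot: `desktop-tests` in test-sdk.yml calls test-desktop-sdk.yml, whose new `label-gate` job requests `pull-requests: write`, yet this caller job shows no `permissions:` block, unlike `android-tests` and `ios-tests` below it. A called workflow cannot request more than the caller grants, so unless the workflow-level `permissions:` (only `packages: read` is visible in the hunk header) already includes `pull-requests: write`, the nested gate is likely to be rejected when the workflow is validated. Adding `permissions:` with `contents: read` and `pull-requests: write` to `desktop-tests`, or dropping the write scope from the nested gate if it is not needed, would resolve it. The gate is also evaluated twice on this path, once here and once inside each called workflow; a comment stating which of the two is authoritative would help.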
@@ -13,8 +13,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + dispatch: - if: github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-')) + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-'))) runs-on: ubuntu-latest environment: release steps: diff --git a/.github/workflows/trigger-docs-translation-nmtcpp.yml b/.github/workflows/trigger-docs-translation-nmtcpp.yml index 30192352d1..09ab1beaa7 100644 --- a/.github/workflows/trigger-docs-translation-nmtcpp.yml +++ b/.github/workflows/trigger-docs-translation-nmtcpp.yml 
@@ -13,8 +13,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + dispatch: - if: github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-')) + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-'))) runs-on: ubuntu-latest environment: release steps: diff --git a/.github/workflows/trigger-reusable-diagnostics.yml b/.github/workflows/trigger-reusable-diagnostics.yml index 2d24d3806c..75a686f1c8 100644 --- a/.github/workflows/trigger-reusable-diagnostics.yml +++ b/.github/workflows/trigger-reusable-diagnostics.yml 
@@ -17,11 +17,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -86,8 +106,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -108,12 +128,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: needs.publish-logic.outputs.publish_release == 'true' + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_release == 'true' uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: 
@@ -123,7 +143,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -135,8 +155,8 @@ jobs: workdir: "packages/diagnostics" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -157,8 +177,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: diff --git a/.github/workflows/trigger-reusable-infer-base.yml b/.github/workflows/trigger-reusable-infer-base.yml index 112c960324..2dbbccc85f 100644 --- a/.github/workflows/trigger-reusable-infer-base.yml +++ b/.github/workflows/trigger-reusable-infer-base.yml 
@@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/infer-base" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-langdetect-text-cld2.yml b/.github/workflows/trigger-reusable-langdetect-text-cld2.yml index 933873bd56..f3436883e7 100644 --- a/.github/workflows/trigger-reusable-langdetect-text-cld2.yml +++ b/.github/workflows/trigger-reusable-langdetect-text-cld2.yml @@ -33,8 +33,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + test: - if: github.event_name == 'pull_request' + needs: [label-gate] + if: needs.label-gate.outputs.authorised == 'true' && github.event_name == 'pull_request' runs-on: ubuntu-latest environment: release steps: @@ -70,8 +92,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -136,8 +157,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -158,15 +179,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -174,8 +192,8 @@ jobs: caller_event_name: ${{ github.event_name }} publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -196,8 +214,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -215,4 +233,4 @@ jobs: npm-token: ${{ secrets.NPM_TOKEN }} tag: ${{ needs.publish-logic.outputs.gpr_tag }} workdir: packages/langdetect-text-cld2 - name-suffix: "-mono" + name-suffix: "-mono" diff --git a/.github/workflows/trigger-reusable-langdetect-text.yml b/.github/workflows/trigger-reusable-langdetect-text.yml index 1c5644ecfe..6123d65675 100644 --- a/.github/workflows/trigger-reusable-langdetect-text.yml +++ b/.github/workflows/trigger-reusable-langdetect-text.yml 
@@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/langdetect-text" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-cli.yml b/.github/workflows/trigger-reusable-lib-cli.yml index 668318b00e..da3fa7344c 100644 --- a/.github/workflows/trigger-reusable-lib-cli.yml +++ b/.github/workflows/trigger-reusable-lib-cli.yml @@ -33,11 +33,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -128,8 +148,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: [build, publish-logic] - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [build, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -159,10 +179,8 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [build, publish-logic, release-merge-guard] - if: >- - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs: [build, publish-logic, release-merge-guard, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -212,8 +230,8 @@ jobs: workdir: "packages/cli" publish-feature-gpr: - needs: [build, publish-logic] - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [build, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -243,8 +261,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: [build, publish-logic] - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [build, publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: diff --git a/.github/workflows/trigger-reusable-lib-dl-base.yml b/.github/workflows/trigger-reusable-lib-dl-base.yml index a71d0b6105..5b6f752198 100644 --- a/.github/workflows/trigger-reusable-lib-dl-base.yml +++ b/.github/workflows/trigger-reusable-lib-dl-base.yml 
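Review bot: In `trigger-reusable-lib-cli.yml` the new `publish-release-npm` condition has no status function, unlike the `always()` form in the sibling workflows. The implicit `success()` check therefore still applies, and a skipped `release-merge-guard` skips this job before the expression is read. That makes the `needs.release-merge-guard.result == 'skipped'` alternative unreachable, and the guard's own `if:` skips it for anything other than a push to a `release-` ref; which events set `publish_release` is not visible here. If a skipped guard is meant to allow the publish, add a status function and check the build explicitly, e.g. `if: needs.label-gate.outputs.authorised == 'true' && !cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')`; otherwise drop the `'skipped'` alternative. The job body continues outside the hunk.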
@@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/dl-base" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-dl-filesystem.yml b/.github/workflows/trigger-reusable-lib-dl-filesystem.yml index ad921021f5..b78fd930fa 100644 --- a/.github/workflows/trigger-reusable-lib-dl-filesystem.yml +++ b/.github/workflows/trigger-reusable-lib-dl-filesystem.yml @@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/dl-filesystem" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-error.yml b/.github/workflows/trigger-reusable-lib-error.yml index 018129044d..86276971c0 100644 --- a/.github/workflows/trigger-reusable-lib-error.yml +++ b/.github/workflows/trigger-reusable-lib-error.yml @@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/error" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-hyperdrive.yml b/.github/workflows/trigger-reusable-lib-hyperdrive.yml index d1a2cd8c67..87aa058f9f 100644 --- a/.github/workflows/trigger-reusable-lib-hyperdrive.yml +++ b/.github/workflows/trigger-reusable-lib-hyperdrive.yml @@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/dl-hyperdrive" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-logging.yml b/.github/workflows/trigger-reusable-lib-logging.yml index 23ac1deb96..d89eecc12e 100644 --- a/.github/workflows/trigger-reusable-lib-logging.yml +++ b/.github/workflows/trigger-reusable-lib-logging.yml @@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/logging" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-rag.yml b/.github/workflows/trigger-reusable-lib-rag.yml index 24d4979788..8a09ab18a1 100644 --- a/.github/workflows/trigger-reusable-lib-rag.yml +++ b/.github/workflows/trigger-reusable-lib-rag.yml @@ -27,11 +27,31 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +116,8 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_main == 'true' runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +138,12 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: [publish-logic, release-merge-guard, label-gate] permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +153,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +165,8 @@ jobs: workdir: "packages/rag" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_feature == 'true' runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +187,8 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: [publish-logic, label-gate] + if: needs.label-gate.outputs.authorised == 'true' && needs.publish-logic.outputs.publish_tmp == 'true' runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/win11-nvidia-image-builder.yml b/.github/workflows/win11-nvidia-image-builder.yml index 9a4c2162c1..7cf26bd248 100644 --- a/.github/workflows/win11-nvidia-image-builder.yml +++ b/.github/workflows/win11-nvidia-image-builder.yml @@ -3,7 +3,7 @@ on: jobs: build-win11-nvidia-image: - runs-on: generator-windows11 + runs-on: generator-windows11 snapshot: win11-nvidia-grid-image steps: - name: Check OS version @@ -44,7 +44,7 @@ jobs: # Set the registry value to enable Developer Mode Set-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue -Type DWORD -Force - + Write-Host "Developer Mode enabled successfully." - name: Install latest Visual C++ Redistributable @@ -114,10 +114,9 @@ jobs: } Write-Host "NVIDIA driver installation verified successfully." - - # run-vulkaninfo: - # runs-on: ai-run-windows11-gpu - # steps: + # run-vulkaninfo: + # runs-on: ai-run-windows11-gpu + # steps: - name: GPU detection via nvidia-smi and vulkaninfo continue-on-error: true shell: powershell