[task] Design safe workflow actions for future writes

[phongndo]

Goal

Design the safe write-action model for future workflow actions.

Why this matters

Nexgit should prove read-only GitHub workflow state before mutating GitHub. Once write actions are added, contributors and maintainers need explicit target confirmation and dry-run previews.

Command/API target

Produce a maintainer-owned design note for future actions such as issue claim/unclaim, review thread reply/resolve, and check rerun.

Depends on

• v0.1 app-server data methods for the read-only state model.

Out of scope

• Do not implement write actions in this issue.
• Do not add OAuth or direct token management.
• Do not design non-GitHub providers.

Definition of done

• The design states which write actions are first.
• The design requires explicit repository target display before mutation.
• The design defines dry-run preview expectations.
• The design lists permission and failure cases maintainers must review before implementation.

Verification

• Design note or issue comment reviewed by a maintainer.
• Any repo-doc change runs pnpm format:prettier:check.

[github-actions]

This issue needs a small update before triage:

• Area must be one of Automation, CLI, Core, Desktop, Design, Docs, Protocol, Tests, or TUI so triage automation can route the issue.

Please edit the issue instead of opening a new one.