diff --git a/.claude/agents/deploy-blocker-investigator.md b/.claude/agents/deploy-blocker-investigator.md
index 3d32bf9f5bb5d..669646ad3eb9c 100644
--- a/.claude/agents/deploy-blocker-investigator.md
+++ b/.claude/agents/deploy-blocker-investigator.md
@@ -45,46 +45,68 @@ When analyzing, look at the App code to understand:
 ## What To Do
 
 1. **Investigate** the issue and find the causing PR. Check the issue description to see if the bug is reproducible on production. If it's staging-only, the cause is likely a PR in the StagingDeployCash checklist. If it's also on production, the bug may predate the current staging deploy.
-2. **Comment** on the issue with your findings
-3. **Update labels** based on classification:
+2. **Comment** on the issue with your findings (see Comment Structure below)
+3. **Update labels** if needed - first check which labels are actually on the issue:
 
 | Classification | Label Action |
 |----------------|--------------|
-| Backend bug | Remove `DeployBlockerCash` (doesn't block App deploy) |
+| Backend bug | Remove `DeployBlockerCash` if present (doesn't block App deploy) |
 | Frontend bug | Remove `DeployBlocker` if present (doesn't block Web deploy) |
 
 ---
 
 ## Comment Structure
 
-Post ONE comment with:
+Post ONE comment using this format:
 
-1. **Causing PR** (or candidates if uncertain)
-   - PR number, title, author, link
-   - Confidence level (high/medium/low)
-   - Evidence (why you think this PR caused it)
+```markdown
+## 🔍 Investigation Summary
 
-2. **Related issues** - any other deploy blockers that might be caused by the same PR
+**Classification**: Frontend bug / Backend bug
+**Causing PR**: [#NUMBER](link) - "title" by @author (High/Medium/Low confidence)
+**Related Issues**: #NUMBER (if any)
 
-3. **Recommendation** - one of:
-   - **REVERT** - Default choice. Preferred when the causing PR is clear and can be cleanly reverted. Especially important if the PR caused multiple linked issues.
-   - **ROLL FORWARD** - Use when reverting is problematic: fix is simpler than revert, revert would cause merge conflicts, or many dependent PRs have merged on top.
-   - **NEEDS INVESTIGATION** - Use when you cannot determine the root cause with reasonable confidence. List candidate PRs for human review, and tag PR author and reviewers.
-   - **DEMOTE** - Use when the bug is pretty minor (cosmetic and uncommon, pretty edge case, affects very few users) and not worth blocking the deploy.
+### Recommendation: REVERT / ROLL FORWARD / NEEDS INVESTIGATION / DEMOTE
 
-State which label you're removing (if any) and why.
+Brief explanation of why this recommendation (1-2 sentences).
+
+<details>
+<summary>📋 Detailed Analysis</summary>
+
+### Evidence
+- Why you believe this PR caused the issue
+- What changed in the PR that relates to the bug
+- Whether it reproduces on production vs staging only
+
+### Root Cause
+Technical explanation of what went wrong in the code.
+
+</details>
+```
+
+**Recommendations** (choose one):
+- **REVERT** - Default choice. Preferred when the causing PR is clear and can be cleanly reverted.
+- **ROLL FORWARD** - Use when reverting is problematic: fix is simpler than revert, many dependent PRs have merged, or the PR fixed a worse bug than it introduced (reverting would bring back a more severe issue).
+- **NEEDS INVESTIGATION** - Cannot determine root cause with confidence. Tag PR author and reviewers.
+- **DEMOTE** - Bug is minor (cosmetic, edge case, affects few users) and not worth blocking deploy.
+
+**Label removal**: Only remove a label if it's actually present on the issue. Check the issue's labels first before mentioning any label changes in your comment.
 
 ---
 
 ## Commands
 
 ```bash
+# Check which labels are on the issue first:
+gh issue view "$ISSUE_URL" --json labels --jq '.labels[].name'
+
 # Post your findings as a comment:
 gh issue comment "$ISSUE_URL" --body "YOUR_COMMENT_HERE"
 
-# Remove label (backend bugs only):
-gh issue edit "$ISSUE_URL" --remove-label DeployBlockerCash
+# Remove label ONLY if it exists on the issue:
+# For backend bugs - remove DeployBlockerCash (if present)
+removeDeployBlockerLabel.sh "$ISSUE_URL" DeployBlockerCash
 
-# Remove label if confirmed to be frontend bug and label exists
-gh issue edit "$ISSUE_URL" --remove-label DeployBlocker
+# For frontend bugs - remove DeployBlocker (if present)
+removeDeployBlockerLabel.sh "$ISSUE_URL" DeployBlocker
 ```
diff --git a/.claude/commands/investigate-deploy-blocker.md b/.claude/commands/investigate-deploy-blocker.md
index d0f180b0b656e..ce96841f410f6 100644
--- a/.claude/commands/investigate-deploy-blocker.md
+++ b/.claude/commands/investigate-deploy-blocker.md
@@ -1,5 +1,5 @@
 ---
-allowed-tools: Bash(gh issue view:*),Bash(gh issue edit:* --remove-label DeployBlocker),Bash(gh issue edit:* --remove-label DeployBlockerCash),Bash(gh issue comment:*),Bash(gh issue list:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh api:*),Bash(git log:*),Bash(git show:*),Bash(git blame:*),Glob,Grep,Read
+allowed-tools: Bash(gh issue view:*),Bash(gh issue comment:*),Bash(gh issue list:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh pr diff:*),Bash(gh api:*),Bash(git log:*),Bash(git show:*),Bash(git blame:*),Bash(removeDeployBlockerLabel.sh:*),Glob,Grep,Read
 description: Investigate a deploy blocker issue to find the causing PR and recommend resolution
 ---
 
diff --git a/.claude/scripts/removeDeployBlockerLabel.sh b/.claude/scripts/removeDeployBlockerLabel.sh
new file mode 100755
index 0000000000000..7789589066e7e
--- /dev/null
+++ b/.claude/scripts/removeDeployBlockerLabel.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Secure proxy script to remove deploy blocker labels from GitHub issues.
+# Only allows removing specific labels: DeployBlocker, DeployBlockerCash
+set -eu
+
+readonly ALLOWED_LABELS=("DeployBlocker" "DeployBlockerCash")
+
+die() {
+    echo "Error: $*" >&2
+    exit 1
+}
+
+usage() {
+    die "Usage: $0 <issue_url> <label>"
+}
+
+validate_label() {
+    local label="$1"
+    for allowed in "${ALLOWED_LABELS[@]}"; do
+        if [[ "$label" == "$allowed" ]]; then
+            return 0
+        fi
+    done
+    die "Label '$label' is not allowed. Allowed labels: ${ALLOWED_LABELS[*]}"
+}
+
+readonly ISSUE_URL="${1:-}"
+readonly LABEL="${2:-}"
+
+[[ -z "$ISSUE_URL" || -z "$LABEL" ]] && usage
+
+# Validate the URL looks like a GitHub issue URL
+if [[ ! "$ISSUE_URL" =~ ^https://github\.com/.+/issues/[0-9]+$ ]]; then
+    die "Invalid issue URL format. Expected: https://github.com/<owner>/<repo>/issues/<number>"
+fi
+
+validate_label "$LABEL"
+
+echo "Removing label '$LABEL' from issue: $ISSUE_URL"
+gh issue edit "$ISSUE_URL" --remove-label "$LABEL"
diff --git a/.github/workflows/deployBlockerInvestigation.yml b/.github/workflows/deployBlockerInvestigation.yml
index 94d5de2a409b2..cd05077727bf5 100644
--- a/.github/workflows/deployBlockerInvestigation.yml
+++ b/.github/workflows/deployBlockerInvestigation.yml
@@ -39,6 +39,10 @@ jobs:
       - name: Setup Node
         uses: ./.github/actions/composite/setupNode
 
+      - name: Add claude utility scripts to PATH
+        run: |
+          echo "$GITHUB_WORKSPACE/.claude/scripts" >> "$GITHUB_PATH"
+
       - name: Validate issue has DeployBlockerCash label
         id: validate
         run: |
@@ -60,4 +64,4 @@ jobs:
           github_token: ${{ secrets.OS_BOTIFY_TOKEN }}
           prompt: "/investigate-deploy-blocker ISSUE_URL: ${{ inputs.ISSUE_URL }}"
           claude_args: |
-            --allowedTools "Task,Glob,Grep,Read,Bash(gh issue view:*),Bash(gh issue edit:* --remove-label DeployBlocker),Bash(gh issue edit:* --remove-label DeployBlockerCash),Bash(gh issue comment:*),Bash(gh issue list:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh api:*),Bash(git log:*),Bash(git show:*),Bash(git blame:*)"
+            --allowedTools "Task,Glob,Grep,Read,Bash(gh issue view:*),Bash(gh issue comment:*),Bash(gh issue list:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh pr diff:*),Bash(gh api:*),Bash(git log:*),Bash(git show:*),Bash(git blame:*),Bash(removeDeployBlockerLabel.sh:*)"