Fix CreateLabelForLabelset signature and quiet permission-denial logs

- Make optional GraphQL arguments (text/description/color/icon/label_type)
  default to None on the Python side so resolver invocations matching
  the schema (which marks them required=False) no longer raise
  'missing positional arguments'.
- Catch LabelSet.DoesNotExist separately in
  RemoveLabelsFromLabelsetMutation to log the legitimate auth-deny path
  at WARNING level without a stack trace, instead of routing it through
  the catch-all except Exception (which used logger.exception).

Author: JSv4

config/graphql/label_mutations.py

@@ -218,7 +218,16 @@ class Arguments:
     obj_id = graphene.ID()
 
     @login_required
-    def mutate(root, info, labelset_id, text, description, color, icon, label_type):
+    def mutate(
+        root,
+        info,
+        labelset_id,
+        text=None,
+        description=None,
+        color=None,
+        icon=None,
+        label_type=None,
+    ):
 
         ok = False
         obj = None
@@ -310,6 +319,17 @@ def mutate(root, info, label_ids, labelset_id):
             ok = True
             message = "Success"
 
+        except LabelSet.DoesNotExist:
+            # Legitimate auth rejection or genuine 404 — log without a stack trace
+            # to avoid polluting logs with what looks like real errors.
+            logger.warning(
+                "RemoveLabelsFromLabelsetMutation: labelset not found or "
+                "permission denied (labelset_id=%s)",
+                labelset_id,
+            )
+            message = (
+                f"Error removing label(s) from labelset: {LabelSet.DoesNotExist()}"
+            )
         except Exception as e:
             logger.exception("RemoveLabelsFromLabelsetMutation failed")
             message = f"Error removing label(s) from labelset: {e}"