v0.5.0 — author attribution, ADR mirroring, identity hardening

[0.5.0] — 2026-06-12 — Author attribution, ADR mirroring, identity hardening

Three additive, spec-driven features (specs 008/010 + the #69 hardening) plus
Dependabot. extension.id stays linear; the command surface is unchanged;
every existing install behaves identically until it opts in. All safety
guarantees (idempotency, drift-awareness, fail-closed writes) hold.

Author-based attribution — spec 010

• The board shows who authored each spec. Opt-in (linear.attribution.*,
  default OFF). When enabled, each spec Issue gets an account-independent
  author:<handle> label and — for authors who are Linear members — is assigned
  to that author on creation. A non-member or unresolved author is labelled but
  left unassigned (never the operator). Disabled/absent ⇒ byte-for-byte today's
  behaviour (operator assignee per FR-034, no author label).
• Author resolution is filesystem-derived. A **Owner:** / **Author:**
  line in spec.md wins; otherwise the first git author to add the spec
  directory; otherwise unknown (a graceful no-op — no label, no assignee, no
  failure).
• Members match automatically; the override map is optional. Linear's member
  roster is read at runtime, so a git email that matches a Linear email resolves
  with no configuration. An optional, gitignored linear-authors.local.yml
  (only a .sample is committed) aliases git≠Linear emails and pins handles for
  non-members — no real email or user id ever lands in a tracked file (the
  identity-leak guard covers it).
• Idempotent + never-clobber. The author label is strip-and-set (zero churn
  on re-run; one swap on author change); the author assignee is written on create
  only, so a manual reassignment in Linear always survives. Sub-issues optionally
  inherit the author label (subissue_label, default off) but never the author
  assignee. Parity-locked with the spec-kit-jira author-attribution feature at the
  user-visible level. No new command; extension.id stays linear.

ADR / decision-record mirroring — spec 008

• Your decisions now reach the tracker. The Decision / Rationale / Alternatives blocks in each spec's research.md are mirrored as ADR comments
  on that spec's Linear Issue — one comment per decision, in an ADR layout (id,
  title, status, decision, rationale, alternatives, source). It rides the
  existing after_* hooks; no new command, no config. Works for any spec that
  has a research.md; a spec without one is a graceful no-op.
• Idempotent + update-in-place. Each ADR is keyed by a hidden
  <!-- spec-kit-linear: adr <NNN>-<key> --> marker (heading id D<N>/R<N>,
  else a title slug); an unchanged corpus is zero-churn, a revised decision
  updates its one comment in place, a new decision adds one comment. (Update-in-
  place is Principle I — the filesystem is canonical; it is the sole behavioural
  delta from the clarify-comment path, and the one new mutation, commentUpdate.)
• Parity with the spec-kit-jira ADR feature: the user-visible comment shape
  matches across both sinks. No config/schema change; extension.id stays
  linear.

Consumer identity-leak hardening (#69)

• Install refuses to let your identity reach a tracked file. A new install-
  time guard (install::assert_no_identity_leak) scans the consumer's tracked
  tree for operator-identity leaks — operator.* keys, email-shaped strings, and
  a force-tracked operator-local / authors-override file — and surfaces a loud,
  named warning with remediation (Principle VIII). Export
  SPECKIT_LINEAR_STRICT_IDENTITY=1 to make a detected leak fail the install.
  Reinforces the spec-004 config/identity split: identity stays in the gitignored
  operator-local file, never in committed config.

Tooling — Dependabot (#64–#67)

• Dependabot for GitHub Actions (#64) keeps the CI action pins current; the
  first batch bumped actions/checkout, actions/cache, and actions/setup-node
  (#65–#67). CI-internal only; no consumer-facing change.