[Change] Safe project artifact writes for init and IDE setup

[djm81]

Why

specfact init and specfact init ide currently mutate user-owned project artifacts such as .vscode/settings.json without a first-class safety contract. Issue #487 showed that a setup run can wipe unrelated local configuration, forcing manual restore and repair. That is unacceptable for any tool writing into customer repositories.

What Changes

• introduce a core safe-write policy for project artifacts with declared ownership and mutation modes (create_only, merge_structured, append_managed_block, explicit_replace)
• route init/setup file mutations through a shared helper instead of ad hoc overwrite logic
• preserve unrelated user configuration in partial-ownership files such as .vscode/settings.json
• require backup/recovery metadata for lossy replacement paths
• add CI/static coverage that flags unsafe raw writes to protected user-project artifacts
• add regression fixtures proving existing user config survives init/setup flows
• coordinate paired runtime adoption in specfact-cli-modules

Acceptance Criteria

• .vscode/settings.json merges only SpecFact-managed entries and preserves unrelated settings
• malformed structured config does not get silently replaced by default
• destructive replacement creates a recoverable backup and explicit output
• CI fails if protected init/setup paths bypass the sanctioned safe-write helper
• paired modules-side adoption change is tracked and linked

Dependencies

• Parent Feature: [Feature] Configuration Profiles #365
• Paired modules change: project-runtime-01-safe-artifact-write-policy

Related Issues/PRs

• Related bug: bug: specfact init overwrites existing .vscode/settings.json completely #487

Additional Context

This is intended as a prevention-by-design change, not a point fix for a single symptom.

---

OpenSpec Change Proposal: profile-04-safe-project-artifact-writes

[djm81]

Implementation PR opened

PR: #496 (target: dev)

Shipped in this PR (specfact-cli)

• Safe merge for .vscode/settings.json via project_artifact_write (preserve unrelated keys; SpecFact chat/prompt recommendations only).
• Fail-safe on malformed JSON; --force replaces with backup under .specfact/recovery/.
• scripts/verify_safe_project_writes.py + hatch run lint guard against raw writes to protected init/setup paths.
• Unit tests + OpenSpec TDD_EVIDENCE.md / tasks.md updates for change profile-04-safe-project-artifact-writes.
• setuptools pinned <82 so Semgrep’s dependency chain still resolves pkg_resources (code review / lint stability).

Acceptance criteria (#490)

• Merge-only SpecFact-managed entries; preserve unrelated settings (see tests).
• Malformed config not silently replaced by default; explicit --force + backup path.
• CI/lint fails on unsafe bypass of helper for protected artifacts.
• Paired modules change project-runtime-01-safe-artifact-write-policy — still tracked separately; link from modules PR when ready.

Parent feature: #365 · Related bug: #487

Please review #496; once merged we can close this issue or tick remaining cross-repo items.