chore: cut 0.15.0

[danielmeppiel]

TL;DR

Cut 0.15.0. Bumps pyproject.toml + uv.lock, moves [Unreleased] -> [0.15.0] - 2026-05-27.

Why a minor (not a patch)

Unreleased carries a BREAKING Security change: apm install against *.ghe.com marketplaces now fail-closes on bare cross-repo repo: fields (#1459, closes #1326). Per SemVer (and this repo's stated SemVer adherence in the CHANGELOG header), breaking behaviour change on a 0.x line warrants a minor bump, not a patch. Several new user-facing features (#1308, #1471, #1288, #1476) reinforce that.

Changelog audit applied during the cut

Every PR merged since v0.14.2 has exactly one entry, each leading with the user-visible impact.

Fixes folded in:

• Added missing entries for refactor(cli): clean up compilation config and registry cursor #1367, fix(compile): live-reload apm.yml and warn on --clean --watch #1403, fix(mcp): rewrite skill-shipped MCP command paths for the Claude target #1465, fix(triage-panel): replace invalid difc: block with tools.github.min-integrity #1487, test(codeql): fix 30 py/incomplete-url-substring-sanitization alerts #1492, fix(triage-panel): add DIFC read-integrity exemption for external issues #1462, fix: resolve 3 flaky integration tests blocking merge queue #1477, perf(scaling-guards): add variant-key and cache-lookup guards, wire to CI integration gate #1439, fix(marketplace): handle Windows file:// URI shapes in _local_path_from_source #1484, and the 131679f follow-up commit.
• Collapsed the two fix(install): honour spec drift in BFS resolve callback #1473 lines into one.
• Merged the GitCache core.hooksPath=/dev/null / no-submodule-recursion entry into the feat(marketplace): support local paths, file:// URIs, and generic git hosts #1476 Added entry (same PR, one logical change).
• Corrected PR ref for the persisted transport-flag config: was Support persisting CLI flags via apm config (e.g. allow-protocol-fallback, ssh) #1243 (does not exist), now feat: persist transport flags via apm config #1308 (actual merge).
• Relocated the marketplace CLI entries (apm pack --marketplace, --marketplace-path, --json, outputs map form) out of Unreleased into [0.14.2]. They were attributed to a non-existent Marketplace output UX: filter-driven CLI + map-based manifest + JSON output #1317 and orphaned across the 0.14.2 cut; they actually shipped via feat(marketplace): filter-driven CLI, map-based manifest, JSON output #1324, so they now sit in the version that contained them.

Validation

Local mirror of CI Lint gate:

$ uv run --extra dev ruff check src/ tests/
All checks passed!

$ uv run --extra dev ruff format --check src/ tests/
1100 files already formatted

No code or tests changed; only CHANGELOG.md, pyproject.toml, uv.lock.

Release dance after merge

git tag -a v0.15.0 -m "v0.15.0" <merge-sha>
git push origin v0.15.0

[Copilot]

Pull request overview

This PR cuts the 0.15.0 release by bumping package metadata and moving the accumulated changelog entries into a versioned section.

Changes:

• Bumps apm-cli from 0.14.2 to 0.15.0.
• Moves [Unreleased] entries into 0.15.0 and audits release notes.
• Relocates marketplace CLI changelog items to 0.14.2.

Show a summary per file

File	Description
pyproject.toml	Updates project version to 0.15.0.
uv.lock	Updates locked editable package version to 0.15.0.
CHANGELOG.md	Adds the 0.15.0 release section and adjusts prior release entries.

Copilot's findings

• Files reviewed: 2/3 changed files
• Comments generated: 1