release: v1.5.0 - Quality of Life Improvements

IndieAuth Authentication:
- Corrected W3C IndieAuth specification compliance
- Uses response_type=id for authentication-only flow per spec
- Discovers endpoints from user profile URL
- Removed hardcoded indielogin.com service
- DEPRECATED: INDIELOGIN_URL config (now auto-discovered)

Timestamp-Based Slugs (ADR-062):
- Default slugs now use YYYYMMDDHHMMSS format
- Unique collision handling with numeric suffix

Debug File Management:
- Controlled by DEBUG_SAVE_FAILED_UPLOADS config
- Auto-cleanup of files older than 7 days
- 100MB disk space protection
- Filename sanitization for security

Performance:
- N+1 query fix in feed generation
- Batch media loading for feed notes

Data Integrity:
- Atomic variant generation with temp files
- Database/filesystem consistency on failure

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-17 15:57:45 -07:00
parent c94cb377d3
commit 4ee2c189ae
8 changed files with 942 additions and 17 deletions

@@ -308,12 +308,15 @@ def initiate_login(me_url: str) -> str:
db.commit()
# Build authorization URL
# Per W3C IndieAuth spec: use response_type=id for authentication-only flow
# (identity verification without access token). This allows code redemption
# at the authorization_endpoint rather than requiring token_endpoint.
params = {
"me": me_url,
"client_id": current_app.config["SITE_URL"],
"redirect_uri": redirect_uri,
"state": state,
"response_type": "code",
"response_type": "id",
}
current_app.logger.debug(
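Review bot: the params dict sends only me, client_id, redirect_uri, state and response_type, with no code_challenge / code_challenge_method, so the code returned to redirect_uri is tied to this login attempt by state alone. Now that the new comment has the code redeemed at the authorization_endpoint, and the commit message says that endpoint is discovered from the user's profile URL rather than fixed, I would add a PKCE challenge here and send the verifier at redemption, or document why it is left out. The comment "Per W3C IndieAuth spec" should also name the revision and section it relies on, and the caller should handle a discovered endpoint that rejects "response_type": "id" with a clear error instead of a generic login failure.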
@@ -322,7 +325,7 @@ def initiate_login(me_url: str) -> str:
f" client_id: {current_app.config['SITE_URL']}\n"
f" redirect_uri: {redirect_uri}\n"
f" state: {_redact_token(state, 8)}\n"
f" response_type: code"
f" response_type: id (authentication-only flow)"
)
auth_url = f"{auth_endpoint}?{urlencode(params)}"
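Review bot: the debug message hardcodes the literal "response_type: id (authentication-only flow)" instead of reading it from params, which is why this commit had to change the value in two places. Formatting it from params["response_type"] keeps the log truthful if the flow changes again. The state value is passed through _redact_token(state, 8), which is good; the lines above this hunk are not visible here, so please confirm that me_url and any other logged values get the same consideration before debug logging is enabled in production.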