chore: upgrade deps, fix semconv version, remove auth0| usernames

[emsearcy]

Summary

Maintenance pass covering three concerns:

1. Dependency upgrades

• Go toolchain directive 1.26.3 → 1.26.4
• lfx-v2-committee-service v0.2.35 → v0.4.0
• lfx-v2-mailing-list-service v0.4.13 → v0.5.0
• lfx-v2-member-service v0.8.0 → v0.9.0
• lfx-v2-project-service v0.6.11 → v0.8.0
• lfx-v2-query-service v0.4.21 → v0.4.22
• OTel suite v1.43.0 → v1.44.0
• goa.design/goa/v3 v3.27.0 → v3.28.0
• Various golang.org/x/* and google.golang.org/* bumps

Contract fix: committee service v0.4.0 added four new RPCs; the NewClient call in internal/lfxv2/client.go was updated to include GetOrgCommitteeSeats, ReassignOrgCommitteeSeat (inserted after GetCommitteeMember), and GetCurrentWeeklyBrief, GenerateWeeklyBrief (appended).

2. OTel semconv version fix

otelhttp@v0.69.0 now internally imports semconv/v1.41.0, which registers SchemaURL = https://opentelemetry.io/schemas/1.41.0. Our code was still importing semconv/v1.40.0, causing a startup error:

failed to initialise OpenTelemetry SDK: conflicting Schema URL:
https://opentelemetry.io/schemas/1.41.0 and https://opentelemetry.io/schemas/1.40.0

Updated both internal/otel/tracing.go and cmd/lfx-mcp-server/main.go to semconv/v1.41.0, which is the highest sub-package present inside go.opentelemetry.io/otel@v1.44.0. The upgrade-maintenance skill now documents this rule and the command to find the correct version deterministically.

3. Remove auth0| usernames (LFXV2-1962)

Replaced auth0|testuser and auth0|alice identifiers in access_check_test.go mock data and the example in the access_check.go doc comment with plain LFID usernames. After the platform switch, the access-check endpoint returns user:<lfid-username> in its results, where the username is sourced from the http://lfx.dev/claims/username JWT claim stored in TokenInfo.Extra["username"].

Testing

• make check — passes (0 issues)
• make build — passes
• ./scripts/test_server.sh — all tests pass, no OTel schema conflict error
• go test ./internal/... — all unit tests pass

Jira: LFXV2-2201

---

🤖 Generated with GitHub Copilot (via OpenCode)

[Copilot]

Pull request overview

Maintenance-focused update that bumps core Go/OTel/LFX v2 dependencies, aligns OpenTelemetry semantic convention imports to prevent schema URL conflicts at startup, and updates access-check examples/tests to reflect LFID-style usernames (no auth0| prefix).

Changes:

• Upgraded Go toolchain directive and multiple dependencies (LFX v2 services, OTel suite, goa, golang.org/x/*, etc.), including committee client wiring for newly added RPCs.
• Fixed OTel schema URL startup conflict by updating semconv imports to v1.41.0.
• Removed auth0| username prefixes from access-check docs and tests; documented the semconv-version selection rule in the upgrade skill.

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
internal/tools/member.go	Formatting/alignment updates to the search_members args struct.
internal/otel/tracing.go	Updates OTel semconv import to v1.41.0 to match upgraded instrumentation.
internal/lfxv2/client.go	Adds newly required committee-service endpoints to the generated client wiring.
internal/lfxv2/access_check.go	Updates access-check parsing example to LFID-style usernames.
internal/lfxv2/access_check_test.go	Updates mocked access-check results to LFID-style usernames (no `auth0
go.mod	Bumps Go directive and multiple direct/indirect dependencies (LFX v2, OTel, goa, etc.).
go.sum	Updates dependency checksums consistent with go.mod upgrades.
cmd/lfx-mcp-server/main.go	Updates OTel semconv import to v1.41.0.
.agents/skills/upgrade-maintenance/SKILL.md	Documents semconv import-version rule and how to determine it deterministically.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.