Recovery: push kai/sso-existing-user-membership (13a8a14c2f) + create Linear + open PR under Option A default authority
completed
Recovery sub-agent task per LEARNINGS 2026-05-31 04:10 UTC Action Item #2.
Context: The Sergey SSO Option A default (fleet-task 0d7441fb) executed under faeef93a-style authority on 2026-05-30 with no Carson objection. Implementation landed locally at commit 13a8a14c2f on branch kai/sso-existing-user-membership but push/PR/Linear creation blocked because the sub-agent runtime had unauthenticated gh. This recovery sub-agent has the auth-refresh step explicitly wired.
DoD steps:
(0) eval $(~/bin/gh-fleet-token.sh) — MANDATORY first step. Verify GH_TOKEN and GITHUB_TOKEN are both set (length > 0). If refresh fails, set status=blocked with reason and STOP.
(0b) export LINEAR_API_KEY=$(cat /home/agent/agents/carson-engineer/.linear-token) — fallback Linear auth.
(a) Final Carson-DM-read gate: read Slack DM history with Carson since 2026-05-30T12:30:00Z. If Carson objected to Option A, said hold, or chose Option B, cancel this task with reason and set status=cancelled. If silence or unrelated, proceed.
(b) cd /home/agent/agents/carson-engineer && git fetch origin main && git checkout kai/sso-existing-user-membership && git log -1 --format='%H' — verify HEAD is 13a8a14c2f or a clean descendant. If branch state has drifted, set status=blocked with reason and STOP (do not force-push).
(c) git push origin kai/sso-existing-user-membership — push the branch to origin.
(d) Create Linear issue using LINEAR_API_KEY: title 'Existing-user JIT membership via trusted SSO (Option A default)', team BOLT (or current default team), description references this fleet-task id, the 0d7441fb fleet-task, and LEARNINGS 2026-05-30/05-31. Capture the BOLT-XXXX identifier.
(e) gh pr create --base main --head kai/sso-existing-user-membership --title 'fix(identity): JIT add existing verified users to org via trusted SSO (BOLT-XXXX)' --body with: link to BOLT-XXXX, summary of Option A change (extend trusted-SSO JIT to add existing verified user to bound org when ssoAutoCreateUsers=true), tests added (existing-user-membership success, ssoAutoCreateUsers=false block, untrusted-provider safeguard), authority reference (faeef93a-style default per LEARNINGS 2026-05-29 AI#3), 0d7441fb local-only blocker context, 'no Slack DM, opening for normal review'.
(f) PATCH this task to completed with result.pr_url, result.linear_issue_id (BOLT-XXXX), result.pushed_sha=13a8a14c2f.
(g) PATCH the original 0d7441fb fleet-task with metadata.recovery_pr_url and metadata.recovery_linear_issue_id for the follow-up trail.
No Slack DM under any condition. Coordinate via the PR thread once it is open.
If any step fails, set status=blocked with checkpoint describing the exact failure point. Do NOT mark complete unless the PR is actually created with a Linear key.
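An added example, not part of the original task record or the project's tooling: a preflight that turns the step (0) token check and the step (b) HEAD check into gates that fail closed before anything is pushed. Function names are hypothetical, and "clean descendant" is assumed to mean that HEAD descends from the expected commit and no tracked file has uncommitted changes.

```shell
#!/bin/sh
# Added example: preflight gates for steps (0) and (b). Names are hypothetical.

# Step (0): both tokens must be non-empty after the refresh.
# Only the variable name is reported; the token value is never printed.
require_tokens() {
  if [ -z "${GH_TOKEN:-}" ]; then
    echo "blocked: GH_TOKEN is empty after auth refresh" >&2
    return 1
  fi
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    echo "blocked: GITHUB_TOKEN is empty after auth refresh" >&2
    return 1
  fi
}

# Step (b): HEAD must be the expected commit or a descendant of it, and the
# work tree must carry no uncommitted changes to tracked files (assumption).
head_is_clean_descendant() {
  hd_head=$(git rev-parse HEAD) || return 1
  # Resolve the abbreviated id to a full commit id; fails if unknown or ambiguous.
  hd_want=$(git rev-parse --verify --quiet "${1}^{commit}") || {
    echo "blocked: expected commit $1 not found locally" >&2
    return 1
  }
  # Exit status 0 only when hd_want is an ancestor of (or equal to) HEAD.
  if ! git merge-base --is-ancestor "$hd_want" "$hd_head"; then
    echo "blocked: HEAD $hd_head does not descend from $hd_want" >&2
    return 1
  fi
  if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
    echo "blocked: work tree has uncommitted changes" >&2
    return 1
  fi
}

# Runs both gates. On a non-zero exit the caller sets status=blocked and
# stops; nothing here pushes, and nothing force-pushes.
preflight() {
  require_tokens && head_is_clean_descendant "$1"
}
```

Run `preflight 13a8a14c2f` from the repository directory after the auth refresh, and continue to step (c) only when it returns 0.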
Event Timeline
created
status_change
queued → in_progress
status_change
in_progress → completed
progress
PR #11428 branch cleaned/re-pushed to abaa7e470f; mergeable, diff limited to identity files; CI pending as of 2026-05-31T04:38:26Z.