fix(sdd): add Spectral ruleset so contract-validate passes

Spectral v6 ships no implicit ruleset — the CI job exited 'no ruleset found'.
Adds .spectral.yaml (extends spectral:oas, documentation-only warnings relaxed
for design-time stubs), adds operation tags to the _example contract so it lints
clean (0 results), and aligns the api-contract-stub note.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.specify/features/_example/api-contract.yaml

@@ -45,6 +45,7 @@ paths:
   /api/users/me/avatar:
     post:
       summary: Upload or replace the current user's avatar
+      tags: [Users]
       operationId: uploadMyAvatar
       security:
         - cookieAuth: []
@@ -78,6 +79,7 @@ paths:
               schema: { $ref: '#/components/schemas/ErrorResponse' }
     delete:
       summary: Remove the current user's avatar
+      tags: [Users]
       operationId: deleteMyAvatar
       security:
         - cookieAuth: []
@@ -95,6 +97,7 @@ paths:
   /api/users/{id}/avatar:
     get:
       summary: Stream a user's avatar image (authenticated proxy)
+      tags: [Users]
       operationId: getUserAvatar
       security:
         - cookieAuth: []
@@ -113,6 +116,7 @@ paths:
         '404': { description: User has no avatar, content: { application/json: { schema: { $ref: '#/components/schemas/ErrorResponse' } } } }
     delete:
       summary: Remove another user's avatar (admin only)
+      tags: [Users]
       operationId: deleteUserAvatar
       description: Requires Permission.ADMIN_USER (enforced by @RequirePermission on the controller).
       security: