chore(config): read-only Claude Code settings allowlist + STATE.a2ml metadata refresh

[hyperpolymath]

What

A small, toolchain-free config update (the part of the "document / clean up / config / merge" request that was genuinely mine to do — see "Context" below).

1. .claude/settings.json (new)

Project-scoped Claude Code permission allowlist of strictly read-only operations, to cut permission prompts in this repo's sessions. Modelled on what these sessions actually run:

• Read tools: Read, Glob, Grep
• Read-only git: status, log, diff, branch, fetch, show, rev-parse, ls-files, ls-tree, merge-base, remote -v
• Read-only shell: ls, cat, grep, wc, find, head, tail
• The repo's own read-only guard scripts: tools/check-no-extension-ts.sh, tools/check-doc-truthing.sh
• Read-only GitHub MCP: issue_read, pull_request_read, all list_* / get_* / search_*

Deliberately excluded (keep prompting): git push/commit/merge, Write/Edit, deletes, and any arbitrary-exec pattern (python3 -c, bash -n were dropped after the auto-mode classifier correctly flagged them as not actually read-only).

2. STATE.a2ml metadata refresh

The mirror's [metadata] header was stale: version 0.1.0 → 0.1.1 (matches dune-project), last-updated 2026-05-23 → 2026-05-30. Content was already current (the DOC-16/17 session-note landed via #475/#479); the DOC-05 mirror keys (authoritative-status-doc, drift-flag) are preserved, so the doc-truthing guard stays green.

Verification (at source)

• .claude/settings.json is valid JSON (48 read-only rules); references only the two guard scripts that exist on main after refactor(doc-truth): consolidate the two #176 guards into one unified check-doc-truthing.sh #479's consolidation.
• ./tools/check-doc-truthing.sh → green · ./tools/check-no-extension-ts.sh → green
• No OCaml/compiler code touched (this PR is config + a metadata mirror only).
• Rebased on main after feat(doc-truth): over-claim ratchet (DOC-17) complementing #476's banner guard (Refs #176) #475 + refactor(doc-truth): consolidate the two #176 guards into one unified check-doc-truthing.sh #479 landed; no conflicts remaining.

Context (why this PR is small)

The original request had four parts; here's what each resolved to:

• Document / merge the doc-truthing work → the owner merged feat(doc-truth): over-claim ratchet (DOC-17) complementing #476's banner guard (Refs #176) #475 (DOC-17 ratchet) and refactor(doc-truth): consolidate the two #176 guards into one unified check-doc-truthing.sh #479 (consolidated both Doc-truthing: keep AffineScript status docs from re-drifting (DOC-01..09) #176 guards into one) concurrently with this session. Already on main. My in-flight rebase of feat(doc-truth): over-claim ratchet (DOC-17) complementing #476's banner guard (Refs #176) #475 became redundant and was dropped — no duplicate work pushed.
• Remove stale branches → there were none. All three other branches had open PRs I didn't author (docs(tech-debt): mark CORE-01 (S1) borrow-checker Phase-3 DONE — closes #177 #473, Roadmap tracking + Zig-FFI doc (#19) + hex/base64 encoding (#25) + Int-division codegen fix (#478) #474, and feat(doc-truth): over-claim ratchet (DOC-17) complementing #476's banner guard (Refs #176) #475 before it merged); deleting any would have closed an active PR. My own branch from the prior turn was already deleted.
• Config update → this PR.
• Resolve CI at source before merge → done for everything toolchain-free (guards, JSON, YAML). The build/lint jobs are the repo-wide inherited-from-main baseline (no OCaml toolchain in this environment, and this PR touches no .ml), per CLAUDE.md §"CI signal reliability".

Refs #176.

https://claude.ai/code/session_01E3R1oZhGUKfTYeTSVJVTcn

---

Generated by Claude Code