feat: add configuration management and MCP secrets workflows (closes #16204)

Major additions to address critical gaps in Claude Code configuration:

## New Documentation Sections

1. Section 3.2.1 "Version Control & Backup" (guide/ultimate-guide.md:4085)
   - Configuration hierarchy: global → project → local
   - Git strategy for ~/.claude (symlinks approach)
   - Backup strategies: Git remote, cloud sync, cron
   - Multi-machine sync workflows
   - Disaster recovery procedures
   - Documented .claude/settings.local.json (previously undocumented)

2. Section 8.3.1 "MCP Secrets Management" (guide/ultimate-guide.md:8113)
   - Three practical approaches: OS Keychain, .env, Secret Vaults
   - Secrets rotation workflow
   - Pre-commit secret detection
   - Verification checklist
   - Best practices summary

## New Templates

1. sync-claude-config.sh (examples/scripts/)
   - Commands: setup, sync, backup, restore, validate
   - .env parsing + envsubst for variable substitution
   - Git repo creation with symlinks
   - Validation checks (secrets not in Git)

2. pre-commit-secrets.sh (examples/hooks/bash/)
   - Detects 10+ secret patterns (OpenAI, GitHub, AWS, etc.)
   - Whitelist system for false positives
   - Clear error messages with remediation steps

3. settings.local.json.example (examples/config/)
   - Machine-specific overrides template
   - Example use cases and patterns

## Resource Evaluation

- Added docs/resource-evaluations/ratinaud-config-management-evaluation.md
- Score: 5/5 (CRITICAL)
- Validated via 3 Perplexity searches + technical-writer agent challenge
- Community demand: GitHub #16204 + brianlovin/claude-config

## Updated References

- machine-readable/reference.yaml: 22 new entries
- Configuration management sections
- MCP secrets workflows
- Community resources (Ratinaud, brianlovin, GitHub issue)

## Impact

- Security: Pre-commit hook prevents secret leaks
- Productivity: Multi-machine sync reduces manual reconfig
- Team coordination: Onboarding workflow for ~/.claude setup
- Disaster recovery: Backup/restore strategies documented

Credits:
- Martin Ratinaud (504 sessions, LinkedIn post)
- brianlovin/claude-config (community example)
- GitHub Issue #16204 (community request)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

examples/config/settings.local.json.example

@@ -0,0 +1,145 @@
+{
+  "__comment": "settings.local.json - Machine-specific overrides (gitignored)",
+  "__usage": [
+    "This file allows you to override team settings.json without Git conflicts",
+    "Place in: .claude/settings.local.json (project) or ~/.claude/settings.local.json (global)",
+    "Precedence: global < project settings.json < settings.local.json",
+    "This file should be listed in .gitignore"
+  ],
+
+  "__example_use_cases": [
+    "1. Skip linting on laptop (slower hardware)",
+    "2. Use different MCP endpoints for local development",
+    "3. Personal permission overrides without affecting team",
+    "4. Machine-specific hooks (e.g., notify Slack only on CI server)"
+  ],
+
+  "hooks": {
+    "__comment": "Override team hooks for this machine only",
+
+    "PreToolUse": [
+      {
+        "__example": "Skip expensive pre-commit checks on laptop",
+        "matcher": "Bash|Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "echo 'Skipping security check (local override)'",
+            "timeout": 100
+          }
+        ]
+      }
+    ],
+
+    "PostToolUse": [
+      {
+        "__example": "Disable auto-formatting on this machine (prefer manual)",
+        "matcher": "Edit|Write",
+        "hooks": []
+      }
+    ],
+
+    "UserPromptSubmit": [
+      {
+        "__example": "Add machine-specific context (hostname, branch info)",
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": ".claude/hooks/local-context.sh"
+          }
+        ]
+      }
+    ]
+  },
+
+  "permissions": {
+    "__comment": "Personal permission overrides (more permissive or restrictive)",
+
+    "allow": [
+      "Bash(npm *)",
+      "Bash(pnpm *)",
+      "Bash(git *)",
+      "Edit",
+      "Write",
+      "WebSearch"
+    ],
+
+    "deny": [
+      "__example": "Block dangerous commands even if team allows them",
+      "Bash(rm -rf *)",
+      "Bash(sudo *)",
+      "Bash(dd *)",
+      "Bash(mkfs.*)"
+    ],
+
+    "ask": [
+      "__example": "Ask before expensive operations (slow on laptop)",
+      "Bash(npm run build)",
+      "Bash(docker build)",
+      "Bash(cargo build --release)"
+    ]
+  },
+
+  "mcpServers": {
+    "__comment": "Machine-specific MCP server overrides",
+    "__use_case": "Use local MCP server instead of team's remote endpoint",
+
+    "postgres": {
+      "__example": "Override team's production DB with local dev DB",
+      "command": "npx",
+      "args": ["@modelcontextprotocol/server-postgres"],
+      "env": {
+        "DATABASE_URL": "postgresql://localhost:5432/dev_db"
+      }
+    },
+
+    "serena": {
+      "__example": "Use local Serena build for development",
+      "command": "node",
+      "args": ["/Users/yourname/dev/serena-mcp/dist/index.js"],
+      "env": {
+        "DEBUG": "true"
+      }
+    }
+  },
+
+  "__real_world_examples": {
+    "__laptop_skip_heavy_checks": {
+      "hooks": {
+        "PreToolUse": [
+          {
+            "matcher": "Bash|Edit|Write",
+            "hooks": [
+              {
+                "type": "command",
+                "command": "true",
+                "timeout": 10
+              }
+            ]
+          }
+        ]
+      }
+    },
+
+    "__ci_server_strict": {
+      "permissions": {
+        "deny": [
+          "Bash(git push)",
+          "Bash(npm publish)",
+          "WebSearch"
+        ]
+      }
+    },
+
+    "__local_dev_overrides": {
+      "mcpServers": {
+        "database": {
+          "env": {
+            "DATABASE_URL": "postgresql://localhost:5432/test"
+          }
+        }
+      }
+    }
+  }
+}