fix(docs): critical factual corrections v3.6.1

Major audit correcting misleading documentation about Claude Code behavior:

### Fixed
- `--add-dir`: permissions (not context loading)
- `excludePatterns` → `permissions.deny` (never existed)
- `.claudeignore` removed (not an official feature)
- "selective loading" myth → lazy loading reality
- Invented CLI flags (`--think`, `--headless`, `--learn`) → prompt keywords
- `@` file reference: "loads automatically" → "reads on-demand"

### Added
- Session Search Tool (`cs`) - zero-dep bash script for finding sessions
- Security section: Known limitations of permissions.deny

15 files modified, 516 insertions, 200 deletions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

examples/scripts/audit-scan.sh

@@ -656,13 +656,13 @@ else
   fi
 
   echo -e "\n${BLUE}🔐 PRIVACY CHECK${NC}"
-  # Check excludePatterns for sensitive files
+  # Check permissions.deny for sensitive files
   HAS_ENV_EXCLUSION="false"
   if [[ -f "./.claude/settings.json" ]]; then
-    grep -q '\.env' "./.claude/settings.json" 2>/dev/null && HAS_ENV_EXCLUSION="true"
+    grep -q 'Read.*\.env' "./.claude/settings.json" 2>/dev/null && HAS_ENV_EXCLUSION="true"
   fi
 
-  [[ "$HAS_ENV_EXCLUSION" == "true" ]] && echo -e "  ${GREEN}✅${NC} .env excluded in settings" || echo -e "  ${RED}⚠️${NC}  .env NOT excluded (add to excludePatterns)"
+  [[ "$HAS_ENV_EXCLUSION" == "true" ]] && echo -e "  ${GREEN}✅${NC} .env blocked via permissions.deny" || echo -e "  ${RED}⚠️${NC}  .env NOT blocked (add Read(./.env*) to permissions.deny)"
 
   # Check for database MCP servers (production risk)
   if echo "$MCP_ALL_SERVERS" | grep -qiE "postgres|neon|supabase|mysql|database" 2>/dev/null; then