docs: factual audit + reference sync — 260 findings corrected

Parallel 6-agent audit against official Anthropic docs (llms-full.txt).
Key corrections applied across permissions, hooks, MCP, security, privacy, reference.yaml.

Highlights:
- Fix MCP config path (~/.claude.json), mcpServers key, variable substitution syntax
- Fix permission modes (5 not 3), :* syntax (×6), Stop event description
- Fix hook JSON field names (hook_event_name, tool_name, tool_input, session_id)
- Fix filesystem restriction docs (permission rules, not settings.json keys)
- Fix data-privacy: 4-tier retention, /bug 5yr warning, ZDR conditions, 5 telemetry opt-out vars
- Add official llms.txt/llms-full.txt references to CLAUDE.md + machine-readable/llms.txt
- Reference.yaml: 375 entries re-synced (92% had wrong line numbers — guide grew 15K→21K lines)
- New script: scripts/resync-reference-yaml.py for automated line number sync
- Quiz: corrected answers for hooks (07), memory settings (03), MCP servers (08)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

examples/commands/diagnose.md

@@ -51,7 +51,7 @@ cat .claude/settings.json 2>/dev/null || echo "No project settings"
 ls -la CLAUDE.md .claude/CLAUDE.md ~/.claude/CLAUDE.md 2>/dev/null
 
 # MCP config
-cat ~/.claude/mcp.json 2>/dev/null || echo "No MCP config"
+cat ~/.claude.json 2>/dev/null | jq '.mcpServers // empty' || echo "No MCP config"
 ```
 
 ### Step 4: Present Categories
@@ -150,13 +150,13 @@ cat ~/.claude/settings.json | jq '.permissions.allow'
 
 **Likely causes**:
 1. Server not installed globally
-2. Wrong path in mcp.json
+2. Wrong path in MCP config
 3. Missing environment variables
 
 **Quick diagnostic**:
 ```bash
 # Check MCP config
-cat ~/.claude/mcp.json | jq '.mcpServers'
+cat ~/.claude.json | jq '.mcpServers'
 
 # Check if server binary exists
 which mcp-server-sequential

examples/commands/security-check.md

@@ -26,10 +26,10 @@ Read the user's MCP configuration:
 
 ```bash
 # Global MCP config
-cat ~/.claude/mcp.json 2>/dev/null
+cat ~/.claude.json 2>/dev/null | jq '.mcpServers // empty'
 
 # Project MCP config
-cat .claude/mcp.json 2>/dev/null
+cat .mcp.json 2>/dev/null
 ```
 
 **Check against threat-db.yaml:**

examples/hooks/README.md

@@ -54,7 +54,7 @@ Hooks are scripts that execute automatically on Claude Code events. They enable
 | `Notification` | When Claude sends a notification | Sound alerts, external notifications |
 | `SessionStart` | At session start | Initialization, environment setup |
 | `SessionEnd` | At session end | Cleanup, session summary |
-| `Stop` | User interrupts operation | State saving, graceful shutdown |
+| `Stop` | Claude finishes responding | Post-response actions, state saving |
 
 ## Advanced Guardrails (NEW in v3.3.0)
 

examples/hooks/bash/learning-capture.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Hook: Stop - Capture one learning insight at session end
-# Event: Stop (when user ends session or interrupts)
+# Event: Stop (when Claude finishes responding)
 # Purpose: Build a learning journal with minimal friction
 #
 # Exit codes:

examples/hooks/bash/mcp-config-integrity.sh

@@ -6,7 +6,7 @@
 # Purpose: Verify MCP configuration has not been tampered with
 #
 # This hook addresses CVE-2025-54135 and CVE-2025-54136 by:
-#   - Computing hash of ~/.claude/mcp.json
+#   - Computing hash of ~/.claude.json (MCP config location)
 #   - Comparing against stored baseline
 #   - Alerting on unauthorized modifications
 #   - Checking project-level .mcp.json for suspicious content
@@ -22,7 +22,7 @@
 #   }
 #
 # Initial setup (run once to create baseline):
-#   sha256sum ~/.claude/mcp.json > ~/.claude/.mcp-baseline.sha256
+#   sha256sum ~/.claude.json > ~/.claude/.mcp-baseline.sha256
 #
 # Exit codes:
 #   0 = allow (config unchanged or no baseline)
@@ -36,7 +36,7 @@
 set -euo pipefail
 
 # Configuration paths
-MCP_CONFIG="${HOME}/.claude/mcp.json"
+MCP_CONFIG="${HOME}/.claude.json"
 MCP_BASELINE="${HOME}/.claude/.mcp-baseline.sha256"
 PROJECT_MCP=".mcp.json"
 
@@ -51,11 +51,11 @@ if [[ -f "$MCP_CONFIG" ]]; then
         BASELINE_HASH=$(awk '{print $1}' "$MCP_BASELINE" 2>/dev/null || echo "")
 
         if [[ -n "$CURRENT_HASH" && -n "$BASELINE_HASH" && "$CURRENT_HASH" != "$BASELINE_HASH" ]]; then
-            WARNINGS+=("MCP config modified since baseline was created. Review ~/.claude/mcp.json for unauthorized changes. Run 'sha256sum ~/.claude/mcp.json > ~/.claude/.mcp-baseline.sha256' to update baseline if changes are legitimate.")
+            WARNINGS+=("MCP config modified since baseline was created. Review ~/.claude.json for unauthorized changes. Run 'sha256sum ~/.claude.json > ~/.claude/.mcp-baseline.sha256' to update baseline if changes are legitimate.")
         fi
     else
         # No baseline - suggest creating one
-        WARNINGS+=("No MCP config baseline found. Consider running: sha256sum ~/.claude/mcp.json > ~/.claude/.mcp-baseline.sha256")
+        WARNINGS+=("No MCP config baseline found. Consider running: sha256sum ~/.claude.json > ~/.claude/.mcp-baseline.sha256")
     fi
 
     # === CHECK FOR SUSPICIOUS MCP SERVERS ===