
fix(entrypoint): increase /tmp tmpfs from 128MB to 512MB #72

Merged
perezd merged 1 commit into limbic-systems:main from limbibot:fix/increase-tmp-size on Apr 6, 2026

@limbibot (Collaborator) commented Apr 6, 2026

Summary

  • Increase /tmp tmpfs mount from 128MB to 512MB to resolve insufficient temporary storage
  • Update documentation in CLAUDE.md and README.md to reflect the new size

Closes #71

Layer-Impact Assessment

Security Design Checklist

  • Trust anchor mutability: N/A — hardcoded literal in boot script, not writable at runtime
  • File and output visibility: N/A — no new files; /tmp remains chmod 1777
  • Allowlist vs blocklist: N/A — size parameter, not a filtering mechanism
  • Fail mode: Unchanged — mount failure = container won't boot (fail-closed)
  • Temporal safety: N/A — mount at boot step 2, before non-root processes
  • Network exposure: N/A — no relationship to network
  • Layer compensation: /workspace already has 512MB ceiling; total tmpfs ~1.6GB to ~2GB. No new attack vectors

Panel Review

| Expert | Verdict |
| --- | --- |
| Container Security Specialist | approve-with-conditions (noexec/nosuid follow-on) |
| Cloud Infra Security Engineer | approve-with-conditions (RAM docs follow-on) |
| Offensive Security / Red Team | approve-with-conditions (quantitative, not qualitative) |
| Compliance / Risk Management | approve |

All conditions are follow-on suggestions, not blockers.

Test Plan

  • bunx prettier --check "**/*.{ts,md}" — passes
  • cd approval && bun test — 393/393 pass
  • No stale 128MB references in modified files
  • Verify mount sizes in entrypoint.sh are correct (512m/512m/1024m)

The 128MB limit was insufficient for runtime temporary storage needs.
Increases to 512MB to match the /workspace mount ceiling.

Closes #71

@perezd merged commit c236393 into limbic-systems:main on Apr 6, 2026
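
The test plan's mount-size check and the panel's noexec/nosuid follow-on can be scripted as one audit over the mount table. This is an added example, not code from this PR or the project's entrypoint.sh; the function names are hypothetical and the sample mount table is constructed, not the project's real mount options.

```shell
#!/usr/bin/env bash
# Added example: audit tmpfs mounts for expected size and hardening flags.
# SAMPLE_MOUNTS is constructed /proc/mounts-style input; use /proc/mounts live.
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=524288k,mode=1777 0 0
tmpfs /workspace tmpfs rw,relatime,size=524288k 0 0'

# opts_for MOUNTS MOUNTPOINT -> options of the last tmpfs mounted there
opts_for() {
  printf '%s\n' "$1" |
    awk -v mp="$2" '$2 == mp && $3 == "tmpfs" { o = $4 } END { print o }'
}

# size_mib OPTS -> size= value in MiB (empty if absent; kernel reports KiB)
size_mib() {
  local raw
  raw=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^size=//p' | tail -n 1)
  case "$raw" in
    '') ;;
    *[kK]) echo $(( ${raw%?} / 1024 )) ;;
    *[mM]) echo "${raw%?}" ;;
    *[gG]) echo $(( ${raw%?} * 1024 )) ;;
    *[!0-9]*) echo unknown ;;              # e.g. size=50%
    *) echo $(( ${raw} / 1048576 )) ;;     # bare number means bytes
  esac
}

# missing_flags OPTS -> which of noexec/nosuid are absent
missing_flags() {
  local out='' f
  for f in noexec nosuid; do
    case ",$1," in *",$f,"*) ;; *) out="$out $f" ;; esac
  done
  echo "${out# }"
}

# audit_mount MOUNTS MOUNTPOINT EXPECTED_MIB -> one-line verdict; 1 on FAIL
audit_mount() {
  local opts size miss
  opts=$(opts_for "$1" "$2")
  [ -n "$opts" ] || { echo "$2 FAIL not-a-tmpfs-mount"; return 1; }
  size=$(size_mib "$opts")
  [ "$size" = "$3" ] || { echo "$2 FAIL size=${size:-unset}MiB want=${3}MiB"; return 1; }
  miss=$(missing_flags "$opts")
  if [ -z "$miss" ]; then echo "$2 OK size=${size}MiB"
  else echo "$2 WARN size=${size}MiB missing=$miss"; fi
}

audit_mount "$SAMPLE_MOUNTS" /tmp 512
audit_mount "$SAMPLE_MOUNTS" /workspace 512
```

A size mismatch is reported as FAIL with a non-zero return so it can gate CI, while a missing noexec or nosuid flag is only a WARN, matching the panel's treatment of those flags as follow-ons rather than blockers.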
Development

Successfully merging this pull request may close these issues.

bug: increase /tmp size limit from 128MB to 512mb
