
(14/n) sync policy and semantic docs #27

Merged
philipnee merged 1 commit into main from docs/policy-semantic-sync
Apr 26, 2026

Conversation

@philipnee
Owner

Description:

Why

The client policy and semantic context tool work changed mvmt's actual security and product surface. The docs still described per-client scoping and HTTP proxy write gates as missing, which no longer matched the implementation.

What changed

  • Update README status and security sections for:
    • per-client tool scopes
    • semantic context tools
    • HTTP proxy write gates
    • remaining gaps such as admin UI, token issuance CLI, and memory-write tools
  • Document clients[] and semanticTools in the configuration guide.
  • Update the security memo to describe:
    • configured client identities
    • quarantined unknown OAuth clients
    • source/action permissions
    • owner/session token compatibility behavior
  • Update the architecture doc to show client policy in the request path.
  • Add semantic tool descriptions to the architecture doc.
  • Update audit log docs for clientId and deniedReason.
  • Clarify client setup behavior when clients[] is configured.
  • Remove stale language saying per-client connector scoping and HTTP proxy write gates are not enforced.

How

This is docs-only. It aligns public docs with the merged router enforcement and semantic context tool behavior, while keeping future work explicitly called out instead of overstating the current product.

Changed files

README.md - update status table, security model, config overview, and roadmap.

docs/security-memo.md - document client identity, permission enforcement, quarantine behavior, and remaining security priorities.

docs/architecture.md - update request pipeline and semantic tool architecture.

docs/configuration.md - document clients[], semanticTools, proxy id, and source IDs.

docs/connectors.md - update proxy guardrail wording.

docs/audit-log.md - document clientId and deniedReason.

docs/client-setup.md - clarify client token vs owner/session token behavior.

CHANGELOG.md - record policy and semantic tool additions.

Verification

npm run verify

@philipnee philipnee merged commit 67b6265 into main Apr 26, 2026
7 checks passed
@philipnee philipnee deleted the docs/policy-semantic-sync branch April 26, 2026 18:34