chore: enhance protection for quality test allowlists and thresholds

- Added documentation to `CLAUDE.md` outlining strict policies against modifying quality test allowlists and thresholds without explicit user permission.
- Introduced new hookify configurations to block modifications to `src/test/code-quality.test.ts` via bash commands and Serena plugins, ensuring the integrity of quality tests.
- Updated submodule reference for the client.

.claude/hookify.block-code-quality-test-bash.local.md

@@ -0,0 +1,29 @@
+---
+name: block-code-quality-test-bash
+enabled: true
+event: bash
+action: block
+pattern: (sed|awk|cat\s*>|echo\s*>|tee|cp\s+.*code-quality\.test\.ts|mv\s+.*code-quality\.test\.ts|rm\s+.*code-quality\.test\.ts|>|>>).*code-quality\.test\.ts|code-quality\.test\.ts.*(>|>>|\|.*tee)
+---
+
+**BLOCKED: Protected File via Bash**
+
+The file `src/test/code-quality.test.ts` is protected from bash modifications.
+
+**Detected:** Attempt to modify protected file via bash command.
+
+**Blocked commands include:**
+- `sed` editing
+- `awk` modifications
+- Redirections (`>`, `>>`)
+- `tee` writes
+- `cp` overwrites
+- `mv` operations
+- `rm` deletions
+
+**Allowed operations:**
+- `cat` (read only, without redirection)
+- `grep` (searching)
+- `head`, `tail` (viewing)
+
+If you need to modify this file via bash, please ask the user for explicit permission first.

.claude/hookify.block-code-quality-test-edits.local.md

@@ -0,0 +1,27 @@
+---
+name: block-code-quality-test-edits
+enabled: true
+event: file
+action: block
+conditions:
+  - field: file_path
+    operator: regex_match
+    pattern: src/test/code-quality\.test\.ts$
+---
+
+**BLOCKED: Protected File**
+
+The file `src/test/code-quality.test.ts` is protected from modifications.
+
+**Reason:** This file contains quality test allowlists and thresholds that should not be modified without explicit user permission.
+
+**Allowed operations:**
+- Reading the file (Read tool)
+- Referencing the file in discussions
+
+**Blocked operations:**
+- Edit tool modifications
+- Write tool overwrites
+- MultiEdit changes
+
+If you need to modify this file, please ask the user for explicit permission first.

.claude/hookify.block-code-quality-test-serena-plugin.local.md

@@ -0,0 +1,32 @@
+---
+name: block-code-quality-test-serena-plugin
+enabled: true
+event: all
+action: block
+tool_matcher: mcp__plugin_serena_serena__replace_content|mcp__plugin_serena_serena__replace_symbol_body|mcp__plugin_serena_serena__create_text_file|mcp__plugin_serena_serena__insert_before_symbol|mcp__plugin_serena_serena__insert_after_symbol|mcp__plugin_serena_serena__rename_symbol
+conditions:
+  - field: relative_path
+    operator: regex_match
+    pattern: (^|/)src/test/code-quality\.test\.ts$
+---
+
+**BLOCKED: Protected File via Serena Plugin MCP**
+
+The file `src/test/code-quality.test.ts` is protected from modifications.
+
+**Detected:** Attempt to modify protected file via Serena plugin MCP tool.
+
+**Blocked operations:**
+- `replace_content`
+- `replace_symbol_body`
+- `create_text_file`
+- `insert_before_symbol`
+- `insert_after_symbol`
+- `rename_symbol`
+
+**Allowed operations:**
+- Reading file content
+- Symbol lookups (`find_symbol`, `get_symbols_overview`)
+- Pattern searches (`search_for_pattern`)
+
+If you need to modify this file, please ask the user for explicit permission first.

.claude/hookify.block-code-quality-test-serena.local.md

@@ -0,0 +1,32 @@
+---
+name: block-code-quality-test-serena
+enabled: true
+event: all
+action: block
+tool_matcher: mcp__serena__replace_content|mcp__serena__replace_symbol_body|mcp__serena__create_text_file|mcp__serena__insert_before_symbol|mcp__serena__insert_after_symbol|mcp__serena__rename_symbol
+conditions:
+  - field: relative_path
+    operator: regex_match
+    pattern: (^|/)src/test/code-quality\.test\.ts$
+---
+
+**BLOCKED: Protected File via Serena MCP**
+
+The file `src/test/code-quality.test.ts` is protected from modifications.
+
+**Detected:** Attempt to modify protected file via Serena MCP tool.
+
+**Blocked operations:**
+- `replace_content`
+- `replace_symbol_body`
+- `create_text_file`
+- `insert_before_symbol`
+- `insert_after_symbol`
+- `rename_symbol`
+
+**Allowed operations:**
+- Reading file content
+- Symbol lookups (`find_symbol`, `get_symbols_overview`)
+- Pattern searches (`search_for_pattern`)
+
+If you need to modify this file, please ask the user for explicit permission first.

CLAUDE.md

@@ -684,6 +684,7 @@ source .venv/bin/activate && basedpyright src/noteflow/
 |----------------|----------------|
 | `Makefile` | All modifications |
 | `tests/quality/` (except `baselines.json`) | All modifications |
+| `client/src/test/code-quality.test.ts` | All modifications to allowlists/thresholds |
 | `pyproject.toml`, `ruff.toml`, `pyrightconfig.json` | All edits |
 | `biome.json`, `tsconfig.json`, `.eslintrc*` | All edits |
 | `.rustfmt.toml`, `.clippy.toml` | All edits |
@@ -706,6 +707,33 @@ If you encounter lint errors, type errors, or test failures—**even if they exi
 2. Add to todo list (for complex issues)
 3. Launch a subagent to fix (for parallelizable work)
 
+### Policy: Never Modify Quality Test Allowlists
+
+**STRICTLY FORBIDDEN** without explicit user permission:
+
+1. Adding entries to allowlists/whitelists in quality tests (e.g., `allowedNumbers`, `ALLOWED_LONG_FILES`, `allowedStorageFiles`)
+2. Increasing thresholds (e.g., `toBeLessThanOrEqual(0)` → `toBeLessThanOrEqual(5)`)
+3. Adding exclusion patterns to skip files from quality checks
+4. Modifying filter functions to bypass detection (e.g., `isNotMagicNumber`)
+
+**When quality tests fail, the correct approach is:**
+
+1. **Fix the actual code** that triggers the violation
+2. If the detection is a false positive (e.g., sprint references in comments), **improve the filter logic** to correctly exclude false positives while still catching real issues
+3. **Never** add arbitrary values to allowlists just to make tests pass
+
+**Example of WRONG approach:**
+```typescript
+// BAD: Adding sprint numbers to allowlist to avoid fixing code
+const allowedNumbers = ['100', '200', '001', '002', '003'];  // ❌
+```
+
+**Example of CORRECT approach:**
+```typescript
+// GOOD: Improve filter to detect sprint references in comments
+if (/(?:GAP|Sprint)[- ]?\d+/i.test(content)) return true;  // ✓
+```
+
 ---
 
 ## Proto/gRPC