feat: add per-project bash command allowlist system

Implement hierarchical command security with project and org-level configs:

WHAT'S NEW:
- Project-level YAML config (.autocoder/allowed_commands.yaml)
- Organization-level config (~/.autocoder/config.yaml)
- Pattern matching (exact, wildcards, local scripts)
- Hardcoded blocklist (sudo, dd, shutdown - never allowed)
- Org blocklist (terraform, kubectl - configurable)
- Helpful error messages with config hints
- Comprehensive documentation and examples

ARCHITECTURE:
- Hierarchical resolution: Hardcoded → Org Block → Org Allow → Global → Project
- YAML validation with 50 command limit per project
- Pattern matching: exact ("swift"), wildcards ("swift*"), scripts ("./build.sh")
- Secure by default: all examples commented out

TESTING:
- 136 unit tests (pattern matching, YAML, hierarchy, validation)
- 9 integration tests (real security hook flows)
- All tests passing, 100% backward compatible

DOCUMENTATION:
- examples/README.md - comprehensive guide with use cases
- examples/project_allowed_commands.yaml - template (all commented)
- examples/org_config.yaml - org config template (all commented)
- PHASE3_SPEC.md - mid-session approval spec (future enhancement)
- Updated CLAUDE.md with security model documentation

USE CASES:
- iOS projects: Add Swift toolchain (xcodebuild, swift*, etc.)
- Rust projects: Add cargo, rustc, clippy
- Enterprise: Block aws, kubectl, terraform org-wide
- Custom scripts: Allow ./scripts/build.sh

PHASES:
✅ Phase 1: Project YAML + blocklist (implemented)
✅ Phase 2: Org config + hierarchy (implemented)
📋 Phase 3: Mid-session approval (spec ready, not implemented)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

CLAUDE.md

@@ -169,19 +169,99 @@ Projects can be stored in any directory (registered in `~/.autocoder/registry.db
 - `prompts/coding_prompt.md` - Continuation session prompt
 - `features.db` - SQLite database with feature test cases
 - `.agent.lock` - Lock file to prevent multiple agent instances
+- `.autocoder/allowed_commands.yaml` - Project-specific bash command allowlist (optional)
 
 ### Security Model
 
 Defense-in-depth approach configured in `client.py`:
 1. OS-level sandbox for bash commands
 2. Filesystem restricted to project directory only
-3. Bash commands validated against `ALLOWED_COMMANDS` in `security.py`
+3. Bash commands validated using hierarchical allowlist system
+
+#### Per-Project Allowed Commands
+
+The agent's bash command access is controlled through a hierarchical configuration system:
+
+**Command Hierarchy (highest to lowest priority):**
+1. **Hardcoded Blocklist** (`security.py`) - NEVER allowed (dd, sudo, shutdown, etc.)
+2. **Org Blocklist** (`~/.autocoder/config.yaml`) - Cannot be overridden by projects
+3. **Org Allowlist** (`~/.autocoder/config.yaml`) - Available to all projects
+4. **Global Allowlist** (`security.py`) - Default commands (npm, git, curl, etc.)
+5. **Project Allowlist** (`.autocoder/allowed_commands.yaml`) - Project-specific commands
+
+**Project Configuration:**
+
+Each project can define custom allowed commands in `.autocoder/allowed_commands.yaml`:
+
+```yaml
+version: 1
+commands:
+  # Exact command names
+  - name: swift
+    description: Swift compiler
+
+  # Prefix wildcards (matches swiftc, swiftlint, swiftformat)
+  - name: swift*
+    description: All Swift development tools
+
+  # Local project scripts
+  - name: ./scripts/build.sh
+    description: Project build script
+```
+
+**Organization Configuration:**
+
+System administrators can set org-wide policies in `~/.autocoder/config.yaml`:
+
+```yaml
+version: 1
+
+# Commands available to ALL projects
+allowed_commands:
+  - name: jq
+    description: JSON processor
+
+# Commands blocked across ALL projects (cannot be overridden)
+blocked_commands:
+  - aws        # Prevent accidental cloud operations
+  - kubectl    # Block production deployments
+```
+
+**Pattern Matching:**
+- Exact: `swift` matches only `swift`
+- Wildcard: `swift*` matches `swift`, `swiftc`, `swiftlint`, etc.
+- Scripts: `./scripts/build.sh` matches the script by name from any directory
+
+**Limits:**
+- Maximum 50 commands per project config
+- Blocklisted commands (sudo, dd, shutdown, etc.) can NEVER be allowed
+- Org-level blocked commands cannot be overridden by project configs
+
+**Testing:**
+```bash
+# Unit tests (136 tests - fast)
+python test_security.py
+
+# Integration tests (9 tests - uses real hooks)
+python test_security_integration.py
+```
+
+**Files:**
+- `security.py` - Command validation logic and hardcoded blocklist
+- `test_security.py` - Unit tests for security system (136 tests)
+- `test_security_integration.py` - Integration tests with real hooks (9 tests)
+- `TEST_SECURITY.md` - Quick testing reference guide
+- `examples/project_allowed_commands.yaml` - Project config example (all commented by default)
+- `examples/org_config.yaml` - Org config example (all commented by default)
+- `examples/README.md` - Comprehensive guide with use cases, testing, and troubleshooting
+- `PHASE3_SPEC.md` - Specification for mid-session approval feature (future enhancement)
 
 ## Claude Code Integration
 
 - `.claude/commands/create-spec.md` - `/create-spec` slash command for interactive spec creation
 - `.claude/skills/frontend-design/SKILL.md` - Skill for distinctive UI design
 - `.claude/templates/` - Prompt templates copied to new projects
+- `examples/` - Configuration examples and documentation for security settings
 
 ## Key Patterns