docs: sync agent modes from PR #282, Claude/Codex commands from #235, stub web UI

- Reduce agent modes from 7 to 3 (builder, analyst, plan) per PR #282
- Add SQL Write Access Control section with query classification table
- Add sql_execute_write permission to permissions reference
- Update /data to /altimate in Claude Code guide, add /configure-claude setup
- Add Codex CLI skill integration and /configure-codex setup
- Add /configure-claude and /configure-codex to commands reference
- Stub web UI page with Coming Soon notice
- Update all cross-references (getting-started, quickstart, index, tui, training, migration)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Saurabh Arora

docs/docs/configure/agents.md

@@ -4,26 +4,46 @@ Agents define different AI personas with specific models, prompts, permissions,
 
 ## Built-in Agents
 
-### General Purpose
+| Agent | Description | Access Level |
+|-------|------------|-------------|
+| `builder` | Create and modify dbt models, SQL pipelines, and data transformations | Full read/write. SQL mutations prompt for approval. |
+| `analyst` | Explore data, run SELECT queries, inspect schemas, generate insights | Read-only (enforced). SQL writes denied. Safe bash commands auto-allowed. |
+| `plan` | Plan before acting, restricted to planning files only | Minimal: no edits, no bash, no SQL |
 
-| Agent | Description |
-|-------|------------|
-| `general` | Default general-purpose coding agent |
-| `plan` | Planning agent that analyzes before acting |
-| `build` | Build-focused agent that prioritizes code generation |
-| `explore` | Read-only exploration agent |
+### Builder
 
-### Data Engineering
+Full access mode. Can read/write files, run any bash command (with approval), execute SQL, and modify dbt models. SQL write operations (`INSERT`, `UPDATE`, `DELETE`, `CREATE`, etc.) prompt for user approval. Destructive SQL (`DROP DATABASE`, `DROP SCHEMA`, `TRUNCATE`) is hard-blocked.
 
-| Agent | Description | Permissions |
-|-------|------------|------------|
-| `builder` | Create dbt models, SQL pipelines, transformations | Full read/write |
-| `analyst` | Explore data, run SELECT queries, generate insights | Read-only (enforced) |
-| `validator` | Data quality checks, schema validation, test coverage | Read + validate |
-| `migrator` | Cross-warehouse SQL translation and migration | Read/write for migration |
+### Analyst
+
+Truly read-only mode for safe data exploration:
+
+- **File access**: Read, grep, glob without prompts
+- **SQL**: SELECT queries execute freely. Write queries are denied (not prompted, blocked entirely)
+- **Bash**: Safe commands auto-allowed (`ls`, `grep`, `cat`, `head`, `tail`, `find`, `wc`). dbt read commands allowed (`dbt list`, `dbt ls`, `dbt debug`, `dbt deps`). Everything else denied.
+- **Web**: Fetch and search allowed without prompts
+- **Schema/warehouse/finops**: All inspection tools available
 
 !!! tip
-    Use the `analyst` agent when exploring data to ensure no accidental writes. Switch to `builder` when you are ready to create or modify models.
+    Use `analyst` when exploring data to ensure no accidental writes. Switch to `builder` when you're ready to create or modify models.
+
+### Plan
+
+Planning mode with minimal permissions. Can only read files and edit plan files. No SQL, no bash, no file modifications.
+
+## SQL Write Access Control
+
+All SQL queries are classified before execution:
+
+| Query Type | Builder | Analyst |
+|-----------|---------|---------|
+| `SELECT`, `SHOW`, `DESCRIBE`, `EXPLAIN` | Allowed | Allowed |
+| `INSERT`, `UPDATE`, `DELETE`, `CREATE`, `ALTER` | Prompts for approval | Denied |
+| `DROP DATABASE`, `DROP SCHEMA`, `TRUNCATE` | Blocked (cannot override) | Blocked |
+
+The classifier detects write operations including: `INSERT`, `UPDATE`, `DELETE`, `MERGE`, `CREATE`, `DROP`, `ALTER`, `TRUNCATE`, `GRANT`, `REVOKE`, `COPY INTO`, `CALL`, `EXEC`, `EXECUTE IMMEDIATE`, `BEGIN`, `DECLARE`, `REPLACE`, `UPSERT`, `RENAME`.
+
+Multi-statement queries (`SELECT 1; INSERT INTO ...`) are classified as write if any statement is a write.
 
 ## Custom Agents
 
@@ -86,11 +106,11 @@ You are a Snowflake cost optimization expert. For every query:
 ```
 
 !!! info
-    Markdown agent files use YAML frontmatter for configuration and the body as the system prompt. This is a convenient way to define agents without editing your main config file.
+    Markdown agent files use YAML frontmatter for configuration and the body as the system prompt.
 
 ## Agent Permissions
 
-Each agent can have its own permission overrides that restrict or expand the default permissions:
+Each agent can have its own permission overrides:
 
 ```json
 {
@@ -99,10 +119,11 @@ Each agent can have its own permission overrides that restrict or expand the def
       "permission": {
         "write": "deny",
         "edit": "deny",
+        "sql_execute_write": "deny",
         "bash": {
-          "dbt show *": "allow",
+          "*": "deny",
           "dbt list *": "allow",
-          "*": "deny"
+          "ls *": "allow"
         }
       }
     }
@@ -117,4 +138,4 @@ Each agent can have its own permission overrides that restrict or expand the def
 
 - **TUI**: Press leader + `a` or use `/agent <name>`
 - **CLI**: `altimate --agent analyst`
-- **In conversation**: Type `/agent validator`
+- **In conversation**: Type `/agent analyst`

docs/docs/configure/commands.md

@@ -2,14 +2,16 @@
 
 ## Built-in Commands
 
-altimate ships with four built-in slash commands:
+altimate ships with six built-in slash commands:
 
 | Command | Description |
 |---------|-------------|
 | `/init` | Create or update an AGENTS.md file with build commands and code style guidelines. |
 | `/discover` | Scan your data stack and set up warehouse connections. Detects dbt projects, warehouse connections from profiles/Docker/env vars, installed tools, and config files. Walks you through adding and testing new connections, then indexes schemas. |
 | `/review` | Review changes. Accepts `commit`, `branch`, or `pr` as an argument (defaults to uncommitted changes). |
 | `/feedback` | Submit product feedback as a GitHub issue. Guides you through title, category, description, and optional session context. |
+| `/configure-claude` | Configure altimate as a `/altimate` slash command in [Claude Code](https://claude.com/claude-code). Writes `~/.claude/commands/altimate.md` so you can invoke altimate from within Claude Code sessions. |
+| `/configure-codex` | Configure altimate as a skill in [Codex CLI](https://developers.openai.com/codex). Creates `~/.codex/skills/altimate/SKILL.md` so Codex can delegate data engineering tasks to altimate. |
 
 ### `/discover`
 
@@ -47,6 +49,31 @@ Submit product feedback directly from the CLI. The agent walks you through:
 
 Requires the `gh` CLI to be installed and authenticated (`gh auth login`).
 
+### `/configure-claude`
+
+Set up altimate as a tool inside Claude Code:
+
+```
+/configure-claude
+```
+
+This creates `~/.claude/commands/altimate.md`, which registers a `/altimate` slash command in Claude Code. After running this, you can use `/altimate` in any Claude Code session to delegate data engineering tasks:
+
+```
+# In Claude Code
+/altimate analyze the cost of our top 10 most expensive queries
+```
+
+### `/configure-codex`
+
+Set up altimate as a skill inside Codex CLI:
+
+```
+/configure-codex
+```
+
+This creates `~/.codex/skills/altimate/SKILL.md`. Restart Codex after running this command. Codex will then automatically invoke altimate when you ask about data engineering tasks.
+
 ## Custom Commands
 
 Custom commands let you define reusable slash commands.
@@ -109,3 +136,14 @@ Commands are loaded from:
 2. `~/.config/altimate-code/commands/` globally
 
 Press leader + `/` to see all available commands.
+
+## External CLI Integration
+
+The `/configure-claude` and `/configure-codex` commands write integration files to external CLI tools:
+
+| Command | File created | Purpose |
+|---------|-------------|---------|
+| `/configure-claude` | `~/.claude/commands/altimate.md` | Registers `/altimate` slash command in Claude Code |
+| `/configure-codex` | `~/.codex/skills/altimate/SKILL.md` | Registers altimate as a Codex CLI skill |
+
+These files allow you to invoke altimate's data engineering capabilities from within other AI coding agents.

docs/docs/configure/permissions.md

@@ -86,6 +86,7 @@ Override permissions for specific agents:
 | `grep` | Yes | Search files |
 | `list` | Yes | List directories |
 | `bash` | Yes | Shell commands |
+| `sql_execute_write` | Yes | SQL write operations (INSERT, UPDATE, DELETE, etc.) |
 | `task` | Yes | Spawn subagents |
 | `lsp` | Yes | LSP operations |
 | `skill` | Yes | Execute skills |
@@ -205,20 +206,22 @@ Give each agent only the permissions it needs:
       "permission": {
         "write": "deny",
         "edit": "deny",
+        "sql_execute_write": "deny",
         "bash": {
-          "SELECT *": "allow",
-          "dbt docs *": "allow",
-          "*": "deny"
+          "*": "deny",
+          "ls *": "allow",
+          "cat *": "allow",
+          "dbt list *": "allow"
         }
       }
     },
     "builder": {
       "permission": {
+        "sql_execute_write": "ask",
         "bash": {
           "*": "ask",
           "dbt *": "allow",
-          "git *": "ask",
-          "DROP *": "deny"
+          "rm -rf *": "deny"
         }
       }
     }