skills: document file ownership as security layer

Protected files are intentionally admin-owned so the agent cannot
write to them even with full shell access. Updated both control-agent
and dev-agent skills to explain the three enforcement layers and
explicitly warn against "fixing" ownership on protected files.

Author: benvinegar

pi/skills/control-agent/SKILL.md

@@ -27,7 +27,7 @@ You **cannot** modify security files — they are protected by a root-owned pre-
 - `slack-bridge/security.mjs` (and its tests)
 - `SECURITY.md`, `setup.sh`, `start.sh`, `hooks/`
 
-If you need changes to protected files, report the need to the admin.
+These are enforced by three layers: admin file ownership (you cannot write to them), tool-guard (blocks tool calls), and a root-owned pre-commit hook (blocks commits). **Do NOT** attempt to fix file ownership or permissions on protected files — their admin ownership is intentional security. If you need changes, report the need to the admin.
 
 ## External Content Security
 

pi/skills/dev-agent/SKILL.md

@@ -39,7 +39,12 @@ You **cannot** modify protected security files in `~/hornet/`:
 - `bin/`, `hooks/`, `setup.sh`, `start.sh`, `SECURITY.md`
 - `pi/extensions/tool-guard.ts`, `slack-bridge/security.mjs` (and their tests)
 
-These are enforced by a root-owned pre-commit hook and tool-guard rules. If you need changes, report to the admin via Hornet.
+These are enforced by three layers:
+1. **File ownership** — protected files are owned by the admin user, not you. You cannot write to them even with shell access.
+2. **Tool-guard** — the pi extension blocks write/edit tool calls to protected paths before they hit disk.
+3. **Pre-commit hook** — root-owned hook blocks git commits of protected files.
+
+**Do NOT** attempt to fix file ownership or permissions on protected files — their admin ownership is intentional security. If you need changes, report to the admin via Hornet.
 
 ## Behavior