docs(onecli): expand secrets section; correct stale admin-roles refs

Document the selective-mode gotcha for auto-created OneCLI agents
(no secrets injected by default) with the CLI commands to inspect
and fix it. Note that approval policies are not configurable via
the SDK or `onecli@1.3.0` CLI — web UI only.

Replace stale `NANOCLAW_ADMIN_USER_IDS` / `src/access.ts` references
across CLAUDE.md, docs/architecture.md, docs/checklist.md, and
docs/module-contract.md. Admin gating now runs host-side in
src/command-gate.ts against `user_roles`; approver picks live in
src/modules/approvals/primitive.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/modules/permissions/access.ts

@@ -1,14 +1,13 @@
 /**
- * Access control (permissions module half of src/access.ts).
+ * Access control.
  *
  * Privilege is user-level, not group-level. A user holds zero or more roles
  * (owner | admin) via `user_roles`, and is optionally "known" in specific
  * agent groups via `agent_group_members`. Admins are implicitly members of
  * the groups they administer.
  *
- * The approver-picking functions (pickApprover, pickApprovalDelivery) stay
- * in src/access.ts for now — they move into the approvals module in the
- * planned PR #7 re-tier.
+ * Approver-picking (`pickApprover`, `pickApprovalDelivery`) lives in the
+ * approvals module — see `src/modules/approvals/primitive.ts`.
  */
 import { isMember } from './db/agent-group-members.js';
 import { isAdminOfAgentGroup, isGlobalAdmin, isOwner } from './db/user-roles.js';