refactor(config): Route all config I/O through AppController

Eliminates 22 call sites that bypassed the AppController state owner
and read/wrote config.toml directly. AppController is now the single
source of truth for self.config; gui_2.py, commands.py, etc. go
through controller.save_config() / controller.load_config().

Production changes:
- src/models.py: rename load_config -> _load_config_from_disk,
  save_config -> _save_config_to_disk (private I/O primitives)
- src/app_controller.py: add public load_config()/save_config() methods
  that own the state. Update 3 internal call sites and 3 ConductorEngine
  call sites to pass max_workers from self.config
- src/multi_agent_conductor.py: ConductorEngine.__init__ now takes
  max_workers as a parameter (caller responsibility, not I/O primitive)
- src/external_editor.py: get_default_launcher() takes config as a
  parameter; gui_2.py:1311,4776 pass app.config
- src/gui_2.py: 17 sites of models.save_config(X.config) replaced with
  X.save_config() (delegates via __getattr__ to controller)
- src/commands.py: save_all() uses app.save_config()

Test changes (route through controller, not I/O primitive):
- tests/conftest.py: mock_app and app_instance fixtures now patch
  AppController.load_config/save_config instead of models I/O primitives
- 18 other test files: patches renamed from models._save_config_to_disk
  to AppController.save_config (and same for load_config)
- tests/test_app_controller_mcp.py: use SLOP_CONFIG env var instead of
  patching removed CONFIG_PATH module constant
- tests/test_parallel_execution.py: pass max_workers=2 explicitly to
  ConductorEngine (caller no longer reads config)
- tests/test_gui_paths.py: add save_config=MagicMock() to MockApp;
  assert on controller method, not I/O primitive
- tests/test_models_no_top_level_tomli_w.py: still calls private
  _save_config_to_disk directly (the only allowed exception; tests
  the lazy-load behavior of the primitive itself)

New files:
- scripts/audit_no_models_config_io.py: enforces the rule (--strict,
  --json modes; AST-based docstring detection to avoid false positives)
- conductor/code_styleguides/config_state_owner.md: documents the rule

Verification:
- 67 targeted tests pass
- scripts/audit_no_models_config_io.py --strict returns 0

This is the architectural cleanup that surfaced during the
audit_architectural_cheats_20260607 review. Closes the smoke-gun
CONFIG_PATH module constant (already done in 0c7ebf22) AND the
free-function models.load_config/save_config smell.

[conductor(checkpoint): config-iO-refactor-20260607]

conductor/code_styleguides/config_state_owner.md

@@ -0,0 +1,106 @@
+# Config I/O State Ownership
+
+**Rule:** The `AppController` is the single source of truth for the
+in-memory config (`self.config`) and the only authorized caller of
+the file I/O primitives in `src/models.py`.
+
+## Why
+
+1. **The controller owns the in-memory state.** If other modules
+   write to `config.toml` directly, the controller's `self.config`
+   silently drifts from disk. Tests can corrupt the user's TOML
+   files; users lose data without warning.
+2. **Test isolation breaks.** When `models.save_config(...)` is
+   called from anywhere in `src/`, tests cannot intercept the
+   write without patching the I/O primitive. The test then
+   couples to the file format, not the controller's behavior.
+3. **Path resolution can't be enforced.** The controller respects
+   `SLOP_CONFIG` env var at call time. Direct calls to
+   `models.save_config` would only respect it if the path is
+   re-resolved (which it is in `_save_config_to_disk`, but only
+   because someone remembered).
+
+## What is Forbidden in `src/`
+
+- `models.load_config(...)` (legacy public function)
+- `models.save_config(...)` (legacy public function)
+- `models._load_config_from_disk(...)` (private I/O primitive)
+- `models._save_config_to_disk(...)` (private I/O primitive)
+
+The only allowed call sites are inside `AppController` itself
+(`load_config()` and `save_config()` methods).
+
+## The Public API
+
+```python
+# In AppController:
+def load_config(self) -> Dict[str, Any]:
+    """Re-read the global config.toml from disk and update self.config."""
+    self.config = models._load_config_from_disk()
+    return self.config
+
+def save_config(self) -> None:
+    """Flush self.config to disk."""
+    models._save_config_to_disk(self.config)
+```
+
+Callers (including `gui_2.py`, `commands.py`, etc.) go through
+the controller:
+
+```python
+# In App class methods (gui_2.py): __getattr__ delegates to controller
+self.save_config()      # -> controller.save_config()
+app.save_config()       # -> controller.save_config() (via __getattr__)
+app.load_config()       # -> controller.load_config() (via __getattr__)
+
+# In AppController:
+self.save_config()      # direct
+self.load_config()      # direct
+```
+
+## Test Patterns
+
+Tests should mock the **controller methods**, not the I/O primitives:
+
+```python
+# CORRECT: route through the controller
+with patch('src.app_controller.AppController.load_config',
+           return_value={'ai': {...}, 'projects': {...}}):
+    app = App()  # controller's load_config returns the mock
+
+with patch('src.app_controller.AppController.save_config'):
+    app._save_paths()  # controller's save_config is a no-op
+    app.save_config.assert_called_once()  # verify the call
+
+# WRONG: patch the I/O primitive
+with patch('src.models._save_config_to_disk'):  # bypasses the controller
+    app._save_paths()  # still hits the I/O primitive if production bypasses
+```
+
+The `mock_app` and `app_instance` fixtures in `tests/conftest.py`
+follow the correct pattern: they patch
+`AppController.load_config` and `AppController.save_config` to
+prevent real I/O and to provide a default config.
+
+## Exceptions
+
+The only allowed non-controller call site is the
+`test_models_no_top_level_tomli_w.py` test, which specifically
+verifies the lazy-load behavior of the I/O primitive itself
+(tomli_w import timing). This test is exempt from the audit.
+
+## Enforcement
+
+The `scripts/audit_no_models_config_io.py` script enforces this rule.
+
+- `python scripts/audit_no_models_config_io.py` — human report
+- `python scripts/audit_no_models_config_io.py --strict` — exit 1 on violation
+- `python scripts/audit_no_models_config_io.py --json` — machine output
+
+CI should run the `--strict` mode on every PR.
+
+## See Also
+
+- `docs/guide_app_controller.md` — the AppController's role
+- `docs/guide_models.md` — the models module
+- `conductor/product.md` — "Modular Controller Pattern" principle

conductor/product-guidelines.md

@@ -56,3 +56,4 @@ The product guidelines are best understood alongside the per-source-file guides
 - **[docs/guide_multi_agent_conductor.md](../docs/guide_multi_agent_conductor.md):** §"Thread Safety" — `threading.local()` source tier tagging, lock-protected event queue.
 - **[docs/guide_models.md](../docs/guide_models.md):** §"Design Principles" + §"SDM Tags" — centralized registry, pydantic validation, `[C: ...]` / `[M: ...]` tags in docstrings.
 - **[docs/guide_testing.md](../docs/guide_testing.md):** §"Structural Testing Contract" — Ban on Arbitrary Core Mocking, `live_gui` Standard, Artifact Isolation.
+- **[code_styleguides/config_state_owner.md](code_styleguides/config_state_owner.md):** Config I/O state ownership — `AppController` is the single source of truth; direct calls to `models.save_config`/`models.load_config` in `src/` are forbidden (enforced by `scripts/audit_no_models_config_io.py`).