docs: add permanent lessons to JOURNAL.md to prevent recurring mistakes

Added explicit "PERMANENT LESSONS FOR FUTURE SESSIONS" section documenting:
1. Always update callers when modifying source functions
2. Verify documentation matches code reality
3. Cross-reference before committing

These patterns have caused bugs multiple times.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

JOURNAL.md

@@ -59,6 +59,34 @@ files, remember to update ALL callers (hooks, scripts, tests).
 2. Update STATUS.md with accurate state
 3. Consider adding hook validation tests
 
+### ⚠️ PERMANENT LESSONS FOR FUTURE SESSIONS
+
+**These mistakes have happened multiple times. DO NOT repeat them.**
+
+1. **When Adding/Modifying Functions: ALWAYS Update All Callers**
+   - Pattern: Function added to `src/*.sh` but hook in `config/hooks/` not updated
+   - Prevention: After editing `src/security-hardening.sh`, immediately run:
+     ```bash
+     grep -r "configure_ssh\|configure_fim\|configure_audit" config/hooks/
+     ```
+   - Test: Run `./run.sh test` before committing - don't just assume it works
+
+2. **Documentation Claims Must Match Code Reality**
+   - Pattern: JOURNAL says "ADDED" but hook never calls the function
+   - Prevention: After implementing a feature, verify execution path:
+     ```bash
+     # For each new function in src/:
+     # 1. Find where it should be called
+     # 2. Add the call
+     # 3. Test that it runs
+     ```
+   - Never trust docs without code verification
+
+3. **Cross-Reference Before Committing**
+   - This project has: `src/*.sh` → `config/hooks/**/*.sh` → executed during build
+   - Any change to source files requires checking ALL downstream callers
+   - Use `grep -r "function_name" .` liberally
+
 ---
 
 ## Entry 2026-02-17 (Session 4): Script Consolidation