docs(architecture): add allocation_policy.md and CONTRIBUTING.md cross-link (Phase 6f, refs #193)

[githubrobbi]

Phase 6 sub-phase 6f deliverable per the phase-6 ownership/borrowing/allocation plan §5f (local plan, gitignored under /docs/dev/).

Mirrors the Phase 5e panic_policy.md pattern (PR #278): a single contract page captures the rule, the decision tree, the lint posture, the per-site annotation contract, the audit cadence, the workspace cross-references, and an append-only decisions log.

What this adds

File	Purpose
docs/architecture/code-quality/allocation_policy.md (new, 318 lines)	Full workspace allocation contract
CONTRIBUTING.md §Allocation policy (new section, 20 lines)	One-screen summary + link to the full doc

The new doc covers:

1. The one-line rule — hot paths (per-record / per-row / per-query) never allocate defensively; cold paths (error context, log lines, one-time setup) may allocate freely; every prod .clone() / format!() / to_owned() must fit one of five blessed categories (α / β / γ / δ / ε), and δ is a bug.
2. The lint posture — 5 clone-family lints at deny (redundant_clone, clone_on_ref_ptr, cloned_instead_of_copied, inefficient_to_string, unnecessary_to_owned) + 7 at warn (the broader Clippy clone-family set). All 12 emit zero diagnostics across the workspace.
3. The five categories in depth — each with the pattern, the verdict, the workspace convention, and worked examples taken directly from the production code:
   • α — Arc clone (Arc::clone(&x) form): KEEP
   • β — Ownership fence (caller has &T, API needs T): KEEP
   • γ — Error / log context (cold path): KEEP
   • δ — Hot-path anti-pattern (per-record clone of String / Vec<T> eliminable by ownership restructuring): FIX, do not suppress
   • ε — Test helper (#[cfg(test)]-only): KEEP, out of scope
4. The per-site annotation contract — every prod allocation site must satisfy one of three justification shapes (self-evident α, β/γ reason text, or δ refactor comment).
5. The audit cadence — bash scripts/dev/clone_alloc_audit.sh (the helper shipped in PR chore(scripts): add clone_alloc_audit.sh — Phase 6a baseline tool (refs #193) #281) produces the workspace inventory; absolute counts must not regress between PRs.
6. Workspace cross-references between this doc, panic_policy.md, lint-posture.md, Cargo.toml [workspace.lints], and clippy.toml.
7. Append-only decisions log capturing every cat-δ refactor that has landed in Phase 6:
   • 2026-05-19: clone_alloc_audit.sh shipped (Phase 6a, PR chore(scripts): add clone_alloc_audit.sh — Phase 6a baseline tool (refs #193) #281)
   • 2026-05-19: Two cat-δ sites in path_only_top_n / path_sorted_top_n refactored (Phase 6c, PR fix(uffs-core): drop defensive Vec<u16> clone in path-only / path-sorted top-N hot path (Phase 6c, refs #193) #282)
   • 2026-05-19: Two cat-δ sites in path_resolver::fast / search::dataframe_convert refactored (Phase 6d, PR fix(uffs-core): drop per-row format!() allocations in path-resolver + result-conversion hot paths (Phase 6d, refs #193) #283)
   • 2026-05-19: fold_needle helper returning Cow<'_, str> extracted (Phase 6e, PR refactor(uffs-core): extract fold_needle helper returning Cow<'_, str> (Phase 6e, refs #193) #284)
   • 2026-05-19: This document created (Phase 6f, this PR)

CONTRIBUTING.md gains a §Allocation policy section directly below the existing §Panic policy section, summarising the rule + five categories in ~200 words and linking to the full doc.

Why this matters

• Discoverability: contributors landing in the repo from a search hit or a PR review can find the rule + worked examples in one place — same as panic_policy.md.
• Auditability: the decisions log + cross-references make every clone-family rule traceable to a specific phase / PR.
• Code review velocity: reviewers can point at a category letter (α / β / γ / δ / ε) instead of re-deriving the rule each time.

Verification

• just lint-pre-push ✅ (95s): every gate green — fmt, file-size, gates-drift, hooks-drift, workflow-drift, fast-drift, manifest-drift, commit-subjects, vet, vet-audit-discipline, machete, typos, reuse, cargo-check, lint-ci, lint-prod, lint-tests, rustdoc, doc-tests, tests, smoke, deny, lint-ci-windows.
• Markdown links validated by the typos + reuse gates plus a manual check against docs/architecture/code-quality/ (existing panic_policy.md and lint-posture.md cross-links resolve correctly).
• Doc structure mirrors panic_policy.md 1:1 (eight sections in the same order) so contributors who know one know the other.

Behavior & contracts

• No code change. Documentation-only.
• The lint posture described in §2 of the new doc is already in force as of Phase 6a's Cargo.toml (5 deny-level + 7 warn-level clone-family lints). This commit codifies the contract behind the lints, not their values.
• The decisions log in §7 records PRs chore(scripts): add clone_alloc_audit.sh — Phase 6a baseline tool (refs #193) #281 / fix(uffs-core): drop defensive Vec<u16> clone in path-only / path-sorted top-N hot path (Phase 6c, refs #193) #282 / fix(uffs-core): drop per-row format!() allocations in path-resolver + result-conversion hot paths (Phase 6d, refs #193) #283 / refactor(uffs-core): extract fold_needle helper returning Cow<'_, str> (Phase 6e, refs #193) #284 as the cat-δ refactors that have landed; future entries follow the same append-only convention as panic_policy.md §7.

Strict-lint posture

No code change; lint posture unchanged. No new #[allow] / #[expect] introduced.

refs #193