prevent unauthorized access to administrative db0 when connection to redis-cli

docs/admin.md

@@ -80,6 +80,7 @@ Keys in `DB 0` (internal layout, but useful to understand how things work):
   - Requires the exact admin secret as the `KEY` argument to `SELECT 0`
   - Permission is `ReadWrite` when the secret matches
 
+Connections start with no database selected. Any command that requires storage (GET, SET, H*, L*, SCAN, etc.) will return an error until you issue a SELECT to choose a database. Admin DB 0 is never accessible without authenticating via SELECT 0 KEY <admin_secret>.
 ### How to select databases with optional `KEY`
 
 - Public DB (no key required)

docs/cmds.md

@@ -126,7 +126,9 @@ redis-cli -p 6381 --pipe < dump.rdb
 
 ## Authentication and Database Selection
 
-HeroDB uses an `Admin DB 0` to govern database existence, access and per-db encryption. Access control is enforced via `Admin DB 0` metadata. See the full model in `docs/admin.md`.
+Connections start with no database selected. Any storage-backed command (GET, SET, H*, L*, SCAN, etc.) will return an error until you issue a SELECT to choose a database.
+
+HeroDB uses an `Admin DB 0` to govern database existence, access and per-db encryption. Access control is enforced via `Admin DB 0` metadata. See the full model in (docs/admin.md:1).
 
 Examples:
 ```bash
@@ -145,4 +147,10 @@ redis-cli -p $PORT SELECT 2 KEY my-db2-access-key
 # Admin DB 0 (requires admin secret)
 redis-cli -p $PORT SELECT 0 KEY my-admin-secret
 # → OK
+```
+
+```bash
+# Before selecting a DB, storage commands will fail
+redis-cli -p $PORT GET key
+# → -ERR No database selected. Use SELECT <id> [KEY <key>] first
 ```