fix: address CodeRabbit review feedback

- Use wildcard prefix Bash(*git remote add *) in settings.json deny
  rules to catch chained commands (matching tier file patterns)
- Add missing set-head to docs denied commands table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: stranma

.claude/settings.json

@@ -31,8 +31,8 @@
     "deny": [
       "Bash(gh secret *)", "Bash(gh auth *)", "Bash(gh ssh-key *)", "Bash(gh gpg-key *)",
       "Bash(git clean *)", "Bash(git config *)",
-      "Bash(git remote add *)", "Bash(git remote set-url *)", "Bash(git remote remove *)",
-      "Bash(git remote rename *)", "Bash(git remote set-head *)",
+      "Bash(*git remote add *)", "Bash(*git remote set-url *)", "Bash(*git remote remove *)",
+      "Bash(*git remote rename *)", "Bash(*git remote set-head *)",
       "Bash(uv self *)"
     ],
     "ask": [

docs/DEVCONTAINER_PERMISSIONS.md

@@ -45,7 +45,7 @@ Regardless of tier, these layers provide defense-in-depth:
 | `docker run --privileged` | Use `docker run` without `--privileged` | Container escape vector |
 | `curl ... \| bash` / `wget ... \| sh` | Do not pipe remote scripts. Add to Dockerfile instead. | Supply-chain attack vector |
 | `cd path && command` | Use absolute paths: `command /absolute/path` | Chained commands bypass glob-based permission checks |
-| `git remote add/set-url/remove/rename` | Ask the user to manage remotes | Prevents code exfiltration to unauthorized remotes |
+| `git remote add/set-url/remove/rename/set-head` | Ask the user to manage remotes | Prevents code exfiltration to unauthorized remotes |
 
 ## Tier Comparison