fix: address CodeRabbit review feedback

- Move gh api from allow to ask (exfiltration risk via raw API calls)
- Add git push --force/--f to deny list (remote repo is not disposable)
- Remove stale tier references from settings.local.json.example
- Fix P.3.2 reference to deleted agent in DEVELOPMENT_PROCESS.md
- Update test expectations for gh api and force push changes

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Author: stranma

.claude/settings.json

@@ -19,7 +19,7 @@
       "Bash(git describe *)", "Bash(git shortlog *)", "Bash(git rev-list *)",
       "Bash(gh pr create *)", "Bash(gh pr view *)", "Bash(gh pr list *)",
       "Bash(gh pr checks *)", "Bash(gh pr diff *)", "Bash(gh pr edit *)",
-      "Bash(gh pr close *)", "Bash(gh api *)",
+      "Bash(gh pr close *)",
       "Bash(gh run list *)", "Bash(gh run view *)", "Bash(gh run watch *)",
       "Bash(gh issue list *)", "Bash(gh issue view *)",
       "Bash(gh repo view *)", "Bash(gh release list *)", "Bash(gh release view *)",
@@ -32,6 +32,7 @@
     ],
     "deny": [
       "Bash(gh secret *)", "Bash(gh auth *)", "Bash(gh ssh-key *)", "Bash(gh gpg-key *)",
+      "Bash(git push --force *)", "Bash(git push -f *)",
       "Bash(git clean *)", "Bash(git config *)",
       "Bash(*git remote add *)", "Bash(*git remote set-url *)", "Bash(*git remote remove *)",
       "Bash(*git remote rename *)", "Bash(*git remote set-head *)",
@@ -43,6 +44,7 @@
       "Bash(gh pr merge *)", "Bash(gh pr reopen *)", "Bash(gh pr comment *)",
       "Bash(gh pr review *)", "Bash(gh pr ready *)", "Bash(gh workflow run *)",
       "Bash(gh workflow enable *)", "Bash(gh workflow disable *)",
+      "Bash(gh api *)",
       "Bash(gh issue create *)", "Bash(gh issue comment *)",
       "Bash(gh issue close *)", "Bash(gh issue edit *)",
       "Bash(git init *)", "Bash(git clone *)",

.claude/settings.local.json.example

@@ -5,14 +5,7 @@
     "Precedence: global < project settings.json < settings.local.json",
     "Use this for: local hook overrides, extra permissions, MCP server configs"
   ],
-  "__devcontainer_tiers": [
-    "In devcontainers, this file is auto-generated from .devcontainer/permissions/tier{1,2,3}.json.",
-    "Set PERMISSION_TIER env var before building (default: 2).",
-    "  Tier 1 (Assisted): File ops auto-allowed, bash asks per-command",
-    "  Tier 2 (Autonomous): Bash(*) with curated deny list -- zero prompts",
-    "  Tier 3 (Full Trust): Bash(*) with minimal deny -- requires branch protection",
-    "See docs/DEVCONTAINER_PERMISSIONS.md for full details."
-  ],
+  "__note": "In devcontainers, settings.json is the single baseline for all environments.",
 
   "hooks": {
     "PreToolUse": [],

docs/DEVELOPMENT_PROCESS.md

@@ -120,7 +120,7 @@ next phase for P-scope work.
 
 **P.3 Execute** (repeat per phase)
 1. Run Standard Path (S.1 through S.7) for the phase
-2. Update `docs/IMPLEMENTATION_PLAN.md` (use built-in `Plan` agent)
+2. Update `docs/IMPLEMENTATION_PLAN.md`
 3. Write phase handoff note (2-5 sentences: what completed, deviations, risks, dependencies, intentional debt)
 
 **P.4 Finalize** -- Merge. Version bump and changelog consolidation if applicable.

tests/test_permissions.py

@@ -302,6 +302,11 @@ def test_git_config_is_denied(self, settings: dict[str, Any]) -> None:
     def test_uv_self_is_denied(self, settings: dict[str, Any]) -> None:
         assert evaluate("Bash(uv self update)", settings) == "deny"
 
+    def test_git_push_force_is_denied(self, settings: dict[str, Any]) -> None:
+        """Force push affects the remote repo (not disposable) -- must be denied."""
+        assert evaluate("Bash(git push --force origin main)", settings) == "deny"
+        assert evaluate("Bash(git push -f origin main)", settings) == "deny"
+
     def test_rm_rf_is_not_allowed(self, settings: dict[str, Any]) -> None:
         assert evaluate("Bash(rm -rf /)", settings) != "allow"
 
@@ -440,8 +445,9 @@ def test_web_fetch_requires_confirmation(self, settings: dict[str, Any]) -> None
     def test_chained_commands_fall_through(self, settings: dict[str, Any]) -> None:
         assert evaluate("Bash(cd /foo && ls)", settings) == "none"
 
-    def test_gh_api_is_allowed(self, settings: dict[str, Any]) -> None:
-        assert evaluate("Bash(gh api repos/owner/repo/pulls)", settings) == "allow"
+    def test_gh_api_requires_confirmation(self, settings: dict[str, Any]) -> None:
+        """gh api can create gists/issues -- requires confirmation to prevent exfiltration."""
+        assert evaluate("Bash(gh api repos/owner/repo/pulls)", settings) == "ask"
 
     def test_gh_pr_review_operations_require_confirmation(self, settings: dict[str, Any]) -> None:
         """PR comment/review/ready are state-changing and have data exfiltration risk."""