chore(security): block direct git push to master/main branches (#3157)

Add deny patterns to prevent Claude Code from pushing directly to
master or main, enforcing the PR-only workflow for protected branches.

Author: PierreBrisorgueil

.claude/settings.json

@@ -243,6 +243,22 @@
           "pattern": "git push -f *",
           "reason": "Force push without lease is not allowed — use --force-with-lease"
         },
+        {
+          "pattern": "git push origin master",
+          "reason": "Never push directly to master — use a feature branch and open a PR"
+        },
+        {
+          "pattern": "git push origin main",
+          "reason": "Never push directly to main — use a feature branch and open a PR"
+        },
+        {
+          "pattern": "git push * master",
+          "reason": "Never push directly to master — use a feature branch and open a PR"
+        },
+        {
+          "pattern": "git push * main",
+          "reason": "Never push directly to main — use a feature branch and open a PR"
+        },
         {
           "pattern": "npm publish",
           "reason": "Package publishing requires explicit approval"