feat(security): harden repo with scoped permissions, CVE mapping, and scan evidence

Settings.json: 16 scoped Bash grants (was 6 wildcards), 26-pattern deny list (was 5).
CVE mapping: all 9 OpenClaw CVEs mapped to specific defenses with layer documentation.
Scan results: posture Grade D (expected without llm-security), deep scan 0 critical/high.
Hooks README: Option A — document llm-security hooks, recommend plugin installation.
README: evidence-based security section with scan data and verification instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.claude/settings.json

@@ -1,26 +1,54 @@
 {
   "permissions": {
     "allow": [
+      "Bash(git:*)",
       "Bash(ls:*)",
-      "Bash(cat:*)",
-      "Bash(echo:*)",
       "Bash(pwd)",
       "Bash(date)",
       "Bash(wc:*)",
+      "Bash(cat:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(echo:*)",
+      "Bash(node:*)",
+      "Bash(npx:*)",
+      "Bash(mkdir:*)",
+      "Bash(cp:*)",
+      "Bash(mv:*)",
+      "Bash(touch:*)",
+      "Bash(diff:*)",
       "Read",
-      "Write",
-      "Edit",
       "Glob",
-      "Grep",
-      "WebSearch",
-      "WebFetch"
+      "Grep"
     ],
     "deny": [
-      "Bash(rm -rf *)",
+      "Bash(rm -rf /)",
+      "Bash(rm -rf ~)",
+      "Bash(rm -rf $HOME)",
       "Bash(sudo *)",
       "Bash(chmod 777 *)",
-      "Bash(curl * | bash)",
-      "Bash(wget * | bash)"
+      "Bash(chmod -R 777 *)",
+      "Bash(curl*|*bash)",
+      "Bash(curl*|*sh)",
+      "Bash(wget*|*bash)",
+      "Bash(wget*|*sh)",
+      "Bash(base64*|*bash)",
+      "Bash(base64*|*sh)",
+      "Bash(eval *)",
+      "Bash(mkfs*)",
+      "Bash(dd if=*)",
+      "Bash(> /dev/sda*)",
+      "Bash(shutdown*)",
+      "Bash(reboot*)",
+      "Bash(init 0*)",
+      "Bash(init 6*)",
+      "Bash(:(){:|:&};:*)",
+      "Bash(nc -e*)",
+      "Bash(ncat -e*)",
+      "Bash(python*-c*import*socket*)",
+      "Bash(export*_KEY=*)",
+      "Bash(export*_TOKEN=*)",
+      "Bash(export*_SECRET=*)"
     ]
   },
   "hooks": {