
Commit c40cc8b

chore(settings): remove gh workflow run|dispatch from deny
Permission rules evaluate deny → ask → allow with deny always winning, so the release-workflow-guard hook's verifiable dry-run bypass couldn't actually fire — the settings-layer deny rejected the command before the hook ran.

The hook is now the single source of truth for the dispatch policy: blocks by default, allows only when -f dry-run=true is explicit, the workflow YAML declares a dry-run input, and no force-prod overrides are set. The hook reads the workflow file from $CLAUDE_PROJECT_DIR or the matching sibling clone.

Removed entries:
    Bash(gh workflow run:*)
    Bash(gh workflow dispatch:*)

Other deny rules (gh release create/delete, git push --force, *publish) are unchanged — those have no dry-run analog and the hook doesn't cover them.
1 parent 1fe8d5c commit c40cc8b
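The dispatch policy the commit message describes (block by default; allow only when `-f dry-run=true` is explicit, the workflow declares a `dry-run` input, and no force override is set; read the workflow from `$CLAUDE_PROJECT_DIR`), written out as a PreToolUse hook. This is an added example, not the repository's release-workflow-guard hook. The hook input shape (JSON with `tool_name`/`tool_input.command` on stdin), the exit-status convention (2 blocks the call), the `.github/workflows/<file>` layout, and the workflow files `release.yml`/`nightly.yml` are assumptions made for illustration; the "matching sibling clone" fallback is not modelled.

```python
"""Added example (not the repository's release-workflow-guard hook): a PreToolUse hook applying the
dispatch policy from the commit message. Hook I/O shape and workflow names are assumptions."""
import json, os, shlex, sys
from typing import Callable, Dict, List, NamedTuple, Optional

FIELD_FLAGS = {"-f", "--raw-field", "-F", "--field"}  # gh flags carrying key=value inputs
VALUE_FLAGS = {"-r", "--ref", "-R", "--repo"}         # gh flags whose next token is a value
# Constructed stand-ins for .github/workflows/*.yml (not taken from the repo).
RELEASE_YML = """on:
  workflow_dispatch:
    inputs:
      dry-run:
        type: boolean
"""
NIGHTLY_YML = "on:\n  schedule:\n    - cron: '0 3 * * *'\n  workflow_dispatch:\n"
WORKFLOWS = {"release.yml": RELEASE_YML, "nightly.yml": NIGHTLY_YML}

class Decision(NamedTuple):
    allow: bool
    reason: str

def find_dispatch(argv: List[str]) -> Optional[int]:
    """Index of run/dispatch if `gh workflow run|dispatch` appears anywhere in argv
    (so `cd dir && gh workflow run ...` is caught too)."""
    for i in range(len(argv) - 2):
        if argv[i:i + 2] == ["gh", "workflow"] and argv[i + 2] in ("run", "dispatch"):
            return i + 2
    return None

def parse_dispatch(argv: List[str], start: int):
    """Workflow argument and -f/--field key=value inputs following the subcommand."""
    workflow, fields, i = None, {}, start + 1
    while i < len(argv) and argv[i] not in ("&&", "||", ";", "|"):
        tok = argv[i]
        if tok in FIELD_FLAGS and i + 1 < len(argv):                    # -f key=value
            key, _, value = argv[i + 1].partition("=")
            fields[key], i = value, i + 2
        elif tok.startswith("--") and tok.partition("=")[0] in FIELD_FLAGS:  # --field=key=value
            key, _, value = tok.partition("=")[2].partition("=")
            fields[key], i = value, i + 1
        elif tok in VALUE_FLAGS:
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            workflow, i = workflow or tok, i + 1                        # first bare token names the workflow
    return workflow, fields

def declares_input(yaml_text: str, name: str) -> bool:
    """True iff `name` is a direct child of on.workflow_dispatch.inputs (indentation scan, no YAML library)."""
    stack = []  # (key, indent) path from the document root to the current line
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][1] >= indent:
            stack.pop()
        stack.append((stripped.split(":", 1)[0], indent))
        if [k for k, _ in stack][-3:] == ["workflow_dispatch", "inputs", name]:
            return True
    return False

def evaluate(command: str, lookup: Callable[[str], Optional[str]]) -> Decision:
    """Block by default; allow only an explicit dry-run of a workflow that declares the input."""
    argv = shlex.split(command)
    idx = find_dispatch(argv)
    if idx is None:
        return Decision(True, "not a workflow dispatch; hook does not apply")
    workflow, fields = parse_dispatch(argv, idx)
    if fields.get("dry-run") != "true":
        return Decision(False, "blocked: pass -f dry-run=true explicitly")
    yaml_text = lookup(workflow) if workflow else None
    if yaml_text is None:                                   # unnamed or unreadable workflow: fail closed
        return Decision(False, f"blocked: cannot read workflow {workflow!r}")
    if not declares_input(yaml_text, "dry-run"):
        return Decision(False, f"blocked: {workflow} declares no dry-run input")
    forced = [k for k, v in fields.items() if k.startswith("force") and v.lower() in ("true", "1", "yes")]
    if forced:
        return Decision(False, "blocked: force override set: " + ", ".join(forced))
    return Decision(True, f"allowed: dry-run dispatch of {workflow}")

def main() -> int:
    payload = json.load(sys.stdin)                          # assumed hook input: {"tool_name", "tool_input"}
    root = os.environ.get("CLAUDE_PROJECT_DIR", ".")
    def lookup(name):  # assumed layout: $CLAUDE_PROJECT_DIR/.github/workflows/<file>
        path = os.path.join(root, ".github", "workflows", os.path.basename(name))
        return open(path, encoding="utf-8").read() if os.path.isfile(path) else None
    try:
        decision = evaluate(payload["tool_input"]["command"], lookup)
    except Exception as exc:                                # unparseable command etc.: fail closed
        decision = Decision(False, f"blocked: hook error ({exc})")
    if not decision.allow:
        print(decision.reason, file=sys.stderr)
        return 2                                            # assumed: exit status 2 blocks the tool call
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Two design points matter once the settings-layer deny is gone and this hook is the only control: every failure path (no workflow named, file unreadable, command that `shlex` cannot parse) returns a block rather than falling through, and the `dry-run` check is tied to the workflow actually declaring the input, since a flag the workflow does not declare cannot make the run a dry-run. The hook is assumed to be registered with a matcher for the Bash tool, so it does not re-check `tool_name`.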

1 file changed

Lines changed: 0 additions & 2 deletions


.claude/settings.json

@@ -59,8 +59,6 @@
59 59
"deny": [
60 60
"Bash(gh release create:*)",
61 61
"Bash(gh release delete:*)",
62-
"Bash(gh workflow dispatch:*)",
63-
"Bash(gh workflow run:*)",
64 62
"Bash(git push --force:*)",
65 63
"Bash(git push -f:*)",
66 64
"Bash(npm publish:*)",
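Review bot: with `Bash(gh workflow dispatch:*)` and `Bash(gh workflow run:*)` removed, nothing in this file documents that dispatches are intentionally delegated to the hook, so a later "hardening" pass will likely re-add them and silently disable the dry-run path again; a note in the hook's header (JSON cannot carry comments) saying these two prefixes must stay out of the deny list would prevent that. The remaining entries also show why prefix patterns are a weak guard on their own: `Bash(git push --force:*)` and `Bash(git push -f:*)` match only those exact flag positions, and a dispatch issued through `gh api` against the workflow's dispatches endpoint never matched the removed prefixes either, so the hook (now the only control) should treat any failure to locate or read the workflow file as a block rather than a pass-through.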
