feat(security): add private network SSRF rule + .yarnrc.yml config scanning

[cyyever]

Summary

• Add block-ssrf-private-network locked rule with full IANA Special Purpose Registry coverage — blocks RFC1918, loopback, link-local, CGN (100.64/10), benchmarking (198.18/15), documentation nets (TEST-NET-1/2/3), IETF protocol assignments, and IPv6 ULA/link-local
• Add .yarnrc.yml scanning to configscan: detect malicious yarnPath overrides (CVE-2025-59828) and npmRegistryServer redirects
• 14 new tests, 3 existing scenarios upgraded from SELFPROTECT → BLOCKED (defense in depth)
• Zero new dependencies — equivalent IANA coverage to code.dny.dev/ssrf via regex

Blocked IP ranges

Range	Purpose
10.0.0.0/8	RFC1918 private
172.16.0.0/12	RFC1918 private
192.168.0.0/16	RFC1918 private
127.0.0.0/8	Loopback
0.0.0.0	All-zeros
169.254.0.0/16	Link-local
100.64.0.0/10	CGN / shared address space
198.18.0.0/15	Benchmarking
192.0.0.0/24	IETF protocol assignments
192.0.2.0/24	Documentation (TEST-NET-1)
198.51.100.0/24	Documentation (TEST-NET-2)
203.0.113.0/24	Documentation (TEST-NET-3)
fc00::/7	IPv6 ULA
fe80::/10	IPv6 link-local

Test plan

• All pre-commit hooks pass (gofmt, golangci-lint, nilaway, gitleaks, govulncheck, rule lint, rule coverage, doc consistency, go test)
• 11 SSRF private network test cases (RFC1918, loopback, all-zeros, link-local, CGN, benchmarking, 3x documentation)
• 3 yarnrc test cases (yarnPath, malicious registry, official registry)
• Existing SSRF metadata + bypass tests still pass
• Manual: crust start + agent sends curl http://10.0.0.1/admin → blocked