chore(guard): sync vendored public-repo-guard to canonical

[yakimoto]

Syncs the vendored public-repo-guard trio to the canonical source in wave-foundation/scaffolder/public-repo-guard.

• adds the internal-ip leak rule (Tailscale-CGNAT 100.64.0.0/10), lockstep with the pre-publish mirror gate
• reconciles accumulated drift in the vendored copy

Each changed file is byte-for-byte identical to canonical (verified by git blob SHA). The repo's own Secrets + content policy gate re-scans this PR.

🤖 Generated with Claude Code

---

Note

Low Risk
Guard-only policy tweaks that tighten leak detection; no runtime app or auth/data-path changes.

Overview
Syncs the vendored public-repo-guard config with canonical foundation so CI and the pre-publish mirror gate stay aligned.

.gitleaks.toml extends the path allowlist with testdata/ so Go-style fixture directories (e.g. published test vectors) are not flagged as secrets.

content-policy.sh adds a BLOCK internal-ip rule for Tailscale CGNAT addresses (100.64.0.0/10), using the same regex as the foundation mirror scripts. It also adds shellcheck disable=SC2016 on rules whose error messages intentionally show $CLOUDFLARE_ACCOUNT_ID and $HOME as literal guidance.

^{Reviewed by Cursor Bugbot for commit a27b3e2. Configure here.}

---

Summary by cubic

Syncs vendored public-repo-guard to match wave-foundation/scaffolder/public-repo-guard, adds an internal IP leak rule for Tailscale CGNAT (100.64.0.0/10). Updates .gitleaks.toml to ignore Go testdata/ fixtures to reduce false positives.

• New Features

  • Adds internal-ip rule to block Tailscale CGNAT addresses (100.64.0.0/10), aligned with the pre-publish mirror gate.

• Dependencies

  • Vendored public-repo-guard is byte-for-byte identical to canonical; reconciles prior drift.

^{Written for commit a27b3e2. Summary will update on new commits.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: a27b3e2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Warning

Review limit reached

@yakimoto, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 49 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8993804b-a084-43d8-a753-1519a050c913

📥 Commits

Reviewing files that changed from the base of the PR and between f513ade and a27b3e2.

📒 Files selected for processing (2)

• .gitleaks.toml
• scripts/public-repo-guard/content-policy.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/guard-canonical-sync

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/guard-canonical-sync

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}