chore(guard): sync vendored public-repo-guard to canonical

[yakimoto]

Syncs the vendored public-repo-guard trio to the canonical source in wave-foundation/scaffolder/public-repo-guard.

• adds the internal-ip leak rule (Tailscale-CGNAT 100.64.0.0/10), lockstep with the pre-publish mirror gate
• reconciles accumulated drift in the vendored copy

Each changed file is byte-for-byte identical to canonical (verified by git blob SHA). The repo's own Secrets + content policy gate re-scans this PR.

🤖 Generated with Claude Code

---

Note

Low Risk
Guard-only tightening and allowlist tweaks; no runtime app or auth behavior changes.

Overview
Vendors the canonical public-repo-guard config so this repo matches wave-foundation/scaffolder/public-repo-guard.

.gitleaks.toml adds testdata/ to path allowlists so Go-style fixture dirs (e.g. published Hardhat test vectors) are not flagged as secrets.

content-policy.sh adds a BLOCK rule for Tailscale CGNAT addresses in 100.64.0.0/10, aligned with the foundation pre-publish mirror gate, and adds shellcheck disable=SC2016 on rules whose error text mentions $CLOUDFLARE_ACCOUNT_ID and $HOME so those strings are not treated as shell variables.

^{Reviewed by Cursor Bugbot for commit 37602a8. Configure here.}

---

Summary by cubic

Syncs vendored public-repo-guard to the canonical wave-foundation/scaffolder/public-repo-guard to eliminate drift. Adds an internal-IP leak rule and updates gitleaks paths; changes are byte-for-byte identical to canonical.

• New Features
  • Block Tailscale CGNAT internal IPs (100.64.0.0/10) to prevent leaking fleet addresses; pattern matches the pre-publish mirror gate.
  • Add testdata/ to gitleaks fixture paths to avoid false positives in Go-style test fixtures.

^{Written for commit 37602a8. Summary will update on new commits.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 37602a8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Warning

Review limit reached

@yakimoto, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 36 minutes and 43 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f8c5fa5f-91fe-4fa2-905f-332931b759f1

📥 Commits

Reviewing files that changed from the base of the PR and between f4a33aa and 37602a8.

📒 Files selected for processing (2)

• .gitleaks.toml
• scripts/public-repo-guard/content-policy.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/guard-canonical-sync

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/guard-canonical-sync

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}