chore(guard): sync vendored public-repo-guard to canonical

[yakimoto]

Syncs the vendored public-repo-guard trio to the canonical source in wave-foundation/scaffolder/public-repo-guard.

• adds the internal-ip leak rule (Tailscale-CGNAT 100.64.0.0/10), lockstep with the pre-publish mirror gate
• reconciles accumulated drift in the vendored copy

Each changed file is byte-for-byte identical to canonical (verified by git blob SHA). The repo's own Secrets + content policy gate re-scans this PR.

🤖 Generated with Claude Code

---

Note

Low Risk
CI-only guard script changes that tighten leak detection; no runtime application or auth/data-path changes.

Overview
Vendors the canonical public-repo-guard policy so this repo matches wave-foundation/scaffolder.

.gitleaks.toml extends the path allowlist with testdata/ so Go-style fixture directories (e.g. published Hardhat test vectors) are not flagged as secrets.

content-policy.sh adds a BLOCK rule for Tailscale CGNAT addresses in 100.64.0.0/10, aligned with the foundation pre-publish mirror gate, and adds shellcheck disable=SC2016 on rules whose error messages intentionally show $CLOUDFLARE_ACCOUNT_ID and $HOME as literal guidance.

^{Reviewed by Cursor Bugbot for commit 94472c2. Configure here.}

---

Summary by cubic

Syncs the vendored public-repo-guard to the canonical source in wave-foundation/scaffolder/public-repo-guard, aligning checks with the pre-publish mirror gate. Adds an internal IP leak rule for Tailscale CGNAT (100.64.0.0/10) to prevent publishing fleet addresses.

• Refactors
  • Update .gitleaks.toml to also ignore testdata/ (Go fixtures directory).

^{Written for commit 94472c2. Summary will update on new commits.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 94472c2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Warning

Review limit reached

@yakimoto, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 55 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7c7540e3-2521-4536-b4a0-3c10f84c9a3d

📥 Commits

Reviewing files that changed from the base of the PR and between fb0872b and 94472c2.

📒 Files selected for processing (2)

• .gitleaks.toml
• scripts/public-repo-guard/content-policy.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/guard-canonical-sync

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/guard-canonical-sync

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}