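# Allowlist false-positive LAN-IP / tailnet-IP hits in docs, scripts + compose.
# These are the documented nullstone LAN address, the LAN/CGNAT
# allowed-egress subnets baked into gluetun config, and Proton WG client
# addresses — all infrastructure facts, not credentials.
# The lan-ip-rfc1918 rule is low-confidence by design — see ~/.config/git/.gitleaks.toml
#
# Each entry is a path:rule-id:line fingerprint, so it suppresses only that
# rule on that exact line; every other rule still fires there. Line numbers
# drift when a file is edited — re-run the scan after touching any file
# listed here and update or drop stale entries.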

# CLAUDE.md — header references nullstone LAN IP.
CLAUDE.md:lan-ip-rfc1918:9

# docs/architecture.md — header + § "Current State" reference live nullstone host.
docs/architecture.md:lan-ip-rfc1918:3
docs/architecture.md:lan-ip-rfc1918:30

# docs/migration.md — ssh + rsync targets to nullstone.
docs/migration.md:lan-ip-rfc1918:22
docs/migration.md:lan-ip-rfc1918:32
docs/migration.md:lan-ip-rfc1918:81

# scripts/migrate-onyx.sh — default NULLSTONE_SSH and ssh target.
scripts/migrate-onyx.sh:lan-ip-rfc1918:27
scripts/migrate-onyx.sh:lan-ip-rfc1918:35

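# compose/docker-compose.yml — FIREWALL_OUTBOUND_SUBNETS allows LAN +
# RFC1918 + the Tailscale CGNAT range for webui reachability from
# trusted networks. These are public, well-known subnet constants.
# Both rules match on the same line, hence one entry per rule. Ignoring
# the finding only silences the scanner: the subnets themselves are
# egress permitted outside the VPN tunnel, so keep that list minimal.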
compose/docker-compose.yml:lan-ip-rfc1918:26
compose/docker-compose.yml:tailnet-ip:26
