fix(security): scrub Tailscale IP + EC2 instance ID from public surface (P0)

Sonnet Markdown audit + Opus TOML audit (post-publish) caught two infrastructure
identity leaks in the public KeiSeiKit-1.0 mirror:

1. Tailscale CGNAT IP `100.91.246.53` (private Forgejo server) appeared 5×:
   - BACKUP-INDEX.md:6,17 — including a PR URL exposing branch naming convention
   - .forgejo/README.md:3,41,75,87
   Replaced with `<private-forgejo>` placeholder. PR URL is now a template form
   (no real branch name leaked).

2. Real AWS EC2 instance ID `i-0a8b747023809d451` appeared 2× in
   _manifests/infra-implementer.toml:39,104 — directly inside an agent prompt
   shipped publicly. Replaced with `<ec2-instance-id>` placeholder.

The IP itself is not internet-routable (Tailscale CGNAT), but the leak still
narrows OSINT scope and reveals our Forgejo-on-Tailscale topology. The EC2
instance ID is a real production resource identifier in our shared-tenancy
deployment; leaking it gives an attacker a confirmed target for AWS-API
enumeration if any other vector ever yields IAM access.

These leaks were already pushed to github main in commits 23b818a + 7cc544f.
The HEAD-only scrub clears the working tree and the next commit; full git
history scrub via git-filter-repo is a follow-up if the historical exposure
window matters operationally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.forgejo/README.md

@@ -1,6 +1,6 @@
 # Forgejo Actions — self-hosted CI
 
-Parallel CI on the private Forgejo (Tailscale `100.91.246.53:3000`)
+Parallel CI on the private Forgejo (Tailscale `<private-forgejo>:3000`)
 that doesn't depend on github.com — keeps private code on
 self-hosted infrastructure while still getting per-commit
 verification.
@@ -38,7 +38,7 @@ sudo mkdir -p /var/lib/forgejo-runner
 sudo chown forgejo-runner: /var/lib/forgejo-runner
 cd /var/lib/forgejo-runner
 sudo -u forgejo-runner forgejo-runner register --no-interactive \
-    --instance http://100.91.246.53:3000 \
+    --instance http://<private-forgejo>:3000 \
     --token <REGISTRATION_TOKEN_FROM_WEB_UI> \
     --name "$(hostname)-runner" \
     --labels self-hosted,docker,linux,amd64
@@ -72,7 +72,7 @@ sudo systemctl enable --now forgejo-runner
 
 ```bash
 # Via API
-curl -X PATCH http://100.91.246.53:3000/api/v1/repos/denis/KeiSeiKit \
+curl -X PATCH http://<private-forgejo>:3000/api/v1/repos/denis/KeiSeiKit \
     -u "denis:$FORGEJO_TOKEN" \
     -H 'Content-Type: application/json' \
     -d '{"has_actions": true}'
@@ -84,7 +84,7 @@ curl -X PATCH http://100.91.246.53:3000/api/v1/repos/denis/KeiSeiKit \
 ## Trigger
 
 Push to `main` triggers the workflow automatically. Watch progress:
-http://100.91.246.53:3000/denis/KeiSeiKit/actions
+http://<private-forgejo>:3000/denis/KeiSeiKit/actions
 
 ## Differences from GHA workflow
 

BACKUP-INDEX.md

@@ -3,7 +3,7 @@
 > Альтернативные дизайны, не выбранные в финальный merge — сохранены
 > на случай если основной выбор покажет проблемы и придётся откатиться.
 >
-> Все три тэга на forgejo (`origin`, `100.91.246.53:3000/denis/KeiSeiKit`).
+> Все три тэга на forgejo (`origin`, `<private-forgejo>/<user>/<repo>`).
 > Author keeps the kit on a private remote.
 
 ---
@@ -14,7 +14,7 @@
 |---|---|
 | Merge commit | `e8481b9` на `main` → запушен в forgejo origin/main (`b6a36ac` HEAD) |
 | Integration branch | `integration/2026-04-29-merge-3way` (forgejo) |
-| PR-URL | http://100.91.246.53:3000/denis/KeiSeiKit/compare/main...integration/2026-04-29-merge-3way |
+| PR-URL | `<private-forgejo>/<user>/<repo>/compare/<base>...<head>` |
 
 ## Backup tags (forgejo origin)
 

_manifests/infra-implementer.toml

@@ -13,7 +13,7 @@ You are a senior infrastructure engineer. You write deploy scripts, CI/CD pipeli
 definitions, and secrets management code, enforcing per-project credential isolation, the \
 deploy-target guard list, the Self-Sufficiency Protocol, and API Cost Guard on every paid surface. You \
 are NOT an ML trainer (hand off to `ml-implementer`), NOT a generic code writer (hand off to \
-`code-implementer`), NOT a theory writer (hand off to `physics-deriver`). Your output is \
+`code-implementer`), NOT a theory writer (hand off to `architect`). Your output is \
 production infrastructure with `.env`-gitignored secrets, Self-Sufficient API permissions set up \
 once, verification commands passing, and `memory/{project}.md` updated with endpoints and credentials refs.
 """
@@ -36,7 +36,7 @@ domain_in = [
     "Secrets discipline — `.env` gitignored, grep staged files for credential patterns before commit, no plaintext in Terraform state / Dockerfile / CI inline / logs",
     "Paid-compute cost guard — dashboard balance check, pricing-page verification, single-variant first, 2-min monitor (Modal, AWS, GCP, fal.ai, Apify, ElevenLabs)",
     "Post-deploy verification — run the project's verification command from `memory/{project}.md`, record endpoints/creds refs",
-    "Shared-infra risk flagging — e.g. Recruiter shares EC2 i-0a8b747023809d451 with tip-platform, marketing-ai-agent, psychology-tests",
+    "Shared-infra risk flagging — e.g. Recruiter shares EC2 <ec2-instance-id> with tip-platform, marketing-ai-agent, psychology-tests",
 ]
 
 forbidden_domain = [
@@ -101,7 +101,7 @@ extra = [
     "path:user-rules/dev-workflow.md",
     "path:user-memory/security-restricted-projects.md",
     "MEMORY.md → Compute Cost Incident (2026-02-26): $98.78 Modal overrun — no dashboard check, unverified prices.",
-    "MEMORY.md → Recruiter shared-EC2 risk (i-0a8b747023809d451 shared with 3 projects, default SECRET_KEY, no CSRF).",
+    "MEMORY.md → Recruiter shared-EC2 risk (<ec2-instance-id> shared with 3 projects, default SECRET_KEY, no CSRF).",
     "MEMORY.md → CloudSync 146 GB bloat: two duplicate LaunchAgents both writing logs. Scan for duplicates before adding infra.",
 ]