7d5f30763f
Pipelock's default SSRF blocklist includes 100.64.0.0/10 (RFC 6598 CGNAT, where Tailscale IPs live) plus all RFC 1918 / link-local ranges, so a CONNECT to a bottle.ssh[] target on Tailscale was rejected with `scanner: ssrf, reason: SSRF blocked: <ip> resolves to internal IP` even after the host appeared in api_allowlist.

Fix: while emitting the YAML, classify each bottle.ssh[].Hostname:

- IPv4 literal -> ssrf.ip_allowlist as <ip>/32 (canonical CIDR).
- Hostname -> trusted_domains (hostname-based SSRF exemption).

Both blocks are emitted only when entries exist, so bottles with no ssh / no private-IP targets still produce a minimal config.

Assisted-by: Claude Code
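The classification rule from the commit, as an added example that is not Pipelock's own code: IP literals become canonical /32 CIDRs for `ssrf.ip_allowlist`, everything else goes to `trusted_domains`, and each block is emitted only when non-empty. The sample hostnames are constructed, the YAML layout (and placing `trusted_domains` at the top level) is an assumption, and IPv6 literals are handled as /128, which extends the commit's IPv4-only rule.

```python
import ipaddress
from typing import Iterable

# Constructed sample of bottle.ssh[].Hostname values (not from a real bottle).
SAMPLE_SSH_HOSTNAMES = [
    "100.101.102.103",          # Tailscale address inside 100.64.0.0/10 (CGNAT)
    "10.0.0.5",                 # RFC 1918 address
    "bastion.tailnet.example",  # hostname; may resolve to a blocked range at runtime
    "100.101.102.103",          # duplicate, must collapse to a single /32
]


def classify_hostnames(hostnames: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split ssh targets into the two SSRF exemption lists.

    IP literals become canonical CIDRs (/32 for IPv4, /128 for IPv6) for
    ssrf.ip_allowlist; anything else is a hostname for trusted_domains.
    Results are deduplicated and sorted so the emitted YAML is stable.
    """
    ip_allowlist: set[str] = set()
    trusted_domains: set[str] = set()
    for raw in hostnames:
        host = raw.strip()
        if not host:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Not an IP literal: exempt by name, normalised to lower case.
            trusted_domains.add(host.lower())
            continue
        # ip_network() on a bare address yields the single-host network
        # and str() renders it as the canonical "<ip>/32" (or /128) form.
        ip_allowlist.add(str(ipaddress.ip_network(str(ip))))
    return sorted(ip_allowlist), sorted(trusted_domains)


def render_ssrf_exemptions(hostnames: Iterable[str]) -> str:
    """Emit the YAML fragment; a block appears only when it has entries.

    Key nesting is assumed for this example: ip_allowlist under ssrf,
    trusted_domains at the top level.
    """
    ip_allowlist, trusted_domains = classify_hostnames(hostnames)
    lines: list[str] = []
    if ip_allowlist:
        lines.append("ssrf:")
        lines.append("  ip_allowlist:")
        lines.extend(f"    - {cidr}" for cidr in ip_allowlist)
    if trusted_domains:
        lines.append("trusted_domains:")
        lines.extend(f"  - {name}" for name in trusted_domains)
    return "\n".join(lines) + ("\n" if lines else "")
```

Running `render_ssrf_exemptions([])` returns an empty string, which is the "minimal config" case for bottles with no ssh targets.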