fix(deps): patch dependabot advisories + CTF cred housekeeping

.github/secret_scanning.yml

@@ -0,0 +1,2 @@
+paths-ignore:
+  - "range/**"

range/CTF-NOTICE.md

@@ -0,0 +1,18 @@
+# Cyber Range — Fictional Content Notice
+
+Everything under `range/` is content for a self-contained cyber range used to
+test wallhack. The VMs run only inside an isolated, ephemeral pontoon network.
+None of these credentials, keys, or hostnames are real and none of them grant
+access to anything outside the range.
+
+This includes, but is not limited to:
+
+- Plaintext passwords in `range/layers/*/layer.yml` and discoverable "loot"
+  files (e.g. `intranet/.../creds.txt`, `app-api/.../ssh.conf`).
+- The ed25519 private key at `range/layers/ftp-loot/ftp/backup/id_ed25519`,
+  generated specifically for the `ssh-leaked-key` challenge.
+- Internal IPs in the `10.99.0.0/16` private range.
+
+If your secret scanner pointed you here: this directory is excluded via
+`.github/secret_scanning.yml`. The credentials are part of the test fixture,
+not a leak.

range/layers/backup-ssh/layer.yml

@@ -2,6 +2,7 @@ packages:
   - openssh
   - rsync
 start: |
+  # Fictional CTF range credentials. Not real passwords, not a leak.
   adduser -D backup 2>/dev/null || true
   echo "root:hacker" | chpasswd 2>/dev/null || true
   echo "backup:backup123" | chpasswd 2>/dev/null || true

range/layers/ssh-bastion/layer.yml

@@ -1,6 +1,7 @@
 packages:
   - openssh
 start: |
+  # Fictional CTF range credentials. Not a real password, not a leak.
   echo "pontoon:Tr0mb0n3!2024" | chpasswd
   ssh-keygen -A
   /usr/sbin/sshd -D &

range/layers/ssh-leaked-key/layer.yml

@@ -3,6 +3,8 @@ packages:
 configs:
   - home/deploy/.ssh/authorized_keys
 start: |
+  # Fictional CTF range key. The matching private key under ftp-loot/
+  # is generated for this challenge and grants no real access.
   adduser -D deploy 2>/dev/null || true
   passwd -u deploy 2>/dev/null || true
   chown -R deploy:deploy /home/deploy/.ssh