Fix comment: deploy key secrecy scope is policy-dependent

The comment claimed secrecy was always private:owner/repo, but
policy_private_scope_label() returns a scope that depends on the
cached policy scope kind (unscoped, owner-scoped, or repo-scoped).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

guards/github-guard/rust-guard/src/labels/tool_rules.rs

@@ -663,7 +663,7 @@ pub fn apply_tool_labels(
         // === Deploy key management (SSH key with optional write access) ===
         "add_deploy_key" | "delete_deploy_key" => {
             // Manages SSH deploy keys — `add_deploy_key` may grant persistent write access.
-            // S = private:owner/repo (deploy key secrets should be restricted)
+            // S = at least private; scope is policy-dependent (may be unscoped, owner-scoped, or repo-scoped)
             // I = writer (requires admin access)
             secrecy = policy_private_scope_label(&owner, &repo, repo_id, ctx);
             integrity = writer_integrity(repo_id, ctx);