Treat bad resolver output as public

Malformed resolver output should not escape the benchmark safety classifier.
Fall back to the public tier so the gate stays conservative when a custom
resolver returns an address string that cannot be parsed as a URL host.

#795 (comment)

Assisted-by: Codex:gpt-5.5

Author: dahlia

packages/cli/src/bench/safety/tiers.test.ts

@@ -102,3 +102,11 @@ test("classifyResolvedTarget - treats resolution failure as public", async () =>
   );
   assert.strictEqual(tier, "public");
 });
+
+test("classifyResolvedTarget - treats malformed resolver output as public", async () => {
+  const tier = await classifyResolvedTarget(
+    new URL("https://bench.example"),
+    () => Promise.resolve(["2001:db8:::1"]),
+  );
+  assert.strictEqual(tier, "public");
+});

packages/cli/src/bench/safety/tiers.ts

@@ -65,7 +65,12 @@ export async function classifyResolvedTarget(
   if (addresses.length < 1) return "public";
   let aggregate: TargetTier = "loopback";
   for (const address of addresses) {
-    const tier = classifyTarget(new URL(`http://${hostForAddress(address)}/`));
+    let tier: TargetTier;
+    try {
+      tier = classifyTarget(new URL(`http://${hostForAddress(address)}/`));
+    } catch {
+      return "public";
+    }
     if (tier === "public") return "public";
     if (tier === "private") aggregate = "private";
   }