Fix benchmark safety review issues

Make the shared benchmark fixture work under Node and Bun by replacing the
Deno-only test server with a runtime-neutral node:http bridge.

Use the resolved target tier when gating same-origin inbox destinations, and
apply the unsafe-target bounds to separate public inbox destinations before
signed load can be sent to them.

#744
#784

Assisted-by: Codex:gpt-5.5

Author: dahlia

packages/cli/src/bench/action.test.ts

@@ -314,6 +314,82 @@ scenarios:
   }
 });
 
+test("runBench - unsafe public inbox destination needs an explicit CLI target", async () => {
+  const target = await spawnBenchmarkTarget();
+  try {
+    const file = await writeSuite(`version: 1
+target: ${target.url.href}
+scenarios:
+  - name: inbox-shared
+    type: inbox
+    recipient: "${new URL("/users/alice", target.url).href}"
+    inbox: "https://prod.example/inbox"
+    load: { rate: 1/s }
+    duration: 1ms
+`);
+    let code = -1;
+    let message = "";
+    await runBench(
+      command({
+        scenario: file,
+        allowUnsafeTarget: true,
+        advertiseHost: "127.0.0.1",
+      }),
+      {
+        exit: (c) => {
+          code = c;
+        },
+        writeOutput: () => Promise.resolve(),
+        log: (m) => {
+          message = m;
+        },
+      },
+    );
+    assert.strictEqual(code, 2);
+    assert.match(message, /--target/);
+  } finally {
+    await target.close();
+  }
+});
+
+test("runBench - unsafe public inbox destination needs explicit load", async () => {
+  const target = await spawnBenchmarkTarget();
+  try {
+    const file = await writeSuite(`version: 1
+target: ${target.url.href}
+scenarios:
+  - name: inbox-shared
+    type: inbox
+    recipient: "${new URL("/users/alice", target.url).href}"
+    inbox: "https://prod.example/inbox"
+    duration: 1ms
+`);
+    let code = -1;
+    let message = "";
+    await runBench(
+      command({
+        scenario: file,
+        target: target.url.href,
+        allowUnsafeTarget: true,
+        advertiseHost: "127.0.0.1",
+      }),
+      {
+        exit: (c) => {
+          code = c;
+        },
+        writeOutput: () => Promise.resolve(),
+        log: (m) => {
+          message = m;
+        },
+      },
+    );
+    assert.strictEqual(code, 2);
+    assert.match(message, /load/);
+  } finally {
+    await target.close();
+  }
+});
+
 test("runBench - malformed expect assertion exits 2 before any load", async () => {
   // The expect typo must be caught in preflight, so the run exits 2 (a config
   // error) without ever probing the target or sending load.

packages/cli/src/bench/action.ts

@@ -30,6 +30,7 @@ import {
 } from "./safety/gate.ts";
 import {
   classifyResolvedTarget,
+  classifyTarget,
   type ResolveTargetAddresses,
 } from "./safety/tiers.ts";
 import { runnerFor } from "./scenarios/registry.ts";
@@ -164,13 +165,24 @@ export default async function runBench(
 
   // Gates each resolved inbox destination (which can differ from the suite
   // target) before the runner sends load to it.
-  const assertDestinationAllowed = (url: URL): void =>
+  const assertDestinationAllowed = (
+    url: URL,
+    scenario: ResolvedScenario,
+  ): void => {
     assertInboxDestinationAllowed(url, {
       targetOrigin: suite.target.origin,
+      targetTier: tier,
       targetBenchmarkMode: probe.benchmarkMode,
       allowUnsafe: command.allowUnsafeTarget,
       advertised: command.advertiseHost != null,
     });
+    assertPublicDestinationOverrideAllowed(url, scenario, {
+      targetOrigin: suite.target.origin,
+      targetBenchmarkMode: probe.benchmarkMode,
+      allowUnsafe: command.allowUnsafeTarget,
+      explicitCliTarget: command.target != null,
+    });
+  };
 
   if (command.dryRun) {
     try {
@@ -229,7 +241,8 @@ export default async function runBench(
         allowPrivateAddress,
         fleet: fleet ?? null,
         fetch: fetchImpl,
-        assertDestinationAllowed,
+        assertDestinationAllowed: (url) =>
+          assertDestinationAllowed(url, scenario),
       });
       results.push(buildScenarioResult(scenario, measurement));
     }
@@ -321,7 +334,10 @@ interface DryRunPlanContext {
   readonly documentLoader: DocumentLoader;
   readonly contextLoader: DocumentLoader;
   readonly allowPrivateAddress: boolean;
-  readonly assertDestinationAllowed: (url: URL) => void;
+  readonly assertDestinationAllowed: (
+    url: URL,
+    scenario: ResolvedScenario,
+  ) => void;
 }
 
 async function renderPlan(
@@ -387,7 +403,9 @@ async function describeInboxDiscoveryPlan(
         `inbox ${inbox.href}`,
     );
     lines.push(
-      `  destination safety: ${describeDestinationSafety(inbox, context)}`,
+      `  destination safety: ${
+        describeDestinationSafety(inbox, scenario, context)
+      }`,
     );
   }
   return lines;
@@ -410,10 +428,11 @@ function describeWebFingerPlan(
 
 function describeDestinationSafety(
   inbox: URL,
+  scenario: ResolvedScenario,
   context: DryRunPlanContext,
 ): string {
   try {
-    context.assertDestinationAllowed(inbox);
+    context.assertDestinationAllowed(inbox, scenario);
     return "allowed";
   } catch (error) {
     if (error instanceof UnsafeTargetError) {
@@ -423,16 +442,55 @@ function describeDestinationSafety(
   }
 }
 
+interface PublicDestinationOverrideContext {
+  readonly targetOrigin: string;
+  readonly targetBenchmarkMode: boolean;
+  readonly allowUnsafe: boolean;
+  readonly explicitCliTarget: boolean;
+}
+
+function assertPublicDestinationOverrideAllowed(
+  url: URL,
+  scenario: ResolvedScenario,
+  context: PublicDestinationOverrideContext,
+): void {
+  const inheritsTargetGate = url.origin === context.targetOrigin &&
+    context.targetBenchmarkMode;
+  if (
+    classifyTarget(url) !== "public" || inheritsTargetGate ||
+    !context.allowUnsafe
+  ) {
+    return;
+  }
+  assertUnsafeOverrideAllowed({
+    tier: "public",
+    benchmarkMode: false,
+    allowUnsafe: true,
+    explicitCliTarget: context.explicitCliTarget,
+    scenarios: [unsafeOverrideScenario(scenario)],
+  });
+}
+
 function unsafeOverrideScenarios(
   suite: Suite,
 ): Parameters<typeof assertUnsafeOverrideAllowed>[0]["scenarios"] {
-  const defaultDuration = suite.defaults?.duration != null;
-  const defaultLoad = hasExplicitLoad(suite.defaults?.load);
-  return suite.scenarios.map((scenario) => ({
+  return suite.scenarios.map((scenario) =>
+    unsafeOverrideScenario(scenario, suite)
+  );
+}
+
+function unsafeOverrideScenario(
+  scenario: ResolvedScenario | Suite["scenarios"][number],
+  suite?: Suite,
+): Parameters<typeof assertUnsafeOverrideAllowed>[0]["scenarios"][number] {
+  const defaultDuration = suite?.defaults?.duration != null;
+  const defaultLoad = hasExplicitLoad(suite?.defaults?.load);
+  const raw = "raw" in scenario ? scenario.raw : scenario;
+  return {
     name: scenario.name,
-    explicitDuration: scenario.duration != null || defaultDuration,
-    explicitLoad: hasExplicitLoad(scenario.load) || defaultLoad,
-  }));
+    explicitDuration: raw.duration != null || defaultDuration,
+    explicitLoad: hasExplicitLoad(raw.load) || defaultLoad,
+  };
 }
 
 function hasExplicitLoad(load: LoadConfig | undefined): boolean {

packages/cli/src/bench/safety/gate.test.ts

@@ -146,6 +146,7 @@ function destContext(
 ) {
   return {
     targetOrigin: "http://127.0.0.1:3000",
+    targetTier: "loopback" as const,
     targetBenchmarkMode: false,
     allowUnsafe: false,
     advertised: false,
@@ -199,6 +200,22 @@ test("assertInboxDestinationAllowed - an inbox on the target origin inherits its
   );
 });
 
+test("assertInboxDestinationAllowed - same-origin inbox uses the resolved target tier", () => {
+  // The target hostname may be syntactically public but DNS-resolved private.
+  // The discovered same-origin inbox should inherit that resolved tier instead
+  // of being reclassified from the hostname string.
+  assert.doesNotThrow(() =>
+    assertInboxDestinationAllowed(
+      new URL("https://staging.example/inbox"),
+      destContext({
+        targetOrigin: "https://staging.example",
+        targetTier: "private",
+        advertised: true,
+      }),
+    )
+  );
+});
+
 test("assertInboxDestinationAllowed - same host, different scheme does not inherit", () => {
   // The target is https (its benchmark-mode probe covered port 443); an http
   // inbox on the same hostname is a different service (port 80), so it must not
@@ -225,7 +242,10 @@ test("assertInboxDestinationAllowed - a non-loopback inbox needs an advertised h
     () =>
       assertInboxDestinationAllowed(
         new URL("http://10.0.0.5:8000/inbox"),
-        destContext({ targetOrigin: "http://10.0.0.5:8000" }),
+        destContext({
+          targetOrigin: "http://10.0.0.5:8000",
+          targetTier: "private",
+        }),
       ),
     (error: unknown) =>
       error instanceof UnsafeTargetError &&
@@ -234,7 +254,11 @@ test("assertInboxDestinationAllowed - a non-loopback inbox needs an advertised h
   assert.doesNotThrow(() =>
     assertInboxDestinationAllowed(
       new URL("http://10.0.0.5:8000/inbox"),
-      destContext({ targetOrigin: "http://10.0.0.5:8000", advertised: true }),
+      destContext({
+        targetOrigin: "http://10.0.0.5:8000",
+        targetTier: "private",
+        advertised: true,
+      }),
     )
   );
 });

packages/cli/src/bench/safety/gate.ts

@@ -122,6 +122,8 @@ export interface InboxDestinationGateContext {
    * (e.g. an `http://host` inbox does not inherit an `https://host` target).
    */
   readonly targetOrigin: string;
+  /** The resolved target tier used by the main safety gate. */
+  readonly targetTier: TargetTier;
   /** Whether the gated target advertises benchmark mode. */
   readonly targetBenchmarkMode: boolean;
   /** Whether `--allow-unsafe-target` was given. */
@@ -150,8 +152,9 @@ export function assertInboxDestinationAllowed(
   url: URL,
   context: InboxDestinationGateContext,
 ): void {
-  const tier = classifyTarget(url);
-  const inheritsTargetGate = url.origin === context.targetOrigin &&
+  const sameOrigin = url.origin === context.targetOrigin;
+  const tier = sameOrigin ? context.targetTier : classifyTarget(url);
+  const inheritsTargetGate = sameOrigin &&
     context.targetBenchmarkMode;
   if (tier === "public" && !inheritsTargetGate && !context.allowUnsafe) {
     throw new UnsafeTargetError(