Resolve inbox destinations for safety

Classify off-origin inbox destinations with the same DNS-aware resolver used
for benchmark targets before applying the inbox safety gate.  This lets
private staging shared inboxes run without the unsafe public override while
keeping public destination override checks bounded.

#744
#784

Assisted-by: Codex:gpt-5.5

Author: dahlia

packages/cli/src/bench/action.test.ts

@@ -28,6 +28,10 @@ async function writeSuite(content: string): Promise<string> {
   return path;
 }
 
+function resolvePublicHost(_hostname: string): Promise<readonly string[]> {
+  return Promise.resolve(["93.184.216.34"]);
+}
+
 function inboxSuite(target: URL, expectLine: string): string {
   // Uses `${{ target.host }}` templating to form the actor URI (WebFinger is
   // https-only, so an acct: handle would not resolve over http loopback).
@@ -246,6 +250,7 @@ scenarios:
           { headers: { "content-type": "application/json" } },
         ),
       ),
+    resolveTargetAddresses: resolvePublicHost,
   });
   assert.strictEqual(code, 2);
   assert.match(message, /advertise-host/);
@@ -306,6 +311,7 @@ scenarios:
       log: (m) => {
         message = m;
       },
+      resolveTargetAddresses: resolvePublicHost,
     });
     assert.strictEqual(code, 2);
     assert.match(message, /public inbox|allow-unsafe-target/);
@@ -314,6 +320,57 @@ scenarios:
   }
 });
 
+test("runBench - allows a DNS-resolved private inbox off the target", async () => {
+  const target = await spawnBenchmarkTarget();
+  try {
+    const file = await writeSuite(`version: 1
+target: ${target.url.href}
+scenarios:
+  - name: inbox-shared
+    type: inbox
+    recipient: "${new URL("/users/alice", target.url).href}"
+    inbox: "https://shared.staging.example/inbox"
+    load: { concurrency: 2 }
+    duration: 250ms
+`);
+    let code = -1;
+    let message = "";
+    const resolved: string[] = [];
+    await runBench(
+      command({
+        scenario: file,
+        advertiseHost: "127.0.0.1",
+      }),
+      {
+        exit: (c) => {
+          code = c;
+        },
+        writeOutput: () => Promise.resolve(),
+        log: (m) => {
+          message = m;
+        },
+        resolveTargetAddresses: (hostname) => {
+          resolved.push(hostname);
+          return Promise.resolve(
+            hostname === "shared.staging.example" ? ["10.0.0.8"] : [],
+          );
+        },
+        fetch: (input) => {
+          const url = new URL(input instanceof Request ? input.url : input);
+          if (url.hostname === "shared.staging.example") {
+            return Promise.resolve(new Response("accepted", { status: 202 }));
+          }
+          return fetch(input);
+        },
+      },
+    );
+    assert.strictEqual(code, 0, message);
+    assert.deepStrictEqual(resolved, ["shared.staging.example"]);
+  } finally {
+    await target.close();
+  }
+});
+
 test("runBench - unsafe public inbox destination needs an explicit CLI target", async () => {
   const target = await spawnBenchmarkTarget();
   try {
@@ -343,6 +400,7 @@ scenarios:
         log: (m) => {
           message = m;
         },
+        resolveTargetAddresses: resolvePublicHost,
       },
     );
     assert.strictEqual(code, 2);
@@ -381,6 +439,7 @@ scenarios:
         log: (m) => {
           message = m;
         },
+        resolveTargetAddresses: resolvePublicHost,
       },
     );
     assert.strictEqual(code, 2);
@@ -421,6 +480,7 @@ scenarios:
         log: (m) => {
           message = m;
         },
+        resolveTargetAddresses: resolvePublicHost,
         fetch: (input) => {
           const url = new URL(input instanceof Request ? input.url : input);
           if (url.hostname === "prod.example") {

packages/cli/src/bench/action.ts

@@ -30,8 +30,8 @@ import {
 } from "./safety/gate.ts";
 import {
   classifyResolvedTarget,
-  classifyTarget,
   type ResolveTargetAddresses,
+  type TargetTier,
 } from "./safety/tiers.ts";
 import { runnerFor } from "./scenarios/registry.ts";
 import {
@@ -165,13 +165,17 @@ export default async function runBench(
 
   // Gates each resolved inbox destination (which can differ from the suite
   // target) before the runner sends load to it.
-  const assertDestinationAllowed = (
+  const assertDestinationAllowed = async (
     url: URL,
     scenario: ResolvedScenario,
-  ): void => {
+  ): Promise<void> => {
+    const destinationTier = url.origin === suite.target.origin
+      ? tier
+      : await classifyResolvedTarget(url, deps.resolveTargetAddresses);
     assertInboxDestinationAllowed(url, {
       targetOrigin: suite.target.origin,
       targetTier: tier,
+      destinationTier,
       targetBenchmarkMode: probe.benchmarkMode,
       allowUnsafe: command.allowUnsafeTarget,
       advertised: command.advertiseHost != null,
@@ -181,6 +185,7 @@ export default async function runBench(
       targetBenchmarkMode: probe.benchmarkMode,
       allowUnsafe: command.allowUnsafeTarget,
       explicitCliTarget: command.target != null,
+      destinationTier,
       suite: validated,
     });
   };
@@ -338,7 +343,7 @@ interface DryRunPlanContext {
   readonly assertDestinationAllowed: (
     url: URL,
     scenario: ResolvedScenario,
-  ) => void;
+  ) => Promise<void>;
 }
 
 async function renderPlan(
@@ -404,9 +409,11 @@ async function describeInboxDiscoveryPlan(
         `inbox ${inbox.href}`,
     );
     lines.push(
-      `  destination safety: ${
-        describeDestinationSafety(inbox, scenario, context)
-      }`,
+      `  destination safety: ${await describeDestinationSafety(
+        inbox,
+        scenario,
+        context,
+      )}`,
     );
   }
   return lines;
@@ -427,13 +434,13 @@ function describeWebFingerPlan(
   });
 }
 
-function describeDestinationSafety(
+async function describeDestinationSafety(
   inbox: URL,
   scenario: ResolvedScenario,
   context: DryRunPlanContext,
-): string {
+): Promise<string> {
   try {
-    context.assertDestinationAllowed(inbox, scenario);
+    await context.assertDestinationAllowed(inbox, scenario);
     return "allowed";
   } catch (error) {
     if (error instanceof UnsafeTargetError) {
@@ -448,6 +455,7 @@ interface PublicDestinationOverrideContext {
   readonly targetBenchmarkMode: boolean;
   readonly allowUnsafe: boolean;
   readonly explicitCliTarget: boolean;
+  readonly destinationTier: TargetTier;
   readonly suite: Suite;
 }
 
@@ -459,7 +467,7 @@ function assertPublicDestinationOverrideAllowed(
   const inheritsTargetGate = url.origin === context.targetOrigin &&
     context.targetBenchmarkMode;
   if (
-    classifyTarget(url) !== "public" || inheritsTargetGate ||
+    context.destinationTier !== "public" || inheritsTargetGate ||
     !context.allowUnsafe
   ) {
     return;

packages/cli/src/bench/safety/gate.test.ts

@@ -147,6 +147,7 @@ function destContext(
   return {
     targetOrigin: "http://127.0.0.1:3000",
     targetTier: "loopback" as const,
+    destinationTier: "public" as const,
     targetBenchmarkMode: false,
     allowUnsafe: false,
     advertised: false,
@@ -216,6 +217,18 @@ test("assertInboxDestinationAllowed - same-origin inbox uses the resolved target
   );
 });
 
+test("assertInboxDestinationAllowed - off-origin inbox uses destination tier", () => {
+  assert.doesNotThrow(() =>
+    assertInboxDestinationAllowed(
+      new URL("https://shared.staging.example/inbox"),
+      destContext({
+        destinationTier: "private",
+        advertised: true,
+      }),
+    )
+  );
+});
+
 test("assertInboxDestinationAllowed - same host, different scheme does not inherit", () => {
   // The target is https (its benchmark-mode probe covered port 443); an http
   // inbox on the same hostname is a different service (port 80), so it must not

packages/cli/src/bench/safety/gate.ts

@@ -11,7 +11,7 @@
  * @module
  */
 
-import { classifyTarget, type TargetTier } from "./tiers.ts";
+import type { TargetTier } from "./tiers.ts";
 
 /** An error raised when a target is refused by the safety gate. */
 export class UnsafeTargetError extends Error {}
@@ -124,6 +124,8 @@ export interface InboxDestinationGateContext {
   readonly targetOrigin: string;
   /** The resolved target tier used by the main safety gate. */
   readonly targetTier: TargetTier;
+  /** The resolved tier for this inbox destination. */
+  readonly destinationTier: TargetTier;
   /** Whether the gated target advertises benchmark mode. */
   readonly targetBenchmarkMode: boolean;
   /** Whether `--allow-unsafe-target` was given. */
@@ -153,7 +155,7 @@ export function assertInboxDestinationAllowed(
   context: InboxDestinationGateContext,
 ): void {
   const sameOrigin = url.origin === context.targetOrigin;
-  const tier = sameOrigin ? context.targetTier : classifyTarget(url);
+  const tier = sameOrigin ? context.targetTier : context.destinationTier;
   const inheritsTargetGate = sameOrigin &&
     context.targetBenchmarkMode;
   if (tier === "public" && !inheritsTargetGate && !context.allowUnsafe) {

packages/cli/src/bench/scenarios/inbox.ts

@@ -81,7 +81,7 @@ export const inboxRunner: ScenarioRunner = {
       const inbox = selectInbox(discovered, scenario.inbox);
       // Gate the actual load destination before sending anything to it: it can
       // differ from the gated target (a public recipient, or an explicit inbox).
-      context.assertDestinationAllowed?.(inbox);
+      await context.assertDestinationAllowed?.(inbox);
       targets.push({ inbox, actorUri: discovered.actorUri });
     }
 

packages/cli/src/bench/scenarios/runner.ts

@@ -31,11 +31,11 @@ export interface RunContext {
   readonly fetch?: typeof fetch;
   /**
    * Gates a resolved load destination (a discovered or explicit inbox URL)
-   * before any load is sent to it, throwing if it is not allowed.  The suite
-   * `target` is gated by the orchestrator; this covers destinations that differ
-   * from it.  Optional so direct runner tests need not supply it.
+   * before any load is sent to it, throwing or rejecting if it is not allowed.
+   * The suite `target` is gated by the orchestrator; this covers destinations
+   * that differ from it.  Optional so direct runner tests need not supply it.
    */
-  readonly assertDestinationAllowed?: (url: URL) => void;
+  readonly assertDestinationAllowed?: (url: URL) => void | Promise<void>;
 }
 
 /** A runner for one scenario type. */