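/**
 * DNS resolution cache for URL classification.
 *
 * Resolves FQDNs to determine whether they point to public (external) or
 * private (internal/RFC 1918) addresses. Public URLs are passed through
 * without obfuscation — the LLM needs to see real URLs to make tool call
 * decisions (e.g., "fetch this page").
 *
 * Design:
 * - warmCache() is async — called in the before_prompt_build hook
 * - isPublic() is sync — checked in the obfuscation pipeline's isDocExample()
 * - Cache miss = null (unknown) → obfuscate (safe default, privacy-first)
 * - Uses only Node.js builtins (dns, net). Zero runtime dependencies.
 *
 * Review notes (this file holds declarations only, so each point is something
 * to confirm in the implementation, not a statement about it):
 * - A verdict is a snapshot taken when the name was resolved and is reused
 *   until the entry expires. It is a privacy filter for prompt text; it should
 *   not be reused as a network access control (e.g. an SSRF guard), because
 *   the address a later request connects to is resolved separately.
 * - A name can resolve to several addresses. NOTE(review): confirm a host is
 *   treated as private when ANY of its addresses is private.
 * - Resolving a name sends it to the configured resolver. NOTE(review):
 *   internal hostnames found in prompt text presumably leave the process as
 *   DNS queries — confirm that is acceptable for the deployment.
 */

/**
 * RFC 1918 + other private/reserved IPv4 ranges.
 * Returns true if the IP should be treated as internal.
 *
 * NOTE(review): which ranges beyond RFC 1918 are covered is not visible here —
 * confirm loopback (127.0.0.0/8), link-local (169.254.0.0/16) and
 * shared address space (100.64.0.0/10) are included, and what is returned for
 * a string that is not a valid IPv4 address.
 *
 * @param ip - IPv4 address in text form.
 * @returns true when the address is private/reserved.
 */
export declare function isPrivateIPv4(ip: string): boolean;

/**
 * Check if an IPv6 address is private/reserved.
 *
 * NOTE(review): confirm IPv4-mapped addresses (::ffff:a.b.c.d) are classified
 * by their embedded IPv4 address, so a private IPv4 host is not reported as
 * public through its mapped form.
 *
 * @param ip - IPv6 address in text form.
 * @returns true when the address is private/reserved.
 */
export declare function isPrivateIPv6(ip: string): boolean;

/**
 * Extract FQDN from a URL string.
 * Returns null if the URL is malformed or the host is an IP literal.
 *
 * @param url - URL string to parse.
 * @returns the host name, or null as described above.
 */
export declare function extractFqdn(url: string): string | null;

export declare class DnsCache {
  // Private members are declared without types in this declaration file.
  private _cache;
  private _ttlMs;
  private _pending;

  /**
   * @param ttlMs - presumably the lifetime of a cache entry in milliseconds;
   *   the default used when omitted is not visible here — TODO confirm.
   */
  constructor(ttlMs?: number);

  /**
   * Resolve an array of URLs and warm the cache.
   * Called from the async before_prompt_build hook.
   * Resolves all FQDNs in parallel for speed.
   *
   * The return type was a bare `Promise`, which is not valid TypeScript
   * (Promise requires a type argument); it is restored as `Promise<void>`.
   * NOTE(review): confirm the implementation resolves with no value.
   *
   * @param urls - URLs whose hosts should be resolved.
   */
  warmCache(urls: string[]): Promise<void>;

  /**
   * Check if a URL points to a public (external) host.
   *
   * Returns:
   *   true  — resolved to a public IP, safe to pass through
   *   false — resolved to a private IP, should be obfuscated
   *   null  — not in cache (DNS not yet resolved), obfuscate as safe default
   *
   * Callers must compare against `true` explicitly: both `false` and `null`
   * mean "obfuscate", and only `true` permits pass-through.
   *
   * NOTE(review): extractFqdn() returns null for IP-literal hosts, so such
   * URLs presumably yield null here (and are obfuscated) — confirm.
   */
  isPublic(url: string): boolean | null;

  /**
   * Get the resolved address for a URL (for logging/audit).
   *
   * @returns the address, or null (presumably when nothing is cached for the
   *   host — confirm).
   */
  getAddress(url: string): string | null;

  /** Number of cached entries. */
  get size(): number;

  /** Clear the cache. */
  clear(): void;

  /**
   * Pre-seed the cache (for testing with /etc/hosts or mocks).
   *
   * The `isPublic` flag is supplied by the caller and the signature does not
   * tie it to `address`. NOTE(review): whether the implementation cross-checks
   * the two is not visible here; if it does not, a seeded entry overrides the
   * classification for that host, so keep calls to test code.
   *
   * @param fqdn - host name to seed.
   * @param address - address to record for the host, or null.
   * @param isPublic - verdict to record for the host.
   */
  seed(fqdn: string, address: string | null, isPublic: boolean): void;

  private _isCached;
  private _resolve;
}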