Add std/net IPAM helpers and explicit reachability probes

[larimonious]

Summary

• Add std/net Phase 1 with IPv4/IPv6 IPAM helpers: ip_parse, subnet_contains, subnet_overlaps, subnet_split, subnet_supernet, subnet_summarize, and ip_range_to_cidrs.
• Keep ping(host, opts?) protocol-honest: Phase 1 returns a clear ICMP-unavailable Err(String) instead of silently switching to TCP.
• Add explicit TCP reachability APIs:
  • tcp_connect(host, port, opts?) for one chosen TCP port, returning connected, latency/attempt summaries, and Ok(... connected: false ...) for ordinary refused/timeout outcomes.
  • reachable(host, opts?) for high-level reachability fallback, requiring caller-provided tcp_ports and reporting method: "tcp" plus fallback_from: "icmp" instead of calling TCP “ping.”
• Register std/net in the stdlib/typechecker, generate stdlib docs, update the AI guide/design doc, and keep the runnable IPAM example.

Safety / behavior notes

• No implicit TCP fallback inside ping() and no random default ports.
• Private/internal probe targets require process opt-in (NTNT_NET_ALLOW_PRIVATE=1 or existing private-IP env) plus per-call allow_private: true.
• DNS resolution policy is applied to every resolved address before probing.
• IPv4-mapped IPv6, metadata, multicast, broadcast, unspecified, and documentation/special-purpose targets are denied by policy.
• tcp_connect() treats refused/timeout/closed ports as data (Ok(map { "connected": false, ... })), while invalid input, resolver/system failure, or policy denial remain Err(String).
• Large IPv6 address counts are returned as strings to avoid overflow; split/range helpers enforce result caps.

Verification

• cargo fmt -- --check
• git diff --check
• cargo build --profile dev-release
• cargo test
• cargo test --test std_net_tests -- --nocapture
• cargo test --lib stdlib::net::tests -- --nocapture
• ./target/dev-release/ntnt docs --generate
• ./target/dev-release/ntnt validate examples/
• ./target/dev-release/ntnt lint examples/ (0 errors; existing suggestions/warnings only)
• strict typechecker smoke: tcp_connect/reachable imports pass and bad tcp_connect(..., "443") is rejected as expected Int, got String

Design status

• DD-046 PR 1 status now reflects IPAM + protocol-honest ping() + explicit tcp_connect() + reachable().
• DNS, bounded port scan, and TLS info remain planned follow-up slices.

[greptile-apps]

Greptile Summary

This PR adds the first std/net networking and IPAM surface. It changes:

• Adds IPv4/IPv6 parsing, CIDR containment, overlap, split, supernet, summarize, and range-to-CIDR helpers.
• Adds protocol-honest ping() behavior that reports ICMP unavailability instead of silently using TCP.
• Adds explicit tcp_connect() and reachable() TCP reachability APIs with bounded options and structured probe results.
• Adds private-target and special-range policy checks for network probes.
• Registers the module in runtime/typechecker layers and updates docs, examples, and tests.

Confidence Score: 5/5

This looks safe to merge.

• No blocking issues found in the changed code.

_{Reviews (14): Last reviewed commit: "refactor: simplify std net reachability ..." | Re-trigger Greptile}

[Copilot]

Pull request overview

This PR introduces the first phase of a new std/net standard-library module, adding deterministic IPv4/IPv6 IPAM helpers plus a ping(host, opts?) reachability probe with a default unprivileged TCP fallback, and wires the module through runtime registration, typechecker signatures, docs, and examples.

Changes:

• Add src/stdlib/net.rs implementing IP/CIDR helpers (ip_parse, subnet_contains, subnet_overlaps, subnet_split, subnet_supernet, subnet_summarize, ip_range_to_cidrs) and ping() (TCP-based Phase 1).
• Register std/net in the stdlib module registry and in the typechecker module-signature map.
• Add integration/typechecker tests, a runnable example, and refresh generated docs + design/AI guide documentation; bump version to 0.4.10.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/type_checker_tests.rs	Adds lint/typechecker coverage for std/net signature acceptance/rejection.
tests/std_net_tests.rs	Adds integration tests exercising std/net runtime behavior (IPAM fields + ping policy).
src/typechecker.rs	Registers std/net function signatures for lint/typechecking.
src/stdlib/net.rs	Implements the std/net module (IPAM helpers + TCP-based ping + policy checks).
src/stdlib/mod.rs	Registers std/net in the runtime stdlib module map.
examples/std_net_ipam.tnt	Adds a runnable example showcasing IPAM helpers.
docs/SYNTAX_REFERENCE.md	Updates generated “Last updated” version marker to v0.4.10.
docs/STDLIB_REFERENCE.md	Adds generated std/net API reference section.
docs/RUNTIME_REFERENCE.md	Updates generated “Last updated” version marker to v0.4.10.
docs/IAL_REFERENCE.md	Updates generated “Last updated” version marker to v0.4.10.
docs/AI_AGENT_GUIDE.md	Documents std/net usage and private-target opt-in guidance.
design-docs/README.md	Adds entries for DD-046/DD-047 in the design-doc index.
design-docs/dd-047-std-netmon.md	Adds a new draft design doc for a future std/netmon module.
design-docs/dd-046-std-net.md	Updates/expands the std/net design doc to reflect Phase 1 implementation.
Cargo.toml	Bumps crate version to 0.4.10.
Cargo.lock	Updates locked crate version to 0.4.10.