Security hints: opt-in external reputation, CT, and domain metadata #249

@mortenn

Part of meta issue #245.

Scope

Opt-in integrations that call third-party or public lookup services.

  • Research viable options: malware / reputation (e.g. provider APIs, keys, desktop-app terms), domain registration age (prefer RDAP where possible; note rate limits), certificate transparency via public CT APIs or aggregators if appropriate.
  • Settings: toggles, API keys where required, rate limits, failure handling.
  • Disclosure: explicit copy that hostnames or URLs may be sent to named providers; default off until the user enables.

Out of scope

  • Silent background checks on every URL without consent.
  • Replacing Phase B (local TLS to target); this issue is additive.

Deliverables

  • Short design note in the issue or docs listing chosen providers and data sent (hostname-only vs full URL).
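
Added example, not part of the issue or the project's code: a sketch of the default-off gate, the hostname-only reduction, and reading domain registration age from an RDAP domain object (the `events` array with `eventAction` "registration", per RFC 9083). `LookupSettings`, `outbound_value` and `registration_age_days` are hypothetical names, and the RDAP response is constructed sample data; no network call is made.

```python
# Hypothetical names throughout; this is not the project's API.
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

@dataclass
class LookupSettings:
    enabled: bool = False        # default off until the user enables
    hostname_only: bool = True   # send the hostname, not the full URL

def outbound_value(url, settings):
    """Return exactly what would be sent to a provider, or None if nothing may be sent."""
    if not settings.enabled:
        return None
    host = urlsplit(url).hostname  # drops scheme, userinfo, port, path, query, fragment
    if host is None:
        return None
    return host if settings.hostname_only else url

def registration_age_days(rdap_domain, now):
    """Days since the RDAP 'registration' event, or None when it cannot be determined."""
    for event in rdap_domain.get("events", []):
        if event.get("eventAction") == "registration":
            try:
                when = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
                return (now - when).days
            except (KeyError, ValueError, TypeError, AttributeError):
                return None  # failure handling: unknown age, never treated as "old"
    return None

# Constructed sample RDAP domain object (not real registry data).
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain", "ldhName": "example.test",
  "events": [
    {"eventAction": "registration", "eventDate": "2024-01-10T00:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2026-01-10T00:00:00Z"}
  ]}""")

if __name__ == "__main__":
    url = "https://user:pw@login.example.test:8443/reset?token=abc123#frag"
    print(outbound_value(url, LookupSettings()))              # nothing sent while disabled
    print(outbound_value(url, LookupSettings(enabled=True)))  # hostname only
    print(registration_age_days(SAMPLE_RDAP, datetime(2024, 2, 9, tzinfo=timezone.utc)))
```
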
