npm - @fedify/cli - Versions diffs - 2.2.0-dev.938 → 2.2.0-dev.946 - Mend

@fedify/cli 2.2.0-dev.938 → 2.2.0-dev.946

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/deno.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import "@js-temporal/polyfill";
 //#region deno.json
-var version = "2.2.0-dev.938+94d98c0c";
+var version = "2.2.0-dev.946+1764300f";
 //#endregion
 export { version };

package/dist/lookup.js CHANGED Viewed

@@ -6,16 +6,18 @@ import { colorEnabled, colors, formatObject } from "./utils.js";
 import { configContext } from "./config.js";
 import { createTunnelServiceOption, userAgentOption } from "./options.js";
 import { renderImages } from "./imagerenderer.js";
+import { url } from "@optique/core/message";
 import { path, printError } from "@optique/run";
 import process from "node:process";
-import { argument, choice, command, constant, flag, float, integer, map, merge, message, multiple, object, option, optionNames, optional, or, string, withDefault } from "@optique/core";
+import { argument, choice, command, constant, flag, float, integer, map, merge, message as message$1, multiple, object, option, optionNames, optional, or, string, withDefault } from "@optique/core";
 import { generateCryptoKeyPair, getAuthenticatedDocumentLoader, respondWithObject } from "@fedify/fedify";
 import { Application, Collection, CryptographicKey, Object as Object$1, lookupObject, traverseCollection } from "@fedify/vocab";
 import { getLogger } from "@logtape/logtape";
 import ora from "ora";
-import { UrlError } from "@fedify/vocab-runtime";
+import { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address } from "@fedify/vocab-runtime";
 import { bindConfig } from "@optique/config";
 import { createWriteStream } from "node:fs";
+import { isIP } from "node:net";
 //#region src/lookup.ts
 const logger = getLogger([
 	"fedify",
@@ -37,27 +39,25 @@ const recurseProperties = [
 	MISSKEY_QUOTE_IRI,
 	FEDIBIRD_QUOTE_IRI
 ];
-const suppressErrorsOption = bindConfig(flag("-S", "--suppress-errors", { description: message`Suppress partial errors during traversal or recursion.` }), {
+const suppressErrorsOption = bindConfig(flag("-S", "--suppress-errors", { description: message$1`Suppress partial errors during traversal or recursion.` }), {
 	context: configContext,
 	key: (config) => config.lookup?.suppressErrors ?? false,
 	default: false
 });
-const allowPrivateAddressOption = bindConfig(flag("-p", "--allow-private-address", { description: message`Allow private IP addresses for URLs discovered \
-during traversal. This option only has an effect when used together \
-with ${optionNames(["-t", "--traverse"])}, since URLs explicitly \
-provided on the command line always allow private addresses and \
-recursive fetches via ${optionNames(["--recurse"])} always disallow \
-them.` }), {
+const allowPrivateAddressOption = bindConfig(flag("-p", "--allow-private-address", { description: message$1`Allow private IP addresses for URLs discovered \
+during traversal or recursive object fetches. Recursive JSON-LD \
+context URLs always remain blocked. URLs explicitly provided on the \
+command line always allow private addresses.` }), {
 	context: configContext,
 	key: (config) => config.lookup?.allowPrivateAddress ?? false,
 	default: false
 });
 const authorizedFetchOption = withDefault(object("Authorized fetch options", {
-	authorizedFetch: bindConfig(map(flag("-a", "--authorized-fetch", { description: message`Sign the request with an one-time key.` }), () => true), {
+	authorizedFetch: bindConfig(map(flag("-a", "--authorized-fetch", { description: message$1`Sign the request with an one-time key.` }), () => true), {
 		context: configContext,
 		key: (config) => config.lookup?.authorizedFetch ? true : void 0
 	}),
-	firstKnock: bindConfig(option("--first-knock", choice(["draft-cavage-http-signatures-12", "rfc9421"]), { description: message`The first-knock spec for ${optionNames(["-a", "--authorized-fetch"])}. It is used for the double-knocking technique.` }), {
+	firstKnock: bindConfig(option("--first-knock", choice(["draft-cavage-http-signatures-12", "rfc9421"]), { description: message$1`The first-knock spec for ${optionNames(["-a", "--authorized-fetch"])}. It is used for the double-knocking technique.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.firstKnock ?? "draft-cavage-http-signatures-12",
 		default: "draft-cavage-http-signatures-12"
@@ -70,20 +70,20 @@ const authorizedFetchOption = withDefault(object("Authorized fetch options", {
 });
 const lookupModeOption = withDefault(or(object("Recurse options", {
 	traverse: constant(false),
-	recurse: bindConfig(option("--recurse", choice(recurseProperties, { metavar: "PROPERTY" }), { description: message`Recursively follow a relationship property.` }), {
+	recurse: bindConfig(option("--recurse", choice(recurseProperties, { metavar: "PROPERTY" }), { description: message$1`Recursively follow a relationship property.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.recurse
 	}),
 	recurseDepth: withDefault(bindConfig(option("--recurse-depth", integer({
 		min: 1,
 		metavar: "DEPTH"
-	}), { description: message`Maximum recursion depth for ${optionNames(["--recurse"])}.` }), {
+	}), { description: message$1`Maximum recursion depth for ${optionNames(["--recurse"])}.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.recurseDepth
 	}), 20),
 	suppressErrors: suppressErrorsOption
 }), object("Traverse options", {
-	traverse: bindConfig(flag("-t", "--traverse", { description: message`Traverse the given collection(s) to fetch all items.` }), {
+	traverse: bindConfig(flag("-t", "--traverse", { description: message$1`Traverse the given collection(s) to fetch all items.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.traverse ?? false,
 		default: false
@@ -102,22 +102,22 @@ const lookupCommand = command("lookup", merge(object({ command: constant("lookup
 	timeout: optional(bindConfig(option("-T", "--timeout", float({
 		min: 0,
 		metavar: "SECONDS"
-	}), { description: message`Set timeout for network requests in seconds.` }), {
+	}), { description: message$1`Set timeout for network requests in seconds.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.timeout
 	}))
-})), object("Arguments", { urls: multiple(argument(string({ metavar: "URL_OR_HANDLE" }), { description: message`One or more URLs or handles to look up.` }), { min: 1 }) }), object("Output options", {
-	reverse: bindConfig(flag("--reverse", { description: message`Reverse the output order of fetched objects or items.` }), {
+})), object("Arguments", { urls: multiple(argument(string({ metavar: "URL_OR_HANDLE" }), { description: message$1`One or more URLs or handles to look up.` }), { min: 1 }) }), object("Output options", {
+	reverse: bindConfig(flag("--reverse", { description: message$1`Reverse the output order of fetched objects or items.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.reverse ?? false,
 		default: false
 	}),
-	format: bindConfig(optional(or(map(flag("-r", "--raw", { description: message`Print the fetched JSON-LD document as is.` }), () => "raw"), map(flag("-C", "--compact", { description: message`Compact the fetched JSON-LD document.` }), () => "compact"), map(flag("-e", "--expand", { description: message`Expand the fetched JSON-LD document.` }), () => "expand"))), {
+	format: bindConfig(optional(or(map(flag("-r", "--raw", { description: message$1`Print the fetched JSON-LD document as is.` }), () => "raw"), map(flag("-C", "--compact", { description: message$1`Compact the fetched JSON-LD document.` }), () => "compact"), map(flag("-e", "--expand", { description: message$1`Expand the fetched JSON-LD document.` }), () => "expand"))), {
 		context: configContext,
 		key: (config) => config.lookup?.defaultFormat ?? "default",
 		default: "default"
 	}),
-	separator: bindConfig(option("-s", "--separator", string({ metavar: "SEPARATOR" }), { description: message`Specify the separator between adjacent output objects or collection items.` }), {
+	separator: bindConfig(option("-s", "--separator", string({ metavar: "SEPARATOR" }), { description: message$1`Specify the separator between adjacent output objects or collection items.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.separator ?? "----",
 		default: "----"
@@ -126,10 +126,10 @@ const lookupCommand = command("lookup", merge(object({ command: constant("lookup
 		metavar: "OUTPUT_PATH",
 		type: "file",
 		allowCreate: true
-	}), { description: message`Specify the output file path.` }))
+	}), { description: message$1`Specify the output file path.` }))
 })), {
-	brief: message`Look up Activity Streams objects.`,
-	description: message`Look up Activity Streams objects by URL or actor handle.
+	brief: message$1`Look up Activity Streams objects.`,
+	description: message$1`Look up Activity Streams objects by URL or actor handle.
 The arguments can be either URLs or actor handles (e.g., ${"@username@domain"}), and they can be multiple.`
 });
@@ -281,13 +281,47 @@ function wrapDocumentLoaderWithTimeout(loader, timeoutSeconds) {
 function handleTimeoutError(spinner, timeoutSeconds, url) {
 	const urlText = url ? ` for: ${colors.red(url)}` : "";
 	spinner.fail(`Request timed out after ${timeoutSeconds} seconds${urlText}.`);
-	printError(message`Try increasing the timeout with -T/--timeout option or check network connectivity.`);
+	printError(message$1`Try increasing the timeout with ${optionNames(["-T", "--timeout"])} option or check network connectivity.`);
 }
 function isPrivateAddressError(error) {
 	const lowerMessage = (error instanceof Error ? error.message : String(error)).toLowerCase();
 	if (error instanceof UrlError) return lowerMessage.includes("invalid or private address") || lowerMessage.includes("localhost is not allowed");
 	return lowerMessage.includes("private address") || lowerMessage.includes("private ip") || lowerMessage.includes("localhost") || lowerMessage.includes("loopback");
 }
+function getPrivateUrlCandidate(candidate) {
+	if (typeof candidate !== "string" && !(candidate instanceof URL)) return null;
+	try {
+		const url = new URL(candidate);
+		const hostname = url.hostname;
+		if (hostname === "localhost") return url;
+		const normalized = hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
+		const ipVersion = isIP(normalized);
+		if (ipVersion === 4) return isValidPublicIPv4Address(normalized) ? null : url;
+		if (ipVersion === 6) return isValidPublicIPv6Address(expandIPv6Address(normalized)) ? null : url;
+		return null;
+	} catch {
+		return null;
+	}
+}
+function isPrivateAddressTarget(target) {
+	return getPrivateUrlCandidate(target) != null;
+}
+function getPrivateContextUrl(error) {
+	const errorMessage = error instanceof Error ? error.message : String(error);
+	if (!(error instanceof Error) || error.name !== "jsonld.InvalidUrl" || !errorMessage.includes("valid JSON-LD object")) return null;
+	const structuredError = error;
+	const structuredUrl = getPrivateUrlCandidate(structuredError.details?.url) ?? getPrivateUrlCandidate(structuredError.url);
+	if (structuredUrl != null) return structuredUrl;
+	const match = errorMessage.match(/URL:\s*"([^"]+)"/);
+	if (match == null) return null;
+	return getPrivateUrlCandidate(match[1]);
+}
+function printRecursivePrivateAddressHint() {
+	printError(message$1`The recursive target appears to be private or localhost.  Try with ${optionNames(["-p", "--allow-private-address"])}, or use ${optionNames(["-S", "--suppress-errors"])} to skip blocked steps.`);
+}
+function printRecursivePrivateContextHint(privateContextUrl) {
+	printError(message$1`Recursive JSON-LD context URL ${url(privateContextUrl)} is always blocked, even with ${optionNames(["-p", "--allow-private-address"])}.  Use ${optionNames(["-S", "--suppress-errors"])} to skip blocked steps.`);
+}
 function getLookupFailureHint(error, options = {}) {
 	if (isPrivateAddressError(error)) return options.recursive ? "recursive-private-address" : "private-address";
 	return "authorized-fetch";
@@ -303,13 +337,13 @@ function printLookupFailureHint(authLoader, error, options = {}) {
 	if (!shouldPrintLookupFailureHint(authLoader, hint)) return;
 	switch (hint) {
 		case "private-address":
-			printError(message`The URL appears to be private or localhost.  Try with -p/--allow-private-address.`);
+			printError(message$1`The URL appears to be private or localhost.  Try with ${optionNames(["-p", "--allow-private-address"])}.`);
 			return;
 		case "recursive-private-address":
-			printError(message`Recursive fetches do not allow private/localhost URLs.  Use -S/--suppress-errors to skip blocked steps, or fetch those targets explicitly without --recurse.`);
+			printRecursivePrivateAddressHint();
 			return;
 		case "authorized-fetch":
-			printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+			printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 			return;
 	}
 }
@@ -383,7 +417,7 @@ async function runLookup(command, deps = {}) {
 		...deps
 	};
 	if (command.urls.length < 1) {
-		printError(message`At least one URL or actor handle must be provided.`);
+		printError(message$1`At least one URL or actor handle must be provided.`);
 		effectiveDeps.exit(1);
 	}
 	if (command.debug) await configureLogging();
@@ -494,26 +528,12 @@ async function runLookup(command, deps = {}) {
 	}
 	spinner.text = `Looking up the ${command.recurse != null ? "object chain" : command.traverse ? "collection" : command.urls.length > 1 ? "objects" : "object"}...`;
 	if (command.recurse != null) {
-		const recursiveDocumentLoader = wrapDocumentLoaderWithTimeout(await getDocumentLoader$1({
-			userAgent: command.userAgent,
-			allowPrivateAddress: false
-		}), command.timeout);
+		const initialLookupDocumentLoader = initialAuthLoader ?? initialDocumentLoader;
+		const recursiveLookupDocumentLoader = authLoader ?? documentLoader;
 		const recursiveContextLoader = wrapDocumentLoaderWithTimeout(await getContextLoader({
 			userAgent: command.userAgent,
 			allowPrivateAddress: false
 		}), command.timeout);
-		const recursiveAuthLoader = command.authorizedFetch && authIdentity != null ? wrapDocumentLoaderWithTimeout(getAuthenticatedDocumentLoader(authIdentity, {
-			allowPrivateAddress: false,
-			userAgent: command.userAgent,
-			specDeterminer: {
-				determineSpec() {
-					return command.firstKnock;
-				},
-				rememberSpec() {}
-			}
-		}), command.timeout) : void 0;
-		const initialLookupDocumentLoader = initialAuthLoader ?? initialDocumentLoader;
-		const recursiveLookupDocumentLoader = recursiveAuthLoader ?? recursiveDocumentLoader;
 		let totalObjects = 0;
 		const recurseDepth = command.recurseDepth;
 		for (let urlIndex = 0; urlIndex < command.urls.length; urlIndex++) {
@@ -538,7 +558,7 @@ async function runLookup(command, deps = {}) {
 			}
 			if (current == null) {
 				spinner.fail(`Failed to fetch object: ${colors.red(url)}.`);
-				if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+				if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 				await finalizeAndExit(1);
 				return;
 			}
@@ -579,11 +599,18 @@ async function runLookup(command, deps = {}) {
 				if (error instanceof TimeoutError) handleTimeoutError(spinner, command.timeout);
 				else if (error instanceof RecursiveLookupError) {
 					spinner.fail(`Failed to recursively fetch object: ${colors.red(error.target)}.`);
-					if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+					if (!command.allowPrivateAddress && isPrivateAddressTarget(error.target)) printRecursivePrivateAddressHint();
+					else if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 				} else {
 					spinner.fail("Failed to recursively fetch object.");
+					const privateContextUrl = getPrivateContextUrl(error);
+					if (privateContextUrl != null) {
+						printRecursivePrivateContextHint(privateContextUrl);
+						await finalizeAndExit(1);
+						return;
+					}
 					const hint = getLookupFailureHint(error, { recursive: true });
-					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message`Use the -S/--suppress-errors option to suppress partial errors.`);
+					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message$1`Use the ${optionNames(["-S", "--suppress-errors"])} option to suppress partial errors.`);
 					else printLookupFailureHint(authLoader, error, { recursive: true });
 				}
 				await finalizeAndExit(1);
@@ -657,7 +684,7 @@ async function runLookup(command, deps = {}) {
 			}
 			if (collection == null) {
 				spinner.fail(`Failed to fetch object: ${colors.red(url)}.`);
-				if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+				if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 				await finalizeAndExit(1);
 				return;
 			}
@@ -719,7 +746,7 @@ async function runLookup(command, deps = {}) {
 				else {
 					spinner.fail(`Failed to complete the traversal for: ${colors.red(url)}.`);
 					const hint = getLookupFailureHint(error);
-					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message`Use the -S/--suppress-errors option to suppress partial errors.`);
+					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message$1`Use the ${optionNames(["-S", "--suppress-errors"])} option to suppress partial errors.`);
 					else printLookupFailureHint(authLoader, error);
 				}
 				await finalizeAndExit(1);
@@ -754,7 +781,7 @@ async function runLookup(command, deps = {}) {
 		const url = command.urls[i];
 		if (obj == null) {
 			spinner.fail(`Failed to fetch ${colors.red(url)}`);
-			if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+			if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 			success = false;
 		} else {
 			spinner.succeed(`Fetched object: ${colors.green(url)}`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/cli",
-  "version": "2.2.0-dev.938+94d98c0c",
+  "version": "2.2.0-dev.946+1764300f",
   "type": "module",
   "files": [
     "README.md",
@@ -86,14 +86,14 @@
     "smol-toml": "^1.6.0",
     "srvx": "^0.8.7",
     "valibot": "^1.2.0",
-    "@fedify/init": "2.2.0-dev.938+94d98c0c",
-    "@fedify/fedify": "2.2.0-dev.938+94d98c0c",
-    "@fedify/relay": "2.2.0-dev.938+94d98c0c",
-    "@fedify/sqlite": "2.2.0-dev.938+94d98c0c",
-    "@fedify/vocab-tools": "2.2.0-dev.938+94d98c0c",
-    "@fedify/webfinger": "2.2.0-dev.938+94d98c0c",
-    "@fedify/vocab-runtime": "2.2.0-dev.938+94d98c0c",
-    "@fedify/vocab": "2.2.0-dev.938+94d98c0c"
+    "@fedify/fedify": "2.2.0-dev.946+1764300f",
+    "@fedify/init": "2.2.0-dev.946+1764300f",
+    "@fedify/vocab-runtime": "2.2.0-dev.946+1764300f",
+    "@fedify/relay": "2.2.0-dev.946+1764300f",
+    "@fedify/vocab-tools": "2.2.0-dev.946+1764300f",
+    "@fedify/webfinger": "2.2.0-dev.946+1764300f",
+    "@fedify/sqlite": "2.2.0-dev.946+1764300f",
+    "@fedify/vocab": "2.2.0-dev.946+1764300f"
   },
   "devDependencies": {
     "@types/bun": "^1.2.23",