@fedify/cli 2.2.0-dev.945 → 2.2.0-dev.949

package/dist/deno.js

@@ -1,5 +1,5 @@
 import "@js-temporal/polyfill";
 //#region deno.json
-var version = "2.2.0-dev.945+31b67787";
+var version = "2.2.0-dev.949+bd260a9f";
 //#endregion
 export { version };

package/dist/lookup.js

@@ -6,16 +6,18 @@ import { colorEnabled, colors, formatObject } from "./utils.js";
 import { configContext } from "./config.js";
 import { createTunnelServiceOption, userAgentOption } from "./options.js";
 import { renderImages } from "./imagerenderer.js";
+import { url } from "@optique/core/message";
 import { path, printError } from "@optique/run";
 import process from "node:process";
-import { argument, choice, command, constant, flag, float, integer, map, merge, message, multiple, object, option, optionNames, optional, or, string, withDefault } from "@optique/core";
+import { argument, choice, command, constant, flag, float, integer, map, merge, message as message$1, multiple, object, option, optionNames, optional, or, string, withDefault } from "@optique/core";
 import { generateCryptoKeyPair, getAuthenticatedDocumentLoader, respondWithObject } from "@fedify/fedify";
 import { Application, Collection, CryptographicKey, Object as Object$1, lookupObject, traverseCollection } from "@fedify/vocab";
 import { getLogger } from "@logtape/logtape";
 import ora from "ora";
-import { UrlError } from "@fedify/vocab-runtime";
+import { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address } from "@fedify/vocab-runtime";
 import { bindConfig } from "@optique/config";
 import { createWriteStream } from "node:fs";
+import { isIP } from "node:net";
 //#region src/lookup.ts
 const logger = getLogger([
 	"fedify",
@@ -37,27 +39,25 @@ const recurseProperties = [
 	MISSKEY_QUOTE_IRI,
 	FEDIBIRD_QUOTE_IRI
 ];
-const suppressErrorsOption = bindConfig(flag("-S", "--suppress-errors", { description: message`Suppress partial errors during traversal or recursion.` }), {
+const suppressErrorsOption = bindConfig(flag("-S", "--suppress-errors", { description: message$1`Suppress partial errors during traversal or recursion.` }), {
 	context: configContext,
 	key: (config) => config.lookup?.suppressErrors ?? false,
 	default: false
 });
-const allowPrivateAddressOption = bindConfig(flag("-p", "--allow-private-address", { description: message`Allow private IP addresses for URLs discovered \
-during traversal. This option only has an effect when used together \
-with ${optionNames(["-t", "--traverse"])}, since URLs explicitly \
-provided on the command line always allow private addresses and \
-recursive fetches via ${optionNames(["--recurse"])} always disallow \
-them.` }), {
+const allowPrivateAddressOption = bindConfig(flag("-p", "--allow-private-address", { description: message$1`Allow private IP addresses for URLs discovered \
+during traversal or recursive object fetches. Recursive JSON-LD \
+context URLs always remain blocked. URLs explicitly provided on the \
+command line always allow private addresses.` }), {
 	context: configContext,
 	key: (config) => config.lookup?.allowPrivateAddress ?? false,
 	default: false
 });
 const authorizedFetchOption = withDefault(object("Authorized fetch options", {
-	authorizedFetch: bindConfig(map(flag("-a", "--authorized-fetch", { description: message`Sign the request with an one-time key.` }), () => true), {
+	authorizedFetch: bindConfig(map(flag("-a", "--authorized-fetch", { description: message$1`Sign the request with an one-time key.` }), () => true), {
 		context: configContext,
 		key: (config) => config.lookup?.authorizedFetch ? true : void 0
 	}),
-	firstKnock: bindConfig(option("--first-knock", choice(["draft-cavage-http-signatures-12", "rfc9421"]), { description: message`The first-knock spec for ${optionNames(["-a", "--authorized-fetch"])}. It is used for the double-knocking technique.` }), {
+	firstKnock: bindConfig(option("--first-knock", choice(["draft-cavage-http-signatures-12", "rfc9421"]), { description: message$1`The first-knock spec for ${optionNames(["-a", "--authorized-fetch"])}. It is used for the double-knocking technique.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.firstKnock ?? "draft-cavage-http-signatures-12",
 		default: "draft-cavage-http-signatures-12"
@@ -70,20 +70,20 @@ const authorizedFetchOption = withDefault(object("Authorized fetch options", {
 });
 const lookupModeOption = withDefault(or(object("Recurse options", {
 	traverse: constant(false),
-	recurse: bindConfig(option("--recurse", choice(recurseProperties, { metavar: "PROPERTY" }), { description: message`Recursively follow a relationship property.` }), {
+	recurse: bindConfig(option("--recurse", choice(recurseProperties, { metavar: "PROPERTY" }), { description: message$1`Recursively follow a relationship property.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.recurse
 	}),
 	recurseDepth: withDefault(bindConfig(option("--recurse-depth", integer({
 		min: 1,
 		metavar: "DEPTH"
-	}), { description: message`Maximum recursion depth for ${optionNames(["--recurse"])}.` }), {
+	}), { description: message$1`Maximum recursion depth for ${optionNames(["--recurse"])}.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.recurseDepth
 	}), 20),
 	suppressErrors: suppressErrorsOption
 }), object("Traverse options", {
-	traverse: bindConfig(flag("-t", "--traverse", { description: message`Traverse the given collection(s) to fetch all items.` }), {
+	traverse: bindConfig(flag("-t", "--traverse", { description: message$1`Traverse the given collection(s) to fetch all items.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.traverse ?? false,
 		default: false
@@ -102,22 +102,22 @@ const lookupCommand = command("lookup", merge(object({ command: constant("lookup
 	timeout: optional(bindConfig(option("-T", "--timeout", float({
 		min: 0,
 		metavar: "SECONDS"
-	}), { description: message`Set timeout for network requests in seconds.` }), {
+	}), { description: message$1`Set timeout for network requests in seconds.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.timeout
 	}))
-})), object("Arguments", { urls: multiple(argument(string({ metavar: "URL_OR_HANDLE" }), { description: message`One or more URLs or handles to look up.` }), { min: 1 }) }), object("Output options", {
-	reverse: bindConfig(flag("--reverse", { description: message`Reverse the output order of fetched objects or items.` }), {
+})), object("Arguments", { urls: multiple(argument(string({ metavar: "URL_OR_HANDLE" }), { description: message$1`One or more URLs or handles to look up.` }), { min: 1 }) }), object("Output options", {
+	reverse: bindConfig(flag("--reverse", { description: message$1`Reverse the output order of fetched objects or items.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.reverse ?? false,
 		default: false
 	}),
-	format: bindConfig(optional(or(map(flag("-r", "--raw", { description: message`Print the fetched JSON-LD document as is.` }), () => "raw"), map(flag("-C", "--compact", { description: message`Compact the fetched JSON-LD document.` }), () => "compact"), map(flag("-e", "--expand", { description: message`Expand the fetched JSON-LD document.` }), () => "expand"))), {
+	format: bindConfig(optional(or(map(flag("-r", "--raw", { description: message$1`Print the fetched JSON-LD document as is.` }), () => "raw"), map(flag("-C", "--compact", { description: message$1`Compact the fetched JSON-LD document.` }), () => "compact"), map(flag("-e", "--expand", { description: message$1`Expand the fetched JSON-LD document.` }), () => "expand"))), {
 		context: configContext,
 		key: (config) => config.lookup?.defaultFormat ?? "default",
 		default: "default"
 	}),
-	separator: bindConfig(option("-s", "--separator", string({ metavar: "SEPARATOR" }), { description: message`Specify the separator between adjacent output objects or collection items.` }), {
+	separator: bindConfig(option("-s", "--separator", string({ metavar: "SEPARATOR" }), { description: message$1`Specify the separator between adjacent output objects or collection items.` }), {
 		context: configContext,
 		key: (config) => config.lookup?.separator ?? "----",
 		default: "----"
@@ -126,10 +126,10 @@ const lookupCommand = command("lookup", merge(object({ command: constant("lookup
 		metavar: "OUTPUT_PATH",
 		type: "file",
 		allowCreate: true
-	}), { description: message`Specify the output file path.` }))
+	}), { description: message$1`Specify the output file path.` }))
 })), {
-	brief: message`Look up Activity Streams objects.`,
-	description: message`Look up Activity Streams objects by URL or actor handle.
+	brief: message$1`Look up Activity Streams objects.`,
+	description: message$1`Look up Activity Streams objects by URL or actor handle.
 
 The arguments can be either URLs or actor handles (e.g., ${"@username@domain"}), and they can be multiple.`
 });
@@ -281,13 +281,47 @@ function wrapDocumentLoaderWithTimeout(loader, timeoutSeconds) {
 function handleTimeoutError(spinner, timeoutSeconds, url) {
 	const urlText = url ? ` for: ${colors.red(url)}` : "";
 	spinner.fail(`Request timed out after ${timeoutSeconds} seconds${urlText}.`);
-	printError(message`Try increasing the timeout with -T/--timeout option or check network connectivity.`);
+	printError(message$1`Try increasing the timeout with ${optionNames(["-T", "--timeout"])} option or check network connectivity.`);
 }
 function isPrivateAddressError(error) {
 	const lowerMessage = (error instanceof Error ? error.message : String(error)).toLowerCase();
 	if (error instanceof UrlError) return lowerMessage.includes("invalid or private address") || lowerMessage.includes("localhost is not allowed");
 	return lowerMessage.includes("private address") || lowerMessage.includes("private ip") || lowerMessage.includes("localhost") || lowerMessage.includes("loopback");
 }
+function getPrivateUrlCandidate(candidate) {
+	if (typeof candidate !== "string" && !(candidate instanceof URL)) return null;
+	try {
+		const url = new URL(candidate);
+		const hostname = url.hostname;
+		if (hostname === "localhost") return url;
+		const normalized = hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
+		const ipVersion = isIP(normalized);
+		if (ipVersion === 4) return isValidPublicIPv4Address(normalized) ? null : url;
+		if (ipVersion === 6) return isValidPublicIPv6Address(expandIPv6Address(normalized)) ? null : url;
+		return null;
+	} catch {
+		return null;
+	}
+}
+function isPrivateAddressTarget(target) {
+	return getPrivateUrlCandidate(target) != null;
+}
+function getPrivateContextUrl(error) {
+	const errorMessage = error instanceof Error ? error.message : String(error);
+	if (!(error instanceof Error) || error.name !== "jsonld.InvalidUrl" || !errorMessage.includes("valid JSON-LD object")) return null;
+	const structuredError = error;
+	const structuredUrl = getPrivateUrlCandidate(structuredError.details?.url) ?? getPrivateUrlCandidate(structuredError.url);
+	if (structuredUrl != null) return structuredUrl;
+	const match = errorMessage.match(/URL:\s*"([^"]+)"/);
+	if (match == null) return null;
+	return getPrivateUrlCandidate(match[1]);
+}
+function printRecursivePrivateAddressHint() {
+	printError(message$1`The recursive target appears to be private or localhost.  Try with ${optionNames(["-p", "--allow-private-address"])}, or use ${optionNames(["-S", "--suppress-errors"])} to skip blocked steps.`);
+}
+function printRecursivePrivateContextHint(privateContextUrl) {
+	printError(message$1`Recursive JSON-LD context URL ${url(privateContextUrl)} is always blocked, even with ${optionNames(["-p", "--allow-private-address"])}.  Use ${optionNames(["-S", "--suppress-errors"])} to skip blocked steps.`);
+}
 function getLookupFailureHint(error, options = {}) {
 	if (isPrivateAddressError(error)) return options.recursive ? "recursive-private-address" : "private-address";
 	return "authorized-fetch";
@@ -303,13 +337,13 @@ function printLookupFailureHint(authLoader, error, options = {}) {
 	if (!shouldPrintLookupFailureHint(authLoader, hint)) return;
 	switch (hint) {
 		case "private-address":
-			printError(message`The URL appears to be private or localhost.  Try with -p/--allow-private-address.`);
+			printError(message$1`The URL appears to be private or localhost.  Try with ${optionNames(["-p", "--allow-private-address"])}.`);
 			return;
 		case "recursive-private-address":
-			printError(message`Recursive fetches do not allow private/localhost URLs.  Use -S/--suppress-errors to skip blocked steps, or fetch those targets explicitly without --recurse.`);
+			printRecursivePrivateAddressHint();
 			return;
 		case "authorized-fetch":
-			printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+			printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 			return;
 	}
 }
@@ -383,7 +417,7 @@ async function runLookup(command, deps = {}) {
 		...deps
 	};
 	if (command.urls.length < 1) {
-		printError(message`At least one URL or actor handle must be provided.`);
+		printError(message$1`At least one URL or actor handle must be provided.`);
 		effectiveDeps.exit(1);
 	}
 	if (command.debug) await configureLogging();
@@ -494,26 +528,12 @@ async function runLookup(command, deps = {}) {
 	}
 	spinner.text = `Looking up the ${command.recurse != null ? "object chain" : command.traverse ? "collection" : command.urls.length > 1 ? "objects" : "object"}...`;
 	if (command.recurse != null) {
-		const recursiveDocumentLoader = wrapDocumentLoaderWithTimeout(await getDocumentLoader$1({
-			userAgent: command.userAgent,
-			allowPrivateAddress: false
-		}), command.timeout);
+		const initialLookupDocumentLoader = initialAuthLoader ?? initialDocumentLoader;
+		const recursiveLookupDocumentLoader = authLoader ?? documentLoader;
 		const recursiveContextLoader = wrapDocumentLoaderWithTimeout(await getContextLoader({
 			userAgent: command.userAgent,
 			allowPrivateAddress: false
 		}), command.timeout);
-		const recursiveAuthLoader = command.authorizedFetch && authIdentity != null ? wrapDocumentLoaderWithTimeout(getAuthenticatedDocumentLoader(authIdentity, {
-			allowPrivateAddress: false,
-			userAgent: command.userAgent,
-			specDeterminer: {
-				determineSpec() {
-					return command.firstKnock;
-				},
-				rememberSpec() {}
-			}
-		}), command.timeout) : void 0;
-		const initialLookupDocumentLoader = initialAuthLoader ?? initialDocumentLoader;
-		const recursiveLookupDocumentLoader = recursiveAuthLoader ?? recursiveDocumentLoader;
 		let totalObjects = 0;
 		const recurseDepth = command.recurseDepth;
 		for (let urlIndex = 0; urlIndex < command.urls.length; urlIndex++) {
@@ -538,7 +558,7 @@ async function runLookup(command, deps = {}) {
 			}
 			if (current == null) {
 				spinner.fail(`Failed to fetch object: ${colors.red(url)}.`);
-				if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+				if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 				await finalizeAndExit(1);
 				return;
 			}
@@ -579,11 +599,18 @@ async function runLookup(command, deps = {}) {
 				if (error instanceof TimeoutError) handleTimeoutError(spinner, command.timeout);
 				else if (error instanceof RecursiveLookupError) {
 					spinner.fail(`Failed to recursively fetch object: ${colors.red(error.target)}.`);
-					if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+					if (!command.allowPrivateAddress && isPrivateAddressTarget(error.target)) printRecursivePrivateAddressHint();
+					else if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 				} else {
 					spinner.fail("Failed to recursively fetch object.");
+					const privateContextUrl = getPrivateContextUrl(error);
+					if (privateContextUrl != null) {
+						printRecursivePrivateContextHint(privateContextUrl);
+						await finalizeAndExit(1);
+						return;
+					}
 					const hint = getLookupFailureHint(error, { recursive: true });
-					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message`Use the -S/--suppress-errors option to suppress partial errors.`);
+					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message$1`Use the ${optionNames(["-S", "--suppress-errors"])} option to suppress partial errors.`);
 					else printLookupFailureHint(authLoader, error, { recursive: true });
 				}
 				await finalizeAndExit(1);
@@ -657,7 +684,7 @@ async function runLookup(command, deps = {}) {
 			}
 			if (collection == null) {
 				spinner.fail(`Failed to fetch object: ${colors.red(url)}.`);
-				if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+				if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 				await finalizeAndExit(1);
 				return;
 			}
@@ -719,7 +746,7 @@ async function runLookup(command, deps = {}) {
 				else {
 					spinner.fail(`Failed to complete the traversal for: ${colors.red(url)}.`);
 					const hint = getLookupFailureHint(error);
-					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message`Use the -S/--suppress-errors option to suppress partial errors.`);
+					if (shouldSuggestSuppressErrorsForLookupFailure(authLoader, hint)) printError(message$1`Use the ${optionNames(["-S", "--suppress-errors"])} option to suppress partial errors.`);
 					else printLookupFailureHint(authLoader, error);
 				}
 				await finalizeAndExit(1);
@@ -754,7 +781,7 @@ async function runLookup(command, deps = {}) {
 		const url = command.urls[i];
 		if (obj == null) {
 			spinner.fail(`Failed to fetch ${colors.red(url)}`);
-			if (authLoader == null) printError(message`It may be a private object.  Try with -a/--authorized-fetch.`);
+			if (authLoader == null) printError(message$1`It may be a private object.  Try with ${optionNames(["-a", "--authorized-fetch"])}.`);
 			success = false;
 		} else {
 			spinner.succeed(`Fetched object: ${colors.green(url)}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/cli",
-  "version": "2.2.0-dev.945+31b67787",
+  "version": "2.2.0-dev.949+bd260a9f",
   "type": "module",
   "files": [
     "README.md",
@@ -86,14 +86,14 @@
     "smol-toml": "^1.6.0",
     "srvx": "^0.8.7",
     "valibot": "^1.2.0",
-    "@fedify/fedify": "2.2.0-dev.945+31b67787",
-    "@fedify/relay": "2.2.0-dev.945+31b67787",
-    "@fedify/init": "2.2.0-dev.945+31b67787",
-    "@fedify/vocab": "2.2.0-dev.945+31b67787",
-    "@fedify/vocab-tools": "2.2.0-dev.945+31b67787",
-    "@fedify/webfinger": "2.2.0-dev.945+31b67787",
-    "@fedify/sqlite": "2.2.0-dev.945+31b67787",
-    "@fedify/vocab-runtime": "2.2.0-dev.945+31b67787"
+    "@fedify/fedify": "2.2.0-dev.949+bd260a9f",
+    "@fedify/init": "2.2.0-dev.949+bd260a9f",
+    "@fedify/relay": "2.2.0-dev.949+bd260a9f",
+    "@fedify/vocab": "2.2.0-dev.949+bd260a9f",
+    "@fedify/vocab-runtime": "2.2.0-dev.949+bd260a9f",
+    "@fedify/sqlite": "2.2.0-dev.949+bd260a9f",
+    "@fedify/vocab-tools": "2.2.0-dev.949+bd260a9f",
+    "@fedify/webfinger": "2.2.0-dev.949+bd260a9f"
   },
   "devDependencies": {
     "@types/bun": "^1.2.23",