@fedify/cli 2.3.0-dev.1258 → 2.3.0-dev.1274

package/dist/bench/action.js

@@ -1,6 +1,9 @@
 import "@js-temporal/polyfill";
 import { getContextLoader, getDocumentLoader } from "../docloader.js";
+import { describeError } from "../utils.js";
 import { buildFleet } from "./actor/fleet.js";
+import { convertUrlIfHandle } from "../webfinger/lib.js";
+import { discoverInbox, selectInbox } from "./discovery/discover.js";
 import { validateExpectBlock } from "./result/expect/evaluate.js";
 import { buildReport, buildScenarioResult, configHash, detectEnvironment } from "./result/build.js";
 import { probeBenchmarkMode } from "./discovery/probe.js";
@@ -8,8 +11,8 @@ import { renderReport } from "./render/index.js";
 import { loadSuiteFile, renderSuiteTemplates } from "./scenario/load.js";
 import { normalizeSuite } from "./scenario/normalize.js";
 import { validateSuite } from "./scenario/validate.js";
-import { classifyTarget } from "./safety/tiers.js";
-import { UnsafeTargetError, assertInboxDestinationAllowed, assertTargetAllowed } from "./safety/gate.js";
+import { UnsafeTargetError, assertInboxDestinationAllowed, assertTargetAllowed, assertUnsafeOverrideAllowed } from "./safety/gate.js";
+import { classifyResolvedTarget } from "./safety/tiers.js";
 import { runnerFor } from "./scenarios/registry.js";
 import { resolveAdvertiseHost, spawnSyntheticServer } from "./server/synthetic.js";
 import { writeFile } from "node:fs/promises";
@@ -38,7 +41,7 @@ async function runBench(command, deps = {}) {
 		validated = validateSuite(renderSuiteTemplates(await loadSuiteFile(command.scenario), command.target), command.scenario);
 		suite = normalizeSuite(validated, { target: command.target });
 	} catch (error) {
-		log(error instanceof Error ? error.message : String(error));
+		log(describeError(error));
 		exit(2);
 		return;
 	}
@@ -52,23 +55,25 @@ async function runBench(command, deps = {}) {
 		});
 		if (command.advertiseHost != null) resolveAdvertiseHost(command.advertiseHost);
 	} catch (error) {
-		log(error instanceof Error ? error.message : String(error));
+		log(describeError(error));
 		exit(2);
 		return;
 	}
-	if (command.dryRun) {
-		await writeOutput(renderPlan(suite), command.output);
-		exit(0);
-		return;
-	}
-	const tier = classifyTarget(suite.target);
+	const tier = await classifyResolvedTarget(suite.target, deps.resolveTargetAddresses);
 	const probe = await probeBenchmarkMode(suite.target, fetchImpl);
 	try {
+		if (!command.dryRun) assertUnsafeOverrideAllowed({
+			tier,
+			benchmarkMode: probe.benchmarkMode,
+			allowUnsafe: command.allowUnsafeTarget,
+			explicitCliTarget: command.target != null,
+			scenarios: unsafeOverrideScenarios(validated)
+		});
 		assertTargetAllowed({
 			tier,
 			benchmarkMode: probe.benchmarkMode,
 			allowUnsafe: command.allowUnsafeTarget,
-			dryRun: false
+			dryRun: command.dryRun
 		});
 	} catch (error) {
 		if (error instanceof UnsafeTargetError) {
@@ -78,11 +83,6 @@ async function runBench(command, deps = {}) {
 		}
 		throw error;
 	}
-	if (tier !== "loopback" && command.advertiseHost == null && suite.scenarios.some((s) => SIGNED_TYPES.has(s.type))) {
-		log("Signed scenarios (inbox) need the benchmark's synthetic actor server to be reachable from the target.  A loopback target reaches it automatically; for a non-loopback target, pass --advertise-host with an address the target can reach (the synthetic server then binds all interfaces), or use a read scenario such as webfinger.");
-		exit(2);
-		return;
-	}
 	const allowPrivateAddress = tier !== "public";
 	const documentLoader = await getDocumentLoader({
 		allowPrivateAddress,
@@ -92,12 +92,44 @@ async function runBench(command, deps = {}) {
 		allowPrivateAddress,
 		userAgent: command.userAgent
 	});
-	const assertDestinationAllowed = (url) => assertInboxDestinationAllowed(url, {
-		targetOrigin: suite.target.origin,
-		targetBenchmarkMode: probe.benchmarkMode,
-		allowUnsafe: command.allowUnsafeTarget,
-		advertised: command.advertiseHost != null
-	});
+	const assertDestinationAllowed = async (url, scenario) => {
+		const destinationTier = url.origin === suite.target.origin ? tier : await classifyResolvedTarget(url, deps.resolveTargetAddresses);
+		assertInboxDestinationAllowed(url, {
+			targetOrigin: suite.target.origin,
+			targetTier: tier,
+			destinationTier,
+			targetBenchmarkMode: probe.benchmarkMode,
+			allowUnsafe: command.allowUnsafeTarget,
+			advertised: command.advertiseHost != null
+		});
+		assertPublicDestinationOverrideAllowed(url, scenario, {
+			targetOrigin: suite.target.origin,
+			targetBenchmarkMode: probe.benchmarkMode,
+			allowUnsafe: command.allowUnsafeTarget,
+			explicitCliTarget: command.target != null,
+			destinationTier,
+			defaults: validated.defaults
+		});
+	};
+	if (command.dryRun) try {
+		await writeOutput(await renderPlan(suite, {
+			documentLoader,
+			contextLoader,
+			allowPrivateAddress,
+			assertDestinationAllowed
+		}), command.output);
+		exit(0);
+		return;
+	} catch (error) {
+		log(describeError(error));
+		exit(2);
+		return;
+	}
+	if (tier !== "loopback" && command.advertiseHost == null && suite.scenarios.some((s) => SIGNED_TYPES.has(s.type))) {
+		log("Signed scenarios (inbox) need the benchmark's synthetic actor server to be reachable from the target.  A loopback target reaches it automatically; for a non-loopback target, pass --advertise-host with an address the target can reach (the synthetic server then binds all interfaces), or use a read scenario such as webfinger.");
+		exit(2);
+		return;
+	}
 	let fleet;
 	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
 	try {
@@ -114,7 +146,7 @@ async function runBench(command, deps = {}) {
 				allowPrivateAddress,
 				fleet: fleet ?? null,
 				fetch: fetchImpl,
-				assertDestinationAllowed
+				assertDestinationAllowed: (url) => assertDestinationAllowed(url, scenario)
 			});
 			results.push(buildScenarioResult(scenario, measurement));
 		}
@@ -185,19 +217,93 @@ async function defaultWriteOutput(content, outputPath) {
 	}
 	await writeFile(outputPath, content, { encoding: "utf-8" });
 }
-function renderPlan(suite) {
+async function renderPlan(suite, context) {
 	const lines = [
 		"Fedify benchmark plan (dry run)",
 		"",
 		`Target: ${suite.target.href}`,
 		""
 	];
-	for (const scenario of suite.scenarios) lines.push(`- ${scenario.name} (${scenario.type}): ${describePlan(scenario)}`);
-	lines.push("", "No requests were sent.");
+	for (const scenario of suite.scenarios) {
+		lines.push(`- ${scenario.name} (${scenario.type}): ${describePlan(scenario)}`);
+		lines.push(...await describeDiscoveryPlan(scenario, suite, context));
+	}
+	lines.push("", "No benchmark load was sent.  Discovery and stats probe requests may have been sent.");
 	return `${lines.join("\n")}\n`;
 }
 function describePlan(scenario) {
 	return `${scenario.load.kind === "open" ? `open-loop ${scenario.load.ratePerSec}/s ${scenario.load.arrival}` : `closed-loop concurrency ${scenario.load.concurrency}`}, duration ${scenario.durationMs}ms, signing ${scenario.signing}`;
 }
+async function describeDiscoveryPlan(scenario, suite, context) {
+	switch (scenario.type) {
+		case "inbox": return await describeInboxDiscoveryPlan(scenario, context);
+		case "webfinger": return describeWebFingerPlan(scenario, suite.target);
+		default: return ["  discovery: not available for this scenario type"];
+	}
+}
+async function describeInboxDiscoveryPlan(scenario, context) {
+	const lines = [];
+	for (const recipient of scenario.recipients) {
+		let discovered;
+		try {
+			discovered = await discoverInbox(recipient, {
+				documentLoader: context.documentLoader,
+				contextLoader: context.contextLoader,
+				allowPrivateAddress: context.allowPrivateAddress
+			});
+		} catch (error) {
+			lines.push(`  recipient ${recipient}: discovery failed (${describeError(error)})`);
+			continue;
+		}
+		const inbox = selectInbox(discovered, scenario.inbox);
+		lines.push(`  recipient ${recipient}: actor ${discovered.actorUri.href}, inbox ${inbox.href}`);
+		lines.push(`  destination safety: ${await describeDestinationSafety(inbox, scenario, context)}`);
+	}
+	return lines;
+}
+function describeWebFingerPlan(scenario, target) {
+	return (scenario.recipients.length > 0 ? scenario.recipients : [target.href]).map((recipient) => {
+		const resource = convertUrlIfHandle(recipient).href;
+		const url = new URL("/.well-known/webfinger", target);
+		url.searchParams.set("resource", resource);
+		return `  webfinger ${resource}: GET ${url.href}`;
+	});
+}
+async function describeDestinationSafety(inbox, scenario, context) {
+	try {
+		await context.assertDestinationAllowed(inbox, scenario);
+		return "allowed";
+	} catch (error) {
+		if (error instanceof UnsafeTargetError) return `would be refused: ${error.message}`;
+		throw error;
+	}
+}
+function assertPublicDestinationOverrideAllowed(url, scenario, context) {
+	const inheritsTargetGate = url.origin === context.targetOrigin && context.targetBenchmarkMode;
+	if (context.destinationTier !== "public" || inheritsTargetGate || !context.allowUnsafe) return;
+	assertUnsafeOverrideAllowed({
+		tier: "public",
+		benchmarkMode: false,
+		allowUnsafe: true,
+		explicitCliTarget: context.explicitCliTarget,
+		scenarios: [unsafeOverrideScenario(scenario, context.defaults)]
+	});
+}
+function unsafeOverrideScenarios(suite) {
+	return suite.scenarios.map((scenario) => unsafeOverrideScenario(scenario, suite.defaults));
+}
+function unsafeOverrideScenario(scenario, defaults) {
+	const defaultDuration = defaults?.duration != null;
+	const defaultLoad = hasExplicitLoad(defaults?.load);
+	const raw = "raw" in scenario ? scenario.raw : scenario;
+	return {
+		name: scenario.name,
+		explicitDuration: raw.duration != null || defaultDuration,
+		explicitLoad: hasExplicitLoad(raw.load) || defaultLoad
+	};
+}
+function hasExplicitLoad(load) {
+	return load != null && typeof load === "object" && ("rate" in load && load.rate != null || "concurrency" in load && load.concurrency != null);
+}
 //#endregion
 export { runBench as default };

package/dist/bench/command.js

@@ -22,7 +22,7 @@ const benchCommand = command("bench", merge("Benchmark options", object({
 	target: optional(option("-t", "--target", string({ metavar: "URL" }), { description: message`Override the target URL declared in the suite.` })),
 	format: formatOption,
 	output: optional(option("-o", "--output", string({ metavar: "OUTPUT_PATH" }), { description: message`Write the report to a file instead of standard output.` })),
-	dryRun: withDefault(flag("--dry-run", { description: message`Print the normalized plan without contacting the target or \
+	dryRun: withDefault(flag("--dry-run", { description: message`Resolve discovery and print the benchmark plan without \
 sending load.` }), false),
 	advertiseHost: optional(option("--advertise-host", string({ metavar: "HOST" }), { description: message`Host (name or IP) a non-loopback target can reach the \
 benchmark's synthetic actor server at.  Required for signed scenarios against a \

package/dist/bench/safety/gate.js

@@ -1,18 +1,5 @@
 import "@js-temporal/polyfill";
-import { classifyTarget } from "./tiers.js";
 //#region src/bench/safety/gate.ts
-/**
-* The client-side safety gate.
-*
-* A run is allowed without friction when the target is loopback/private or
-* advertises benchmark mode (the operator's "not production" assertion).  Only
-* a public target that does not advertise benchmark mode is gated, behind an
-* explicit `--allow-unsafe-target`.  There is no interactive prompt, so the
-* flag is mandatory in CI and any non-TTY context.  An inspection-only run
-* (the `dryRun` flag) sends no load, so it bypasses the gate.
-* @since 2.3.0
-* @module
-*/
 /** An error raised when a target is refused by the safety gate. */
 var UnsafeTargetError = class extends Error {};
 /**
@@ -29,6 +16,24 @@ function assertTargetAllowed(context) {
 	throw new UnsafeTargetError("Refusing to benchmark a public target that does not advertise benchmark mode.  If you control this target, pass --allow-unsafe-target (mandatory in CI and any non-interactive context).");
 }
 /**
+* Asserts that an unsafe public-target override is specific and bounded.
+*
+* The override is only meaningful for a public target that does not advertise
+* benchmark mode.  In that caution tier, the operator must name the target on
+* the command line for this run and must explicitly set load and duration, so
+* the built-in defaults cannot accidentally create a long public benchmark.
+* @param context The unsafe override decision inputs.
+* @throws {UnsafeTargetError} If the unsafe override is too broad.
+*/
+function assertUnsafeOverrideAllowed(context) {
+	if (context.tier !== "public" || context.benchmarkMode || !context.allowUnsafe) return;
+	if (!context.explicitCliTarget) throw new UnsafeTargetError("The --allow-unsafe-target override must be paired with an explicit --target for this run.");
+	for (const scenario of context.scenarios) {
+		if (!scenario.explicitLoad) throw new UnsafeTargetError(`Scenario "${scenario.name}" uses the built-in benchmark load default.  Set rate or concurrency explicitly before using --allow-unsafe-target against a public target.`);
+		if (!scenario.explicitDuration) throw new UnsafeTargetError(`Scenario "${scenario.name}" uses the built-in benchmark duration default.  Set duration explicitly before using --allow-unsafe-target against a public target.`);
+	}
+}
+/**
 * Asserts that a resolved inbox URL — the actual destination of signed
 * benchmark load — may be sent to.  The suite's `target` is gated separately by
 * {@link assertTargetAllowed}; this catches a destination that differs from it
@@ -45,10 +50,11 @@ function assertTargetAllowed(context) {
 * @throws {UnsafeTargetError} If the destination is refused.
 */
 function assertInboxDestinationAllowed(url, context) {
-	const tier = classifyTarget(url);
-	const inheritsTargetGate = url.origin === context.targetOrigin && context.targetBenchmarkMode;
+	const sameOrigin = url.origin === context.targetOrigin;
+	const tier = sameOrigin ? context.targetTier : context.destinationTier;
+	const inheritsTargetGate = sameOrigin && context.targetBenchmarkMode;
 	if (tier === "public" && !inheritsTargetGate && !context.allowUnsafe) throw new UnsafeTargetError(`Refusing to send benchmark load to ${url.href}: it is a public inbox that is neither part of the benchmarked target nor covered by benchmark mode.  Pass --allow-unsafe-target to override.`);
 	if (tier !== "loopback" && !context.advertised) throw new UnsafeTargetError(`Refusing to send signed benchmark load to ${url.href}: the synthetic actor server is unreachable from a non-loopback inbox.  Pass --advertise-host with an address it can reach.`);
 }
 //#endregion
-export { UnsafeTargetError, assertInboxDestinationAllowed, assertTargetAllowed };
+export { UnsafeTargetError, assertInboxDestinationAllowed, assertTargetAllowed, assertUnsafeOverrideAllowed };

package/dist/bench/safety/tiers.js

@@ -1,6 +1,18 @@
 import "@js-temporal/polyfill";
+import { lookup } from "node:dns/promises";
 //#region src/bench/safety/tiers.ts
 /**
+* Target risk classification.
+*
+* A target is `loopback` or `private` when it is clearly one of the operator's
+* own boxes, and `public` otherwise.  Classification is conservative: a host
+* that is not obviously loopback or private is treated as `public` (the gated
+* tier), since the tool cannot tell staging from production without resolving
+* and trusting DNS.
+* @since 2.3.0
+* @module
+*/
+/**
 * Classifies a target URL into a risk tier from its host.
 * @param target The target URL.
 * @returns The risk tier.
@@ -14,6 +26,50 @@ function classifyTarget(target) {
 	if (host.includes(":")) return classifyIpv6(host);
 	return "public";
 }
+/**
+* Classifies a target URL, resolving DNS for public-looking hostnames.
+*
+* Literal addresses and known local hostname suffixes are classified directly.
+* Other hostnames are resolved and classified from their addresses; any public
+* address in the answer keeps the target public, and DNS failure is treated as
+* public so the safety gate remains conservative.
+* @param target The target URL.
+* @param resolveAddresses Hostname resolver, overridable for tests.
+* @returns The resolved target tier.
+*/
+async function classifyResolvedTarget(target, resolveAddresses = defaultResolveTargetAddresses) {
+	const host = normalizedHost(target);
+	const direct = classifyTarget(target);
+	if (direct !== "public" || isIpLiteral(host)) return direct;
+	try {
+		const resolved = await resolveAddresses(host);
+		if (!Array.isArray(resolved) || resolved.length < 1) return "public";
+		let aggregate = "loopback";
+		for (const address of resolved) {
+			const tier = classifyTarget(new URL(`http://${hostForAddress(address)}/`));
+			if (tier === "public") return "public";
+			if (tier === "private") aggregate = "private";
+		}
+		return aggregate;
+	} catch {
+		return "public";
+	}
+}
+/** Resolves a hostname with the platform DNS resolver. */
+async function defaultResolveTargetAddresses(hostname) {
+	return (await lookup(hostname, { all: true })).map((entry) => entry.address);
+}
+function normalizedHost(target) {
+	let host = target.hostname.replace(/^\[/, "").replace(/\]$/, "").toLowerCase();
+	if (host.endsWith(".")) host = host.slice(0, -1);
+	return host;
+}
+function isIpLiteral(host) {
+	return isIpv4(host) || host.includes(":");
+}
+function hostForAddress(address) {
+	return address.includes(":") ? `[${address}]` : address;
+}
 function isIpv4(host) {
 	const match = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
 	return match != null && match.slice(1).every((octet) => Number(octet) <= 255);
@@ -38,4 +94,4 @@ function classifyIpv6(host) {
 	return "public";
 }
 //#endregion
-export { classifyTarget };
+export { classifyResolvedTarget };

package/dist/bench/scenarios/inbox.js

@@ -1,6 +1,6 @@
 import "@js-temporal/polyfill";
-import { asList } from "../scenario/coerce.js";
 import { discoverInbox, selectInbox } from "../discovery/discover.js";
+import { asList } from "../scenario/coerce.js";
 import { runLoad } from "../load/generator.js";
 import { aggregateSamples } from "../metrics/aggregate.js";
 import { diffSnapshots, fetchServerSnapshot, snapshotToMetrics } from "../metrics/stats-client.js";
@@ -41,7 +41,7 @@ const inboxRunner = {
 				allowPrivateAddress: context.allowPrivateAddress
 			});
 			const inbox = selectInbox(discovered, scenario.inbox);
-			context.assertDestinationAllowed?.(inbox);
+			await context.assertDestinationAllowed?.(inbox);
 			targets.push({
 				inbox,
 				actorUri: discovered.actorUri

package/dist/config.js

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
 import { message } from "@optique/core";
-import { createConfigContext } from "@optique/config";
 import { printError } from "@optique/run";
+import { createConfigContext } from "@optique/config";
 import { readFileSync } from "node:fs";
 import { parse } from "smol-toml";
 import { array, boolean, check, forward, integer as integer$1, minValue, number, object as object$1, optional as optional$1, picklist, pipe, string as string$1 } from "valibot";

package/dist/deno.js

@@ -1,5 +1,5 @@
 import "@js-temporal/polyfill";
 //#region deno.json
-var version = "2.3.0-dev.1258+a2a67992";
+var version = "2.3.0-dev.1274+8e82de77";
 //#endregion
 export { version };

package/dist/inbox/view.js

@@ -1,9 +1,9 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { renderActivity, renderRawActivity, renderRequest, renderResponse } from "./rendercode.js";
+import util from "node:util";
 import { getStatusText } from "@poppanator/http-constants";
 import { Fragment } from "hono/jsx";
 import { getSingletonHighlighter } from "shiki";
-import util from "node:util";
 import { jsx, jsxs } from "hono/jsx/jsx-runtime";
 //#region src/inbox/view.tsx
 const Layout = (props) => {

package/dist/inbox.js

@@ -1,11 +1,11 @@
 import { Temporal } from "@js-temporal/polyfill";
 import { getDocumentLoader } from "./docloader.js";
+import { colors, matchesActor } from "./utils.js";
 import { version } from "./deno.js";
 import { ActivityEntryPage, ActivityListPage } from "./inbox/view.js";
 import { configureLogging, recordingSink } from "./log.js";
 import { tableStyle } from "./table.js";
 import { spawnTemporaryServer } from "./tempserver.js";
-import { colors, matchesActor } from "./utils.js";
 import process from "node:process";
 import { MemoryKvStore, createFederation, generateCryptoKeyPair } from "@fedify/fedify";
 import { Accept, Activity, Application, Delete, Endpoints, Follow, Image, PUBLIC_COLLECTION, isActor, lookupObject } from "@fedify/vocab";

package/dist/lookup.js

@@ -1,19 +1,19 @@
 import "@js-temporal/polyfill";
 import { getContextLoader, getDocumentLoader as getDocumentLoader$1 } from "./docloader.js";
+import { colorEnabled, colors, describeError, formatObject } from "./utils.js";
 import { configContext } from "./config.js";
 import { createTunnelServiceOption, userAgentOption } from "./options.js";
 import { configureLogging } from "./log.js";
 import { spawnTemporaryServer } from "./tempserver.js";
-import { colorEnabled, colors, formatObject } from "./utils.js";
 import { renderImages } from "./imagerenderer.js";
 import process from "node:process";
 import { generateCryptoKeyPair, getAuthenticatedDocumentLoader, respondWithObject } from "@fedify/fedify";
 import { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address } from "@fedify/vocab-runtime";
 import { Application, Collection, CryptographicKey, Object as Object$1, lookupObject, traverseCollection } from "@fedify/vocab";
-import { getLogger } from "@logtape/logtape";
 import { argument, choice, command, constant, flag, float, integer, map, merge, message, multiple, object, option, optionNames, optional, or, string, withDefault } from "@optique/core";
-import { bindConfig } from "@optique/config";
 import { path, printError } from "@optique/run";
+import { getLogger } from "@logtape/logtape";
+import { bindConfig } from "@optique/config";
 import { createWriteStream } from "node:fs";
 import { url } from "@optique/core/message";
 import ora from "ora";
@@ -285,7 +285,7 @@ function handleTimeoutError(spinner, timeoutSeconds, url) {
 	printError(message`Try increasing the timeout with ${optionNames(["-T", "--timeout"])} option or check network connectivity.`);
 }
 function isPrivateAddressError(error) {
-	const lowerMessage = (error instanceof Error ? error.message : String(error)).toLowerCase();
+	const lowerMessage = describeError(error).toLowerCase();
 	if (error instanceof UrlError) return lowerMessage.includes("invalid or private address") || lowerMessage.includes("localhost is not allowed");
 	return lowerMessage.includes("private address") || lowerMessage.includes("private ip") || lowerMessage.includes("localhost") || lowerMessage.includes("loopback");
 }
@@ -308,7 +308,7 @@ function isPrivateAddressTarget(target) {
 	return getPrivateUrlCandidate(target) != null;
 }
 function getPrivateContextUrl(error) {
-	const errorMessage = error instanceof Error ? error.message : String(error);
+	const errorMessage = describeError(error);
 	if (!(error instanceof Error) || error.name !== "jsonld.InvalidUrl" || !errorMessage.includes("valid JSON-LD object")) return null;
 	const structuredError = error;
 	const structuredUrl = getPrivateUrlCandidate(structuredError.details?.url) ?? getPrivateUrlCandidate(structuredError.url);

package/dist/nodeinfo.js

@@ -1,15 +1,15 @@
 import "@js-temporal/polyfill";
+import { colors, formatObject } from "./utils.js";
 import { configContext } from "./config.js";
 import { userAgentOption } from "./options.js";
-import { colors, formatObject } from "./utils.js";
 import process from "node:process";
 import { getNodeInfo } from "@fedify/fedify";
 import { getUserAgent } from "@fedify/vocab-runtime";
-import os from "node:os";
-import { getLogger } from "@logtape/logtape";
 import { argument, command, constant, flag, group, merge, message, object, string, text } from "@optique/core";
-import { bindConfig } from "@optique/config";
 import { print, printError } from "@optique/run";
+import { getLogger } from "@logtape/logtape";
+import os from "node:os";
+import { bindConfig } from "@optique/config";
 import ora from "ora";
 import { createJimp } from "@jimp/core";
 import webp from "@jimp/wasm-webp";

package/dist/relay.js

@@ -1,8 +1,8 @@
 import "@js-temporal/polyfill";
+import { colors, matchesActor } from "./utils.js";
 import { configureLogging } from "./log.js";
 import { tableStyle } from "./table.js";
 import { spawnTemporaryServer } from "./tempserver.js";
-import { colors, matchesActor } from "./utils.js";
 import process from "node:process";
 import { MemoryKvStore } from "@fedify/fedify";
 import { getLogger } from "@logtape/logtape";

package/dist/runner.js

@@ -1,4 +1,5 @@
 import "@js-temporal/polyfill";
+import { describeError } from "./utils.js";
 import { version } from "./deno.js";
 import { configContext, tryLoadToml } from "./config.js";
 import { globalOptions } from "./options.js";
@@ -14,13 +15,13 @@ import { tunnelCommand } from "./tunnel.js";
 import { webFingerCommand } from "./webfinger/command.js";
 import "./webfinger/mod.js";
 import process from "node:process";
-import { homedir } from "node:os";
 import { group, merge, message, or } from "@optique/core";
 import { printError, run } from "@optique/run";
+import { merge as merge$1 } from "es-toolkit";
+import { homedir } from "node:os";
 import { readFileSync } from "node:fs";
 import { parse } from "smol-toml";
 import { join } from "node:path";
-import { merge as merge$1 } from "es-toolkit";
 //#region src/runner.ts
 /**
 * Returns the system-wide configuration file paths.
@@ -50,7 +51,7 @@ function loadConfig(parsed) {
 	if (parsed.configPath) try {
 		custom = parse(readFileSync(parsed.configPath, "utf-8"));
 	} catch (error) {
-		printError(message`Could not load config file at ${parsed.configPath}: ${error instanceof Error ? error.message : String(error)}`);
+		printError(message`Could not load config file at ${parsed.configPath}: ${describeError(error)}`);
 		process.exit(1);
 	}
 	return {

package/dist/utils.js

@@ -2,13 +2,13 @@ import "@js-temporal/polyfill";
 import "node:fs/promises";
 import process from "node:process";
 import { getActorHandle } from "@fedify/vocab";
+import "@fxts/core";
 import { message } from "@optique/core";
 import { print, printError } from "@optique/run";
-import util from "node:util";
-import "@fxts/core";
 import { Chalk } from "chalk";
 import { highlight } from "cli-highlight";
 import { flow } from "es-toolkit";
+import util from "node:util";
 //#region src/utils.ts
 const colorEnabled = process.stdout.isTTY && !("NO_COLOR" in process.env && process.env.NO_COLOR !== "");
 const colors = new Chalk(colorEnabled ? {} : { level: 0 });
@@ -34,7 +34,10 @@ async function matchesActor(actor, actorList) {
 	}
 	return false;
 }
+function describeError(error) {
+	return error instanceof Error ? error.message : String(error);
+}
 flow(message, print);
 flow(message, printError);
 //#endregion
-export { colorEnabled, colors, formatObject, matchesActor };
+export { colorEnabled, colors, describeError, formatObject, matchesActor };

package/dist/webfinger/action.js

@@ -1,7 +1,7 @@
 import "@js-temporal/polyfill";
+import { formatObject } from "../utils.js";
 import { NotFoundError, getErrorMessage } from "./error.js";
 import { convertUrlIfHandle } from "./lib.js";
-import { formatObject } from "../utils.js";
 import { print } from "@optique/run";
 import { formatMessage, message } from "@optique/core/message";
 import ora from "ora";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/cli",
-  "version": "2.3.0-dev.1258+a2a67992",
+  "version": "2.3.0-dev.1274+8e82de77",
   "type": "module",
   "files": [
     "README.md",
@@ -89,14 +89,14 @@
     "srvx": "^0.8.7",
     "valibot": "^1.4.0",
     "yaml": "^2.9.0",
-    "@fedify/fedify": "2.3.0-dev.1258+a2a67992",
-    "@fedify/init": "2.3.0-dev.1258+a2a67992",
-    "@fedify/relay": "2.3.0-dev.1258+a2a67992",
-    "@fedify/sqlite": "2.3.0-dev.1258+a2a67992",
-    "@fedify/webfinger": "2.3.0-dev.1258+a2a67992",
-    "@fedify/vocab-tools": "2.3.0-dev.1258+a2a67992",
-    "@fedify/vocab": "2.3.0-dev.1258+a2a67992",
-    "@fedify/vocab-runtime": "2.3.0-dev.1258+a2a67992"
+    "@fedify/fedify": "2.3.0-dev.1274+8e82de77",
+    "@fedify/relay": "2.3.0-dev.1274+8e82de77",
+    "@fedify/vocab": "2.3.0-dev.1274+8e82de77",
+    "@fedify/sqlite": "2.3.0-dev.1274+8e82de77",
+    "@fedify/vocab-runtime": "2.3.0-dev.1274+8e82de77",
+    "@fedify/vocab-tools": "2.3.0-dev.1274+8e82de77",
+    "@fedify/webfinger": "2.3.0-dev.1274+8e82de77",
+    "@fedify/init": "2.3.0-dev.1274+8e82de77"
   },
   "devDependencies": {
     "@types/bun": "^1.2.23",