Skip to content

Commit 4d04498

Browse files
dahliadahlia
committed
Document recursive lookup helper intent
Add targeted comments explaining why recursive object fetches and recursive JSON-LD context fetches use different loader policies, and why the private-address helper functions only exist for post-failure hint classification. Assisted-by: Codex:gpt-5.4
1 parent 79689b3 commit 4d04498

1 file changed

Lines changed: 13 additions & 0 deletions

File tree

packages/cli/src/lookup.ts

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -559,6 +559,9 @@ function isPrivateAddressError(error: unknown): boolean {
559559
export function getPrivateUrlCandidate(
560560
candidate: unknown,
561561
): URL | null {
562+
// This helper is only for post-failure hinting. It intentionally does a
563+
// cheap hostname/IP check so we can recognize obvious private targets
564+
// without re-running the full document-loader validation path.
562565
if (typeof candidate !== "string" && !(candidate instanceof URL)) return null;
563566

564567
try {
@@ -588,6 +591,12 @@ function isPrivateAddressTarget(target: string): boolean {
588591
}
589592

590593
function getPrivateContextUrl(error: unknown): URL | null {
594+
// Recursive object fetches and recursive JSON-LD context fetches use
595+
// different loader policies. When the strict context loader rejects a
596+
// private @context URL, the underlying UrlError is often surfaced as a
597+
// jsonld parsing error instead of the original loader error. This helper
598+
// reconstructs the blocked private context URL so the CLI can show a
599+
// recurse-specific hint instead of the generic authorized-fetch hint.
591600
// This detection intentionally depends on jsonld's current error shape:
592601
// name === "jsonld.InvalidUrl", the "valid JSON-LD object" substring, and
593602
// a trailing `URL: "..."` segment all at once. If jsonld changes those
@@ -985,6 +994,10 @@ export async function runLookup(
985994
initialDocumentLoader;
986995
const recursiveLookupDocumentLoader: DocumentLoader = authLoader ??
987996
documentLoader;
997+
// `-p/--allow-private-address` only changes the follow-up object fetches
998+
// that recurse explicitly performs. JSON-LD context loads stay on the
999+
// strict loader so a remote object cannot implicitly expand the trust
1000+
// boundary via private @context URLs.
9881001
const recursiveBaseContextLoader = await getContextLoader({
9891002
userAgent: command.userAgent,
9901003
allowPrivateAddress: false,

0 commit comments

Comments
 (0)