Document fedify lookup private-address behavior

Update CHANGES.md with the 2.1.6 entry for the regression fix, and
rewrite the -p/--allow-private-address section in docs/cli.md to
reflect that URLs given on the command line always allow private
addresses while the option gates URLs discovered via --traverse or
--recurse.

#696
#698

Assisted-by: Claude Code:claude-opus-4-7

Author: 2chanhaeng

CHANGES.md

@@ -8,6 +8,22 @@ Version 2.1.6
 
 To be released.
 
+### @fedify/cli
+
+ -  Fixed `fedify lookup` failing to look up URLs on private or localhost
+    addresses unless `-p`/`--allow-private-address` was passed, which was a
+    regression introduced in Fedify 2.1.0 when the CLI began forwarding
+    the `allowPrivateAddress` option to the underlying document loader.
+    URLs explicitly provided on the command line now always allow private
+    addresses, while URLs discovered via [`-t`/`--traverse`] or [`--recurse`]
+    still honor the option to mitigate SSRF attacks against private
+    addresses.  [[#696], [#698] by Chanhaeng Lee]
+
+[`-t`/`--traverse`]: https://fedify.dev/cli#t-traverse-traverse-the-collection
+[`--recurse`]: https://fedify.dev/cli#recurse-recurse-through-object-relationships
+[#696]: https://github.com/fedify-dev/fedify/issues/696
+[#698]: https://github.com/fedify-dev/fedify/pull/698
+
 
 Version 2.1.5
 -------------

docs/cli.md

@@ -522,8 +522,10 @@ and `quoteUri` are not accepted as short forms.
 > are mutually exclusive.
 >
 > Recursive fetches always disallow private/localhost addresses for safety.
-> `-p`/`--allow-private-address` only applies to explicit lookup/traverse
-> targets, not to recursive steps.
+> URLs explicitly provided on the command line always allow private
+> addresses, while
+> [`-p`/`--allow-private-address`](#p-allow-private-address-allow-private-ip-addresses)
+> has no effect on recursive steps.
 
 ### `--recurse-depth`: Set recursion depth limit
 
@@ -980,18 +982,30 @@ fedify lookup --user-agent MyApp/1.0 @fedify@hollo.social
 
 ### `-p`/`--allow-private-address`: Allow private IP addresses
 
-By default, `fedify lookup` does not fetch private or localhost addresses.
-The `-p`/`--allow-private-address` option allows explicit lookup/traverse
-requests to private addresses when needed for local development.
+URLs explicitly provided on the command line always allow private or
+localhost addresses, so local servers can be looked up without any extra
+flags:
 
 ~~~~ sh
-fedify lookup --allow-private-address http://localhost:8000/users/alice
+fedify lookup http://localhost:8000/users/alice
+~~~~
+
+The `-p`/`--allow-private-address` option additionally allows private
+addresses for URLs discovered via traversal or recursion.  It only has an
+effect when used together with
+[`-t`/`--traverse`](#t-traverse-traverse-the-collection) or
+[`--recurse`](#recurse-recurse-through-object-relationships), since URLs
+embedded in remote responses are otherwise rejected to mitigate SSRF
+attacks against private addresses.
+
+~~~~ sh
+fedify lookup --traverse --allow-private-address http://localhost:8000/users/alice/outbox
 ~~~~
 
 > [!NOTE]
 > Recursive fetches enabled by
 > [`--recurse`](#recurse-recurse-through-object-relationships) continue to
-> disallow private addresses.
+> disallow private addresses regardless of this option.
 
 ### `-s`/`--separator`: Output separator