Clarify private-address policy for recursive lookup docs

dahlia · dahlia · commit aab372f440ad · 2026-03-08T19:21:37.000+09:00
Document that --allow-private-address only applies to explicit lookup/traverse targets, while recursive fetch steps always disallow private and localhost addresses. This updates both the lookup CLI docs and the @fedify/cli changelog entry for the recurse/private-address hardening. #608 (comment)
diff --git a/CHANGES.md b/CHANGES.md
@@ -37,7 +37,8 @@ To be released.
  -  Hardened `fedify lookup` by disallowing private/localhost document loads
     by default.  For local-development workflows, `-p`/`--allow-private-address`
     (or `lookup.allowPrivateAddress = true` in config) can re-enable private
-    address access for explicit lookup/traverse requests.
+    address access for explicit lookup/traverse requests.  This option does
+    not apply to recursive fetches, which always disallow private addresses.
     [[#608]]
 
 [#606]: https://github.com/fedify-dev/fedify/issues/606
diff --git a/docs/cli.md b/docs/cli.md
@@ -530,6 +530,10 @@ and `quoteUri` are not accepted as short forms.
 > [!NOTE]
 > `--recurse` and [`-t`/`--traverse`](#t-traverse-traverse-the-collection)
 > are mutually exclusive.
+>
+> Recursive fetches always disallow private/localhost addresses for safety.
+> `-p`/`--allow-private-address` only applies to explicit lookup/traverse
+> targets, not to recursive steps.
 
 ### `--recurse-depth`: Set recursion depth limit
 
