Allow private addresses for explicit URLs in fedify lookup

Since v2.1, `fedify lookup` rejected localhost URLs unless
`-p`/`--allow-private-address` was passed, because the CLI began
forwarding `allowPrivateAddress=false` to the vocab-runtime document
loader, whose `validatePublicUrl` check blocks loopback addresses.

Split the document/auth loaders into two:

 -  An "initial" loader that always allows private addresses, used for
    URLs explicitly provided on the command line (plain lookup, the
    first fetch in `--traverse`, and the first fetch in `--recurse`).
 -  The existing loader, which continues to honor
    `--allow-private-address`, used for URLs discovered from remote
    responses (traversal pages and recursion targets).

This preserves SSRF protection against `http://localhost/...` URLs
embedded in remote `first`/`next`/`inReplyTo` fields while letting
users look up local servers without extra flags.

Assisted-by: Claude Code:claude-opus-4-7

Author: 2chanhaeng

packages/cli/src/lookup.ts

@@ -83,8 +83,9 @@ const suppressErrorsOption = bindConfig(
 
 const allowPrivateAddressOption = bindConfig(
   flag("-p", "--allow-private-address", {
-    description:
-      message`Allow private IP addresses for explicit lookup/traverse requests.`,
+    description: message`Allow private IP addresses for URLs discovered \
+via traversal or recursion. URLs explicitly provided \
+on the command line always allow private addresses.`,
   }),
   {
     context: configContext,
@@ -716,6 +717,18 @@ export async function runLookup(
   }).start();
 
   let server: TemporaryServer | undefined = undefined;
+  // URLs explicitly provided by the user always allow private addresses,
+  // so that local servers can be looked up without -p/--allow-private-address.
+  // URLs discovered via traversal or recursion follow the option, since they
+  // originate from remote responses and must be protected against SSRF.
+  const initialBaseDocumentLoader = await getDocumentLoader({
+    userAgent: command.userAgent,
+    allowPrivateAddress: true,
+  });
+  const initialDocumentLoader = wrapDocumentLoaderWithTimeout(
+    initialBaseDocumentLoader,
+    command.timeout,
+  );
   const baseDocumentLoader = await getDocumentLoader({
     userAgent: command.userAgent,
     allowPrivateAddress: command.allowPrivateAddress,
@@ -734,6 +747,7 @@ export async function runLookup(
   );
 
   let authLoader: DocumentLoader | undefined = undefined;
+  let initialAuthLoader: DocumentLoader | undefined = undefined;
   let authIdentity:
     | { keyId: URL; privateKey: CryptoKey }
     | undefined = undefined;
@@ -836,6 +850,24 @@ export async function runLookup(
       baseAuthLoader,
       command.timeout,
     );
+    const initialBaseAuthLoader = getAuthenticatedDocumentLoader(
+      authIdentity,
+      {
+        allowPrivateAddress: true,
+        userAgent: command.userAgent,
+        specDeterminer: {
+          determineSpec() {
+            return command.firstKnock;
+          },
+          rememberSpec() {
+          },
+        },
+      },
+    );
+    initialAuthLoader = wrapDocumentLoaderWithTimeout(
+      initialBaseAuthLoader,
+      command.timeout,
+    );
   }
 
   spinner.text = `Looking up the ${
@@ -885,8 +917,8 @@ export async function runLookup(
         command.timeout,
       )
       : undefined;
-    const initialLookupDocumentLoader: DocumentLoader = authLoader ??
-      documentLoader;
+    const initialLookupDocumentLoader: DocumentLoader = initialAuthLoader ??
+      initialDocumentLoader;
     const recursiveLookupDocumentLoader: DocumentLoader = recursiveAuthLoader ??
       recursiveDocumentLoader;
     let totalObjects = 0;
@@ -1109,7 +1141,7 @@ export async function runLookup(
       let collection: APObject | null = null;
       try {
         collection = await effectiveDeps.lookupObject(url, {
-          documentLoader: authLoader ?? documentLoader,
+          documentLoader: initialAuthLoader ?? initialDocumentLoader,
           contextLoader,
           userAgent: command.userAgent,
         });
@@ -1248,7 +1280,7 @@ export async function runLookup(
   for (const url of command.urls) {
     promises.push(
       effectiveDeps.lookupObject(url, {
-        documentLoader: authLoader ?? documentLoader,
+        documentLoader: initialAuthLoader ?? initialDocumentLoader,
         contextLoader,
         userAgent: command.userAgent,
       }).catch((error) => {