Canonical origin nice-to-haves

Author: dacharyc

src/cli/commands/check.ts

@@ -39,7 +39,7 @@ export function registerCheckCommand(program: Command): void {
     .option('--score', 'Include scoring data in JSON output')
     .option(
       '--canonical-origin <url>',
-      'Rewrite this origin to the target in fetched content (for preview/staging testing)',
+      'The production domain your content links to (for preview/staging testing)',
     )
     .action(async (rawUrl: string | undefined, opts: Record<string, unknown>) => {
       // Load config: explicit path or auto-discover
@@ -185,6 +185,13 @@ export function registerCheckCommand(program: Command): void {
           process.exitCode = 1;
           return;
         }
+        const targetOrigin = new URL(url).origin;
+        if (canonicalOrigin === targetOrigin) {
+          process.stderr.write(
+            `Warning: --canonical-origin "${canonicalOrigin}" is the same as the target origin. The flag has no effect.\n`,
+          );
+          canonicalOrigin = undefined;
+        }
       }
 
       const report = await runChecks(url, {

src/http.ts

@@ -26,7 +26,7 @@ export function createHttpClient(options: RateLimitedHttpClientOptions): HttpCli
   let activeRequests = 0;
   const originPattern =
     options.canonicalOrigin && options.targetOrigin
-      ? new RegExp(escapeRegExp(options.canonicalOrigin), 'g')
+      ? new RegExp(escapeRegExp(options.canonicalOrigin) + '(?=[/\\s"\'\\]>]|$)', 'g')
       : null;
 
   async function waitForSlot(): Promise<void> {

test/unit/helpers/http.test.ts

@@ -153,6 +153,63 @@ describe('createHttpClient', () => {
       expect(response.redirected).toBe(true);
     });
 
+    it('rewrites origins that include a port', async () => {
+      const body = 'See https://prod.example.com:8080/docs/guide for details.';
+      globalThis.fetch = vi.fn(async () => makeTextResponse(body, { contentType: 'text/plain' }));
+
+      const client = createHttpClient({
+        requestDelay: 0,
+        requestTimeout: 5000,
+        maxConcurrency: 10,
+        canonicalOrigin: 'https://prod.example.com:8080',
+        targetOrigin: 'http://localhost:3000',
+      });
+      const response = await client.fetch('http://localhost:3000/docs/guide');
+      const text = await response.text();
+
+      expect(text).toBe('See http://localhost:3000/docs/guide for details.');
+    });
+
+    it('does not match a longer domain that starts with the canonical origin', async () => {
+      const body = [
+        'https://prod.example.com/docs/guide',
+        'https://prod.example.com.evil.com/phishing',
+      ].join('\n');
+      globalThis.fetch = vi.fn(async () => makeTextResponse(body, { contentType: 'text/plain' }));
+
+      const client = createHttpClient({
+        requestDelay: 0,
+        requestTimeout: 5000,
+        maxConcurrency: 10,
+        canonicalOrigin: 'https://prod.example.com',
+        targetOrigin: 'https://preview.local',
+      });
+      const response = await client.fetch('http://preview.local/docs');
+      const text = await response.text();
+
+      expect(text).toContain('https://preview.local/docs/guide');
+      expect(text).toContain('https://prod.example.com.evil.com/phishing');
+    });
+
+    it('returns the same rewritten body on multiple text() calls', async () => {
+      const body = 'Link: https://prod.example.com/page';
+      globalThis.fetch = vi.fn(async () => makeTextResponse(body, { contentType: 'text/plain' }));
+
+      const client = createHttpClient({
+        requestDelay: 0,
+        requestTimeout: 5000,
+        maxConcurrency: 10,
+        canonicalOrigin: 'https://prod.example.com',
+        targetOrigin: 'https://preview.local',
+      });
+      const response = await client.fetch('http://preview.local/page');
+      const first = await response.text();
+      const second = await response.text();
+
+      expect(first).toBe('Link: https://preview.local/page');
+      expect(second).toBe(first);
+    });
+
     it('skips rewrite for non-text content types', async () => {
       const original = 'https://prod.example.com/binary-data';
       globalThis.fetch = vi.fn(async () =>