fix: resolve hostnames against CIDR allowlist, proxy raw content for copy button, silence .well-known noise

Three bugs found during manual testing:

1. CIDR allowlist DNS resolution: Allowlist.Allows() now resolves
   hostnames when CIDRs are configured, so hosts like intranet.local
   that resolve to 10.x IPs match a 10.0.0.0/8 allowlist entry.
   DNS errors deny access (security-safe default).

2. Copy Source CORS: The "Copy as Markdown" button now fetches through
   /_cooked/raw/{upstream} instead of directly from upstream, avoiding
   cross-origin browser blocks. The new handler reuses the same
   validation pipeline (URL parse, allowlist, SSRF).

3. .well-known log noise: Added a silent 404 handler for
   /.well-known/{path} so Chrome's automatic traffic-advice requests
   don't pollute logs with warn-level bad-request entries.

Author: wthrbtn

.beads/issues.jsonl

@@ -81,6 +81,11 @@ func (cc *CachedClient) Store(key string, entry cache.Entry) {
 	cc.cache.Put(key, entry)
 }
 
+// Client returns the underlying fetch client for direct (uncached) access.
+func (cc *CachedClient) Client() *Client {
+	return cc.client
+}
+
 // Cache returns the underlying cache for direct access.
 func (cc *CachedClient) Cache() *cache.Cache {
 	return cc.cache

internal/fetch/cached.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"context"
 	"net"
 	"strings"
 )
@@ -14,6 +15,7 @@ type Allowlist struct {
 	cidrs     []*net.IPNet
 	wildcards []string // stored as ".suffix" (e.g. ".internal" from "*.internal")
 	exact     []string // lowercased hostnames
+	resolver  func(ctx context.Context, host string) ([]net.IPAddr, error)
 }
 
 // ParseAllowlist parses a comma-separated allowlist string into a structured
@@ -28,7 +30,9 @@ func ParseAllowlist(raw string) *Allowlist {
 		return nil
 	}
 
-	a := &Allowlist{}
+	a := &Allowlist{
+		resolver: net.DefaultResolver.LookupIPAddr,
+	}
 	for _, entry := range strings.Split(raw, ",") {
 		entry = strings.TrimSpace(entry)
 		if entry == "" {
@@ -79,11 +83,27 @@ func (a *Allowlist) Allows(host string) bool {
 		}
 	}
 
-	// Check CIDRs (only for IP-literal hosts)
-	if ip := net.ParseIP(hostname); ip != nil {
-		for _, cidr := range a.cidrs {
-			if cidr.Contains(ip) {
-				return true
+	// Check CIDRs
+	if len(a.cidrs) > 0 {
+		if ip := net.ParseIP(hostname); ip != nil {
+			// IP-literal host: check directly
+			for _, cidr := range a.cidrs {
+				if cidr.Contains(ip) {
+					return true
+				}
+			}
+		} else if a.resolver != nil {
+			// Hostname: resolve and check each IP
+			addrs, err := a.resolver(context.Background(), hostname)
+			if err != nil {
+				return false // deny on DNS failure
+			}
+			for _, addr := range addrs {
+				for _, cidr := range a.cidrs {
+					if cidr.Contains(addr.IP) {
+						return true
+					}
+				}
 			}
 		}
 	}

internal/server/allowlist.go

@@ -1,6 +1,9 @@
 package server
 
 import (
+	"context"
+	"fmt"
+	"net"
 	"testing"
 )
 
@@ -76,7 +79,8 @@ func TestAllowlist_CIDR(t *testing.T) {
 		// With port
 		{"10.0.0.1:8080", true},
 
-		// Hostname (not IP) should not match CIDR
+		// Hostname — real DNS resolution may or may not match CIDR;
+		// for deterministic testing of hostname resolution, see TestAllowlist_CIDRResolvesHostname
 		{"example.com", false},
 	}
 
@@ -90,6 +94,43 @@ func TestAllowlist_CIDR(t *testing.T) {
 	}
 }
 
+func TestAllowlist_CIDRResolvesHostname(t *testing.T) {
+	a := ParseAllowlist("10.0.0.0/8")
+	// Inject a fake resolver that returns 10.0.0.42 for "intranet.local"
+	a.resolver = func(_ context.Context, host string) ([]net.IPAddr, error) {
+		if host == "intranet.local" {
+			return []net.IPAddr{{IP: net.ParseIP("10.0.0.42")}}, nil
+		}
+		return nil, fmt.Errorf("no such host")
+	}
+
+	tests := []struct {
+		host   string
+		wantOK bool
+	}{
+		// Hostname resolving to 10.x should match CIDR
+		{"intranet.local", true},
+		{"intranet.local:8080", true},
+
+		// IP literal still works
+		{"10.0.0.1", true},
+
+		// Unknown host — resolver returns error → deny
+		{"unknown.host", false},
+
+		// IP outside CIDR
+		{"11.0.0.1", false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.host, func(t *testing.T) {
+			if got := a.Allows(tc.host); got != tc.wantOK {
+				t.Errorf("Allows(%q) = %v, want %v", tc.host, got, tc.wantOK)
+			}
+		})
+	}
+}
+
 func TestAllowlist_CIDRIPv6(t *testing.T) {
 	a := ParseAllowlist("fd00::/8")
 

internal/server/allowlist_test.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/air-gapped/cooked/internal/cache"
@@ -88,7 +89,9 @@ func New(cfg *config.Config, version string, assets fs.FS, extraFetchOpts ...fet
 func (s *Server) routes() {
 	s.mux.HandleFunc("GET /healthz", s.handleHealthz)
 	s.mux.HandleFunc("GET /_cooked/docs", s.handleDocs)
+	s.mux.HandleFunc("GET /_cooked/raw/{upstream...}", s.handleRaw)
 	s.mux.HandleFunc("GET /_cooked/{path...}", s.handleAsset)
+	s.mux.HandleFunc("GET /.well-known/{path...}", s.handleWellKnown)
 	s.mux.HandleFunc("GET /{$}", s.handleLanding)
 	s.mux.HandleFunc("GET /{upstream...}", s.handleRender)
 }
@@ -179,6 +182,50 @@ func (s *Server) handleAsset(w http.ResponseWriter, r *http.Request) {
 	w.Write(data)
 }
 
+func (s *Server) handleRaw(w http.ResponseWriter, r *http.Request) {
+	rawUpstream := ExtractUpstreamFromPath(
+		strings.TrimPrefix(r.URL.Path, "/_cooked/raw"),
+		r.URL.RawQuery,
+	)
+
+	upstream, err := ParseUpstreamURL(rawUpstream)
+	if err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	if !s.allowlist.Allows(upstream.Host) {
+		http.Error(w, "forbidden", http.StatusForbidden)
+		return
+	}
+
+	if s.allowlist == nil {
+		private, err := IsPrivateAddress(upstream.Host)
+		if err != nil || private {
+			http.Error(w, "forbidden", http.StatusForbidden)
+			return
+		}
+	}
+
+	result, err := s.fetcher.Client().Fetch(rawUpstream, "", "")
+	if err != nil {
+		http.Error(w, "upstream fetch failed", http.StatusBadGateway)
+		return
+	}
+
+	if result.StatusCode != 200 {
+		http.Error(w, fmt.Sprintf("upstream returned %d", result.StatusCode), result.StatusCode)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Write(result.Body)
+}
+
+func (s *Server) handleWellKnown(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusNotFound)
+}
+
 func (s *Server) handleRender(w http.ResponseWriter, r *http.Request) {
 	start := time.Now()
 

internal/server/server.go

@@ -131,7 +131,7 @@ func writeScripts(buf *bytes.Buffer) {
       btn.addEventListener('click', function() {
         btn.disabled = true;
         btn.textContent = 'Fetching\u2026';
-        fetch(upstreamURL).then(function(r) {
+        fetch('/_cooked/raw/' + upstreamURL).then(function(r) {
           if (!r.ok) throw new Error(r.status);
           return r.text();
         }).then(function(text) {

internal/template/scripts.go

@@ -586,7 +586,7 @@
       btn.addEventListener('click', function() {
         btn.disabled = true;
         btn.textContent = 'Fetching\u2026';
-        fetch(upstreamURL).then(function(r) {
+        fetch('/_cooked/raw/' + upstreamURL).then(function(r) {
           if (!r.ok) throw new Error(r.status);
           return r.text();
         }).then(function(text) {

testdata/golden/template/code_file.html

@@ -330,7 +330,7 @@ <h1>404 Not Found</h1>
       btn.addEventListener('click', function() {
         btn.disabled = true;
         btn.textContent = 'Fetching\u2026';
-        fetch(upstreamURL).then(function(r) {
+        fetch('/_cooked/raw/' + upstreamURL).then(function(r) {
           if (!r.ok) throw new Error(r.status);
           return r.text();
         }).then(function(text) {

testdata/golden/template/error_404.html

@@ -330,7 +330,7 @@ <h1>502 Bad Gateway</h1>
       btn.addEventListener('click', function() {
         btn.disabled = true;
         btn.textContent = 'Fetching\u2026';
-        fetch(upstreamURL).then(function(r) {
+        fetch('/_cooked/raw/' + upstreamURL).then(function(r) {
           if (!r.ok) throw new Error(r.status);
           return r.text();
         }).then(function(text) {

testdata/golden/template/error_502.html

@@ -586,7 +586,7 @@ <h1 id="arch">Architecture</h1>
       btn.addEventListener('click', function() {
         btn.disabled = true;
         btn.textContent = 'Fetching\u2026';
-        fetch(upstreamURL).then(function(r) {
+        fetch('/_cooked/raw/' + upstreamURL).then(function(r) {
           if (!r.ok) throw new Error(r.status);
           return r.text();
         }).then(function(text) {