javascript-solid-server 0.0.108 → 0.0.110

package/README.md

@@ -164,6 +164,8 @@ jss --help             # Show help
 | `--mongo-database <name>` | MongoDB database name | solid |
 | `--webrtc` | Enable WebRTC signaling server | false |
 | `--webrtc-path <path>` | WebRTC signaling WebSocket path | /.webrtc |
+| `--tunnel` | Enable tunnel proxy (decentralized ngrok) | false |
+| `--tunnel-path <path>` | Tunnel WebSocket path | /.tunnel |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -862,6 +864,36 @@ Messages are JSON over WebSocket:
 
 On connect, peers receive a list of online users and get notified when others join or leave.
 
+## Tunnel Proxy (Decentralized ngrok)
+
+Expose a local dev server to the internet through your JSS pod. A tunnel client connects via WebSocket, registers a name, and receives proxied HTTP requests.
+
+```bash
+jss start --tunnel
+```
+
+### How It Works
+
+1. Tunnel client connects to `wss://your.pod/.tunnel` (WebID auth required)
+2. Client registers a name: `{ "type": "register", "name": "myapp" }`
+3. Public URL becomes available at `https://your.pod/tunnel/myapp/`
+4. HTTP requests to that URL are serialized and sent to the tunnel client over WebSocket
+5. Tunnel client forwards to localhost, returns the response
+
+### Tunnel Client Protocol
+
+```js
+// 1. Register a tunnel
+→ { "type": "register", "name": "myapp" }
+← { "type": "registered", "name": "myapp", "url": "/tunnel/myapp/" }
+
+// 2. Receive proxied HTTP requests
+← { "type": "request", "id": "uuid", "method": "GET", "path": "/api/hello", "headers": {...} }
+
+// 3. Return the response
+→ { "type": "response", "id": "uuid", "status": 200, "headers": {...}, "body": "..." }
+```
+
 ## HTTP 402 Paid Access
 
 Monetize API endpoints with per-request satoshi payments. Resources under `/pay/*` require NIP-98 authentication and a positive balance.

package/bin/jss.js

@@ -68,6 +68,9 @@ program
   .option('--webrtc', 'Enable WebRTC signaling server')
   .option('--no-webrtc', 'Disable WebRTC signaling server')
   .option('--webrtc-path <path>', 'WebRTC signaling WebSocket path (default: /.webrtc)')
+  .option('--tunnel', 'Enable tunnel proxy (decentralized ngrok)')
+  .option('--no-tunnel', 'Disable tunnel proxy')
+  .option('--tunnel-path <path>', 'Tunnel WebSocket path (default: /.tunnel)')
   .option('--activitypub', 'Enable ActivityPub federation')
   .option('--no-activitypub', 'Disable ActivityPub federation')
   .option('--ap-username <name>', 'ActivityPub username (default: me)')
@@ -147,6 +150,8 @@ program
         nostrMaxEvents: config.nostrMaxEvents,
         webrtc: config.webrtc,
         webrtcPath: config.webrtcPath,
+        tunnel: config.tunnel,
+        tunnelPath: config.tunnelPath,
         activitypub: config.activitypub,
         apUsername: config.apUsername,
         apDisplayName: config.apDisplayName,
@@ -192,6 +197,7 @@ program
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.webrtc) console.log(`  WebRTC: enabled (${config.webrtcPath || '/.webrtc'})`);
+        if (config.tunnel) console.log(`  Tunnel: enabled (${config.tunnelPath || '/.tunnel'})`);
         if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);
         if (config.singleUser) console.log(`  Single-user: ${config.singleUserName || 'me'} (registration disabled)`);
         else if (config.inviteOnly) console.log('  Registration: invite-only');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.108",
+  "version": "0.0.110",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -58,6 +58,10 @@ export const defaults = {
   webrtc: false,
   webrtcPath: '/.webrtc',
 
+  // Tunnel (decentralized ngrok)
+  tunnel: false,
+  tunnelPath: '/.tunnel',
+
   // ActivityPub federation
   activitypub: false,
   apUsername: 'me',
@@ -140,6 +144,8 @@ const envMap = {
   JSS_NOSTR_MAX_EVENTS: 'nostrMaxEvents',
   JSS_WEBRTC: 'webrtc',
   JSS_WEBRTC_PATH: 'webrtcPath',
+  JSS_TUNNEL: 'tunnel',
+  JSS_TUNNEL_PATH: 'tunnelPath',
   JSS_ACTIVITYPUB: 'activitypub',
   JSS_AP_USERNAME: 'apUsername',
   JSS_AP_DISPLAY_NAME: 'apDisplayName',

package/src/patch/n3-patch.js

@@ -57,6 +57,7 @@ export function parseN3Patch(patchText, baseUri) {
 
 /**
  * Parse triples from N3 block content
+ * Handles Turtle semicolon shorthand (same subject, different predicate-object)
  */
 function parseTriples(content, prefixes, baseUri) {
   const triples = [];
@@ -68,11 +69,37 @@ function parseTriples(content, prefixes, baseUri) {
   // Split by '.' but be careful with strings containing '.'
   const statements = splitStatements(content);
 
+  let lastSubject = null;
   for (const stmt of statements) {
-    const triple = parseStatement(stmt.trim(), prefixes, baseUri);
-    if (triple) {
-      triples.push(triple);
+    const trimmed = stmt.trim();
+    if (!trimmed) continue;
+
+    const tokens = tokenize(trimmed);
+    if (tokens.length < 2) continue;
+
+    let subject, predicate, object;
+
+    if (tokens.length >= 3) {
+      // Full triple: subject predicate object
+      subject = resolveValue(tokens[0], prefixes, baseUri);
+      predicate = resolveValue(tokens[1], prefixes, baseUri);
+      object = resolveValue(tokens.slice(2).join(' '), prefixes, baseUri);
+      lastSubject = subject;
+    } else if (tokens.length === 2 && lastSubject) {
+      // Semicolon continuation: predicate object (reuse last subject)
+      subject = lastSubject;
+      predicate = resolveValue(tokens[0], prefixes, baseUri);
+      object = resolveValue(tokens[1], prefixes, baseUri);
+    } else {
+      continue;
+    }
+
+    // Handle 'a' as rdf:type
+    if (predicate === 'a') {
+      predicate = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type';
     }
+
+    triples.push({ subject, predicate, object });
   }
 
   return triples;
@@ -86,11 +113,18 @@ function splitStatements(content) {
   let current = '';
   let inString = false;
   let stringChar = null;
+  let inIri = false;
 
   for (let i = 0; i < content.length; i++) {
     const char = content[i];
 
-    if (!inString && (char === '"' || char === "'")) {
+    if (!inString && !inIri && char === '<') {
+      inIri = true;
+      current += char;
+    } else if (inIri && char === '>') {
+      inIri = false;
+      current += char;
+    } else if (!inIri && !inString && (char === '"' || char === "'")) {
       inString = true;
       stringChar = char;
       current += char;
@@ -98,12 +132,12 @@ function splitStatements(content) {
       inString = false;
       stringChar = null;
       current += char;
-    } else if (!inString && char === '.') {
+    } else if (!inString && !inIri && char === '.') {
       if (current.trim()) {
         statements.push(current);
       }
       current = '';
-    } else if (!inString && char === ';') {
+    } else if (!inString && !inIri && char === ';') {
       // Turtle shorthand - same subject, different predicate
       if (current.trim()) {
         statements.push(current);
@@ -121,23 +155,6 @@ function splitStatements(content) {
   return statements;
 }
 
-/**
- * Parse a single N3 statement into a triple
- */
-function parseStatement(stmt, prefixes, baseUri) {
-  if (!stmt) return null;
-
-  // Tokenize - split by whitespace but respect quotes
-  const tokens = tokenize(stmt);
-  if (tokens.length < 3) return null;
-
-  const subject = resolveValue(tokens[0], prefixes, baseUri);
-  const predicate = resolveValue(tokens[1], prefixes, baseUri);
-  const object = resolveValue(tokens.slice(2).join(' '), prefixes, baseUri);
-
-  return { subject, predicate, object };
-}
-
 /**
  * Tokenize a statement respecting quoted strings
  */

package/src/server.js

@@ -19,6 +19,7 @@ import { activityPubPlugin, getActorHandler } from './ap/index.js';
 import { remoteStoragePlugin } from './remotestorage.js';
 import { dbPlugin } from './db/index.js';
 import { webrtcPlugin } from './webrtc/index.js';
+import { tunnelPlugin } from './tunnel/index.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -78,6 +79,9 @@ export function createServer(options = {}) {
   // WebRTC signaling is OFF by default
   const webrtcEnabled = options.webrtc ?? false;
   const webrtcPath = options.webrtcPath ?? '/.webrtc';
+  // Tunnel proxy is OFF by default
+  const tunnelEnabled = options.tunnel ?? false;
+  const tunnelPath = options.tunnelPath ?? '/.tunnel';
   // ActivityPub federation is OFF by default
   const activitypubEnabled = options.activitypub ?? false;
   const apUsername = options.apUsername ?? 'me';
@@ -249,6 +253,11 @@ export function createServer(options = {}) {
     fastify.register(webrtcPlugin, { path: webrtcPath });
   }
 
+  // Register tunnel proxy if enabled
+  if (tunnelEnabled) {
+    fastify.register(tunnelPlugin, { path: tunnelPath });
+  }
+
   // Register ActivityPub plugin if enabled
   if (activitypubEnabled) {
     fastify.register(activityPubPlugin, {
@@ -340,8 +349,11 @@ export function createServer(options = {}) {
       return;
     }
 
-    // Allow WebRTC signaling endpoint through when enabled
+    // Allow WebRTC and tunnel endpoints through when enabled
     const urlNoQuery = request.url.split('?')[0];
+    if (tunnelEnabled && (urlNoQuery === tunnelPath || urlNoQuery.startsWith('/tunnel/'))) {
+      return;
+    }
     if (webrtcEnabled && urlNoQuery === webrtcPath) {
       return;
     }
@@ -421,6 +433,7 @@ export function createServer(options = {}) {
         (payEnabled && isPayRequest(request.url)) ||
         (mongoEnabled && (request.url === '/db' || request.url.startsWith('/db/'))) ||
         (webrtcEnabled && (request.url === webrtcPath || request.url.startsWith(webrtcPath + '?'))) ||
+        (tunnelEnabled && (request.url === tunnelPath || request.url.startsWith(tunnelPath + '?') || request.url.startsWith('/tunnel/'))) ||
         mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;
     }

package/src/tunnel/index.js

@@ -0,0 +1,226 @@
+/**
+ * Tunnel Plugin — Decentralized ngrok
+ *
+ * Tunnels HTTP traffic to a local dev server through JSS via WebSocket.
+ * A tunnel client connects over WebSocket, registers a name, and receives
+ * proxied HTTP requests which it forwards to localhost.
+ *
+ * Usage: jss start --tunnel
+ * Tunnel client connects to: wss://your.pod/.tunnel
+ * Public URL: https://your.pod/tunnel/{name}/path
+ *
+ * Tunnel client protocol (JSON over WebSocket):
+ *   → { type: "register", name: "myapp" }
+ *   ← { type: "registered", name: "myapp", url: "/tunnel/myapp/" }
+ *   ← { type: "request", id: "<uuid>", method: "GET", path: "/api/hello", headers: {...}, body: "..." }
+ *   → { type: "response", id: "<uuid>", status: 200, headers: {...}, body: "..." }
+ *   ← { type: "error", message: "..." }
+ */
+
+import websocket from '@fastify/websocket';
+import { getWebIdFromRequestAsync } from '../auth/token.js';
+import { randomUUID } from 'crypto';
+
+const REQUEST_TIMEOUT = 30000; // 30s timeout for tunnel responses
+const MAX_MESSAGE_SIZE = 10 * 1024 * 1024; // 10MB
+
+/**
+ * @param {object} fastify - Fastify instance
+ * @param {object} options - Options
+ * @param {string} options.path - WebSocket path for tunnel clients (default: '/.tunnel')
+ */
+export async function tunnelPlugin(fastify, options = {}) {
+  const wsPath = options.path || '/.tunnel';
+
+  // Instance-scoped: tunnel name → { socket, webId }
+  const tunnels = new Map();
+  // Pending HTTP requests waiting for tunnel response: id → { resolve, timer }
+  const pending = new Map();
+
+  if (!fastify.websocketServer) {
+    await fastify.register(websocket);
+  }
+
+  fastify.addHook('onClose', async () => {
+    for (const [, tunnel] of tunnels) {
+      tunnel.socket.close();
+    }
+    tunnels.clear();
+    for (const [, p] of pending) {
+      clearTimeout(p.timer);
+      p.resolve({ status: 502, headers: {}, body: 'Tunnel shutting down' });
+    }
+    pending.clear();
+  });
+
+  // WebSocket endpoint for tunnel clients
+  fastify.get(wsPath, { websocket: true }, async (connection, request) => {
+    const socket = connection.socket;
+
+    // Authenticate
+    const { webId } = await getWebIdFromRequestAsync(request);
+    if (!webId) {
+      socket.send(JSON.stringify({ type: 'error', message: 'Authentication required' }));
+      socket.close();
+      return;
+    }
+
+    let tunnelName = null;
+
+    socket.on('message', (data) => {
+      const raw = Buffer.isBuffer(data) ? data : Buffer.from(data);
+      if (raw.byteLength > MAX_MESSAGE_SIZE) {
+        socket.send(JSON.stringify({ type: 'error', message: 'Message too large' }));
+        return;
+      }
+
+      let msg;
+      try {
+        msg = JSON.parse(raw.toString());
+      } catch {
+        socket.send(JSON.stringify({ type: 'error', message: 'Invalid JSON' }));
+        return;
+      }
+
+      if (msg.type === 'register') {
+        // Register a tunnel name
+        const name = (msg.name || '').replace(/[^a-zA-Z0-9_-]/g, '');
+        if (!name) {
+          socket.send(JSON.stringify({ type: 'error', message: 'Invalid tunnel name' }));
+          return;
+        }
+
+        const existing = tunnels.get(name);
+        if (existing && existing.webId !== webId) {
+          socket.send(JSON.stringify({ type: 'error', message: 'Tunnel name taken by another user' }));
+          return;
+        }
+
+        // Close old tunnel with same name from same user
+        if (existing) {
+          existing.socket.close();
+        }
+
+        tunnelName = name;
+        tunnels.set(name, { socket, webId });
+        socket.send(JSON.stringify({ type: 'registered', name, url: `/tunnel/${name}/` }));
+
+      } else if (msg.type === 'response') {
+        // Tunnel client returning an HTTP response
+        if (!msg.id) return;
+        const p = pending.get(msg.id);
+        if (p) {
+          clearTimeout(p.timer);
+          pending.delete(msg.id);
+          p.resolve({
+            status: msg.status || 502,
+            headers: msg.headers || {},
+            body: msg.body || '',
+            bodyEncoding: msg.bodyEncoding
+          });
+        }
+      }
+    });
+
+    socket.on('close', () => {
+      if (tunnelName && tunnels.get(tunnelName)?.socket === socket) {
+        tunnels.delete(tunnelName);
+        // Resolve pending requests for this tunnel only with 502
+        for (const [id, p] of pending) {
+          if (p.tunnelName === tunnelName) {
+            clearTimeout(p.timer);
+            pending.delete(id);
+            p.resolve({ status: 502, headers: {}, body: 'Tunnel disconnected' });
+          }
+        }
+      }
+    });
+
+    socket.on('error', () => {});
+  });
+
+  // HTTP proxy: /tunnel/{name}/*
+  fastify.all('/tunnel/:name/*', async (request, reply) => {
+    const { name } = request.params;
+    const tunnel = tunnels.get(name);
+
+    if (!tunnel || tunnel.socket.readyState !== 1) {
+      return reply.code(502).send({ error: 'Bad Gateway', message: 'Tunnel not connected' });
+    }
+
+    // Build the downstream path (strip /tunnel/{name} prefix)
+    const fullPath = request.url.replace(`/tunnel/${name}`, '') || '/';
+    const id = randomUUID();
+
+    // Serialize the HTTP request
+    const tunnelReq = Object.create(null);
+    tunnelReq.type = 'request';
+    tunnelReq.id = id;
+    tunnelReq.method = request.method;
+    tunnelReq.path = fullPath;
+    tunnelReq.headers = Object.create(null);
+    // Forward relevant headers (skip hop-by-hop)
+    const skipHeaders = new Set(['host', 'connection', 'upgrade', 'transfer-encoding', 'cookie', 'authorization', 'proxy-authorization']);
+    for (const [k, v] of Object.entries(request.headers)) {
+      if (!skipHeaders.has(k.toLowerCase())) {
+        tunnelReq.headers[k] = v;
+      }
+    }
+    // Forward body if present
+    if (request.body) {
+      tunnelReq.body = Buffer.isBuffer(request.body)
+        ? request.body.toString('base64')
+        : typeof request.body === 'string' ? request.body : JSON.stringify(request.body);
+      tunnelReq.bodyEncoding = Buffer.isBuffer(request.body) ? 'base64' : 'utf8';
+    }
+
+    // Send to tunnel client and wait for response
+    const responsePromise = new Promise((resolve) => {
+      const timer = setTimeout(() => {
+        pending.delete(id);
+        resolve({ status: 504, headers: {}, body: 'Gateway Timeout' });
+      }, REQUEST_TIMEOUT);
+      pending.set(id, { resolve, timer, tunnelName: name });
+    });
+
+    try {
+      tunnel.socket.send(JSON.stringify(tunnelReq));
+    } catch {
+      const p = pending.get(id);
+      if (p) { clearTimeout(p.timer); pending.delete(id); }
+      return reply.code(502).send({ error: 'Bad Gateway', message: 'Failed to reach tunnel client' });
+    }
+
+    const res = await responsePromise;
+
+    // Set response headers
+    const hopHeaders = new Set(['connection', 'transfer-encoding', 'keep-alive', 'set-cookie']);
+    for (const [k, v] of Object.entries(res.headers)) {
+      if (!hopHeaders.has(k.toLowerCase())) {
+        reply.header(k, v);
+      }
+    }
+
+    // Decode body if base64
+    const body = res.bodyEncoding === 'base64' && res.body
+      ? Buffer.from(res.body, 'base64')
+      : res.body || '';
+
+    return reply.code(res.status).send(body);
+  });
+
+  // Also handle /tunnel/{name} without trailing path
+  fastify.all('/tunnel/:name', async (request, reply) => {
+    // Redirect to add trailing slash, or proxy as root
+    const { name } = request.params;
+    const tunnel = tunnels.get(name);
+
+    if (!tunnel || tunnel.socket.readyState !== 1) {
+      return reply.code(502).send({ error: 'Bad Gateway', message: 'Tunnel not connected' });
+    }
+
+    return reply.redirect(308, `/tunnel/${name}/`);
+  });
+}
+
+export default tunnelPlugin;

package/test/patch.test.js

@@ -185,6 +185,67 @@ describe('PATCH Operations', () => {
       assert.ok(data['@graph'], 'Should have @graph');
       assert.strictEqual(data['@graph'].length, 2, 'Should have 2 nodes');
     });
+
+    it('should handle semicolon shorthand and rdf:type "a" keyword', async () => {
+      // Create initial resource with @graph
+      const initial = {
+        '@context': { 'solid': 'http://www.w3.org/ns/solid/terms#' },
+        '@graph': []
+      };
+
+      await request('/patchtest/public/patch-semicolon.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(initial),
+        auth: 'patchtest'
+      });
+
+      // Use semicolons and 'a' keyword (Turtle shorthand)
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        @prefix wf: <http://www.w3.org/2005/01/wf/flow#>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts {
+            <#reg1> a solid:TypeRegistration;
+              solid:forClass wf:Tracker;
+              solid:instance <https://example.com/todo/data.jsonld#this>.
+          }.
+      `;
+
+      const res = await request('/patchtest/public/patch-semicolon.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify all three triples were inserted
+      const verify = await request('/patchtest/public/patch-semicolon.json');
+      const data = await verify.json();
+      const node = data['@graph'].find(n => n['@id'] && n['@id'].includes('#reg1'));
+      assert.ok(node, 'Should have the reg1 node');
+
+      // Check rdf:type value (from 'a' keyword)
+      const rdfType = node['rdf:type'] || node['http://www.w3.org/1999/02/22-rdf-syntax-ns#type'];
+      assert.ok(rdfType, 'Should have rdf:type (from "a" keyword)');
+      const typeId = rdfType['@id'] || rdfType;
+      assert.ok(String(typeId).includes('TypeRegistration'), `rdf:type should be TypeRegistration, got ${typeId}`);
+
+      // Check solid:forClass value
+      const forClass = node['solid:forClass'];
+      assert.ok(forClass, 'Should have solid:forClass');
+      const forClassId = forClass['@id'] || forClass;
+      assert.ok(String(forClassId).includes('Tracker'), `solid:forClass should be Tracker, got ${forClassId}`);
+
+      // Check solid:instance value (contains a dot in the IRI - tests IRI splitting)
+      const instance = node['solid:instance'];
+      assert.ok(instance, 'Should have solid:instance');
+      const instanceId = instance['@id'] || instance;
+      assert.strictEqual(instanceId, 'https://example.com/todo/data.jsonld#this',
+        'solid:instance should have full IRI preserved');
+    });
   });
 
   describe('PATCH Error Handling', () => {

package/test/tunnel.test.js

@@ -0,0 +1,202 @@
+/**
+ * Tunnel Proxy Tests
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { WebSocket } from 'ws';
+import {
+  startTestServer,
+  stopTestServer,
+  createTestPod,
+  getBaseUrl,
+  getPodToken
+} from './helpers.js';
+
+describe('Tunnel Proxy', () => {
+  let wsUrl, baseUrl;
+
+  before(async () => {
+    await startTestServer({ tunnel: true });
+    await createTestPod('tunneler');
+    baseUrl = getBaseUrl();
+    wsUrl = baseUrl.replace('http', 'ws') + '/.tunnel';
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  function connectTunnel() {
+    const token = getPodToken('tunneler');
+    return new WebSocket(wsUrl, {
+      headers: { 'Authorization': `Bearer ${token}` }
+    });
+  }
+
+  function waitMsg(ws, type, timeout = 5000) {
+    return new Promise((resolve, reject) => {
+      function handler(data) {
+        const msg = JSON.parse(data.toString());
+        if (msg.type === type) {
+          clearTimeout(timer);
+          ws.removeListener('message', handler);
+          ws.removeListener('close', onClose);
+          resolve(msg);
+        }
+      }
+      function onClose() {
+        clearTimeout(timer);
+        ws.removeListener('message', handler);
+        reject(new Error(`WebSocket closed while waiting for "${type}"`));
+      }
+      const timer = setTimeout(() => {
+        ws.removeListener('message', handler);
+        ws.removeListener('close', onClose);
+        reject(new Error(`Timeout waiting for "${type}"`));
+      }, timeout);
+      ws.on('message', handler);
+      ws.on('close', onClose);
+    });
+  }
+
+  describe('Registration', () => {
+    it('should reject unauthenticated connections', async () => {
+      const ws = new WebSocket(wsUrl);
+      const msg = await waitMsg(ws, 'error');
+      assert.ok(msg.message.includes('Authentication'));
+      ws.close();
+    });
+
+    it('should register a tunnel name', async () => {
+      const ws = connectTunnel();
+      await new Promise(r => ws.on('open', r));
+
+      ws.send(JSON.stringify({ type: 'register', name: 'myapp' }));
+      const msg = await waitMsg(ws, 'registered');
+      assert.strictEqual(msg.name, 'myapp');
+      assert.strictEqual(msg.url, '/tunnel/myapp/');
+
+      ws.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should reject invalid tunnel names', async () => {
+      const ws = connectTunnel();
+      await new Promise(r => ws.on('open', r));
+
+      ws.send(JSON.stringify({ type: 'register', name: '...' }));
+      const msg = await waitMsg(ws, 'error');
+      assert.ok(msg.message.includes('Invalid'));
+
+      ws.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+  });
+
+  describe('HTTP Proxying', () => {
+    it('should proxy GET requests through the tunnel', async () => {
+      const ws = connectTunnel();
+      await new Promise(r => ws.on('open', r));
+
+      // Register tunnel
+      ws.send(JSON.stringify({ type: 'register', name: 'testapp' }));
+      await waitMsg(ws, 'registered');
+
+      // Listen for tunnel requests and respond
+      ws.on('message', (data) => {
+        const msg = JSON.parse(data.toString());
+        if (msg.type === 'request') {
+          ws.send(JSON.stringify({
+            type: 'response',
+            id: msg.id,
+            status: 200,
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify({ hello: 'world', path: msg.path })
+          }));
+        }
+      });
+
+      // Make HTTP request through the tunnel
+      const res = await fetch(`${baseUrl}/tunnel/testapp/api/hello`);
+      assert.strictEqual(res.status, 200);
+      const body = await res.json();
+      assert.strictEqual(body.hello, 'world');
+      assert.strictEqual(body.path, '/api/hello');
+
+      ws.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should proxy POST requests with body', async () => {
+      const ws = connectTunnel();
+      await new Promise(r => ws.on('open', r));
+
+      ws.send(JSON.stringify({ type: 'register', name: 'postapp' }));
+      await waitMsg(ws, 'registered');
+
+      ws.on('message', (data) => {
+        const msg = JSON.parse(data.toString());
+        if (msg.type === 'request') {
+          assert.strictEqual(msg.method, 'POST');
+          ws.send(JSON.stringify({
+            type: 'response',
+            id: msg.id,
+            status: 201,
+            headers: { 'content-type': 'text/plain' },
+            body: 'Created'
+          }));
+        }
+      });
+
+      const res = await fetch(`${baseUrl}/tunnel/postapp/items`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: 'test' })
+      });
+      assert.strictEqual(res.status, 201);
+      assert.strictEqual(await res.text(), 'Created');
+
+      ws.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should return 502 for unregistered tunnel', async () => {
+      const res = await fetch(`${baseUrl}/tunnel/nonexistent/path`);
+      assert.strictEqual(res.status, 502);
+    });
+
+    it('should forward custom headers', async () => {
+      const ws = connectTunnel();
+      await new Promise(r => ws.on('open', r));
+
+      ws.send(JSON.stringify({ type: 'register', name: 'headerapp' }));
+      await waitMsg(ws, 'registered');
+
+      let receivedHeaders;
+      ws.on('message', (data) => {
+        const msg = JSON.parse(data.toString());
+        if (msg.type === 'request') {
+          receivedHeaders = msg.headers;
+          ws.send(JSON.stringify({
+            type: 'response',
+            id: msg.id,
+            status: 200,
+            headers: { 'x-custom-response': 'from-tunnel' },
+            body: 'ok'
+          }));
+        }
+      });
+
+      const res = await fetch(`${baseUrl}/tunnel/headerapp/`, {
+        headers: { 'X-Custom-Request': 'to-tunnel' }
+      });
+      assert.strictEqual(res.status, 200);
+      assert.strictEqual(res.headers.get('x-custom-response'), 'from-tunnel');
+      assert.strictEqual(receivedHeaders['x-custom-request'], 'to-tunnel');
+
+      ws.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+  });
+});

package/test-webrtc-smoke.mjs

@@ -1,90 +0,0 @@
-import { createServer } from './src/server.js';
-import { WebSocket } from 'ws';
-
-const PORT = 9877;
-const BASE = `http://127.0.0.1:${PORT}`;
-
-// Start server
-const server = createServer({ logger: false, webrtc: true, forceCloseConnections: true });
-await server.listen({ port: PORT, host: '127.0.0.1' });
-console.log(`Server running on port ${PORT}`);
-
-// Create two pods and get tokens
-const aliceRes = await (await fetch(`${BASE}/.pods`, {
-  method: 'POST', headers: { 'Content-Type': 'application/json' },
-  body: JSON.stringify({ name: 'alice' })
-})).json();
-
-const bobRes = await (await fetch(`${BASE}/.pods`, {
-  method: 'POST', headers: { 'Content-Type': 'application/json' },
-  body: JSON.stringify({ name: 'bob' })
-})).json();
-
-console.log(`Alice WebID: ${aliceRes.webId}`);
-console.log(`Bob WebID: ${bobRes.webId}`);
-
-function connectWs(token) {
-  return new WebSocket(`ws://127.0.0.1:${PORT}/.webrtc`, {
-    headers: { 'Authorization': `Bearer ${token}` }
-  });
-}
-
-function waitMsg(ws, type) {
-  return new Promise((resolve, reject) => {
-    const timer = setTimeout(() => { ws.removeListener('message', h); reject(new Error(`Timeout: ${type}`)); }, 5000);
-    function h(data) {
-      const msg = JSON.parse(data.toString());
-      if (msg.type === type) { clearTimeout(timer); ws.removeListener('message', h); resolve(msg); }
-    }
-    ws.on('message', h);
-  });
-}
-
-// 1. Alice connects
-const alice = connectWs(aliceRes.token);
-const alicePeers = await waitMsg(alice, 'peers');
-console.log(`\n1. Alice connected — you: ${alicePeers.you}, peers: [${alicePeers.peers}]`);
-
-// 2. Bob connects — alice should get peer-joined
-const joinPromise = waitMsg(alice, 'peer-joined');
-const bob = connectWs(bobRes.token);
-const bobPeers = await waitMsg(bob, 'peers');
-console.log(`2. Bob connected — you: ${bobPeers.you}, peers: [${bobPeers.peers}]`);
-
-const joined = await joinPromise;
-console.log(`   Alice got peer-joined: ${joined.webId}`);
-
-// 3. Alice sends offer to Bob
-const offerPromise = waitMsg(bob, 'offer');
-alice.send(JSON.stringify({ type: 'offer', to: bobPeers.you, sdp: 'v=0\r\nfake-sdp-offer' }));
-const offer = await offerPromise;
-console.log(`3. Bob received offer from ${offer.from} — sdp: "${offer.sdp}"`);
-
-// 4. Bob sends answer to Alice
-const answerPromise = waitMsg(alice, 'answer');
-bob.send(JSON.stringify({ type: 'answer', to: alicePeers.you, sdp: 'v=0\r\nfake-sdp-answer' }));
-const answer = await answerPromise;
-console.log(`4. Alice received answer from ${answer.from} — sdp: "${answer.sdp}"`);
-
-// 5. Alice sends ICE candidate to Bob
-const candPromise = waitMsg(bob, 'candidate');
-alice.send(JSON.stringify({ type: 'candidate', to: bobPeers.you, candidate: { candidate: 'candidate:1 1 UDP 12345 192.168.1.1 9999 typ host' } }));
-const cand = await candPromise;
-console.log(`5. Bob received ICE candidate from ${cand.from}`);
-
-// 6. Alice sends hangup
-const hangPromise = waitMsg(bob, 'hangup');
-alice.send(JSON.stringify({ type: 'hangup', to: bobPeers.you }));
-const hang = await hangPromise;
-console.log(`6. Bob received hangup from ${hang.from}`);
-
-// 7. Bob disconnects — alice gets peer-left
-const leftPromise = waitMsg(alice, 'peer-left');
-bob.close();
-const left = await leftPromise;
-console.log(`7. Alice got peer-left: ${left.webId}`);
-
-alice.close();
-await server.close();
-console.log(`\n✅ All signaling steps passed!`);
-process.exit(0);