javascript-solid-server 0.0.150 → 0.0.152

package/.claude/settings.local.json

@@ -355,7 +355,9 @@
       "Read(//home/melvin/remote/github.com/solid-helper/core/**)",
       "Bash(curl -s https://www.gnu.org/licenses/agpl-3.0.txt)",
       "Bash(cat LICENSE.full)",
-      "Bash(rm LICENSE.full)"
+      "Bash(rm LICENSE.full)",
+      "Bash(awk -F: '{print $1,$2}')",
+      "Bash(awk -F: '{print $1}')"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.150",
+  "version": "0.0.152",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/handlers/container.js

@@ -5,7 +5,7 @@ import { isContainer, getEffectiveUrlPath, getPodName } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
 import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, generatePublicFolderAcl, serializeAcl } from '../wac/parser.js';
 import { createToken } from '../auth/token.js';
-import { canAcceptInput, toJsonLd, getVaryHeader, RDF_TYPES } from '../rdf/conneg.js';
+import { canAcceptInput, toJsonLd, RDF_TYPES } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 
 /**
@@ -138,10 +138,10 @@ export async function handlePost(request, reply) {
   const headers = getAllHeaders({
     isContainer: isCreatingContainer,
     origin,
-    connegEnabled
+    connegEnabled,
+    mashlibEnabled: request.mashlibEnabled
   });
   headers['Location'] = resourceUrl;
-  headers['Vary'] = getVaryHeader(connegEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 

package/src/handlers/resource.js

@@ -10,7 +10,6 @@ import {
   canAcceptInput,
   toJsonLd,
   fromJsonLd,
-  getVaryHeader,
   RDF_TYPES
 } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
@@ -22,6 +21,12 @@ import { generateDatabrowserHtml, generateModuleDatabrowserHtml, shouldServeMash
  */
 const LIVE_RELOAD_SCRIPT = `<script>(function(){var ws=new WebSocket((location.protocol==='https:'?'wss:':'ws:')+'//' +location.host+'/.notifications');ws.onopen=function(){ws.send('sub '+location.href)};ws.onmessage=function(e){if(e.data.startsWith('pub '))location.reload()};ws.onclose=function(){setTimeout(function(){location.reload()},1000)}})();</script>`;
 
+// Cache-Control for RDF data responses: let clients keep the body but force
+// revalidation via ETag on every use. This prevents stale bodies from leaking
+// across auth-state changes (WAC) and closes the mashlib render-race window
+// where a cached data variant was served on top-level navigation (#315).
+const RDF_CACHE_CONTROL = 'private, no-cache, must-revalidate';
+
 /**
  * Inject live reload script into HTML content
  */
@@ -181,6 +186,7 @@ export async function handleGet(request, reply) {
                 resourceUrl,
                 connegEnabled
               });
+              headers['Cache-Control'] = RDF_CACHE_CONTROL;
 
               Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
               return reply.send(turtleContent);
@@ -194,6 +200,7 @@ export async function handleGet(request, reply) {
                 resourceUrl,
                 connegEnabled
               });
+              headers['Cache-Control'] = RDF_CACHE_CONTROL;
 
               Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
               return reply.send(JSON.stringify(jsonLd, null, 2));
@@ -239,9 +246,9 @@ export async function handleGet(request, reply) {
         contentType: 'text/html',
         origin,
         resourceUrl,
-        connegEnabled
+        connegEnabled,
+        mashlibEnabled: request.mashlibEnabled
       });
-      headers['Vary'] = 'Accept';
       headers['X-Frame-Options'] = 'DENY';
       headers['Content-Security-Policy'] = "frame-ancestors 'none'";
       headers['Cache-Control'] = 'no-store';
@@ -274,9 +281,10 @@ export async function handleGet(request, reply) {
           contentType: 'text/turtle',
           origin,
           resourceUrl,
-          connegEnabled
+          connegEnabled,
+          mashlibEnabled: request.mashlibEnabled
         });
-        headers['Vary'] = 'Accept';
+        headers['Cache-Control'] = RDF_CACHE_CONTROL;
 
         Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
         return reply.send(turtleContent);
@@ -292,8 +300,10 @@ export async function handleGet(request, reply) {
       contentType: 'application/ld+json',
       origin,
       resourceUrl,
-      connegEnabled
+      connegEnabled,
+      mashlibEnabled: request.mashlibEnabled
     });
+    headers['Cache-Control'] = RDF_CACHE_CONTROL;
 
     Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
     return reply.send(serializeJsonLd(jsonLd));
@@ -315,9 +325,9 @@ export async function handleGet(request, reply) {
       contentType: 'text/html',
       origin,
       resourceUrl,
-      connegEnabled
+      connegEnabled,
+      mashlibEnabled: request.mashlibEnabled
     });
-    headers['Vary'] = 'Accept';
     headers['X-Frame-Options'] = 'DENY';
     headers['Content-Security-Policy'] = "frame-ancestors 'none'";
     // Don't cache the HTML wrapper - always negotiate fresh
@@ -397,9 +407,10 @@ export async function handleGet(request, reply) {
             contentType: 'text/turtle',
             origin,
             resourceUrl,
-            connegEnabled
+            connegEnabled,
+            mashlibEnabled: request.mashlibEnabled
           });
-          headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
+          headers['Cache-Control'] = RDF_CACHE_CONTROL;
 
           Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
           return reply.send(turtleContent);
@@ -427,9 +438,10 @@ export async function handleGet(request, reply) {
           contentType: outputType,
           origin,
           resourceUrl,
-          connegEnabled
+          connegEnabled,
+          mashlibEnabled: request.mashlibEnabled
         });
-        headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
+        headers['Cache-Control'] = RDF_CACHE_CONTROL;
 
         Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
         return reply.send(outputContent);
@@ -455,9 +467,12 @@ export async function handleGet(request, reply) {
     contentType: actualContentType,
     origin,
     resourceUrl,
-    connegEnabled
+    connegEnabled,
+    mashlibEnabled: request.mashlibEnabled
   });
-  headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
+  if (isRdfContentType(actualContentType)) {
+    headers['Cache-Control'] = RDF_CACHE_CONTROL;
+  }
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
@@ -671,9 +686,8 @@ export async function handlePut(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl, connegEnabled });
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl, connegEnabled, mashlibEnabled: request.mashlibEnabled });
   headers['Location'] = resourceUrl;
-  headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 

package/src/ldp/headers.js

@@ -2,7 +2,7 @@
  * LDP (Linked Data Platform) header utilities
  */
 
-import { getAcceptHeaders } from '../rdf/conneg.js';
+import { getAcceptHeaders, getVaryHeader } from '../rdf/conneg.js';
 
 const LDP = 'http://www.w3.org/ns/ldp#';
 
@@ -49,7 +49,7 @@ export function getAclUrl(resourceUrl, isContainer) {
  * @param {object} options
  * @returns {object}
  */
-export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null, connegEnabled = false, updatesVia = null }) {
+export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null, connegEnabled = false, mashlibEnabled = false, updatesVia = null }) {
   // Calculate ACL URL if resource URL provided
   const aclUrl = resourceUrl ? getAclUrl(resourceUrl, isContainer) : null;
 
@@ -58,7 +58,7 @@ export function getResponseHeaders({ isContainer = false, etag = null, contentTy
     'Accept-Patch': 'text/n3, application/sparql-update',
     'Accept-Ranges': isContainer ? 'none' : 'bytes',
     'Allow': 'GET, HEAD, PUT, DELETE, PATCH, OPTIONS' + (isContainer ? ', POST' : ''),
-    'Vary': connegEnabled ? 'Accept, Authorization, Origin' : 'Authorization, Origin'
+    'Vary': getVaryHeader(connegEnabled, mashlibEnabled)
   };
 
   // Only set WAC-Allow if explicitly provided (otherwise the auth hook sets it)
@@ -107,9 +107,9 @@ export function getCorsHeaders(origin) {
  * @param {object} options
  * @returns {object}
  */
-export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null, connegEnabled = false, updatesVia = null }) {
+export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null, connegEnabled = false, mashlibEnabled = false, updatesVia = null }) {
   return {
-    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow, connegEnabled, updatesVia }),
+    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow, connegEnabled, mashlibEnabled, updatesVia }),
     ...getCorsHeaders(origin)
   };
 }
@@ -120,7 +120,7 @@ export function getAllHeaders({ isContainer = false, etag = null, contentType =
  * @param {object} options
  * @returns {object}
  */
-export function getNotFoundHeaders({ resourceUrl = null, origin = null, connegEnabled = false }) {
+export function getNotFoundHeaders({ resourceUrl = null, origin = null, connegEnabled = false, mashlibEnabled = false }) {
   // Determine if this would be a container based on URL ending with /
   const isContainer = resourceUrl?.endsWith('/') || false;
   const aclUrl = resourceUrl ? getAclUrl(resourceUrl, isContainer) : null;
@@ -134,7 +134,7 @@ export function getNotFoundHeaders({ resourceUrl = null, origin = null, connegEn
     'Accept-Patch': 'text/n3, application/sparql-update',
     'Accept-Put': acceptHeaders['Accept-Put'] || 'application/ld+json, */*',
     'Allow': 'GET, HEAD, PUT, PATCH, OPTIONS' + (isContainer ? ', POST' : ''),
-    'Vary': connegEnabled ? 'Accept, Authorization, Origin' : 'Authorization, Origin'
+    'Vary': getVaryHeader(connegEnabled, mashlibEnabled)
   };
 
   if (isContainer && acceptHeaders['Accept-Post']) {

package/src/rdf/conneg.js

@@ -189,10 +189,19 @@ export async function fromJsonLd(jsonLd, targetType, baseUri, connegEnabled = fa
 
 /**
  * Get Vary header value for content negotiation
- * Include Accept when conneg or mashlib is enabled (response varies by Accept header)
+ *
+ * Must be identical across all variants of a given URL — inconsistent Vary
+ * across variants confuses browser caches and can cause the wrong variant
+ * to be served on reload (see #315).
+ *
+ * - `Accept` — response body depends on Accept (conneg or mashlib HTML shell)
+ * - `Authorization` — response body depends on the authenticated user (WAC)
+ * - `Origin` — CORS headers echo the request's Origin
  */
 export function getVaryHeader(connegEnabled, mashlibEnabled = false) {
-  return (connegEnabled || mashlibEnabled) ? 'Accept, Origin' : 'Origin';
+  return (connegEnabled || mashlibEnabled)
+    ? 'Accept, Authorization, Origin'
+    : 'Authorization, Origin';
 }
 
 /**

package/src/storage/quota.js

@@ -8,6 +8,10 @@ import { join } from 'path';
 import { getDataRoot } from '../utils/url.js';
 
 const QUOTA_FILE = '.quota.json';
+// Temp files created by saveQuota live next to the quota file; they must be
+// excluded from disk-usage reconciliation so an orphan (e.g. from a crash
+// between writeFile and rename) doesn't inflate pod usage.
+const QUOTA_TMP_PREFIX = `${QUOTA_FILE}.tmp.`;
 
 /**
  * Get quota file path for a pod
@@ -16,6 +20,18 @@ function getQuotaPath(podName) {
   return join(getDataRoot(), podName, QUOTA_FILE);
 }
 
+/**
+ * Coerce a parsed quota object to a sane shape so all callers can do
+ * arithmetic on it without worrying about undefined/NaN/negative values.
+ */
+function sanitizeQuota(q) {
+  const toNum = (v) => {
+    const n = Number(v);
+    return Number.isFinite(n) && n >= 0 ? n : 0;
+  };
+  return { limit: toNum(q?.limit), used: toNum(q?.used) };
+}
+
 /**
  * Load quota data for a pod
  * @param {string} podName - The pod name
@@ -24,11 +40,15 @@ function getQuotaPath(podName) {
 export async function loadQuota(podName) {
   try {
     const data = await fs.readFile(getQuotaPath(podName), 'utf-8');
-    return JSON.parse(data);
+    // Empty/partial file can appear if a write was interrupted (or from a
+    // racing non-atomic save on older versions). Treat as missing and
+    // reconcile against on-disk usage so we don't under-count.
+    if (!data.trim()) return { limit: 0, used: await calculatePodSize(podName) };
+    return sanitizeQuota(JSON.parse(data));
   } catch (err) {
-    if (err.code === 'ENOENT') {
-      // No quota file - return defaults (will be initialized on first write)
-      return { limit: 0, used: 0 };
+    if (err.code === 'ENOENT') return { limit: 0, used: 0 };
+    if (err instanceof SyntaxError) {
+      return { limit: 0, used: await calculatePodSize(podName) };
     }
     throw err;
   }
@@ -40,7 +60,19 @@ export async function loadQuota(podName) {
  * @param {object} quota - Quota data
  */
 export async function saveQuota(podName, quota) {
-  await fs.writeFile(getQuotaPath(podName), JSON.stringify(quota, null, 2));
+  // Atomic write: fs.writeFile truncates before writing, which lets concurrent
+  // readers see an empty file. Write to a temp file and rename (POSIX-atomic).
+  // Any failure (writeFile or rename) cleans up the temp file so failed writes
+  // don't accumulate orphans.
+  const finalPath = getQuotaPath(podName);
+  const tmpPath = `${finalPath}.tmp.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2)}`;
+  try {
+    await fs.writeFile(tmpPath, JSON.stringify(quota, null, 2));
+    await fs.rename(tmpPath, finalPath);
+  } catch (err) {
+    await fs.unlink(tmpPath).catch(() => {});
+    throw err;
+  }
 }
 
 /**
@@ -76,8 +108,9 @@ async function calculateDirSize(dirPath) {
     for (const entry of entries) {
       const fullPath = join(dirPath, entry.name);
 
-      // Skip quota file itself
+      // Skip the quota file and any orphaned temp files from saveQuota.
       if (entry.name === QUOTA_FILE) continue;
+      if (entry.name.startsWith(QUOTA_TMP_PREFIX)) continue;
 
       if (entry.isDirectory()) {
         total += await calculateDirSize(fullPath);
@@ -106,9 +139,12 @@ async function calculateDirSize(dirPath) {
 export async function checkQuota(podName, additionalBytes, defaultQuota) {
   let quota = await loadQuota(podName);
 
-  // Initialize if no quota set
+  // Initialize if no quota set. loadQuota already sanitizes shape, so `used`
+  // is a finite non-negative number here — preserve it so reconciled usage
+  // from a recovered corrupt/empty file is not reset to 0.
   if (quota.limit === 0 && defaultQuota > 0) {
-    quota = await initializeQuota(podName, defaultQuota);
+    quota = { limit: defaultQuota, used: quota.used };
+    await saveQuota(podName, quota);
   }
 
   // No quota enforcement if limit is 0

package/test/quota-race.test.js

@@ -0,0 +1,143 @@
+/**
+ * Regression tests for #309 — concurrent quota updates causing 500s.
+ *
+ * Without atomic writes, two concurrent updateQuotaUsage calls race on
+ * .quota.json — the second load can read an empty/partial file and
+ * JSON.parse throws "Unexpected end of JSON input".
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import fs from 'fs-extra';
+import os from 'os';
+import path from 'path';
+import {
+  initializeQuota,
+  updateQuotaUsage,
+  loadQuota,
+  saveQuota,
+  checkQuota,
+  calculatePodSize
+} from '../src/storage/quota.js';
+
+const POD = 'testpod';
+let TEST_ROOT;
+let originalDataRoot;
+
+describe('quota — concurrent updates (#309)', () => {
+  before(async () => {
+    originalDataRoot = process.env.DATA_ROOT;
+    TEST_ROOT = await fs.mkdtemp(path.join(os.tmpdir(), 'jss-quota-'));
+    process.env.DATA_ROOT = TEST_ROOT;
+    await fs.ensureDir(path.join(TEST_ROOT, POD));
+    await initializeQuota(POD, 50 * 1024 * 1024);
+  });
+
+  after(async () => {
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+    await fs.remove(TEST_ROOT);
+  });
+
+  it('many concurrent updates do not throw', async () => {
+    const N = 50;
+    const updates = Array.from({ length: N }, (_, i) =>
+      updateQuotaUsage(POD, 10 + i)
+    );
+    await assert.doesNotReject(Promise.all(updates));
+    const final = await loadQuota(POD);
+    assert.strictEqual(typeof final.used, 'number');
+    assert.ok(final.used > 0);
+  });
+
+  async function withResourceAndBrokenQuota(brokenContent) {
+    const resourcePath = path.join(TEST_ROOT, POD, 'resource.txt');
+    const quotaPath = path.join(TEST_ROOT, POD, '.quota.json');
+    const size = 321;
+    await fs.writeFile(resourcePath, 'x'.repeat(size));
+    await fs.writeFile(quotaPath, brokenContent);
+    return { size, cleanup: () => fs.remove(resourcePath) };
+  }
+
+  it('loadQuota reconciles usage from disk when quota file is empty', async () => {
+    const { size, cleanup } = await withResourceAndBrokenQuota('');
+    try {
+      const q = await loadQuota(POD);
+      assert.strictEqual(q.limit, 0);
+      assert.strictEqual(q.used, size);
+    } finally { await cleanup(); }
+  });
+
+  it('loadQuota reconciles usage from disk when quota file is corrupt', async () => {
+    const { size, cleanup } = await withResourceAndBrokenQuota('{"limit":524');
+    try {
+      const q = await loadQuota(POD);
+      assert.strictEqual(q.limit, 0);
+      assert.strictEqual(q.used, size);
+    } finally { await cleanup(); }
+  });
+
+  it('loadQuota sanitizes malformed fields (missing/null/negative)', async () => {
+    const quotaPath = path.join(TEST_ROOT, POD, '.quota.json');
+    const cases = [
+      ['{"limit":0}', { limit: 0, used: 0 }],
+      ['{"limit":null,"used":null}', { limit: 0, used: 0 }],
+      ['{"limit":-10,"used":-5}', { limit: 0, used: 0 }],
+      // Numeric strings are coerced — tolerates legacy/manually-edited files.
+      ['{"limit":"100","used":"50"}', { limit: 100, used: 50 }]
+    ];
+    for (const [body, expected] of cases) {
+      await fs.writeFile(quotaPath, body);
+      const q = await loadQuota(POD);
+      assert.deepStrictEqual(q, expected, `for ${body}`);
+    }
+  });
+
+  it('calculatePodSize ignores orphaned quota temp files', async () => {
+    // Simulate an orphan from a crashed saveQuota (process died between
+    // writeFile and rename) — must not be counted toward pod usage.
+    const resource = path.join(TEST_ROOT, POD, 'data.txt');
+    const orphan = path.join(TEST_ROOT, POD, '.quota.json.tmp.999.1.abc');
+    await fs.writeFile(resource, 'x'.repeat(50));
+    await fs.writeFile(orphan, 'x'.repeat(9999));
+    try {
+      const size = await calculatePodSize(POD);
+      assert.strictEqual(size, 50, 'orphan temp file must not be counted');
+    } finally {
+      await fs.remove(resource);
+      await fs.remove(orphan);
+    }
+  });
+
+  it('checkQuota preserves reconciled usage when re-initializing limit', async () => {
+    const { size, cleanup } = await withResourceAndBrokenQuota('');
+    try {
+      const defaultQuota = 10 * 1024 * 1024;
+      const { quota } = await checkQuota(POD, 0, defaultQuota);
+      assert.strictEqual(quota.limit, defaultQuota);
+      assert.strictEqual(quota.used, size, 'reconciled usage must not be reset to 0');
+    } finally { await cleanup(); }
+  });
+
+  it('saveQuota is atomic — concurrent read during save never sees empty file', async () => {
+    await saveQuota(POD, { limit: 1000, used: 100 });
+    const quotaPath = path.join(TEST_ROOT, POD, '.quota.json');
+
+    // Interleave 200 saves with 200 reads; with non-atomic writes, at least
+    // one read would land on a truncated file — the empty-file assertion
+    // below (or the JSON.parse) would then fail.
+    const ops = [];
+    for (let i = 0; i < 200; i++) {
+      ops.push(saveQuota(POD, { limit: 1000, used: i }));
+      ops.push(fs.readFile(quotaPath, 'utf-8').then((data) => {
+        assert.notStrictEqual(
+          data.length,
+          0,
+          'concurrent read saw an empty quota file'
+        );
+        JSON.parse(data);
+      }));
+    }
+    await assert.doesNotReject(Promise.all(ops));
+  });
+});

package/test/vary-cache-headers.test.js

@@ -0,0 +1,114 @@
+/**
+ * Regression tests for #315 — inconsistent Vary / Cache-Control across
+ * conneg variants caused stale-render races on browser reload.
+ *
+ * What we guarantee now:
+ *  - Every variant of the same URL returns an *identical* Vary header.
+ *  - RDF data variants carry Cache-Control that forces revalidation via
+ *    ETag, so a cached body cannot silently serve across auth changes or
+ *    be picked up on a top-level navigation by mistake.
+ *  - The mashlib HTML wrapper keeps `no-store` (it's a bootstrap template).
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod
+} from './helpers.js';
+
+describe('Vary / Cache-Control consistency (#315)', () => {
+  before(async () => {
+    await startTestServer({ conneg: true, mashlibCdn: true });
+    await createTestPod('varytest');
+    // Create a JSON-LD resource to exercise all variants.
+    await request('/varytest/public/card.jsonld', {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/ld+json' },
+      body: JSON.stringify({
+        '@context': { foaf: 'http://xmlns.com/foaf/0.1/' },
+        '@id': '#me',
+        'foaf:name': 'Vary Test'
+      }),
+      auth: 'varytest'
+    });
+  });
+
+  after(async () => { await stopTestServer(); });
+
+  it('Vary header is identical across all conneg variants of the same URL', async () => {
+    const accepts = [
+      'text/html,*/*;q=0.8',              // mashlib HTML wrapper
+      'text/turtle',                        // Turtle conversion
+      'application/ld+json'                 // native JSON-LD
+    ];
+    const varyValues = [];
+    for (const accept of accepts) {
+      const res = await request('/varytest/public/card.jsonld', { headers: { Accept: accept } });
+      varyValues.push({ accept, vary: res.headers.get('vary') });
+    }
+    // All three variants must carry the same Vary — inconsistent Vary is
+    // what confused browser caches into serving the wrong variant.
+    const uniqueVaryValues = new Set(varyValues.map((v) => v.vary));
+    assert.strictEqual(uniqueVaryValues.size, 1,
+      `expected identical Vary across variants, got: ${JSON.stringify(varyValues)}`);
+    const vary = [...uniqueVaryValues][0];
+    assert.ok(vary, `expected Vary header across variants, got: ${JSON.stringify(varyValues)}`);
+    assert.match(vary, /Accept/, 'Vary must include Accept (conneg active)');
+    assert.match(vary, /Authorization/, 'Vary must include Authorization (WAC)');
+    assert.match(vary, /Origin/, 'Vary must include Origin (CORS)');
+  });
+
+  it('mashlib HTML wrapper uses Cache-Control: no-store', async () => {
+    const res = await request('/varytest/public/card.jsonld', {
+      headers: { Accept: 'text/html,*/*;q=0.8' }
+    });
+    assert.match(res.headers.get('content-type') || '', /text\/html/);
+    assert.strictEqual(res.headers.get('cache-control'), 'no-store');
+  });
+
+  it('RDF data variants force revalidation (no stale bodies across auth changes)', async () => {
+    // Full expected policy — pinning every directive so a regression that
+    // drops `private` or `must-revalidate` (both needed to prevent auth-state
+    // leakage and force freshness) fails the test.
+    const expected = 'private, no-cache, must-revalidate';
+    for (const accept of ['text/turtle', 'application/ld+json']) {
+      const res = await request('/varytest/public/card.jsonld', { headers: { Accept: accept } });
+      assert.strictEqual(res.headers.get('cache-control'), expected,
+        `Cache-Control mismatch on Accept: ${accept}`);
+      // ETag is preserved so revalidation is cheap (304).
+      assert.ok(res.headers.get('etag'), `expected ETag on ${accept} variant`);
+    }
+  });
+
+  it('container index.html data-island variants also carry revalidating Cache-Control', async () => {
+    // Publish an index.html with a JSON-LD data island; conneg should extract
+    // and serve it as Turtle/JSON-LD. Those variants were missing
+    // Cache-Control pre-#315.
+    const html = [
+      '<!doctype html><html><head>',
+      '<script type="application/ld+json">',
+      JSON.stringify({
+        '@context': { foaf: 'http://xmlns.com/foaf/0.1/' },
+        '@id': '#this',
+        'foaf:name': 'Island'
+      }),
+      '</script></head><body>hi</body></html>'
+    ].join('');
+    await request('/varytest/public/index.html', {
+      method: 'PUT',
+      headers: { 'Content-Type': 'text/html' },
+      body: html,
+      auth: 'varytest'
+    });
+
+    const expected = 'private, no-cache, must-revalidate';
+    for (const accept of ['text/turtle', 'application/ld+json']) {
+      const res = await request('/varytest/public/', { headers: { Accept: accept } });
+      assert.strictEqual(res.headers.get('cache-control'), expected,
+        `Cache-Control mismatch on island variant (Accept: ${accept})`);
+    }
+  });
+});