javascript-solid-server 0.0.153 → 0.0.155

package/.claude/settings.local.json

@@ -357,7 +357,8 @@
       "Bash(cat LICENSE.full)",
       "Bash(rm LICENSE.full)",
       "Bash(awk -F: '{print $1,$2}')",
-      "Bash(awk -F: '{print $1}')"
+      "Bash(awk -F: '{print $1}')",
+      "WebFetch(domain:www.gitfork.app)"
     ]
   }
 }

package/bin/jss.js

@@ -84,6 +84,7 @@ program
   .option('--no-invite-only', 'Allow open registration')
   .option('--single-user', 'Single-user mode (creates pod on startup, disables registration)')
   .option('--single-user-name <name>', 'Username for single-user mode (default: me)')
+  .option('--single-user-password <pw>', 'Initial IDP password to seed when creating the single-user pod (or set JSS_SINGLE_USER_PASSWORD)')
   .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
   .option('--no-webid-tls', 'Disable WebID-TLS authentication')
   .option('--public', 'Allow unauthenticated access (skip WAC, open read/write)')
@@ -164,6 +165,7 @@ program
         webidTls: config.webidTls,
         singleUser: config.singleUser,
         singleUserName: config.singleUserName,
+        singleUserPassword: config.singleUserPassword,
         public: config.public,
         readOnly: config.readOnly,
         liveReload: config.liveReload,

package/docs/configuration.md

@@ -201,6 +201,9 @@ export JSS_ACTIVITYPUB=true
 export JSS_AP_USERNAME=alice
 export JSS_PUBLIC=true
 export JSS_READ_ONLY=true
+export JSS_SINGLE_USER=true
+export JSS_SINGLE_USER_NAME=me
+export JSS_SINGLE_USER_PASSWORD=choose-a-good-one  # seeds IDP account on first start
 export JSS_LIVE_RELOAD=true
 export JSS_SOLIDOS_UI=true
 export JSS_PAY=true
@@ -256,8 +259,13 @@ For personal pod servers where only one user needs access:
 
 ```bash
 # Basic single-user mode (creates pod at /me/)
+# On first run JSS will prompt for an initial password (TTY only).
 jss start --single-user --idp
 
+# Provide the initial IDP password non-interactively (systemd, containers, CI):
+jss start --single-user --idp --single-user-password 'choose-a-good-one'
+JSS_SINGLE_USER_PASSWORD='choose-a-good-one' jss start --single-user --idp
+
 # Custom username
 jss start --single-user --single-user-name alice --idp
 
@@ -270,10 +278,19 @@ JSS_SINGLE_USER=true jss start --idp
 
 **Features:**
 - Pod auto-created on first startup with full structure (inbox, public, private, profile)
+- IDP account auto-seeded so the operator can log in immediately
 - Registration endpoint disabled (returns 403)
-- Login still works for the single user
+- Login works for the single user via password (`POST /idp/credentials`) or any other configured method
 - Proper ACLs generated automatically
 
+**Initial password sources, in priority order:**
+1. `--single-user-password <pw>` CLI flag
+2. `JSS_SINGLE_USER_PASSWORD` env var
+3. Interactive no-echo prompt (TTY only)
+4. None — the server starts and warns; the pod is created but isn't loggable until you restart with `--single-user-password <pw>`, set `JSS_SINGLE_USER_PASSWORD`, or run on a TTY to be prompted. (`jss passwd <user>` does not work here — it returns "User not found" until an account exists.)
+
+The password is only consulted on the first start — once an account exists, subsequent restarts skip the seed step and never overwrite it. The password is never written to the saved config file (`.jss/config`).
+
 
 ## Invite-Only Registration
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.153",
+  "version": "0.0.155",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -75,6 +75,11 @@ export const defaults = {
   // Single-user mode (personal pod server)
   singleUser: false,
   singleUserName: 'me',
+  // Initial IDP password seeded on first single-user pod creation. If
+  // unset and --idp is enabled, the server prompts on a TTY or logs a
+  // warning and continues startup on non-TTY (so the pod is created but
+  // is not yet loggable until a password is set).
+  singleUserPassword: null,
 
   // WebID-TLS client certificate authentication
   webidTls: false,
@@ -154,6 +159,7 @@ const envMap = {
   JSS_INVITE_ONLY: 'inviteOnly',
   JSS_SINGLE_USER: 'singleUser',
   JSS_SINGLE_USER_NAME: 'singleUserName',
+  JSS_SINGLE_USER_PASSWORD: 'singleUserPassword',
   JSS_WEBID_TLS: 'webidTls',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
   JSS_PUBLIC: 'public',
@@ -184,15 +190,53 @@ export function parseSize(str) {
   return Math.floor(num * (multipliers[unit] || 1));
 }
 
+/**
+ * Config keys whose values are genuinely boolean. Only these get the
+ * "true"/"false" string coercion below — otherwise a user-supplied
+ * password (or any other string-valued option) like "true"/"false"
+ * would silently turn into a boolean and break downstream code (e.g.
+ * bcrypt hashing).
+ */
+const BOOLEAN_KEYS = new Set([
+  'ssl',
+  'conneg',
+  'subdomains',
+  'mashlib',
+  'mashlibCdn',
+  'git',
+  'nostr',
+  'webrtc',
+  'terminal',
+  'tunnel',
+  'activitypub',
+  'inviteOnly',
+  'multiuser',
+  'singleUser',
+  'webidTls',
+  'public',
+  'readOnly',
+  'liveReload',
+  'pay',
+  'mongo',
+  'idp',
+  'notifications',
+  'logger',
+  'quiet'
+]);
+
 /**
  * Parse a value from environment variable string
  */
 function parseEnvValue(value, key) {
   if (value === undefined) return undefined;
 
-  // Boolean values
-  if (value.toLowerCase() === 'true') return true;
-  if (value.toLowerCase() === 'false') return false;
+  // Boolean values — only for known boolean keys; everything else
+  // stays a string so passwords / tokens / arbitrary text aren't
+  // silently coerced to booleans.
+  if (BOOLEAN_KEYS.has(key)) {
+    if (value.toLowerCase() === 'true') return true;
+    if (value.toLowerCase() === 'false') return false;
+  }
 
   // Numeric values for known numeric keys
   if ((key === 'port' || key === 'nostrMaxEvents' || key === 'payCost' || key === 'payRate') && !isNaN(value)) {
@@ -311,6 +355,10 @@ export async function saveConfig(config, configFile) {
   // Remove derived/runtime values
   delete toSave.ssl;
   delete toSave.logger;
+  // Never persist secrets to a static config file. The password is
+  // expected to come from --single-user-password or
+  // JSS_SINGLE_USER_PASSWORD at runtime, not be written into .jss/config.
+  delete toSave.singleUserPassword;
 
   await fs.ensureDir(path.dirname(configFile));
   await fs.writeFile(configFile, JSON.stringify(toSave, null, 2));
@@ -327,6 +375,24 @@ export function printConfig(config) {
   console.log(`  Root:          ${path.resolve(config.root)}`);
   console.log(`  SSL:           ${config.ssl ? 'enabled' : 'disabled'}`);
   console.log(`  Multi-user:    ${config.multiuser}`);
+  if (config.singleUser) {
+    let details = `${config.singleUserName}`;
+    // Password seeding only runs when --idp is on AND the pod isn't the
+    // root-level case ('/'). Reflect both gates in the printed line so
+    // operators don't see a misleading "missing — login disabled" when
+    // login isn't governed by an IDP password at all.
+    if (config.idp) {
+      if (config.singleUserName === '/' || !config.singleUserName) {
+        details += ' (root pod; password not seeded)';
+      } else {
+        const pwSource = config.singleUserPassword
+          ? 'provided'
+          : (process.stdin.isTTY ? 'will prompt at startup' : 'missing — login disabled');
+        details += ` (password: ${pwSource})`;
+      }
+    }
+    console.log(`  Single-user:   ${details}`);
+  }
   console.log(`  Conneg:        ${config.conneg}`);
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);

package/src/rdf/turtle.js

@@ -189,10 +189,26 @@ function jsonLdToQuads(jsonLd, baseUri) {
 
   const context = mergedContext;
 
-  for (const node of nodes) {
+  // BFS over nodes so that nested node objects (e.g. CID `service[]` entries
+  // with their own @id/@type/properties) are emitted as their own subjects
+  // rather than collapsed to a bare URI reference.
+  //
+  // Two notes on the traversal shape:
+  //  - Index-based iteration avoids O(n) array.shift() per step.
+  //  - We deliberately do NOT skip re-emission when the same @id appears
+  //    twice. Duplicate triples are harmless in RDF, and documents built
+  //    from PATCH merges or multi-doc inputs can legitimately carry
+  //    multiple objects for the same subject. The `enqueuedNested` set
+  //    (by object identity) is used only to prevent the same nested
+  //    object from being enqueued twice — i.e. cycle protection, not
+  //    emission deduplication.
+  const enqueuedNested = new WeakSet();
+  const queue = [...nodes];
+  for (let i = 0; i < queue.length; i++) {
+    const node = queue[i];
     if (!node['@id']) continue;
-
     const subjectUri = resolveUri(node['@id'], baseUri);
+
     const subject = subjectUri.startsWith('_:')
       ? blankNode(subjectUri.slice(2))
       : namedNode(subjectUri);
@@ -227,6 +243,20 @@ function jsonLdToQuads(jsonLd, baseUri) {
         if (object) {
           quads.push(quad(subject, predicate, object));
         }
+        // If v is a nested node (object with @id and at least one non-@value
+        // own property beyond @id), enqueue it so its triples are also
+        // emitted. Object-identity tracking (WeakSet) prevents the same
+        // nested object from being enqueued twice, which would otherwise
+        // loop for graphs that reuse an object reference (cycles).
+        if (v && typeof v === 'object' && !Array.isArray(v) &&
+            v['@id'] && v['@value'] === undefined &&
+            !enqueuedNested.has(v)) {
+          const hasOwnClaims = Object.keys(v).some(k => k !== '@id');
+          if (hasOwnClaims) {
+            enqueuedNested.add(v);
+            queue.push(v);
+          }
+        }
       }
     }
   }
@@ -378,9 +408,14 @@ function resolveUri(uri, baseUri) {
 }
 
 /**
- * Expand prefixed URI using context
+ * Expand prefixed URI using context.
+ *
+ * The `seen` parameter guards against cycles in user-supplied contexts
+ * (e.g., `foo -> bar -> foo`). Without this a request carrying a malicious
+ * JSON-LD context could cause unbounded recursion / stack overflow on the
+ * server during conneg conversion — a remote DoS.
  */
-function expandUri(uri, context) {
+function expandUri(uri, context, seen) {
   if (uri.includes('://')) {
     return uri;
   }
@@ -388,19 +423,29 @@ function expandUri(uri, context) {
   if (uri.includes(':')) {
     const [prefix, local] = uri.split(':', 2);
     const ns = context[prefix] || COMMON_PREFIXES[prefix];
-    if (ns) {
+    // Only concat when the prefix maps to a string namespace. A user-supplied
+    // context can legally define a prefix-looking key as a term-definition
+    // object; string-concatenating that would produce "[object Object]…".
+    if (typeof ns === 'string') {
       return ns + local;
     }
   }
 
-  // Check if it's a term in context
+  // Check if it's a term in context. A context value can itself be a
+  // CURIE (`cid:service`) that still needs prefix expansion, so recurse —
+  // but only when we haven't already followed this term on the current
+  // expansion chain.
   if (context[uri]) {
+    const chain = seen || new Set();
+    if (chain.has(uri)) return uri;
+    chain.add(uri);
     const expansion = context[uri];
     if (typeof expansion === 'string') {
-      return expansion;
+      return expansion === uri ? uri : expandUri(expansion, context, chain);
     }
     if (expansion['@id']) {
-      return expansion['@id'];
+      const id = expansion['@id'];
+      return id === uri ? uri : expandUri(id, context, chain);
     }
   }
 

package/src/server.js

@@ -94,6 +94,7 @@ export function createServer(options = {}) {
   // Single-user mode - creates pod on startup, disables registration
   const singleUser = options.singleUser ?? false;
   const singleUserName = options.singleUserName ?? 'me';
+  const singleUserPassword = options.singleUserPassword ?? null;
   // Default storage quota per pod (50MB default, 0 = unlimited)
   const defaultQuota = options.defaultQuota ?? 50 * 1024 * 1024;
   // WebID-TLS client certificate authentication is OFF by default
@@ -561,15 +562,21 @@ export function createServer(options = {}) {
       const isRootPod = !singleUserName || singleUserName === '/';
       const podPath = isRootPod ? '/' : `/${singleUserName}/`;
       const podUri = isRootPod ? `${baseUrl}/` : `${baseUrl}/${singleUserName}/`;
-      const webId = `${podUri}profile/card.jsonld#me`;
       const displayName = isRootPod ? 'me' : singleUserName;
 
       // Check if pod already exists. Accept either the new `card.jsonld`
       // or legacy extensionless `card` layout so we don't re-seed a pod
-      // that was created by an older JSS version.
-      const profileExists =
-        await storage.exists(`${podPath}profile/card.jsonld`) ||
-        await storage.exists(`${podPath}profile/card`);
+      // that was created by an older JSS version. Compute the effective
+      // WebID against whichever profile file actually resolves — a
+      // legacy pod must keep its `/profile/card#me` WebID, otherwise the
+      // seeded IDP account would point at a non-existent document.
+      const hasJsonLd = await storage.exists(`${podPath}profile/card.jsonld`);
+      const hasLegacy = !hasJsonLd && await storage.exists(`${podPath}profile/card`);
+      const profileFile = hasJsonLd ? 'profile/card.jsonld'
+                          : hasLegacy ? 'profile/card'
+                          : 'profile/card.jsonld'; // fresh pod default
+      const webId = `${podUri}${profileFile}#me`;
+      const profileExists = hasJsonLd || hasLegacy;
 
       if (!profileExists) {
         fastify.log.info(`Creating single-user pod at ${podUri}...`);
@@ -583,6 +590,123 @@ export function createServer(options = {}) {
         }
         fastify.log.info(`Single-user pod created at ${podUri}`);
       }
+
+      // Seed an IDP account so the operator can actually log in. Without
+      // this, single-user + --idp produces a pod but no credential, and
+      // registration is intentionally disabled in single-user mode — so
+      // the pod is unloggable until a password is set externally (#323).
+      if (idpEnabled && !isRootPod) {
+        await seedSingleUserIdpAccount({
+          fastify,
+          username: singleUserName,
+          webId,
+          podName: singleUserName,
+          providedPassword: singleUserPassword
+        });
+      }
+    });
+  }
+
+  /**
+   * Seed an IDP account for the single-user pod owner if one doesn't
+   * already exist. Password sources, in priority order:
+   *   1. `--single-user-password` / `JSS_SINGLE_USER_PASSWORD`
+   *   2. interactive prompt (TTY only)
+   *   3. error — server stays up but logs that login won't work yet
+   */
+  async function seedSingleUserIdpAccount({ fastify, username, webId, podName, providedPassword }) {
+    const { findByUsername, createAccount } = await import('./idp/accounts.js');
+    const existing = await findByUsername(username);
+    if (existing) return; // already seeded — idempotent
+
+    // Treat anything that isn't a non-empty string as "not provided" so
+    // a misconfigured env coercion or stray boolean can't reach bcrypt.
+    let password = (typeof providedPassword === 'string' && providedPassword.length > 0)
+      ? providedPassword
+      : null;
+
+    if (!password) {
+      if (process.stdin.isTTY && process.stdout.isTTY) {
+        try {
+          password = await promptPasswordOnce(`[jss] Set initial IDP password for "${username}": `);
+        } catch (err) {
+          fastify.log.warn({ err }, `Password prompt failed for "${username}"`);
+          return;
+        }
+      } else {
+        fastify.log.warn(
+          `--single-user --idp: no password provided. Set --single-user-password or ` +
+          `JSS_SINGLE_USER_PASSWORD before starting (or run on a TTY to be prompted). ` +
+          `Login is currently not possible for "${username}".`
+        );
+        return;
+      }
+    }
+
+    if (typeof password !== 'string' || password.length === 0) {
+      fastify.log.warn(`Empty password — skipping IDP account creation for "${username}".`);
+      return;
+    }
+
+    try {
+      await createAccount({ username, password, webId, podName });
+      fastify.log.info(`IDP account seeded for single-user "${username}".`);
+    } catch (err) {
+      fastify.log.error({ err }, `Failed to seed IDP account for "${username}"`);
+    }
+  }
+
+  /**
+   * Read a password from stdin without echoing it. Uses the public
+   * `emitKeypressEvents` + raw-mode keypress API rather than overriding
+   * the underscored `_writeToOutput` on a `readline.Interface`, which is
+   * a private/unstable hook.
+   */
+  async function promptPasswordOnce(prompt) {
+    const { emitKeypressEvents } = await import('node:readline');
+    const stdin = process.stdin;
+    const stdout = process.stdout;
+    if (!stdin.isTTY || typeof stdin.setRawMode !== 'function') {
+      throw new Error('Interactive password prompt requires a TTY');
+    }
+    return new Promise((resolve, reject) => {
+      let password = '';
+      const wasRaw = stdin.isRaw === true;
+      const onKeypress = (str, key = {}) => {
+        if (key.ctrl && key.name === 'c') {
+          cleanup();
+          reject(new Error('Password prompt cancelled'));
+          return;
+        }
+        if (key.name === 'return' || key.name === 'enter') {
+          cleanup();
+          resolve(password);
+          return;
+        }
+        if (key.name === 'backspace' || key.name === 'delete') {
+          password = password.slice(0, -1);
+          return;
+        }
+        // Only accept printable input — \P{C} excludes control codes,
+        // so escape sequences from arrow keys, function keys, etc. don't
+        // sneak invisible bytes into the password buffer.
+        if (!key.ctrl && !key.meta &&
+            typeof str === 'string' && str.length > 0 &&
+            /^\P{C}+$/u.test(str)) {
+          password += str;
+        }
+      };
+      const cleanup = () => {
+        stdin.removeListener('keypress', onKeypress);
+        if (!wasRaw) stdin.setRawMode(false);
+        stdout.write('\n');
+        stdin.pause();
+      };
+      emitKeypressEvents(stdin);
+      stdout.write(prompt);
+      if (!wasRaw) stdin.setRawMode(true);
+      stdin.resume();
+      stdin.on('keypress', onKeypress);
     });
   }
 

package/src/webid/profile.js

@@ -12,6 +12,8 @@ const SOLID = 'http://www.w3.org/ns/solid/terms#';
 const SCHEMA = 'http://schema.org/';
 const LDP = 'http://www.w3.org/ns/ldp#';
 const PIM = 'http://www.w3.org/ns/pim/space#';
+const CID = 'https://www.w3.org/ns/cid/v1#';
+const LWS = 'https://www.w3.org/ns/lws#';
 
 /**
  * Generate JSON-LD data for a WebID profile
@@ -24,6 +26,9 @@ const PIM = 'http://www.w3.org/ns/pim/space#';
  */
 export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
   const pod = podUri.endsWith('/') ? podUri : podUri + '/';
+  // Document URL is the WebID without its fragment; service entries use
+  // fragment ids resolved against it.
+  const docUrl = webId.split('#')[0];
 
   return {
     '@context': {
@@ -32,6 +37,8 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
       'schema': SCHEMA,
       'pim': PIM,
       'ldp': LDP,
+      'cid': CID,
+      'lws': LWS,
       'inbox': { '@id': 'ldp:inbox', '@type': '@id' },
       'storage': { '@id': 'pim:storage', '@type': '@id' },
       'oidcIssuer': { '@id': 'solid:oidcIssuer', '@type': '@id' },
@@ -39,7 +46,9 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
       'publicTypeIndex': { '@id': 'solid:publicTypeIndex', '@type': '@id' },
       'privateTypeIndex': { '@id': 'solid:privateTypeIndex', '@type': '@id' },
       'isPrimaryTopicOf': { '@id': 'foaf:isPrimaryTopicOf', '@type': '@id' },
-      'mainEntityOfPage': { '@id': 'schema:mainEntityOfPage', '@type': '@id' }
+      'mainEntityOfPage': { '@id': 'schema:mainEntityOfPage', '@type': '@id' },
+      'service': { '@id': 'cid:service', '@container': '@set' },
+      'serviceEndpoint': { '@id': 'cid:serviceEndpoint', '@type': '@id' }
     },
     '@id': webId,
     '@type': ['foaf:Person', 'schema:Person'],
@@ -51,7 +60,17 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
     'oidcIssuer': issuer,
     'preferencesFile': `${pod}settings/prefs.jsonld`,
     'publicTypeIndex': `${pod}settings/publicTypeIndex.jsonld`,
-    'privateTypeIndex': `${pod}settings/privateTypeIndex.jsonld`
+    'privateTypeIndex': `${pod}settings/privateTypeIndex.jsonld`,
+    // LWS 1.0 Controlled Identifier service entry — mirrors `oidcIssuer` so
+    // LWS-aware verifiers can establish trust. Additive; the legacy
+    // `solid:oidcIssuer` predicate stays for existing Solid clients.
+    'service': [
+      {
+        '@id': `${docUrl}#oidc`,
+        '@type': 'lws:OpenIdProvider',
+        'serviceEndpoint': issuer
+      }
+    ]
   };
 }
 

package/test/config.test.js

@@ -0,0 +1,66 @@
+/**
+ * Config / env-var parsing tests.
+ *
+ * Regression coverage for the env-coercion fix in #323: only known
+ * boolean keys may have their string values coerced to booleans.
+ * Otherwise an env var like JSS_SINGLE_USER_PASSWORD="true" would silently
+ * become a real boolean and break downstream code (bcrypt, etc.).
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { loadConfig } from '../src/config.js';
+
+describe('config — env var boolean coercion', () => {
+  // Save/restore the env vars we touch so this test is hermetic.
+  const KEYS = ['JSS_SINGLE_USER_PASSWORD', 'JSS_IDP', 'JSS_BASE_DOMAIN', 'JSS_MULTIUSER'];
+  const original = {};
+  before(() => { for (const k of KEYS) original[k] = process.env[k]; });
+  after(() => {
+    for (const k of KEYS) {
+      if (original[k] === undefined) delete process.env[k];
+      else process.env[k] = original[k];
+    }
+  });
+
+  it('preserves string-valued env vars when their value is "true"', async () => {
+    process.env.JSS_SINGLE_USER_PASSWORD = 'true';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.singleUserPassword, 'true',
+      'password env var must remain a string, not be coerced to boolean true');
+  });
+
+  it('preserves string-valued env vars when their value is "false"', async () => {
+    process.env.JSS_SINGLE_USER_PASSWORD = 'false';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.singleUserPassword, 'false');
+  });
+
+  it('preserves string-valued env vars when set to other strings', async () => {
+    process.env.JSS_BASE_DOMAIN = 'example.com';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.baseDomain, 'example.com');
+  });
+
+  it('still coerces known boolean keys', async () => {
+    process.env.JSS_IDP = 'true';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.idp, true, 'idp env var should be coerced to boolean');
+  });
+
+  it('still coerces known boolean keys when "false"', async () => {
+    process.env.JSS_IDP = 'false';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.idp, false);
+  });
+
+  it('coerces JSS_MULTIUSER to a boolean (regression for missed entry)', async () => {
+    process.env.JSS_MULTIUSER = 'false';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.multiuser, false,
+      'multiuser must coerce to boolean false, not the string "false" (truthy)');
+    process.env.JSS_MULTIUSER = 'true';
+    const cfg2 = await loadConfig({}, null);
+    assert.strictEqual(cfg2.multiuser, true);
+  });
+});

package/test/idp.test.js

@@ -713,3 +713,205 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
   });
 });
+
+// Single-user + --idp must seed an IDP account so the operator can log in.
+// Without this, the pod is created but is unloggable: registration is
+// disabled in single-user mode and there's no pre-existing account.
+// Regression for #323.
+describe('Identity Provider — single-user password seeding (#323)', () => {
+  // Save/restore DATA_ROOT and stdin.isTTY around this suite so we don't
+  // leak global state into other tests in the same `node --test` run.
+  // For isTTY we capture the *property descriptor* so we can correctly
+  // restore an inherited (prototype) accessor — Object.defineProperty
+  // would otherwise leave a shadowing own-property behind.
+  let originalDataRoot;
+  let originalIsTTYDescriptor;
+  let originalIsTTYWasOwn;
+  before(() => {
+    originalDataRoot = process.env.DATA_ROOT;
+    originalIsTTYWasOwn = Object.prototype.hasOwnProperty.call(process.stdin, 'isTTY');
+    originalIsTTYDescriptor = Object.getOwnPropertyDescriptor(process.stdin, 'isTTY');
+    // Force non-TTY so the no-password test never blocks on an
+    // unanswerable prompt when the suite is run from an interactive shell.
+    Object.defineProperty(process.stdin, 'isTTY', { value: false, configurable: true });
+  });
+  after(() => {
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+    if (originalIsTTYWasOwn && originalIsTTYDescriptor) {
+      Object.defineProperty(process.stdin, 'isTTY', originalIsTTYDescriptor);
+    } else {
+      // Property was inherited; remove our shadowing own-property so
+      // the prototype's accessor is visible again.
+      delete process.stdin.isTTY;
+    }
+  });
+
+  it('seeds an IDP account when singleUserPassword is provided', async () => {
+    const dir = './test-data-su-pw-provided';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      singleUserName: 'me',
+      singleUserPassword: 'hunter2-test',
+      forceCloseConnections: true,
+    });
+    try {
+      // createServer already sets DATA_ROOT when `root` is provided;
+      // import accounts.js after listen() so it picks up the right path.
+      await server.listen({ port, host: TEST_HOST });
+      const { findByUsername, authenticate } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.ok(account, 'IDP account for single-user "me" should exist');
+      assert.strictEqual(account.username, 'me');
+      assert.ok(account.webId.includes('/me/profile/card.jsonld#me'));
+      const authed = await authenticate('me', 'hunter2-test');
+      assert.ok(authed, 'should authenticate with the seeded password');
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('skips seeding (no error) when no password and not on a TTY', async () => {
+    // The before() hook stubs stdin.isTTY=false so the seed step warns
+    // and skips rather than blocking on an unanswerable prompt.
+    const dir = './test-data-su-pw-missing';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      singleUserName: 'me',
+      // singleUserPassword intentionally omitted
+      forceCloseConnections: true,
+    });
+    try {
+      await server.listen({ port, host: TEST_HOST });
+      const { findByUsername } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.strictEqual(account, null, 'no account should be seeded without a password');
+      // Pod itself must still exist — server starts up regardless.
+      const profileExists = await fs.pathExists(path.join(dir, 'me/profile/card.jsonld'));
+      assert.ok(profileExists, 'pod should still be created');
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('is idempotent — restarting does not duplicate or error', async () => {
+    const dir = './test-data-su-pw-idempotent';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const startOnce = async () => {
+      const s = createServer({
+        logger: false,
+        root: dir,
+        idp: true,
+        idpIssuer: baseUrl,
+        singleUser: true,
+        singleUserName: 'me',
+        singleUserPassword: 'idem-pw',
+        forceCloseConnections: true,
+      });
+      await s.listen({ port, host: TEST_HOST });
+      return s;
+    };
+    let s1, s2;
+    try {
+      s1 = await startOnce();
+      await s1.close();
+      s2 = await startOnce();
+      const { findByUsername, authenticate } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.ok(account, 'account from first run should still exist');
+      // Original password still valid (we didn't overwrite on the second run).
+      const authed = await authenticate('me', 'idem-pw');
+      assert.ok(authed);
+    } finally {
+      if (s2) await s2.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('seeds with the legacy WebID when /profile/card (no .jsonld) already exists', async () => {
+    // Older JSS versions used /profile/card without the extension. A
+    // legacy pod must keep that URL — seeding an account whose WebID
+    // points at /profile/card.jsonld#me would create a credential bound
+    // to a document the user doesn't actually have.
+    const dir = './test-data-su-pw-legacy';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    // Pre-seed a legacy-layout pod so the server treats it as already
+    // existing on startup (no fresh creation).
+    const legacyProfileDir = path.join(dir, 'me/profile');
+    await fs.ensureDir(legacyProfileDir);
+    await fs.writeFile(path.join(legacyProfileDir, 'card'), '<html></html>');
+
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      singleUserName: 'me',
+      singleUserPassword: 'legacy-pw',
+      forceCloseConnections: true,
+    });
+    try {
+      await server.listen({ port, host: TEST_HOST });
+      const { findByUsername } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.ok(account, 'account should be seeded against the legacy pod');
+      assert.ok(
+        account.webId.endsWith('/me/profile/card#me'),
+        `legacy pod must keep /profile/card#me WebID, got ${account.webId}`
+      );
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('does not seed when --idp is off', async () => {
+    const dir = './test-data-su-pw-no-idp';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: false,
+      singleUser: true,
+      singleUserName: 'me',
+      singleUserPassword: 'should-be-ignored',
+      forceCloseConnections: true,
+    });
+    try {
+      await server.listen({ port, host: TEST_HOST });
+      // No .idp directory should exist when idp is disabled.
+      const idpDirExists = await fs.pathExists(path.join(dir, '.idp'));
+      assert.strictEqual(idpDirExists, false, 'no .idp directory when --idp off');
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+});

package/test/turtle.test.js

@@ -0,0 +1,104 @@
+/**
+ * Direct unit tests for the JSON-LD → Turtle converter.
+ *
+ * The focus is on regression coverage for properties that would otherwise
+ * be easy to regress silently:
+ *   - cycle-safety in expandUri (DoS guard — a malicious context must not
+ *     cause unbounded recursion / stack overflow)
+ *   - duplicate @id across top-level docs must NOT suppress emission
+ *     (the visited-set refactor previously dropped data)
+ *   - cyclical nested node references must not hang the BFS
+ */
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { fromJsonLd } from '../src/rdf/conneg.js';
+
+describe('turtle converter — unit (#320 follow-ups)', () => {
+  it('expandUri does not recurse forever on a cyclic context (a → b → a)', async () => {
+    const doc = {
+      '@context': {
+        // Pathological: each term points at another term via CURIE, forming a loop.
+        'a': { '@id': 'b:x' },
+        'b': { '@id': 'a:y' }
+      },
+      '@id': 'https://example.test/s',
+      'a': 'hello'
+    };
+    // The converter should finish — not stack-overflow — regardless of what
+    // the output happens to look like. We only assert it completes with a
+    // string result.
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+  });
+
+  it('expandUri does not recurse forever on a self-loop (a → a)', async () => {
+    const doc = {
+      '@context': {
+        'selfy': 'selfy'
+      },
+      '@id': 'https://example.test/s',
+      'selfy': 'hello'
+    };
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+  });
+
+  it('duplicate top-level @id is not silently dropped', async () => {
+    // Two docs describing the same subject — both claims must survive.
+    // (Previously the visited-set in the BFS skipped the second pass.)
+    const docs = [
+      {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': 'https://example.test/alice',
+        'foaf:name': 'Alice'
+      },
+      {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': 'https://example.test/alice',
+        'foaf:age': 30
+      }
+    ];
+    const { content } = await fromJsonLd(docs, 'text/turtle', 'https://example.test/', true);
+    assert.ok(content.includes('Alice'), `Turtle should contain the name claim, got:\n${content}`);
+    assert.ok(/30|"30"/.test(content), `Turtle should contain the age claim, got:\n${content}`);
+  });
+
+  it('prefix-looking context key defined as an object is not string-concatenated', async () => {
+    // A user-supplied context can legally define a prefix-looking key as a
+    // term-definition object (not a namespace string). The converter must
+    // not treat it as a namespace — string-concatenating the object would
+    // produce invalid IRIs like "[object Object]foo".
+    const doc = {
+      '@context': {
+        // `bogus` is defined as a term object, not a namespace string.
+        'bogus': { '@id': 'https://example.test/ns#bogus' }
+      },
+      '@id': 'https://example.test/s',
+      // This looks like a CURIE `bogus:foo` but `bogus` is not a valid
+      // namespace — the converter should leave it alone.
+      'bogus:foo': 'hello'
+    };
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+    assert.ok(!content.includes('[object Object]'),
+      `Turtle output must not contain object-stringification, got:\n${content}`);
+  });
+
+  it('cyclical nested node reference does not hang', async () => {
+    // Two nested nodes reference each other. BFS must not loop.
+    const a = { '@id': 'https://example.test/a', 'ex:knows': null };
+    const b = { '@id': 'https://example.test/b', 'ex:knows': a };
+    a['ex:knows'] = b;
+
+    const doc = {
+      '@context': { 'ex': 'https://example.test/ns#' },
+      '@id': 'https://example.test/root',
+      'ex:knows': a
+    };
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+    assert.ok(content.includes('https://example.test/a'), 'node a should appear');
+    assert.ok(content.includes('https://example.test/b'), 'node b should appear');
+  });
+});

package/test/webid.test.js

@@ -98,6 +98,41 @@ describe('WebID Profile', () => {
       // Empty string is a relative URI reference to the document itself (JSON-LD)
       assert.strictEqual(jsonLd['isPrimaryTopicOf'], '', 'isPrimaryTopicOf should be "" (self)');
     });
+
+    // LWS 1.0 Controlled Identifier alignment (#320).
+    // These assertions live alongside the WebID predicate assertions — both
+    // must continue to hold since the profile is dual-write.
+    it('should emit a CID service[] with an lws:OpenIdProvider entry', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.ok(Array.isArray(jsonLd.service), 'profile should have a service array');
+      const oidc = jsonLd.service.find((s) => s['@type'] === 'lws:OpenIdProvider');
+      assert.ok(oidc, 'service[] must include an lws:OpenIdProvider entry');
+    });
+
+    it('lws:OpenIdProvider service.serviceEndpoint mirrors oidcIssuer', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.ok(Array.isArray(jsonLd.service), 'profile should have a service array');
+      const oidc = jsonLd.service.find((s) => s['@type'] === 'lws:OpenIdProvider');
+      assert.ok(oidc, 'service[] must include an lws:OpenIdProvider entry');
+      assert.strictEqual(
+        oidc.serviceEndpoint,
+        jsonLd.oidcIssuer,
+        'serviceEndpoint must equal the existing oidcIssuer value'
+      );
+    });
+
+    it('lws:OpenIdProvider service.id is a fragment on the profile document', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.ok(Array.isArray(jsonLd.service), 'profile should have a service array');
+      const oidc = jsonLd.service.find((s) => s['@type'] === 'lws:OpenIdProvider');
+      assert.ok(oidc, 'service[] must include an lws:OpenIdProvider entry');
+      const docUrl = jsonLd['@id'].split('#')[0];
+      assert.strictEqual(oidc['@id'], `${docUrl}#oidc`,
+        'service entry @id should be `<profile-doc>#oidc`');
+    });
   });
 
   describe('WebID Resolution', () => {
@@ -119,3 +154,49 @@ describe('WebID Profile', () => {
     });
   });
 });
+
+// With conneg enabled the profile is converted to Turtle on demand. The
+// CID service[] must survive that conversion — LWS verifiers that ask for
+// Turtle need to see the nested service node's type and serviceEndpoint,
+// not just a bare URI reference to it.
+describe('WebID Profile — Turtle conneg (#320)', () => {
+  before(async () => {
+    await startTestServer({ conneg: true });
+    await createTestPod('webidturtletest');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  it('Turtle variant includes cid:service with lws:OpenIdProvider and serviceEndpoint', async () => {
+    const res = await request('/webidturtletest/profile/card.jsonld', {
+      headers: { Accept: 'text/turtle' }
+    });
+    assertStatus(res, 200);
+    assertHeaderContains(res, 'Content-Type', 'text/turtle');
+    const ttl = await res.text();
+    // Accept either prefixed (cid:service) or expanded full-URI form. The
+    // critical property is that the nested service node's data survived the
+    // JSON-LD → Turtle conversion — i.e. the type and endpoint are present
+    // as their own triples, not dropped.
+    assert.ok(
+      ttl.includes('cid:service') || ttl.includes('cid/v1#service'),
+      `Turtle should reference the CID service predicate, got:\n${ttl}`
+    );
+    assert.ok(
+      ttl.includes('OpenIdProvider'),
+      `Turtle should declare the lws:OpenIdProvider type, got:\n${ttl}`
+    );
+    assert.ok(
+      ttl.includes('cid:serviceEndpoint') || ttl.includes('cid/v1#serviceEndpoint'),
+      `Turtle should include the cid:serviceEndpoint predicate, got:\n${ttl}`
+    );
+    // The service entry URI appears as a subject (its own line), proving it
+    // was emitted as a first-class node rather than a bare URI reference.
+    assert.ok(
+      /#oidc>\s+(?:a|<[^>]*#type>)/.test(ttl),
+      `Turtle should emit the service entry as a subject, got:\n${ttl}`
+    );
+  });
+});