javascript-solid-server 0.0.154 → 0.0.156

package/.claude/settings.local.json

@@ -357,7 +357,8 @@
       "Bash(cat LICENSE.full)",
       "Bash(rm LICENSE.full)",
       "Bash(awk -F: '{print $1,$2}')",
-      "Bash(awk -F: '{print $1}')"
+      "Bash(awk -F: '{print $1}')",
+      "WebFetch(domain:www.gitfork.app)"
     ]
   }
 }

package/bin/jss.js

@@ -84,6 +84,7 @@ program
   .option('--no-invite-only', 'Allow open registration')
   .option('--single-user', 'Single-user mode (creates pod on startup, disables registration)')
   .option('--single-user-name <name>', 'Username for single-user mode (default: me)')
+  .option('--single-user-password <pw>', 'Initial IDP password to seed when creating the single-user pod (or set JSS_SINGLE_USER_PASSWORD)')
   .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
   .option('--no-webid-tls', 'Disable WebID-TLS authentication')
   .option('--public', 'Allow unauthenticated access (skip WAC, open read/write)')
@@ -164,6 +165,7 @@ program
         webidTls: config.webidTls,
         singleUser: config.singleUser,
         singleUserName: config.singleUserName,
+        singleUserPassword: config.singleUserPassword,
         public: config.public,
         readOnly: config.readOnly,
         liveReload: config.liveReload,

package/docs/configuration.md

@@ -201,6 +201,9 @@ export JSS_ACTIVITYPUB=true
 export JSS_AP_USERNAME=alice
 export JSS_PUBLIC=true
 export JSS_READ_ONLY=true
+export JSS_SINGLE_USER=true
+export JSS_SINGLE_USER_NAME=me
+export JSS_SINGLE_USER_PASSWORD=choose-a-good-one  # seeds IDP account on first start
 export JSS_LIVE_RELOAD=true
 export JSS_SOLIDOS_UI=true
 export JSS_PAY=true
@@ -256,8 +259,13 @@ For personal pod servers where only one user needs access:
 
 ```bash
 # Basic single-user mode (creates pod at /me/)
+# On first run JSS will prompt for an initial password (TTY only).
 jss start --single-user --idp
 
+# Provide the initial IDP password non-interactively (systemd, containers, CI):
+jss start --single-user --idp --single-user-password 'choose-a-good-one'
+JSS_SINGLE_USER_PASSWORD='choose-a-good-one' jss start --single-user --idp
+
 # Custom username
 jss start --single-user --single-user-name alice --idp
 
@@ -270,10 +278,19 @@ JSS_SINGLE_USER=true jss start --idp
 
 **Features:**
 - Pod auto-created on first startup with full structure (inbox, public, private, profile)
+- IDP account auto-seeded so the operator can log in immediately
 - Registration endpoint disabled (returns 403)
-- Login still works for the single user
+- Login works for the single user via password (`POST /idp/credentials`) or any other configured method
 - Proper ACLs generated automatically
 
+**Initial password sources, in priority order:**
+1. `--single-user-password <pw>` CLI flag
+2. `JSS_SINGLE_USER_PASSWORD` env var
+3. Interactive no-echo prompt (TTY only)
+4. None — the server starts and warns; the pod is created but isn't loggable until you restart with `--single-user-password <pw>`, set `JSS_SINGLE_USER_PASSWORD`, or run on a TTY to be prompted. (`jss passwd <user>` does not work here — it returns "User not found" until an account exists.)
+
+The password is only consulted on the first start — once an account exists, subsequent restarts skip the seed step and never overwrite it. The password is never written to the saved config file (`.jss/config`).
+
 
 ## Invite-Only Registration
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.154",
+  "version": "0.0.156",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -75,6 +75,11 @@ export const defaults = {
   // Single-user mode (personal pod server)
   singleUser: false,
   singleUserName: 'me',
+  // Initial IDP password seeded on first single-user pod creation. If
+  // unset and --idp is enabled, the server prompts on a TTY or logs a
+  // warning and continues startup on non-TTY (so the pod is created but
+  // is not yet loggable until a password is set).
+  singleUserPassword: null,
 
   // WebID-TLS client certificate authentication
   webidTls: false,
@@ -154,6 +159,7 @@ const envMap = {
   JSS_INVITE_ONLY: 'inviteOnly',
   JSS_SINGLE_USER: 'singleUser',
   JSS_SINGLE_USER_NAME: 'singleUserName',
+  JSS_SINGLE_USER_PASSWORD: 'singleUserPassword',
   JSS_WEBID_TLS: 'webidTls',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
   JSS_PUBLIC: 'public',
@@ -184,15 +190,53 @@ export function parseSize(str) {
   return Math.floor(num * (multipliers[unit] || 1));
 }
 
+/**
+ * Config keys whose values are genuinely boolean. Only these get the
+ * "true"/"false" string coercion below — otherwise a user-supplied
+ * password (or any other string-valued option) like "true"/"false"
+ * would silently turn into a boolean and break downstream code (e.g.
+ * bcrypt hashing).
+ */
+const BOOLEAN_KEYS = new Set([
+  'ssl',
+  'conneg',
+  'subdomains',
+  'mashlib',
+  'mashlibCdn',
+  'git',
+  'nostr',
+  'webrtc',
+  'terminal',
+  'tunnel',
+  'activitypub',
+  'inviteOnly',
+  'multiuser',
+  'singleUser',
+  'webidTls',
+  'public',
+  'readOnly',
+  'liveReload',
+  'pay',
+  'mongo',
+  'idp',
+  'notifications',
+  'logger',
+  'quiet'
+]);
+
 /**
  * Parse a value from environment variable string
  */
 function parseEnvValue(value, key) {
   if (value === undefined) return undefined;
 
-  // Boolean values
-  if (value.toLowerCase() === 'true') return true;
-  if (value.toLowerCase() === 'false') return false;
+  // Boolean values — only for known boolean keys; everything else
+  // stays a string so passwords / tokens / arbitrary text aren't
+  // silently coerced to booleans.
+  if (BOOLEAN_KEYS.has(key)) {
+    if (value.toLowerCase() === 'true') return true;
+    if (value.toLowerCase() === 'false') return false;
+  }
 
   // Numeric values for known numeric keys
   if ((key === 'port' || key === 'nostrMaxEvents' || key === 'payCost' || key === 'payRate') && !isNaN(value)) {
@@ -311,6 +355,10 @@ export async function saveConfig(config, configFile) {
   // Remove derived/runtime values
   delete toSave.ssl;
   delete toSave.logger;
+  // Never persist secrets to a static config file. The password is
+  // expected to come from --single-user-password or
+  // JSS_SINGLE_USER_PASSWORD at runtime, not be written into .jss/config.
+  delete toSave.singleUserPassword;
 
   await fs.ensureDir(path.dirname(configFile));
   await fs.writeFile(configFile, JSON.stringify(toSave, null, 2));
@@ -327,6 +375,24 @@ export function printConfig(config) {
   console.log(`  Root:          ${path.resolve(config.root)}`);
   console.log(`  SSL:           ${config.ssl ? 'enabled' : 'disabled'}`);
   console.log(`  Multi-user:    ${config.multiuser}`);
+  if (config.singleUser) {
+    let details = `${config.singleUserName}`;
+    // Password seeding only runs when --idp is on AND the pod isn't the
+    // root-level case ('/'). Reflect both gates in the printed line so
+    // operators don't see a misleading "missing — login disabled" when
+    // login isn't governed by an IDP password at all.
+    if (config.idp) {
+      if (config.singleUserName === '/' || !config.singleUserName) {
+        details += ' (root pod; password not seeded)';
+      } else {
+        const pwSource = config.singleUserPassword
+          ? 'provided'
+          : (process.stdin.isTTY ? 'will prompt at startup' : 'missing — login disabled');
+        details += ` (password: ${pwSource})`;
+      }
+    }
+    console.log(`  Single-user:   ${details}`);
+  }
   console.log(`  Conneg:        ${config.conneg}`);
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);

package/src/handlers/resource.js

@@ -149,17 +149,18 @@ export async function handleGet(request, reply) {
       const content = await storage.read(indexPath);
       const indexStats = await storage.stat(indexPath);
 
-      // Check if RDF format requested via content negotiation
+      // Pick the negotiated RDF type using q-aware Accept parsing. The
+      // naive `acceptHeader.includes('text/turtle')` we used to do here
+      // ignored q-weights — `Accept: application/ld+json, text/turtle;q=0.1`
+      // would still pick Turtle even though JSON-LD was preferred (#325).
       const acceptHeader = request.headers.accept || '';
-      const wantsTurtle = connegEnabled && (
-        acceptHeader.includes('text/turtle') ||
-        acceptHeader.includes('text/n3') ||
-        acceptHeader.includes('application/n-triples')
-      );
-      const wantsJsonLd = connegEnabled && (
-        acceptHeader.includes('application/ld+json') ||
-        acceptHeader.includes('application/json')
-      );
+      const negotiated = connegEnabled
+        ? selectContentType(acceptHeader, true)
+        : null;
+      const wantsTurtle = negotiated === RDF_TYPES.TURTLE
+        || negotiated === RDF_TYPES.N3
+        || negotiated === 'application/n-triples';
+      const wantsJsonLd = negotiated === RDF_TYPES.JSON_LD;
 
       if (wantsTurtle || wantsJsonLd) {
         // Extract JSON-LD from HTML data island
@@ -257,13 +258,14 @@ export async function handleGet(request, reply) {
       return reply.type('text/html').send(html);
     }
 
-    // Check if Turtle/N3 format is requested via content negotiation
+    // Pick the negotiated RDF type using q-aware Accept parsing (#325).
     const acceptHeader = request.headers.accept || '';
-    const wantsTurtle = connegEnabled && (
-      acceptHeader.includes('text/turtle') ||
-      acceptHeader.includes('text/n3') ||
-      acceptHeader.includes('application/n-triples')
-    );
+    const negotiated = connegEnabled
+      ? selectContentType(acceptHeader, true)
+      : null;
+    const wantsTurtle = negotiated === RDF_TYPES.TURTLE
+      || negotiated === RDF_TYPES.N3
+      || negotiated === 'application/n-triples';
 
     if (wantsTurtle) {
       // Convert container JSON-LD to Turtle
@@ -383,11 +385,14 @@ export async function handleGet(request, reply) {
   if (connegEnabled) {
     const contentStr = content.toString();
     const acceptHeader = request.headers.accept || '';
-    // Serve Turtle if: URL ends with .ttl OR Accept header requests it
-    const wantsTurtle = urlPath.endsWith('.ttl') ||
-                        acceptHeader.includes('text/turtle') ||
-                        acceptHeader.includes('text/n3') ||
-                        acceptHeader.includes('application/n-triples');
+    // Serve Turtle if: URL ends with .ttl OR Accept's q-weighted top
+    // RDF type is Turtle/N3 (#325 — naive substring matching ignored
+    // q-weights and would pick Turtle whenever it appeared in Accept).
+    const negotiated = selectContentType(acceptHeader, true);
+    const wantsTurtle = urlPath.endsWith('.ttl')
+      || negotiated === RDF_TYPES.TURTLE
+      || negotiated === RDF_TYPES.N3
+      || negotiated === 'application/n-triples';
 
     // Check if this is HTML with JSON-LD data island
     const isHtmlWithDataIsland = contentStr.trimStart().startsWith('<!DOCTYPE') ||
@@ -505,24 +510,31 @@ export async function handleHead(request, reply) {
   let contentType;
 
   if (stats.isDirectory) {
-    // For directories with index.html, determine content type based on Accept header
     const indexPath = storagePath.endsWith('/') ? `${storagePath}index.html` : `${storagePath}/index.html`;
     const indexExists = await storage.exists(indexPath);
+    const acceptHeader = request.headers.accept || '';
 
-    if (indexExists && connegEnabled) {
-      const acceptHeader = request.headers.accept || '';
-      const wantsTurtle = acceptHeader.includes('text/turtle') ||
-                          acceptHeader.includes('text/n3') ||
-                          acceptHeader.includes('application/n-triples');
-      const wantsJsonLd = acceptHeader.includes('application/ld+json') ||
-                          acceptHeader.includes('application/json');
+    if (connegEnabled) {
+      // HEAD must mirror what GET would emit; otherwise client caches and
+      // RDF-aware tooling key off a content-type that doesn't match the
+      // body they'll see on the next GET (#325). Use q-aware Accept
+      // parsing for both the index.html and listing branches.
+      const negotiated = selectContentType(acceptHeader, true);
+      const wantsTurtle = negotiated === RDF_TYPES.TURTLE
+        || negotiated === RDF_TYPES.N3
+        || negotiated === 'application/n-triples';
+      const wantsJsonLd = negotiated === RDF_TYPES.JSON_LD;
 
       if (wantsTurtle) {
         contentType = 'text/turtle';
       } else if (wantsJsonLd) {
-        contentType = 'application/ld+json';
+        // For an index.html container, only override to JSON-LD if the
+        // Accept header explicitly asked for JSON; otherwise fall back
+        // to text/html so HEAD matches the index.html that GET serves.
+        const explicitJson = /\b(application\/ld\+json|application\/json)\b/i.test(acceptHeader);
+        contentType = (indexExists && !explicitJson) ? 'text/html' : 'application/ld+json';
       } else {
-        contentType = 'text/html';
+        contentType = indexExists ? 'text/html' : 'application/ld+json';
       }
     } else if (indexExists) {
       contentType = 'text/html';

package/src/server.js

@@ -94,6 +94,7 @@ export function createServer(options = {}) {
   // Single-user mode - creates pod on startup, disables registration
   const singleUser = options.singleUser ?? false;
   const singleUserName = options.singleUserName ?? 'me';
+  const singleUserPassword = options.singleUserPassword ?? null;
   // Default storage quota per pod (50MB default, 0 = unlimited)
   const defaultQuota = options.defaultQuota ?? 50 * 1024 * 1024;
   // WebID-TLS client certificate authentication is OFF by default
@@ -561,15 +562,21 @@ export function createServer(options = {}) {
       const isRootPod = !singleUserName || singleUserName === '/';
       const podPath = isRootPod ? '/' : `/${singleUserName}/`;
       const podUri = isRootPod ? `${baseUrl}/` : `${baseUrl}/${singleUserName}/`;
-      const webId = `${podUri}profile/card.jsonld#me`;
       const displayName = isRootPod ? 'me' : singleUserName;
 
       // Check if pod already exists. Accept either the new `card.jsonld`
       // or legacy extensionless `card` layout so we don't re-seed a pod
-      // that was created by an older JSS version.
-      const profileExists =
-        await storage.exists(`${podPath}profile/card.jsonld`) ||
-        await storage.exists(`${podPath}profile/card`);
+      // that was created by an older JSS version. Compute the effective
+      // WebID against whichever profile file actually resolves — a
+      // legacy pod must keep its `/profile/card#me` WebID, otherwise the
+      // seeded IDP account would point at a non-existent document.
+      const hasJsonLd = await storage.exists(`${podPath}profile/card.jsonld`);
+      const hasLegacy = !hasJsonLd && await storage.exists(`${podPath}profile/card`);
+      const profileFile = hasJsonLd ? 'profile/card.jsonld'
+                          : hasLegacy ? 'profile/card'
+                          : 'profile/card.jsonld'; // fresh pod default
+      const webId = `${podUri}${profileFile}#me`;
+      const profileExists = hasJsonLd || hasLegacy;
 
       if (!profileExists) {
         fastify.log.info(`Creating single-user pod at ${podUri}...`);
@@ -583,6 +590,123 @@ export function createServer(options = {}) {
         }
         fastify.log.info(`Single-user pod created at ${podUri}`);
       }
+
+      // Seed an IDP account so the operator can actually log in. Without
+      // this, single-user + --idp produces a pod but no credential, and
+      // registration is intentionally disabled in single-user mode — so
+      // the pod is unloggable until a password is set externally (#323).
+      if (idpEnabled && !isRootPod) {
+        await seedSingleUserIdpAccount({
+          fastify,
+          username: singleUserName,
+          webId,
+          podName: singleUserName,
+          providedPassword: singleUserPassword
+        });
+      }
+    });
+  }
+
+  /**
+   * Seed an IDP account for the single-user pod owner if one doesn't
+   * already exist. Password sources, in priority order:
+   *   1. `--single-user-password` / `JSS_SINGLE_USER_PASSWORD`
+   *   2. interactive prompt (TTY only)
+   *   3. error — server stays up but logs that login won't work yet
+   */
+  async function seedSingleUserIdpAccount({ fastify, username, webId, podName, providedPassword }) {
+    const { findByUsername, createAccount } = await import('./idp/accounts.js');
+    const existing = await findByUsername(username);
+    if (existing) return; // already seeded — idempotent
+
+    // Treat anything that isn't a non-empty string as "not provided" so
+    // a misconfigured env coercion or stray boolean can't reach bcrypt.
+    let password = (typeof providedPassword === 'string' && providedPassword.length > 0)
+      ? providedPassword
+      : null;
+
+    if (!password) {
+      if (process.stdin.isTTY && process.stdout.isTTY) {
+        try {
+          password = await promptPasswordOnce(`[jss] Set initial IDP password for "${username}": `);
+        } catch (err) {
+          fastify.log.warn({ err }, `Password prompt failed for "${username}"`);
+          return;
+        }
+      } else {
+        fastify.log.warn(
+          `--single-user --idp: no password provided. Set --single-user-password or ` +
+          `JSS_SINGLE_USER_PASSWORD before starting (or run on a TTY to be prompted). ` +
+          `Login is currently not possible for "${username}".`
+        );
+        return;
+      }
+    }
+
+    if (typeof password !== 'string' || password.length === 0) {
+      fastify.log.warn(`Empty password — skipping IDP account creation for "${username}".`);
+      return;
+    }
+
+    try {
+      await createAccount({ username, password, webId, podName });
+      fastify.log.info(`IDP account seeded for single-user "${username}".`);
+    } catch (err) {
+      fastify.log.error({ err }, `Failed to seed IDP account for "${username}"`);
+    }
+  }
+
+  /**
+   * Read a password from stdin without echoing it. Uses the public
+   * `emitKeypressEvents` + raw-mode keypress API rather than overriding
+   * the underscored `_writeToOutput` on a `readline.Interface`, which is
+   * a private/unstable hook.
+   */
+  async function promptPasswordOnce(prompt) {
+    const { emitKeypressEvents } = await import('node:readline');
+    const stdin = process.stdin;
+    const stdout = process.stdout;
+    if (!stdin.isTTY || typeof stdin.setRawMode !== 'function') {
+      throw new Error('Interactive password prompt requires a TTY');
+    }
+    return new Promise((resolve, reject) => {
+      let password = '';
+      const wasRaw = stdin.isRaw === true;
+      const onKeypress = (str, key = {}) => {
+        if (key.ctrl && key.name === 'c') {
+          cleanup();
+          reject(new Error('Password prompt cancelled'));
+          return;
+        }
+        if (key.name === 'return' || key.name === 'enter') {
+          cleanup();
+          resolve(password);
+          return;
+        }
+        if (key.name === 'backspace' || key.name === 'delete') {
+          password = password.slice(0, -1);
+          return;
+        }
+        // Only accept printable input — \P{C} excludes control codes,
+        // so escape sequences from arrow keys, function keys, etc. don't
+        // sneak invisible bytes into the password buffer.
+        if (!key.ctrl && !key.meta &&
+            typeof str === 'string' && str.length > 0 &&
+            /^\P{C}+$/u.test(str)) {
+          password += str;
+        }
+      };
+      const cleanup = () => {
+        stdin.removeListener('keypress', onKeypress);
+        if (!wasRaw) stdin.setRawMode(false);
+        stdout.write('\n');
+        stdin.pause();
+      };
+      emitKeypressEvents(stdin);
+      stdout.write(prompt);
+      if (!wasRaw) stdin.setRawMode(true);
+      stdin.resume();
+      stdin.on('keypress', onKeypress);
     });
   }
 

package/test/config.test.js

@@ -0,0 +1,66 @@
+/**
+ * Config / env-var parsing tests.
+ *
+ * Regression coverage for the env-coercion fix in #323: only known
+ * boolean keys may have their string values coerced to booleans.
+ * Otherwise an env var like JSS_SINGLE_USER_PASSWORD="true" would silently
+ * become a real boolean and break downstream code (bcrypt, etc.).
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { loadConfig } from '../src/config.js';
+
+describe('config — env var boolean coercion', () => {
+  // Save/restore the env vars we touch so this test is hermetic.
+  const KEYS = ['JSS_SINGLE_USER_PASSWORD', 'JSS_IDP', 'JSS_BASE_DOMAIN', 'JSS_MULTIUSER'];
+  const original = {};
+  before(() => { for (const k of KEYS) original[k] = process.env[k]; });
+  after(() => {
+    for (const k of KEYS) {
+      if (original[k] === undefined) delete process.env[k];
+      else process.env[k] = original[k];
+    }
+  });
+
+  it('preserves string-valued env vars when their value is "true"', async () => {
+    process.env.JSS_SINGLE_USER_PASSWORD = 'true';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.singleUserPassword, 'true',
+      'password env var must remain a string, not be coerced to boolean true');
+  });
+
+  it('preserves string-valued env vars when their value is "false"', async () => {
+    process.env.JSS_SINGLE_USER_PASSWORD = 'false';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.singleUserPassword, 'false');
+  });
+
+  it('preserves string-valued env vars when set to other strings', async () => {
+    process.env.JSS_BASE_DOMAIN = 'example.com';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.baseDomain, 'example.com');
+  });
+
+  it('still coerces known boolean keys', async () => {
+    process.env.JSS_IDP = 'true';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.idp, true, 'idp env var should be coerced to boolean');
+  });
+
+  it('still coerces known boolean keys when "false"', async () => {
+    process.env.JSS_IDP = 'false';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.idp, false);
+  });
+
+  it('coerces JSS_MULTIUSER to a boolean (regression for missed entry)', async () => {
+    process.env.JSS_MULTIUSER = 'false';
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.multiuser, false,
+      'multiuser must coerce to boolean false, not the string "false" (truthy)');
+    process.env.JSS_MULTIUSER = 'true';
+    const cfg2 = await loadConfig({}, null);
+    assert.strictEqual(cfg2.multiuser, true);
+  });
+});

package/test/conneg.test.js

@@ -354,3 +354,95 @@ describe('Content Negotiation (conneg disabled - default)', () => {
     });
   });
 });
+
+// Regression coverage for #325 — q-weighted Accept and HEAD/GET parity.
+// Previously the conneg dispatcher used naive substring matching on the
+// Accept header, so any Accept that mentioned text/turtle (even at q=0.1
+// alongside q=1.0 application/ld+json) returned Turtle. Separately, HEAD
+// on a container without an index.html hard-coded application/ld+json,
+// so HEAD and GET disagreed on content-type for the same URL.
+describe('Content Negotiation — q-weights and HEAD/GET parity (#325)', () => {
+  before(async () => {
+    await startTestServer({ conneg: true });
+    await createTestPod('qwtest');
+  });
+  after(async () => { await stopTestServer(); });
+
+  function ct(res) {
+    return (res.headers.get('content-type') || '').split(';')[0].trim();
+  }
+
+  describe('container — q-weight respected', () => {
+    it('Accept: jsonld q=1.0, turtle q=0.1 → JSON-LD', async () => {
+      const res = await request('/qwtest/', {
+        headers: { Accept: 'application/ld+json;q=1.0, text/turtle;q=0.1' }
+      });
+      assertStatus(res, 200);
+      assert.strictEqual(ct(res), 'application/ld+json');
+      const body = await res.text();
+      assert.ok(body.trimStart().startsWith('{'),
+        `body should be JSON, got: ${body.slice(0, 80)}`);
+    });
+
+    it('Accept: jsonld, turtle;q=0.5 → JSON-LD wins (downstream repro)', async () => {
+      const res = await request('/qwtest/', {
+        headers: { Accept: 'application/ld+json, text/turtle;q=0.5' }
+      });
+      assert.strictEqual(ct(res), 'application/ld+json');
+      const body = await res.text();
+      assert.ok(body.trimStart().startsWith('{'),
+        `body should be JSON, got: ${body.slice(0, 80)}`);
+    });
+
+    it('Accept: turtle (explicit) → Turtle', async () => {
+      const res = await request('/qwtest/', { headers: { Accept: 'text/turtle' } });
+      assert.strictEqual(ct(res), 'text/turtle');
+      const body = await res.text();
+      assert.ok(body.trimStart().startsWith('@prefix'),
+        `body should be Turtle, got: ${body.slice(0, 80)}`);
+    });
+
+    it('no Accept → JSON-LD (native default)', async () => {
+      const res = await request('/qwtest/');
+      assert.strictEqual(ct(res), 'application/ld+json');
+    });
+  });
+
+  describe('container — HEAD content-type matches GET', () => {
+    const cases = [
+      ['no Accept',         {}],
+      ['jsonld preferred',  { Accept: 'application/ld+json;q=1.0, text/turtle;q=0.1' }],
+      ['turtle preferred',  { Accept: 'text/turtle' }],
+      ['mixed (q=0.5)',     { Accept: 'application/ld+json, text/turtle;q=0.5' }]
+    ];
+    for (const [label, headers] of cases) {
+      it(`HEAD === GET content-type — ${label}`, async () => {
+        const get = await request('/qwtest/', { headers });
+        const head = await request('/qwtest/', { method: 'HEAD', headers });
+        assert.strictEqual(get.status, 200);
+        assert.strictEqual(head.status, 200);
+        assert.strictEqual(ct(head), ct(get),
+          `HEAD ct (${ct(head)}) must equal GET ct (${ct(get)}) for ${label}`);
+      });
+    }
+  });
+
+  describe('container — auth path matches anonymous', () => {
+    it('GET with auth returns same content-type as without auth (turtle case)', async () => {
+      const headers = { Accept: 'text/turtle' };
+      const anon = await request('/qwtest/', { headers });
+      const authed = await request('/qwtest/', { headers, auth: 'qwtest' });
+      assert.strictEqual(ct(anon), 'text/turtle');
+      assert.strictEqual(ct(authed), ct(anon),
+        'authenticated GET must report the same content-type as anonymous');
+    });
+
+    it('GET with auth returns same content-type as without auth (jsonld case)', async () => {
+      const headers = { Accept: 'application/ld+json;q=1.0, text/turtle;q=0.1' };
+      const anon = await request('/qwtest/', { headers });
+      const authed = await request('/qwtest/', { headers, auth: 'qwtest' });
+      assert.strictEqual(ct(anon), 'application/ld+json');
+      assert.strictEqual(ct(authed), ct(anon));
+    });
+  });
+});

package/test/idp.test.js

@@ -713,3 +713,205 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
   });
 });
+
+// Single-user + --idp must seed an IDP account so the operator can log in.
+// Without this, the pod is created but is unloggable: registration is
+// disabled in single-user mode and there's no pre-existing account.
+// Regression for #323.
+describe('Identity Provider — single-user password seeding (#323)', () => {
+  // Save/restore DATA_ROOT and stdin.isTTY around this suite so we don't
+  // leak global state into other tests in the same `node --test` run.
+  // For isTTY we capture the *property descriptor* so we can correctly
+  // restore an inherited (prototype) accessor — Object.defineProperty
+  // would otherwise leave a shadowing own-property behind.
+  let originalDataRoot;
+  let originalIsTTYDescriptor;
+  let originalIsTTYWasOwn;
+  before(() => {
+    originalDataRoot = process.env.DATA_ROOT;
+    originalIsTTYWasOwn = Object.prototype.hasOwnProperty.call(process.stdin, 'isTTY');
+    originalIsTTYDescriptor = Object.getOwnPropertyDescriptor(process.stdin, 'isTTY');
+    // Force non-TTY so the no-password test never blocks on an
+    // unanswerable prompt when the suite is run from an interactive shell.
+    Object.defineProperty(process.stdin, 'isTTY', { value: false, configurable: true });
+  });
+  after(() => {
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+    if (originalIsTTYWasOwn && originalIsTTYDescriptor) {
+      Object.defineProperty(process.stdin, 'isTTY', originalIsTTYDescriptor);
+    } else {
+      // Property was inherited; remove our shadowing own-property so
+      // the prototype's accessor is visible again.
+      delete process.stdin.isTTY;
+    }
+  });
+
+  it('seeds an IDP account when singleUserPassword is provided', async () => {
+    const dir = './test-data-su-pw-provided';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      singleUserName: 'me',
+      singleUserPassword: 'hunter2-test',
+      forceCloseConnections: true,
+    });
+    try {
+      // createServer already sets DATA_ROOT when `root` is provided;
+      // import accounts.js after listen() so it picks up the right path.
+      await server.listen({ port, host: TEST_HOST });
+      const { findByUsername, authenticate } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.ok(account, 'IDP account for single-user "me" should exist');
+      assert.strictEqual(account.username, 'me');
+      assert.ok(account.webId.includes('/me/profile/card.jsonld#me'));
+      const authed = await authenticate('me', 'hunter2-test');
+      assert.ok(authed, 'should authenticate with the seeded password');
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('skips seeding (no error) when no password and not on a TTY', async () => {
+    // The before() hook stubs stdin.isTTY=false so the seed step warns
+    // and skips rather than blocking on an unanswerable prompt.
+    const dir = './test-data-su-pw-missing';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      singleUserName: 'me',
+      // singleUserPassword intentionally omitted
+      forceCloseConnections: true,
+    });
+    try {
+      await server.listen({ port, host: TEST_HOST });
+      const { findByUsername } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.strictEqual(account, null, 'no account should be seeded without a password');
+      // Pod itself must still exist — server starts up regardless.
+      const profileExists = await fs.pathExists(path.join(dir, 'me/profile/card.jsonld'));
+      assert.ok(profileExists, 'pod should still be created');
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('is idempotent — restarting does not duplicate or error', async () => {
+    const dir = './test-data-su-pw-idempotent';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const startOnce = async () => {
+      const s = createServer({
+        logger: false,
+        root: dir,
+        idp: true,
+        idpIssuer: baseUrl,
+        singleUser: true,
+        singleUserName: 'me',
+        singleUserPassword: 'idem-pw',
+        forceCloseConnections: true,
+      });
+      await s.listen({ port, host: TEST_HOST });
+      return s;
+    };
+    let s1, s2;
+    try {
+      s1 = await startOnce();
+      await s1.close();
+      s2 = await startOnce();
+      const { findByUsername, authenticate } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.ok(account, 'account from first run should still exist');
+      // Original password still valid (we didn't overwrite on the second run).
+      const authed = await authenticate('me', 'idem-pw');
+      assert.ok(authed);
+    } finally {
+      if (s2) await s2.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('seeds with the legacy WebID when /profile/card (no .jsonld) already exists', async () => {
+    // Older JSS versions used /profile/card without the extension. A
+    // legacy pod must keep that URL — seeding an account whose WebID
+    // points at /profile/card.jsonld#me would create a credential bound
+    // to a document the user doesn't actually have.
+    const dir = './test-data-su-pw-legacy';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    // Pre-seed a legacy-layout pod so the server treats it as already
+    // existing on startup (no fresh creation).
+    const legacyProfileDir = path.join(dir, 'me/profile');
+    await fs.ensureDir(legacyProfileDir);
+    await fs.writeFile(path.join(legacyProfileDir, 'card'), '<html></html>');
+
+    const port = await getAvailablePort();
+    const baseUrl = `http://${TEST_HOST}:${port}`;
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      singleUserName: 'me',
+      singleUserPassword: 'legacy-pw',
+      forceCloseConnections: true,
+    });
+    try {
+      await server.listen({ port, host: TEST_HOST });
+      const { findByUsername } = await import('../src/idp/accounts.js');
+      const account = await findByUsername('me');
+      assert.ok(account, 'account should be seeded against the legacy pod');
+      assert.ok(
+        account.webId.endsWith('/me/profile/card#me'),
+        `legacy pod must keep /profile/card#me WebID, got ${account.webId}`
+      );
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+
+  it('does not seed when --idp is off', async () => {
+    const dir = './test-data-su-pw-no-idp';
+    await fs.remove(dir);
+    await fs.ensureDir(dir);
+    const port = await getAvailablePort();
+    const server = createServer({
+      logger: false,
+      root: dir,
+      idp: false,
+      singleUser: true,
+      singleUserName: 'me',
+      singleUserPassword: 'should-be-ignored',
+      forceCloseConnections: true,
+    });
+    try {
+      await server.listen({ port, host: TEST_HOST });
+      // No .idp directory should exist when idp is disabled.
+      const idpDirExists = await fs.pathExists(path.join(dir, '.idp'));
+      assert.strictEqual(idpDirExists, false, 'no .idp directory when --idp off');
+    } finally {
+      await server.close();
+      await fs.remove(dir);
+    }
+  });
+});