javascript-solid-server 0.0.21 → 0.0.23

package/.claude/settings.local.json

@@ -67,7 +67,37 @@
       "Bash(pm2 save:*)",
       "Bash(gh issue create:*)",
       "Bash(gh issue view:*)",
-      "Bash(gh issue edit:*)"
+      "Bash(gh issue edit:*)",
+      "WebFetch(domain:nostrcg.github.io)",
+      "WebFetch(domain:melvincarvalho.github.io)",
+      "WebFetch(domain:dev.to)",
+      "WebFetch(domain:solidproject.org)",
+      "WebFetch(domain:www.w3.org)",
+      "Bash(wc:*)",
+      "Bash(TOKEN=\"eyJraW5kIjoyNzIzNSwidGFncyI6W1sidSIsImh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC9kZW1vL25vc3RyLXpvbmUvIl0sWyJtZXRob2QiLCJHRVQiXV0sImNyZWF0ZWRfYXQiOjE3NjY5MzQ1NjksImNvbnRlbnQiOiIiLCJwdWJrZXkiOiI4OTg5OWNmOWEyNGE5ZTdlMTNmODU3MGRkMGI1MmJiOTQyMjllNDI2OGM1MGQ1OWZhNjdhMzQ0MGQ0NmFhZTdkIiwiaWQiOiJiNTUyMDUyOTVmYmQwYzhjZDYwMzk1NTgwOWYxZGM5Y2MwMjdlY2U4N2NjYmNlNzcwNWY2MjdmNmQ0ODk1MGJkIiwic2lnIjoiOWYzN2Y0NzIyZDlkNmFmZGQ5OTNkYTM0MDg2MWQ2YzQ4MmY1NzQ1MmFmZTIwZmY2YmI5OTAxNGIwOTU3NjUwMWZiNTgyZjEzNzNlZmVhNjI4ZDI5ZjlhMzhmZTgyODU0ODlmMzAzYzlmYmJjYWE0OTQxZjUyZGZlMWYxNzVkOWMifQ==\")",
+      "WebFetch(domain:solid-lite.org)",
+      "Bash(git push:*)",
+      "WebFetch(domain:linkedwebstorage.com)",
+      "WebFetch(domain:w3c.github.io)",
+      "WebFetch(domain:socialdocs.org)",
+      "WebFetch(domain:nosdav.com)",
+      "WebFetch(domain:sandy-mount.com)",
+      "WebFetch(domain:ditto.pub)",
+      "WebFetch(domain:blocktrails.org)",
+      "WebFetch(domain:microfed.org)",
+      "WebFetch(domain:soliddocs.org)",
+      "WebFetch(domain:agenticalliance.com)",
+      "WebFetch(domain:activitypub.rocks)",
+      "WebFetch(domain:nostrgit.org)",
+      "Bash(convert:*)",
+      "WebFetch(domain:instantdomainsearch.com)",
+      "Bash(for domain in jss.dev jss.sh jss.io jss.app solidserver.dev solid-server.dev)",
+      "Bash(do echo -n '$domain: ')",
+      "Bash(whois $domain)",
+      "Bash(done)",
+      "Bash(for domain in jss.dev jss.sh jss.io jss.app solidserver.dev)",
+      "Bash(host:*)",
+      "WebFetch(domain:nostr-components.github.io)"
     ]
   }
 }

package/README.md

@@ -54,7 +54,7 @@ npm run benchmark
 
 ## Features
 
-### Implemented (v0.0.17)
+### Implemented (v0.0.23)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -66,11 +66,13 @@ npm run benchmark
 - **Container Management** - Create, list, and manage containers
 - **Multi-user Pods** - Path-based (`/alice/`) or subdomain-based (`alice.example.com`)
 - **Subdomain Mode** - XSS protection via origin isolation
-- **Mashlib Data Browser** - Optional SolidOS UI for browsing RDF resources
+- **Mashlib Data Browser** - Optional SolidOS UI (CDN or local hosting)
 - **WebID Profiles** - JSON-LD structured data in HTML at pod root
 - **Web Access Control (WAC)** - `.acl` file-based authorization
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
+- **NSS-style Registration** - Username/password auth compatible with Solid apps
+- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Optional Turtle <-> JSON-LD conversion
 - **CORS Support** - Full cross-origin resource sharing
@@ -139,8 +141,9 @@ jss --help             # Show help
 | `--idp-issuer <url>` | IdP issuer URL | (auto) |
 | `--subdomains` | Enable subdomain-based pods | false |
 | `--base-domain <domain>` | Base domain for subdomains | - |
-| `--mashlib` | Enable Mashlib data browser | false |
-| `--mashlib-version <ver>` | Mashlib version | 2.0.0 |
+| `--mashlib` | Enable Mashlib (local mode) | false |
+| `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
+| `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -407,24 +410,35 @@ createServer({
   notifications: false, // Enable WebSocket notifications (default: false)
   subdomains: false,   // Enable subdomain-based pods (default: false)
   baseDomain: null,    // Base domain for subdomains (e.g., "example.com")
-  mashlib: false,      // Enable Mashlib data browser (default: false)
-  mashlibVersion: '2.0.0', // Mashlib version to use
+  mashlib: false,      // Enable Mashlib data browser - local mode (default: false)
+  mashlibCdn: false,   // Enable Mashlib data browser - CDN mode (default: false)
+  mashlibVersion: '2.0.0', // Mashlib version for CDN mode
 });
 ```
 
 ### Mashlib Data Browser
 
-Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources:
+Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources. Two modes are available:
 
+**CDN Mode** (recommended for getting started):
 ```bash
-jss start --mashlib --conneg
+jss start --mashlib-cdn --conneg
 ```
+Loads mashlib from unpkg.com CDN. Zero footprint - no local files needed.
 
-When enabled, requesting an RDF resource with `Accept: text/html` returns an interactive data browser UI instead of raw data. Mashlib is loaded from the unpkg CDN.
+**Local Mode** (for production/offline):
+```bash
+jss start --mashlib --conneg
+```
+Serves mashlib from `src/mashlib-local/dist/`. Requires building mashlib locally:
+```bash
+cd src/mashlib-local
+npm install && npm run build
+```
 
 **How it works:**
 1. Browser requests `/alice/public/data.ttl` with `Accept: text/html`
-2. Server returns Mashlib HTML wrapper (loads JS/CSS from CDN)
+2. Server returns Mashlib HTML wrapper
 3. Mashlib fetches the actual data via content negotiation
 4. Mashlib renders an interactive, editable view
 

package/bin/jss.js

@@ -50,9 +50,10 @@ program
   .option('--subdomains', 'Enable subdomain-based pods (XSS protection)')
   .option('--no-subdomains', 'Disable subdomain-based pods')
   .option('--base-domain <domain>', 'Base domain for subdomain pods (e.g., "example.com")')
-  .option('--mashlib', 'Enable Mashlib data browser for RDF resources')
+  .option('--mashlib', 'Enable Mashlib data browser (local mode, requires mashlib in node_modules)')
+  .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
   .option('--no-mashlib', 'Disable Mashlib data browser')
-  .option('--mashlib-version <version>', 'Mashlib version to use (default: 2.0.0)')
+  .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -91,7 +92,8 @@ program
         root: config.root,
         subdomains: config.subdomains,
         baseDomain: config.baseDomain,
-        mashlib: config.mashlib,
+        mashlib: config.mashlib || config.mashlibCdn,
+        mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
       });
 
@@ -106,7 +108,11 @@ program
         if (config.notifications) console.log('  WebSocket: enabled');
         if (config.idp) console.log(`  IdP: ${idpIssuer}`);
         if (config.subdomains) console.log(`  Subdomains: ${config.baseDomain} (XSS protection enabled)`);
-        if (config.mashlib) console.log(`  Mashlib: v${config.mashlibVersion} (data browser enabled)`);
+        if (config.mashlibCdn) {
+          console.log(`  Mashlib: v${config.mashlibVersion} (CDN mode)`);
+        } else if (config.mashlib) {
+          console.log(`  Mashlib: local (data browser enabled)`);
+        }
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.21",
+  "version": "0.0.23",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -31,6 +31,7 @@
     "fs-extra": "^11.2.0",
     "jose": "^6.1.3",
     "n3": "^1.26.0",
+    "nostr-tools": "^2.19.4",
     "oidc-provider": "^9.6.0"
   },
   "engines": {

package/src/auth/nostr.js

@@ -0,0 +1,197 @@
+/**
+ * Nostr NIP-98 Authentication
+ *
+ * Implements HTTP authentication using Schnorr signatures as defined in:
+ * - NIP-98: https://nips.nostr.com/98
+ * - JIP-0001: https://github.com/JavaScriptSolidServer/jips/blob/main/jip-0001.md
+ *
+ * Authorization header format: "Nostr <base64-encoded-event>"
+ *
+ * The authenticated identity is returned as a did:nostr URI:
+ *   did:nostr:<64-char-hex-pubkey>
+ */
+
+import { verifyEvent } from 'nostr-tools';
+import crypto from 'crypto';
+
+// NIP-98 event kind (references RFC 7235)
+const HTTP_AUTH_KIND = 27235;
+
+// Timestamp tolerance in seconds
+const TIMESTAMP_TOLERANCE = 60;
+
+/**
+ * Check if request has Nostr authentication
+ * @param {object} request - Fastify request object
+ * @returns {boolean}
+ */
+export function hasNostrAuth(request) {
+  const authHeader = request.headers.authorization;
+  return authHeader && authHeader.startsWith('Nostr ');
+}
+
+/**
+ * Extract token from Nostr authorization header
+ * @param {string} authHeader - Authorization header value
+ * @returns {string|null}
+ */
+export function extractNostrToken(authHeader) {
+  if (!authHeader || !authHeader.startsWith('Nostr ')) {
+    return null;
+  }
+  return authHeader.slice(6).trim();
+}
+
+/**
+ * Decode NIP-98 event from base64 token
+ * @param {string} token - Base64 encoded event
+ * @returns {object|null} Decoded event or null
+ */
+function decodeEvent(token) {
+  try {
+    const decoded = Buffer.from(token, 'base64').toString('utf8');
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get tag value from event
+ * @param {object} event - Nostr event
+ * @param {string} tagName - Tag name (e.g., 'u', 'method')
+ * @returns {string|null} Tag value or null
+ */
+function getTagValue(event, tagName) {
+  if (!event.tags || !Array.isArray(event.tags)) {
+    return null;
+  }
+  const tag = event.tags.find(t => Array.isArray(t) && t[0] === tagName);
+  return tag ? tag[1] : null;
+}
+
+/**
+ * Convert Nostr pubkey to did:nostr URI
+ * @param {string} pubkey - 64-char hex public key
+ * @returns {string} did:nostr URI
+ */
+export function pubkeyToDidNostr(pubkey) {
+  return `did:nostr:${pubkey.toLowerCase()}`;
+}
+
+/**
+ * Verify NIP-98 authentication and return agent identity
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function verifyNostrAuth(request) {
+  const token = extractNostrToken(request.headers.authorization);
+
+  if (!token) {
+    return { webId: null, error: 'Missing Nostr token' };
+  }
+
+  // Decode the event
+  const event = decodeEvent(token);
+  if (!event) {
+    return { webId: null, error: 'Invalid token format: could not decode base64 JSON' };
+  }
+
+  // Validate event kind (must be 27235)
+  if (event.kind !== HTTP_AUTH_KIND) {
+    return { webId: null, error: `Invalid event kind: expected ${HTTP_AUTH_KIND}, got ${event.kind}` };
+  }
+
+  // Validate timestamp (within ±60 seconds)
+  const now = Math.floor(Date.now() / 1000);
+  const eventTime = event.created_at;
+  if (!eventTime || Math.abs(now - eventTime) > TIMESTAMP_TOLERANCE) {
+    return { webId: null, error: 'Event timestamp outside acceptable window (±60s)' };
+  }
+
+  // Build full URL for validation
+  const protocol = request.protocol || 'http';
+  const host = request.headers.host || request.hostname;
+  const fullUrl = `${protocol}://${host}${request.url}`;
+
+  // Validate URL tag matches request URL
+  const eventUrl = getTagValue(event, 'u');
+  if (!eventUrl) {
+    return { webId: null, error: 'Missing URL tag in event' };
+  }
+
+  // Compare URLs (normalize by removing trailing slashes)
+  const normalizedEventUrl = eventUrl.replace(/\/$/, '');
+  const normalizedRequestUrl = fullUrl.replace(/\/$/, '');
+  const normalizedRequestUrlNoQuery = fullUrl.split('?')[0].replace(/\/$/, '');
+
+  if (normalizedEventUrl !== normalizedRequestUrl && normalizedEventUrl !== normalizedRequestUrlNoQuery) {
+    return { webId: null, error: `URL mismatch: event URL "${eventUrl}" does not match request URL "${fullUrl}"` };
+  }
+
+  // Validate method tag matches request method
+  const eventMethod = getTagValue(event, 'method');
+  if (!eventMethod) {
+    return { webId: null, error: 'Missing method tag in event' };
+  }
+  if (eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+    return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
+  }
+
+  // Validate payload hash if present and request has body
+  const payloadTag = getTagValue(event, 'payload');
+  if (payloadTag && request.body) {
+    let bodyString;
+    if (typeof request.body === 'string') {
+      bodyString = request.body;
+    } else if (Buffer.isBuffer(request.body)) {
+      bodyString = request.body.toString();
+    } else {
+      bodyString = JSON.stringify(request.body);
+    }
+
+    const expectedHash = crypto.createHash('sha256').update(bodyString).digest('hex');
+    if (payloadTag.toLowerCase() !== expectedHash.toLowerCase()) {
+      return { webId: null, error: 'Payload hash mismatch' };
+    }
+  }
+
+  // Validate pubkey exists
+  if (!event.pubkey || typeof event.pubkey !== 'string' || event.pubkey.length !== 64) {
+    return { webId: null, error: 'Invalid or missing pubkey' };
+  }
+
+  // Verify Schnorr signature
+  const isValid = verifyEvent(event);
+  if (!isValid) {
+    return { webId: null, error: 'Invalid Schnorr signature' };
+  }
+
+  // Return did:nostr as the agent identifier
+  const didNostr = pubkeyToDidNostr(event.pubkey);
+
+  return { webId: didNostr, error: null };
+}
+
+/**
+ * Get Nostr pubkey from request if authenticated via NIP-98
+ * @param {object} request - Fastify request object
+ * @returns {Promise<string|null>} Hex pubkey or null
+ */
+export async function getNostrPubkey(request) {
+  if (!hasNostrAuth(request)) {
+    return null;
+  }
+
+  const token = extractNostrToken(request.headers.authorization);
+  if (!token) {
+    return null;
+  }
+
+  try {
+    const event = decodeEvent(token);
+    return event?.pubkey || null;
+  } catch {
+    return null;
+  }
+}

package/src/auth/token.js

@@ -1,13 +1,15 @@
 /**
  * Token-based authentication
  *
- * Supports two modes:
+ * Supports multiple modes:
  * 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
  * 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
+ * 3. Nostr NIP-98 tokens: Schnorr signatures, returns did:nostr identity
  */
 
 import crypto from 'crypto';
 import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
+import { verifyNostrAuth, hasNostrAuth } from './nostr.js';
 
 // Secret for signing tokens (in production, use env var)
 const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
@@ -151,6 +153,11 @@ export function getWebIdFromRequest(request) {
     return null;
   }
 
+  // Skip Nostr tokens - use async version for those
+  if (authHeader && authHeader.startsWith('Nostr ')) {
+    return null;
+  }
+
   const token = extractToken(authHeader);
 
   if (!token) {
@@ -178,6 +185,11 @@ export async function getWebIdFromRequestAsync(request) {
     return verifySolidOidc(request);
   }
 
+  // Try Nostr NIP-98 (Schnorr signatures)
+  if (hasNostrAuth(request)) {
+    return verifyNostrAuth(request);
+  }
+
   // Fall back to simple Bearer tokens
   const token = extractToken(authHeader);
   if (!token) {

package/src/config.js

@@ -39,6 +39,7 @@ export const defaults = {
 
   // Mashlib data browser
   mashlib: false,
+  mashlibCdn: false,
   mashlibVersion: '2.0.0',
 
   // Logging
@@ -68,6 +69,7 @@ const envMap = {
   JSS_SUBDOMAINS: 'subdomains',
   JSS_BASE_DOMAIN: 'baseDomain',
   JSS_MASHLIB: 'mashlib',
+  JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
 };
 
@@ -201,6 +203,6 @@ export function printConfig(config) {
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
-  console.log(`  Mashlib:       ${config.mashlib ? `v${config.mashlibVersion}` : 'disabled'}`);
+  console.log(`  Mashlib:       ${config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
   console.log('─'.repeat(40));
 }

package/src/handlers/resource.js

@@ -145,7 +145,9 @@ export async function handleGet(request, reply) {
   // Check if we should serve Mashlib data browser
   // Only for RDF resources when Accept: text/html is requested
   if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
-    const html = generateDatabrowserHtml(resourceUrl, request.mashlibVersion);
+    // Pass CDN version if using CDN mode, null for local mode
+    const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
+    const html = generateDatabrowserHtml(resourceUrl, cdnVersion);
     const headers = getAllHeaders({
       isContainer: false,
       etag: stats.etag,
@@ -155,6 +157,10 @@ export async function handleGet(request, reply) {
       connegEnabled
     });
     headers['Vary'] = 'Accept';
+    headers['X-Frame-Options'] = 'DENY';
+    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
+    // Don't cache the HTML wrapper - always negotiate fresh
+    headers['Cache-Control'] = 'no-store';
 
     Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
     return reply.type('text/html').send(html);
@@ -191,7 +197,7 @@ export async function handleGet(request, reply) {
         resourceUrl,
         connegEnabled
       });
-      headers['Vary'] = getVaryHeader(connegEnabled);
+      headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
       Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
       return reply.send(outputContent);
@@ -209,7 +215,7 @@ export async function handleGet(request, reply) {
     resourceUrl,
     connegEnabled
   });
-  headers['Vary'] = getVaryHeader(connegEnabled);
+  headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
   return reply.send(content);
@@ -353,7 +359,7 @@ export async function handlePut(request, reply) {
   const origin = request.headers.origin;
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl, connegEnabled });
   headers['Location'] = resourceUrl;
-  headers['Vary'] = getVaryHeader(connegEnabled);
+  headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 

package/src/mashlib/index.js

@@ -6,51 +6,38 @@
  * we return this wrapper which then fetches and renders the data.
  */
 
-const CDN_BASE = 'https://unpkg.com/mashlib';
-
 /**
  * Generate Mashlib databrowser HTML
- * @param {string} resourceUrl - The URL of the resource being viewed
- * @param {string} version - Mashlib version (default: '2.0.0')
+ *
+ * @param {string} resourceUrl - The URL of the resource being viewed (unused, kept for API compatibility)
+ * @param {string} cdnVersion - If provided, load mashlib from unpkg CDN (e.g., "2.0.0")
  * @returns {string} HTML content
  */
-export function generateDatabrowserHtml(resourceUrl, version = '2.0.0') {
-  const cdnUrl = `${CDN_BASE}@${version}/dist`;
+export function generateDatabrowserHtml(resourceUrl, cdnVersion = null) {
+  if (cdnVersion) {
+    // CDN mode - use script.onload to ensure mashlib is fully loaded before init
+    // This avoids race conditions with defer + DOMContentLoaded
+    const cdnBase = `https://unpkg.com/mashlib@${cdnVersion}/dist`;
+    return `<!doctype html><html><head><meta charset="utf-8"/><title>SolidOS Web App</title>
+<link href="${cdnBase}/mash.css" rel="stylesheet"></head>
+<body id="PageBody"><header id="PageHeader"></header>
+<div class="TabulatorOutline" id="DummyUUID" role="main"><table id="outline"></table><div id="GlobalDashboard"></div></div>
+<footer id="PageFooter"></footer>
+<script>
+(function() {
+  var s = document.createElement('script');
+  s.src = '${cdnBase}/mashlib.min.js';
+  s.onload = function() { panes.runDataBrowser(); };
+  s.onerror = function() { document.body.innerHTML = '<p>Failed to load Mashlib from CDN</p>'; };
+  document.head.appendChild(s);
+})();
+</script></body></html>`;
+  }
 
-  return `<!doctype html>
-<html>
-<head>
-  <meta charset="utf-8"/>
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>SolidOS - ${escapeHtml(resourceUrl)}</title>
-  <script defer src="${cdnUrl}/mashlib.min.js"></script>
-  <link href="${cdnUrl}/mash.css" rel="stylesheet">
-  <script>
-    document.addEventListener('DOMContentLoaded', function() {
-      // runDataBrowser uses window.location to determine what to fetch
-      panes.runDataBrowser();
-    });
-  </script>
-  <style>
-    /* Loading indicator */
-    body:not(.loaded) #PageBody::before {
-      content: 'Loading SolidOS...';
-      display: block;
-      padding: 2em;
-      text-align: center;
-      color: #666;
-    }
-  </style>
-</head>
-<body id="PageBody">
-  <header id="PageHeader"></header>
-  <div class="TabulatorOutline" id="DummyUUID" role="main">
-    <table id="outline"></table>
-    <div id="GlobalDashboard"></div>
-  </div>
-  <footer id="PageFooter"></footer>
-</body>
-</html>`;
+  // Local mode - use defer (reliable when served locally)
+  return `<!doctype html><html><head><meta charset="utf-8"/><title>SolidOS Web App</title><script>document.addEventListener('DOMContentLoaded', function() {
+        panes.runDataBrowser()
+      })</script><script defer="defer" src="/mashlib.min.js"></script><link href="/mash.css" rel="stylesheet"></head><body id="PageBody"><header id="PageHeader"></header><div class="TabulatorOutline" id="DummyUUID" role="main"><table id="outline"></table><div id="GlobalDashboard"></div></div><footer id="PageFooter"></footer></body></html>`;
 }
 
 /**
@@ -61,11 +48,17 @@ export function generateDatabrowserHtml(resourceUrl, version = '2.0.0') {
  * @returns {boolean}
  */
 export function shouldServeMashlib(request, mashlibEnabled, contentType) {
+  const accept = request.headers.accept || '';
+  const secFetchDest = request.headers['sec-fetch-dest'] || '';
+
   if (!mashlibEnabled) {
     return false;
   }
 
-  const accept = request.headers.accept || '';
+  // Don't serve mashlib for iframe/embed requests (prevents recursive loop)
+  if (secFetchDest === 'iframe' || secFetchDest === 'embed' || secFetchDest === 'object') {
+    return false;
+  }
 
   // Must explicitly accept HTML
   if (!accept.includes('text/html')) {

package/src/rdf/conneg.js

@@ -188,9 +188,10 @@ export async function fromJsonLd(jsonLd, targetType, baseUri, connegEnabled = fa
 
 /**
  * Get Vary header value for content negotiation
+ * Include Accept when conneg or mashlib is enabled (response varies by Accept header)
  */
-export function getVaryHeader(connegEnabled) {
-  return connegEnabled ? 'Accept, Origin' : 'Origin';
+export function getVaryHeader(connegEnabled, mashlibEnabled = false) {
+  return (connegEnabled || mashlibEnabled) ? 'Accept, Origin' : 'Origin';
 }
 
 /**

package/src/server.js

@@ -1,4 +1,7 @@
 import Fastify from 'fastify';
+import { readFile } from 'fs/promises';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
 import { handleGet, handleHead, handlePut, handleDelete, handleOptions, handlePatch } from './handlers/resource.js';
 import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
@@ -6,6 +9,8 @@ import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
 /**
  * Create and configure Fastify server
  * @param {object} options - Server options
@@ -31,7 +36,9 @@ export function createServer(options = {}) {
   const subdomainsEnabled = options.subdomains ?? false;
   const baseDomain = options.baseDomain || null;
   // Mashlib data browser is OFF by default
+  // mashlibCdn: if true, load from CDN; if false, serve locally
   const mashlibEnabled = options.mashlib ?? false;
+  const mashlibCdn = options.mashlibCdn ?? false;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
 
   // Set data root via environment variable if provided
@@ -70,6 +77,7 @@ export function createServer(options = {}) {
   fastify.decorateRequest('baseDomain', null);
   fastify.decorateRequest('podName', null);
   fastify.decorateRequest('mashlibEnabled', null);
+  fastify.decorateRequest('mashlibCdn', null);
   fastify.decorateRequest('mashlibVersion', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
@@ -78,6 +86,7 @@ export function createServer(options = {}) {
     request.subdomainsEnabled = subdomainsEnabled;
     request.baseDomain = baseDomain;
     request.mashlibEnabled = mashlibEnabled;
+    request.mashlibCdn = mashlibCdn;
     request.mashlibVersion = mashlibVersion;
 
     // Extract pod name from subdomain if enabled
@@ -122,11 +131,13 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, and well-known endpoints
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, and well-known endpoints
+    const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     if (request.url === '/.pods' ||
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
-        request.url.startsWith('/.well-known/')) {
+        request.url.startsWith('/.well-known/') ||
+        mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;
     }
 
@@ -144,6 +155,30 @@ export function createServer(options = {}) {
   // Pod creation endpoint
   fastify.post('/.pods', handleCreatePod);
 
+  // Mashlib static files (served from root like NSS does)
+  if (mashlibEnabled) {
+    const mashlibDir = join(__dirname, 'mashlib-local', 'dist');
+    const mashlibFiles = {
+      '/mashlib.min.js': { file: 'mashlib.min.js', type: 'application/javascript' },
+      '/mashlib.min.js.map': { file: 'mashlib.min.js.map', type: 'application/json' },
+      '/mash.css': { file: 'mash.css', type: 'text/css' },
+      '/mash.css.map': { file: 'mash.css.map', type: 'application/json' },
+      '/841.mashlib.min.js': { file: '841.mashlib.min.js', type: 'application/javascript' },
+      '/841.mashlib.min.js.map': { file: '841.mashlib.min.js.map', type: 'application/json' }
+    };
+
+    for (const [path, config] of Object.entries(mashlibFiles)) {
+      fastify.get(path, async (request, reply) => {
+        try {
+          const content = await readFile(join(mashlibDir, config.file));
+          return reply.type(config.type).send(content);
+        } catch {
+          return reply.code(404).send({ error: 'Not Found' });
+        }
+      });
+    }
+  }
+
   // LDP routes - using wildcard routing
   fastify.get('/*', handleGet);
   fastify.head('/*', handleHead);

package/src/wac/checker.js

@@ -64,7 +64,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read(resourceAclPath);
     if (content) {
       const aclUrl = getAclUrl(resourceUrl, isContainer);
-      const authorizations = parseAcl(content.toString(), aclUrl);
+      const authorizations = await parseAcl(content.toString(), aclUrl);
       return { authorizations, isDefault: false, targetUrl: resourceUrl };
     }
   }
@@ -80,7 +80,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
       const content = await storage.read(parentAclPath);
       if (content) {
         const parentUrl = resourceUrl.substring(0, resourceUrl.lastIndexOf(currentPath)) + parentPath;
-        const authorizations = parseAcl(content.toString(), parentAclPath);
+        const authorizations = await parseAcl(content.toString(), parentAclPath);
         return { authorizations, isDefault: true, targetUrl: parentUrl };
       }
     }
@@ -93,7 +93,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read('/.acl');
     if (content) {
       const rootUrl = resourceUrl.substring(0, resourceUrl.indexOf('/', 8) + 1);
-      const authorizations = parseAcl(content.toString(), '/.acl');
+      const authorizations = await parseAcl(content.toString(), '/.acl');
       return { authorizations, isDefault: true, targetUrl: rootUrl };
     }
   }

package/src/wac/parser.js

@@ -1,8 +1,10 @@
 /**
  * WAC (Web Access Control) Parser
- * Parses JSON-LD .acl files into authorization rules
+ * Parses ACL files (JSON-LD or Turtle) into authorization rules
  */
 
+import { turtleToJsonLd } from '../rdf/turtle.js';
+
 const ACL = 'http://www.w3.org/ns/auth/acl#';
 const FOAF = 'http://xmlns.com/foaf/0.1/';
 
@@ -21,16 +23,31 @@ export const AgentClass = {
 };
 
 /**
- * Parse a JSON-LD ACL document
- * @param {string|object} content - JSON-LD content (string or parsed object)
+ * Parse an ACL document (JSON-LD or Turtle)
+ * @param {string|object} content - ACL content (JSON-LD string/object or Turtle string)
  * @param {string} aclUrl - URL of the ACL document
- * @returns {Array<Authorization>} List of authorization rules
+ * @returns {Promise<Array<Authorization>>} List of authorization rules
  */
-export function parseAcl(content, aclUrl) {
+export async function parseAcl(content, aclUrl) {
   let doc;
-  try {
-    doc = typeof content === 'string' ? JSON.parse(content) : content;
-  } catch {
+
+  // If already an object, use it directly
+  if (typeof content === 'object' && content !== null) {
+    doc = content;
+  } else if (typeof content === 'string') {
+    // Try JSON-LD first
+    try {
+      doc = JSON.parse(content);
+    } catch {
+      // Not JSON, try Turtle
+      try {
+        doc = await turtleToJsonLd(content, aclUrl);
+      } catch (turtleError) {
+        // Neither JSON-LD nor valid Turtle
+        return [];
+      }
+    }
+  } else {
     return [];
   }
 

package/test/wac.test.js

@@ -18,7 +18,7 @@ import { checkAccess, getRequiredMode } from '../src/wac/checker.js';
 
 describe('WAC Parser', () => {
   describe('parseAcl', () => {
-    it('should parse a simple ACL', () => {
+    it('should parse a simple ACL', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
         '@graph': [{
@@ -30,7 +30,7 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].agents.includes('https://alice.example/#me'));
@@ -38,7 +38,7 @@ describe('WAC Parser', () => {
       assert.ok(auths[0].modes.includes(AccessMode.WRITE));
     });
 
-    it('should parse public access', () => {
+    it('should parse public access', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#', 'foaf': 'http://xmlns.com/foaf/0.1/' },
         '@graph': [{
@@ -50,14 +50,14 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].agentClasses.includes('foaf:Agent'));
       assert.ok(auths[0].modes.includes(AccessMode.READ));
     });
 
-    it('should parse default authorizations for containers', () => {
+    it('should parse default authorizations for containers', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
         '@graph': [{
@@ -69,16 +69,35 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].default.includes('https://alice.example/folder/'));
     });
 
-    it('should handle invalid JSON gracefully', () => {
-      const auths = parseAcl('not valid json', 'https://example.com/.acl');
+    it('should handle invalid JSON gracefully', async () => {
+      const auths = await parseAcl('not valid json', 'https://example.com/.acl');
       assert.strictEqual(auths.length, 0);
     });
+
+    it('should parse Turtle ACL format', async () => {
+      const turtleAcl = `
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#owner>
+    a acl:Authorization;
+    acl:agent <did:nostr:abc123>;
+    acl:accessTo <https://example.com/resource>;
+    acl:mode acl:Read, acl:Write.
+`;
+
+      const auths = await parseAcl(turtleAcl, 'https://example.com/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].agents.includes('did:nostr:abc123'));
+      assert.ok(auths[0].modes.includes(AccessMode.READ));
+      assert.ok(auths[0].modes.includes(AccessMode.WRITE));
+    });
   });
 
   describe('generateOwnerAcl', () => {

package/test-nostr-auth.js

@@ -0,0 +1,114 @@
+/**
+ * Test script for Nostr NIP-98 authentication
+ *
+ * Usage: node test-nostr-auth.js
+ *
+ * This script:
+ * 1. Generates a Nostr keypair
+ * 2. Creates a NIP-98 auth event
+ * 3. Makes authenticated request to JSS
+ * 4. Verifies the did:nostr identity is recognized
+ */
+
+import { generateSecretKey, getPublicKey, finalizeEvent } from 'nostr-tools';
+import { getToken } from 'nostr-tools/nip98';
+
+const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
+
+async function main() {
+  console.log('=== Nostr NIP-98 Authentication Test ===\n');
+
+  // Generate a new keypair
+  const sk = generateSecretKey();
+  const pk = getPublicKey(sk);
+
+  console.log('1. Generated keypair');
+  console.log(`   Public key: ${pk}`);
+  console.log(`   did:nostr:  did:nostr:${pk}\n`);
+
+  // Create NIP-98 token for GET request to a public resource
+  const testUrl = `${BASE_URL}/`;
+  const method = 'GET';
+
+  console.log(`2. Creating NIP-98 token for ${method} ${testUrl}`);
+
+  const token = await getToken(testUrl, method, (event) => finalizeEvent(event, sk));
+
+  console.log(`   Token length: ${token.length} chars\n`);
+
+  // Make authenticated request
+  console.log('3. Making authenticated request...');
+
+  try {
+    const response = await fetch(testUrl, {
+      method,
+      headers: {
+        'Authorization': `Nostr ${token}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    console.log(`   Status: ${response.status} ${response.statusText}`);
+
+    // Check headers for any auth info
+    const wwwAuth = response.headers.get('www-authenticate');
+    if (wwwAuth) {
+      console.log(`   WWW-Authenticate: ${wwwAuth}`);
+    }
+
+    // For a protected resource, we'd check if access was granted
+    // For now, just verify the request went through
+    if (response.ok) {
+      console.log('   Request succeeded!\n');
+    } else {
+      const body = await response.text();
+      console.log(`   Response: ${body.slice(0, 200)}\n`);
+    }
+  } catch (err) {
+    console.error(`   Error: ${err.message}\n`);
+  }
+
+  // Test with a protected resource (if exists)
+  console.log('4. Testing access to a container...');
+
+  const containerUrl = `${BASE_URL}/demo/public/`;
+
+  try {
+    const containerToken = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, sk));
+
+    const response = await fetch(containerUrl, {
+      headers: {
+        'Authorization': `Nostr ${containerToken}`,
+        'Accept': 'text/turtle'
+      }
+    });
+
+    console.log(`   ${containerUrl}`);
+    console.log(`   Status: ${response.status} ${response.statusText}`);
+
+    if (response.status === 200) {
+      console.log('   Container accessible with Nostr auth!');
+    } else if (response.status === 403) {
+      console.log('   403 Forbidden - auth worked but no ACL grant for did:nostr');
+      console.log(`   (Add did:nostr:${pk} to ACL to grant access)`);
+    } else if (response.status === 404) {
+      console.log('   404 Not Found - container does not exist');
+    }
+  } catch (err) {
+    console.error(`   Error: ${err.message}`);
+  }
+
+  console.log('\n=== Test Complete ===');
+  console.log('\nTo grant this identity access, add to an ACL file:');
+  console.log(`
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#nostrAuth>
+    a acl:Authorization;
+    acl:agent <did:nostr:${pk}>;
+    acl:accessTo <./>;
+    acl:mode acl:Read, acl:Write.
+`);
+}
+
+main().catch(console.error);

package/cth-config/application.yaml

@@ -1,2 +0,0 @@
-subjects: file:/config/test-subjects.ttl
-target: jss

package/cth-config/jss.ttl

@@ -1,6 +0,0 @@
-@prefix test-harness: <https://github.com/solid-contrib/specification-tests/> .
-@prefix solid-test: <https://github.com/solid-contrib/specification-tests/blob/main/vocab.ttl#> .
-
-<jss>
-    a solid-test:TestSubject ;
-    solid-test:serverRoot <http://localhost:4000/> .

package/cth-config/test-subjects.ttl

@@ -1,14 +0,0 @@
-@prefix doap: <http://usefulinc.com/ns/doap#> .
-@prefix earl: <http://www.w3.org/ns/earl#> .
-@prefix solid-test: <https://github.com/solid-contrib/specification-tests/blob/main/vocab.ttl#> .
-@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
-@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
-
-<jss>
-    a earl:Software, earl:TestSubject ;
-    doap:name "JavaScript Solid Server" ;
-    doap:description "A minimal, fast, JSON-LD native Solid server" ;
-    doap:programming-language "JavaScript" ;
-    solid-test:serverRoot <http://localhost:4000/> ;
-    solid-test:skip "acp" ;
-    rdfs:comment "Uses WAC for access control" .

package/test-data-idp-accounts/.idp/accounts/318e7a79-23d5-4e0b-8fa1-b63cfaee87e1.json

@@ -1,10 +0,0 @@
-{
-  "id": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1",
-  "username": "credtest",
-  "email": "credtest@example.com",
-  "passwordHash": "$2b$10$ITkxFeVH56JBgjDqYASbfuounFozpoVQpBvtsYxCszx2I0PBEX0hq",
-  "webId": "http://localhost:3101/credtest/#me",
-  "podName": "credtest",
-  "createdAt": "2025-12-27T14:33:50.756Z",
-  "lastLogin": "2025-12-27T14:33:51.196Z"
-}

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -1,3 +0,0 @@
-{
-  "credtest@example.com": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1"
-}

package/test-data-idp-accounts/.idp/accounts/_username_index.json

@@ -1,3 +0,0 @@
-{
-  "credtest": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1"
-}

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -1,3 +0,0 @@
-{
-  "http://localhost:3101/credtest/#me": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1"
-}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -1,22 +0,0 @@
-{
-  "jwks": {
-    "keys": [
-      {
-        "kty": "EC",
-        "x": "Nf8dDZkLGjtbhOI4-NdDeJpP7jFZ1yRIsLGbg4wWFIU",
-        "y": "RlENuTLrM8M6a1UQorqtB3NIS5VXq_gI9lqJMUKDjo8",
-        "crv": "P-256",
-        "d": "WZKOZkoJBrwF7JfwLXPzpJY2XXNgab-YfqUSIT2Xpfs",
-        "kid": "91ebc94d-1ed9-4ded-b017-70f51f2aff2b",
-        "use": "sig",
-        "alg": "ES256",
-        "iat": 1766846030
-      }
-    ]
-  },
-  "cookieKeys": [
-    "V7_pksFGkYdBgSRG_lC9AWIki50H1qzj9-L_T-Q7OC0",
-    "hmJQwz_B5QLiHUkncYUHZC7xOtGLrLvQVyBmJ5r-nIo"
-  ],
-  "createdAt": "2025-12-27T14:33:50.653Z"
-}

package/test-dpop-flow.js

@@ -1,148 +0,0 @@
-import * as jose from 'jose';
-import crypto from 'crypto';
-
-const BASE = 'http://localhost:4000';
-
-// Create DPoP proof
-async function createDpopProof(privateKey, publicJwk, method, url, ath = null) {
-  const payload = {
-    jti: crypto.randomUUID(),
-    htm: method,
-    htu: url,
-    iat: Math.floor(Date.now() / 1000),
-  };
-  if (ath) payload.ath = ath;
-
-  return new jose.SignJWT(payload)
-    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
-    .sign(privateKey);
-}
-
-async function main() {
-  console.log('=== Testing DPoP Auth Flow ===\n');
-
-  // 1. Generate key pair
-  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
-  const publicJwk = await jose.exportJWK(publicKey);
-  const jkt = await jose.calculateJwkThumbprint(publicJwk, 'sha256');
-  console.log('1. Generated DPoP key pair, thumbprint:', jkt.substring(0, 20) + '...\n');
-
-  // 2. Register client dynamically
-  console.log('2. Registering client...');
-  const regRes = await fetch(`${BASE}/idp/reg`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      redirect_uris: ['https://tester'],
-      token_endpoint_auth_method: 'none',
-      grant_types: ['authorization_code'],
-      response_types: ['code'],
-    }),
-  });
-  const client = await regRes.json();
-  console.log('   Client ID:', client.client_id, '\n');
-
-  // 3. Generate PKCE
-  const codeVerifier = crypto.randomBytes(32).toString('base64url');
-  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-  console.log('3. Generated PKCE challenge\n');
-
-  // 4. Authorization request - WITH dpop_jkt parameter
-  console.log('4. Starting authorization (with dpop_jkt)...');
-  const authUrl = new URL(`${BASE}/idp/auth`);
-  authUrl.searchParams.set('client_id', client.client_id);
-  authUrl.searchParams.set('redirect_uri', 'https://tester');
-  authUrl.searchParams.set('response_type', 'code');
-  authUrl.searchParams.set('scope', 'openid');
-  authUrl.searchParams.set('code_challenge', codeChallenge);
-  authUrl.searchParams.set('code_challenge_method', 'S256');
-  authUrl.searchParams.set('dpop_jkt', jkt);  // KEY: Include dpop_jkt!
-
-  const authRes = await fetch(authUrl, { redirect: 'manual' });
-  const interactionUrl = authRes.headers.get('location');
-  console.log('   Redirected to:', interactionUrl ? interactionUrl.substring(0, 50) + '...' : 'none');
-  console.log('   Status:', authRes.status, '\n');
-
-  // 5. Get interaction session cookie
-  const rawCookies = authRes.headers.get('set-cookie') || '';
-  // Extract just name=value from each Set-Cookie, ignore attributes
-  const cookieValues = rawCookies.split(/, (?=[^;]+=[^;]+)/).map(c => c.split(';')[0]).join('; ');
-  console.log('5. Got cookies:', cookieValues ? cookieValues.substring(0, 80) + '...' : 'none\n');
-
-  // 6. Login
-  console.log('6. Logging in...');
-  const uid = interactionUrl ? interactionUrl.match(/interaction\/([^/?]+)/)?.[1] : null;
-  if (!uid) {
-    console.log('   ERROR: No interaction UID found');
-    return;
-  }
-  const loginRes = await fetch(`${BASE}/idp/interaction/${uid}`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      Cookie: cookieValues,
-    },
-    body: JSON.stringify({ email: 'alice@example.com', password: 'alicepassword123' }),
-  });
-  let loginBody;
-  const loginText = await loginRes.text();
-  try {
-    loginBody = JSON.parse(loginText);
-  } catch (e) {
-    console.log('   Login response (text):', loginText.substring(0, 200));
-    return;
-  }
-  console.log('   Login response:', loginRes.status, loginBody.location ? loginBody.location.substring(0, 50) : '');
-
-  // 7. Follow auth resume
-  console.log('\n7. Following auth resume...');
-  const resumeUrl = loginBody.location;
-  if (!resumeUrl) {
-    console.log('   ERROR: No resume URL');
-    return;
-  }
-  const fullResumeUrl = resumeUrl.startsWith('http') ? resumeUrl : `${BASE}${resumeUrl}`;
-  const resumeRes = await fetch(fullResumeUrl, {
-    redirect: 'manual',
-    headers: { Cookie: cookieValues },
-  });
-  const callbackUrl = resumeRes.headers.get('location');
-  console.log('   Resume status:', resumeRes.status);
-  console.log('   Callback URL:', callbackUrl ? callbackUrl.substring(0, 80) + '...' : 'none');
-
-  // 8. Extract code
-  const codeMatch = callbackUrl ? callbackUrl.match(/code=([^&]+)/) : null;
-  const code = codeMatch ? codeMatch[1] : null;
-  if (!code) {
-    console.log('   ERROR: No code in callback');
-    return;
-  }
-  console.log('   Code:', code.substring(0, 20) + '...\n');
-
-  // 9. Token exchange with DPoP
-  console.log('8. Exchanging code for token (with DPoP)...');
-  const dpopProof = await createDpopProof(privateKey, publicJwk, 'POST', `${BASE}/idp/token`);
-  const tokenRes = await fetch(`${BASE}/idp/token`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded',
-      DPoP: dpopProof,
-    },
-    body: new URLSearchParams({
-      grant_type: 'authorization_code',
-      code: code,
-      redirect_uri: 'https://tester',
-      client_id: client.client_id,
-      code_verifier: codeVerifier,
-    }).toString(),
-  });
-
-  console.log('   Token response status:', tokenRes.status);
-  const tokenBody = await tokenRes.text();
-  console.log('   Token response:', tokenBody.substring(0, 300));
-}
-
-main().catch(err => {
-  console.error('Error:', err.message);
-  console.error(err.stack);
-});