javascript-solid-server 0.0.22 → 0.0.23

package/.claude/settings.local.json

@@ -72,7 +72,32 @@
       "WebFetch(domain:melvincarvalho.github.io)",
       "WebFetch(domain:dev.to)",
       "WebFetch(domain:solidproject.org)",
-      "WebFetch(domain:www.w3.org)"
+      "WebFetch(domain:www.w3.org)",
+      "Bash(wc:*)",
+      "Bash(TOKEN=\"eyJraW5kIjoyNzIzNSwidGFncyI6W1sidSIsImh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC9kZW1vL25vc3RyLXpvbmUvIl0sWyJtZXRob2QiLCJHRVQiXV0sImNyZWF0ZWRfYXQiOjE3NjY5MzQ1NjksImNvbnRlbnQiOiIiLCJwdWJrZXkiOiI4OTg5OWNmOWEyNGE5ZTdlMTNmODU3MGRkMGI1MmJiOTQyMjllNDI2OGM1MGQ1OWZhNjdhMzQ0MGQ0NmFhZTdkIiwiaWQiOiJiNTUyMDUyOTVmYmQwYzhjZDYwMzk1NTgwOWYxZGM5Y2MwMjdlY2U4N2NjYmNlNzcwNWY2MjdmNmQ0ODk1MGJkIiwic2lnIjoiOWYzN2Y0NzIyZDlkNmFmZGQ5OTNkYTM0MDg2MWQ2YzQ4MmY1NzQ1MmFmZTIwZmY2YmI5OTAxNGIwOTU3NjUwMWZiNTgyZjEzNzNlZmVhNjI4ZDI5ZjlhMzhmZTgyODU0ODlmMzAzYzlmYmJjYWE0OTQxZjUyZGZlMWYxNzVkOWMifQ==\")",
+      "WebFetch(domain:solid-lite.org)",
+      "Bash(git push:*)",
+      "WebFetch(domain:linkedwebstorage.com)",
+      "WebFetch(domain:w3c.github.io)",
+      "WebFetch(domain:socialdocs.org)",
+      "WebFetch(domain:nosdav.com)",
+      "WebFetch(domain:sandy-mount.com)",
+      "WebFetch(domain:ditto.pub)",
+      "WebFetch(domain:blocktrails.org)",
+      "WebFetch(domain:microfed.org)",
+      "WebFetch(domain:soliddocs.org)",
+      "WebFetch(domain:agenticalliance.com)",
+      "WebFetch(domain:activitypub.rocks)",
+      "WebFetch(domain:nostrgit.org)",
+      "Bash(convert:*)",
+      "WebFetch(domain:instantdomainsearch.com)",
+      "Bash(for domain in jss.dev jss.sh jss.io jss.app solidserver.dev solid-server.dev)",
+      "Bash(do echo -n '$domain: ')",
+      "Bash(whois $domain)",
+      "Bash(done)",
+      "Bash(for domain in jss.dev jss.sh jss.io jss.app solidserver.dev)",
+      "Bash(host:*)",
+      "WebFetch(domain:nostr-components.github.io)"
     ]
   }
 }

package/README.md

@@ -54,7 +54,7 @@ npm run benchmark
 
 ## Features
 
-### Implemented (v0.0.17)
+### Implemented (v0.0.23)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -66,11 +66,13 @@ npm run benchmark
 - **Container Management** - Create, list, and manage containers
 - **Multi-user Pods** - Path-based (`/alice/`) or subdomain-based (`alice.example.com`)
 - **Subdomain Mode** - XSS protection via origin isolation
-- **Mashlib Data Browser** - Optional SolidOS UI for browsing RDF resources
+- **Mashlib Data Browser** - Optional SolidOS UI (CDN or local hosting)
 - **WebID Profiles** - JSON-LD structured data in HTML at pod root
 - **Web Access Control (WAC)** - `.acl` file-based authorization
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
+- **NSS-style Registration** - Username/password auth compatible with Solid apps
+- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Optional Turtle <-> JSON-LD conversion
 - **CORS Support** - Full cross-origin resource sharing
@@ -139,8 +141,9 @@ jss --help             # Show help
 | `--idp-issuer <url>` | IdP issuer URL | (auto) |
 | `--subdomains` | Enable subdomain-based pods | false |
 | `--base-domain <domain>` | Base domain for subdomains | - |
-| `--mashlib` | Enable Mashlib data browser | false |
-| `--mashlib-version <ver>` | Mashlib version | 2.0.0 |
+| `--mashlib` | Enable Mashlib (local mode) | false |
+| `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
+| `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -407,24 +410,35 @@ createServer({
   notifications: false, // Enable WebSocket notifications (default: false)
   subdomains: false,   // Enable subdomain-based pods (default: false)
   baseDomain: null,    // Base domain for subdomains (e.g., "example.com")
-  mashlib: false,      // Enable Mashlib data browser (default: false)
-  mashlibVersion: '2.0.0', // Mashlib version to use
+  mashlib: false,      // Enable Mashlib data browser - local mode (default: false)
+  mashlibCdn: false,   // Enable Mashlib data browser - CDN mode (default: false)
+  mashlibVersion: '2.0.0', // Mashlib version for CDN mode
 });
 ```
 
 ### Mashlib Data Browser
 
-Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources:
+Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources. Two modes are available:
 
+**CDN Mode** (recommended for getting started):
 ```bash
-jss start --mashlib --conneg
+jss start --mashlib-cdn --conneg
 ```
+Loads mashlib from unpkg.com CDN. Zero footprint - no local files needed.
 
-When enabled, requesting an RDF resource with `Accept: text/html` returns an interactive data browser UI instead of raw data. Mashlib is loaded from the unpkg CDN.
+**Local Mode** (for production/offline):
+```bash
+jss start --mashlib --conneg
+```
+Serves mashlib from `src/mashlib-local/dist/`. Requires building mashlib locally:
+```bash
+cd src/mashlib-local
+npm install && npm run build
+```
 
 **How it works:**
 1. Browser requests `/alice/public/data.ttl` with `Accept: text/html`
-2. Server returns Mashlib HTML wrapper (loads JS/CSS from CDN)
+2. Server returns Mashlib HTML wrapper
 3. Mashlib fetches the actual data via content negotiation
 4. Mashlib renders an interactive, editable view
 

package/bin/jss.js

@@ -50,9 +50,10 @@ program
   .option('--subdomains', 'Enable subdomain-based pods (XSS protection)')
   .option('--no-subdomains', 'Disable subdomain-based pods')
   .option('--base-domain <domain>', 'Base domain for subdomain pods (e.g., "example.com")')
-  .option('--mashlib', 'Enable Mashlib data browser for RDF resources')
+  .option('--mashlib', 'Enable Mashlib data browser (local mode, requires mashlib in node_modules)')
+  .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
   .option('--no-mashlib', 'Disable Mashlib data browser')
-  .option('--mashlib-version <version>', 'Mashlib version to use (default: 2.0.0)')
+  .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -91,7 +92,8 @@ program
         root: config.root,
         subdomains: config.subdomains,
         baseDomain: config.baseDomain,
-        mashlib: config.mashlib,
+        mashlib: config.mashlib || config.mashlibCdn,
+        mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
       });
 
@@ -106,7 +108,11 @@ program
         if (config.notifications) console.log('  WebSocket: enabled');
         if (config.idp) console.log(`  IdP: ${idpIssuer}`);
         if (config.subdomains) console.log(`  Subdomains: ${config.baseDomain} (XSS protection enabled)`);
-        if (config.mashlib) console.log(`  Mashlib: v${config.mashlibVersion} (data browser enabled)`);
+        if (config.mashlibCdn) {
+          console.log(`  Mashlib: v${config.mashlibVersion} (CDN mode)`);
+        } else if (config.mashlib) {
+          console.log(`  Mashlib: local (data browser enabled)`);
+        }
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.22",
+  "version": "0.0.23",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -39,6 +39,7 @@ export const defaults = {
 
   // Mashlib data browser
   mashlib: false,
+  mashlibCdn: false,
   mashlibVersion: '2.0.0',
 
   // Logging
@@ -68,6 +69,7 @@ const envMap = {
   JSS_SUBDOMAINS: 'subdomains',
   JSS_BASE_DOMAIN: 'baseDomain',
   JSS_MASHLIB: 'mashlib',
+  JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
 };
 
@@ -201,6 +203,6 @@ export function printConfig(config) {
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
-  console.log(`  Mashlib:       ${config.mashlib ? `v${config.mashlibVersion}` : 'disabled'}`);
+  console.log(`  Mashlib:       ${config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
   console.log('─'.repeat(40));
 }

package/src/handlers/resource.js

@@ -145,7 +145,9 @@ export async function handleGet(request, reply) {
   // Check if we should serve Mashlib data browser
   // Only for RDF resources when Accept: text/html is requested
   if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
-    const html = generateDatabrowserHtml(resourceUrl, request.mashlibVersion);
+    // Pass CDN version if using CDN mode, null for local mode
+    const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
+    const html = generateDatabrowserHtml(resourceUrl, cdnVersion);
     const headers = getAllHeaders({
       isContainer: false,
       etag: stats.etag,
@@ -155,6 +157,10 @@ export async function handleGet(request, reply) {
       connegEnabled
     });
     headers['Vary'] = 'Accept';
+    headers['X-Frame-Options'] = 'DENY';
+    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
+    // Don't cache the HTML wrapper - always negotiate fresh
+    headers['Cache-Control'] = 'no-store';
 
     Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
     return reply.type('text/html').send(html);
@@ -191,7 +197,7 @@ export async function handleGet(request, reply) {
         resourceUrl,
         connegEnabled
       });
-      headers['Vary'] = getVaryHeader(connegEnabled);
+      headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
       Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
       return reply.send(outputContent);
@@ -209,7 +215,7 @@ export async function handleGet(request, reply) {
     resourceUrl,
     connegEnabled
   });
-  headers['Vary'] = getVaryHeader(connegEnabled);
+  headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
   return reply.send(content);
@@ -353,7 +359,7 @@ export async function handlePut(request, reply) {
   const origin = request.headers.origin;
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl, connegEnabled });
   headers['Location'] = resourceUrl;
-  headers['Vary'] = getVaryHeader(connegEnabled);
+  headers['Vary'] = getVaryHeader(connegEnabled, request.mashlibEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 

package/src/mashlib/index.js

@@ -6,51 +6,38 @@
  * we return this wrapper which then fetches and renders the data.
  */
 
-const CDN_BASE = 'https://unpkg.com/mashlib';
-
 /**
  * Generate Mashlib databrowser HTML
- * @param {string} resourceUrl - The URL of the resource being viewed
- * @param {string} version - Mashlib version (default: '2.0.0')
+ *
+ * @param {string} resourceUrl - The URL of the resource being viewed (unused, kept for API compatibility)
+ * @param {string} cdnVersion - If provided, load mashlib from unpkg CDN (e.g., "2.0.0")
  * @returns {string} HTML content
  */
-export function generateDatabrowserHtml(resourceUrl, version = '2.0.0') {
-  const cdnUrl = `${CDN_BASE}@${version}/dist`;
+export function generateDatabrowserHtml(resourceUrl, cdnVersion = null) {
+  if (cdnVersion) {
+    // CDN mode - use script.onload to ensure mashlib is fully loaded before init
+    // This avoids race conditions with defer + DOMContentLoaded
+    const cdnBase = `https://unpkg.com/mashlib@${cdnVersion}/dist`;
+    return `<!doctype html><html><head><meta charset="utf-8"/><title>SolidOS Web App</title>
+<link href="${cdnBase}/mash.css" rel="stylesheet"></head>
+<body id="PageBody"><header id="PageHeader"></header>
+<div class="TabulatorOutline" id="DummyUUID" role="main"><table id="outline"></table><div id="GlobalDashboard"></div></div>
+<footer id="PageFooter"></footer>
+<script>
+(function() {
+  var s = document.createElement('script');
+  s.src = '${cdnBase}/mashlib.min.js';
+  s.onload = function() { panes.runDataBrowser(); };
+  s.onerror = function() { document.body.innerHTML = '<p>Failed to load Mashlib from CDN</p>'; };
+  document.head.appendChild(s);
+})();
+</script></body></html>`;
+  }
 
-  return `<!doctype html>
-<html>
-<head>
-  <meta charset="utf-8"/>
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>SolidOS - ${escapeHtml(resourceUrl)}</title>
-  <script defer src="${cdnUrl}/mashlib.min.js"></script>
-  <link href="${cdnUrl}/mash.css" rel="stylesheet">
-  <script>
-    document.addEventListener('DOMContentLoaded', function() {
-      // runDataBrowser uses window.location to determine what to fetch
-      panes.runDataBrowser();
-    });
-  </script>
-  <style>
-    /* Loading indicator */
-    body:not(.loaded) #PageBody::before {
-      content: 'Loading SolidOS...';
-      display: block;
-      padding: 2em;
-      text-align: center;
-      color: #666;
-    }
-  </style>
-</head>
-<body id="PageBody">
-  <header id="PageHeader"></header>
-  <div class="TabulatorOutline" id="DummyUUID" role="main">
-    <table id="outline"></table>
-    <div id="GlobalDashboard"></div>
-  </div>
-  <footer id="PageFooter"></footer>
-</body>
-</html>`;
+  // Local mode - use defer (reliable when served locally)
+  return `<!doctype html><html><head><meta charset="utf-8"/><title>SolidOS Web App</title><script>document.addEventListener('DOMContentLoaded', function() {
+        panes.runDataBrowser()
+      })</script><script defer="defer" src="/mashlib.min.js"></script><link href="/mash.css" rel="stylesheet"></head><body id="PageBody"><header id="PageHeader"></header><div class="TabulatorOutline" id="DummyUUID" role="main"><table id="outline"></table><div id="GlobalDashboard"></div></div><footer id="PageFooter"></footer></body></html>`;
 }
 
 /**
@@ -61,11 +48,17 @@ export function generateDatabrowserHtml(resourceUrl, version = '2.0.0') {
  * @returns {boolean}
  */
 export function shouldServeMashlib(request, mashlibEnabled, contentType) {
+  const accept = request.headers.accept || '';
+  const secFetchDest = request.headers['sec-fetch-dest'] || '';
+
   if (!mashlibEnabled) {
     return false;
   }
 
-  const accept = request.headers.accept || '';
+  // Don't serve mashlib for iframe/embed requests (prevents recursive loop)
+  if (secFetchDest === 'iframe' || secFetchDest === 'embed' || secFetchDest === 'object') {
+    return false;
+  }
 
   // Must explicitly accept HTML
   if (!accept.includes('text/html')) {

package/src/rdf/conneg.js

@@ -188,9 +188,10 @@ export async function fromJsonLd(jsonLd, targetType, baseUri, connegEnabled = fa
 
 /**
  * Get Vary header value for content negotiation
+ * Include Accept when conneg or mashlib is enabled (response varies by Accept header)
  */
-export function getVaryHeader(connegEnabled) {
-  return connegEnabled ? 'Accept, Origin' : 'Origin';
+export function getVaryHeader(connegEnabled, mashlibEnabled = false) {
+  return (connegEnabled || mashlibEnabled) ? 'Accept, Origin' : 'Origin';
 }
 
 /**

package/src/server.js

@@ -1,4 +1,7 @@
 import Fastify from 'fastify';
+import { readFile } from 'fs/promises';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
 import { handleGet, handleHead, handlePut, handleDelete, handleOptions, handlePatch } from './handlers/resource.js';
 import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
@@ -6,6 +9,8 @@ import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
 /**
  * Create and configure Fastify server
  * @param {object} options - Server options
@@ -31,7 +36,9 @@ export function createServer(options = {}) {
   const subdomainsEnabled = options.subdomains ?? false;
   const baseDomain = options.baseDomain || null;
   // Mashlib data browser is OFF by default
+  // mashlibCdn: if true, load from CDN; if false, serve locally
   const mashlibEnabled = options.mashlib ?? false;
+  const mashlibCdn = options.mashlibCdn ?? false;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
 
   // Set data root via environment variable if provided
@@ -70,6 +77,7 @@ export function createServer(options = {}) {
   fastify.decorateRequest('baseDomain', null);
   fastify.decorateRequest('podName', null);
   fastify.decorateRequest('mashlibEnabled', null);
+  fastify.decorateRequest('mashlibCdn', null);
   fastify.decorateRequest('mashlibVersion', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
@@ -78,6 +86,7 @@ export function createServer(options = {}) {
     request.subdomainsEnabled = subdomainsEnabled;
     request.baseDomain = baseDomain;
     request.mashlibEnabled = mashlibEnabled;
+    request.mashlibCdn = mashlibCdn;
     request.mashlibVersion = mashlibVersion;
 
     // Extract pod name from subdomain if enabled
@@ -122,11 +131,13 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, and well-known endpoints
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, and well-known endpoints
+    const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     if (request.url === '/.pods' ||
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
-        request.url.startsWith('/.well-known/')) {
+        request.url.startsWith('/.well-known/') ||
+        mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;
     }
 
@@ -144,6 +155,30 @@ export function createServer(options = {}) {
   // Pod creation endpoint
   fastify.post('/.pods', handleCreatePod);
 
+  // Mashlib static files (served from root like NSS does)
+  if (mashlibEnabled) {
+    const mashlibDir = join(__dirname, 'mashlib-local', 'dist');
+    const mashlibFiles = {
+      '/mashlib.min.js': { file: 'mashlib.min.js', type: 'application/javascript' },
+      '/mashlib.min.js.map': { file: 'mashlib.min.js.map', type: 'application/json' },
+      '/mash.css': { file: 'mash.css', type: 'text/css' },
+      '/mash.css.map': { file: 'mash.css.map', type: 'application/json' },
+      '/841.mashlib.min.js': { file: '841.mashlib.min.js', type: 'application/javascript' },
+      '/841.mashlib.min.js.map': { file: '841.mashlib.min.js.map', type: 'application/json' }
+    };
+
+    for (const [path, config] of Object.entries(mashlibFiles)) {
+      fastify.get(path, async (request, reply) => {
+        try {
+          const content = await readFile(join(mashlibDir, config.file));
+          return reply.type(config.type).send(content);
+        } catch {
+          return reply.code(404).send({ error: 'Not Found' });
+        }
+      });
+    }
+  }
+
   // LDP routes - using wildcard routing
   fastify.get('/*', handleGet);
   fastify.head('/*', handleHead);

package/cth-config/application.yaml

@@ -1,2 +0,0 @@
-subjects: file:/config/test-subjects.ttl
-target: jss

package/cth-config/jss.ttl

@@ -1,6 +0,0 @@
-@prefix test-harness: <https://github.com/solid-contrib/specification-tests/> .
-@prefix solid-test: <https://github.com/solid-contrib/specification-tests/blob/main/vocab.ttl#> .
-
-<jss>
-    a solid-test:TestSubject ;
-    solid-test:serverRoot <http://localhost:4000/> .

package/cth-config/test-subjects.ttl

@@ -1,14 +0,0 @@
-@prefix doap: <http://usefulinc.com/ns/doap#> .
-@prefix earl: <http://www.w3.org/ns/earl#> .
-@prefix solid-test: <https://github.com/solid-contrib/specification-tests/blob/main/vocab.ttl#> .
-@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
-@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
-
-<jss>
-    a earl:Software, earl:TestSubject ;
-    doap:name "JavaScript Solid Server" ;
-    doap:description "A minimal, fast, JSON-LD native Solid server" ;
-    doap:programming-language "JavaScript" ;
-    solid-test:serverRoot <http://localhost:4000/> ;
-    solid-test:skip "acp" ;
-    rdfs:comment "Uses WAC for access control" .

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -1,3 +0,0 @@
-{
-  "credtest@example.com": "ba3591b1-4653-4c64-9661-57dc355e5acc"
-}

package/test-data-idp-accounts/.idp/accounts/_username_index.json

@@ -1,3 +0,0 @@
-{
-  "credtest": "ba3591b1-4653-4c64-9661-57dc355e5acc"
-}

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -1,3 +0,0 @@
-{
-  "http://localhost:3101/credtest/#me": "ba3591b1-4653-4c64-9661-57dc355e5acc"
-}

package/test-data-idp-accounts/.idp/accounts/ba3591b1-4653-4c64-9661-57dc355e5acc.json

@@ -1,10 +0,0 @@
-{
-  "id": "ba3591b1-4653-4c64-9661-57dc355e5acc",
-  "username": "credtest",
-  "email": "credtest@example.com",
-  "passwordHash": "$2b$10$tFYM8KuMVTFRpVMqZOYR4OKNreNLgCBqzZVTNAhpdBFUmGH1MFNBu",
-  "webId": "http://localhost:3101/credtest/#me",
-  "podName": "credtest",
-  "createdAt": "2025-12-28T14:20:02.176Z",
-  "lastLogin": "2025-12-28T14:20:02.579Z"
-}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -1,22 +0,0 @@
-{
-  "jwks": {
-    "keys": [
-      {
-        "kty": "EC",
-        "x": "Aa7l5-YrS54RU8xPfEphUTRwNBzSm6lxm84aqKjfrSg",
-        "y": "tWi_lhjqQhd43KdK5YqDg7ZzRSUZo3L0ytbiBTdPOWs",
-        "crv": "P-256",
-        "d": "x6NqVSfA241O10u9Qp4m0dQZsTNYw-Hku3r0eu47VZE",
-        "kid": "ed46f7df-3010-43da-9032-e0acaee4d3e1",
-        "use": "sig",
-        "alg": "ES256",
-        "iat": 1766931602
-      }
-    ]
-  },
-  "cookieKeys": [
-    "Vb3JNLAlJHCOu5u73eUA_rzlc9aJ0_WCQCu9RWV5WL4",
-    "5xCVtYihgadSlvy1QRD_DcU4_9mI_Ggn0DrngzPdiyM"
-  ],
-  "createdAt": "2025-12-28T14:20:02.080Z"
-}

package/test-dpop-flow.js

@@ -1,148 +0,0 @@
-import * as jose from 'jose';
-import crypto from 'crypto';
-
-const BASE = 'http://localhost:4000';
-
-// Create DPoP proof
-async function createDpopProof(privateKey, publicJwk, method, url, ath = null) {
-  const payload = {
-    jti: crypto.randomUUID(),
-    htm: method,
-    htu: url,
-    iat: Math.floor(Date.now() / 1000),
-  };
-  if (ath) payload.ath = ath;
-
-  return new jose.SignJWT(payload)
-    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
-    .sign(privateKey);
-}
-
-async function main() {
-  console.log('=== Testing DPoP Auth Flow ===\n');
-
-  // 1. Generate key pair
-  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
-  const publicJwk = await jose.exportJWK(publicKey);
-  const jkt = await jose.calculateJwkThumbprint(publicJwk, 'sha256');
-  console.log('1. Generated DPoP key pair, thumbprint:', jkt.substring(0, 20) + '...\n');
-
-  // 2. Register client dynamically
-  console.log('2. Registering client...');
-  const regRes = await fetch(`${BASE}/idp/reg`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      redirect_uris: ['https://tester'],
-      token_endpoint_auth_method: 'none',
-      grant_types: ['authorization_code'],
-      response_types: ['code'],
-    }),
-  });
-  const client = await regRes.json();
-  console.log('   Client ID:', client.client_id, '\n');
-
-  // 3. Generate PKCE
-  const codeVerifier = crypto.randomBytes(32).toString('base64url');
-  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
-  console.log('3. Generated PKCE challenge\n');
-
-  // 4. Authorization request - WITH dpop_jkt parameter
-  console.log('4. Starting authorization (with dpop_jkt)...');
-  const authUrl = new URL(`${BASE}/idp/auth`);
-  authUrl.searchParams.set('client_id', client.client_id);
-  authUrl.searchParams.set('redirect_uri', 'https://tester');
-  authUrl.searchParams.set('response_type', 'code');
-  authUrl.searchParams.set('scope', 'openid');
-  authUrl.searchParams.set('code_challenge', codeChallenge);
-  authUrl.searchParams.set('code_challenge_method', 'S256');
-  authUrl.searchParams.set('dpop_jkt', jkt);  // KEY: Include dpop_jkt!
-
-  const authRes = await fetch(authUrl, { redirect: 'manual' });
-  const interactionUrl = authRes.headers.get('location');
-  console.log('   Redirected to:', interactionUrl ? interactionUrl.substring(0, 50) + '...' : 'none');
-  console.log('   Status:', authRes.status, '\n');
-
-  // 5. Get interaction session cookie
-  const rawCookies = authRes.headers.get('set-cookie') || '';
-  // Extract just name=value from each Set-Cookie, ignore attributes
-  const cookieValues = rawCookies.split(/, (?=[^;]+=[^;]+)/).map(c => c.split(';')[0]).join('; ');
-  console.log('5. Got cookies:', cookieValues ? cookieValues.substring(0, 80) + '...' : 'none\n');
-
-  // 6. Login
-  console.log('6. Logging in...');
-  const uid = interactionUrl ? interactionUrl.match(/interaction\/([^/?]+)/)?.[1] : null;
-  if (!uid) {
-    console.log('   ERROR: No interaction UID found');
-    return;
-  }
-  const loginRes = await fetch(`${BASE}/idp/interaction/${uid}`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      Cookie: cookieValues,
-    },
-    body: JSON.stringify({ email: 'alice@example.com', password: 'alicepassword123' }),
-  });
-  let loginBody;
-  const loginText = await loginRes.text();
-  try {
-    loginBody = JSON.parse(loginText);
-  } catch (e) {
-    console.log('   Login response (text):', loginText.substring(0, 200));
-    return;
-  }
-  console.log('   Login response:', loginRes.status, loginBody.location ? loginBody.location.substring(0, 50) : '');
-
-  // 7. Follow auth resume
-  console.log('\n7. Following auth resume...');
-  const resumeUrl = loginBody.location;
-  if (!resumeUrl) {
-    console.log('   ERROR: No resume URL');
-    return;
-  }
-  const fullResumeUrl = resumeUrl.startsWith('http') ? resumeUrl : `${BASE}${resumeUrl}`;
-  const resumeRes = await fetch(fullResumeUrl, {
-    redirect: 'manual',
-    headers: { Cookie: cookieValues },
-  });
-  const callbackUrl = resumeRes.headers.get('location');
-  console.log('   Resume status:', resumeRes.status);
-  console.log('   Callback URL:', callbackUrl ? callbackUrl.substring(0, 80) + '...' : 'none');
-
-  // 8. Extract code
-  const codeMatch = callbackUrl ? callbackUrl.match(/code=([^&]+)/) : null;
-  const code = codeMatch ? codeMatch[1] : null;
-  if (!code) {
-    console.log('   ERROR: No code in callback');
-    return;
-  }
-  console.log('   Code:', code.substring(0, 20) + '...\n');
-
-  // 9. Token exchange with DPoP
-  console.log('8. Exchanging code for token (with DPoP)...');
-  const dpopProof = await createDpopProof(privateKey, publicJwk, 'POST', `${BASE}/idp/token`);
-  const tokenRes = await fetch(`${BASE}/idp/token`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded',
-      DPoP: dpopProof,
-    },
-    body: new URLSearchParams({
-      grant_type: 'authorization_code',
-      code: code,
-      redirect_uri: 'https://tester',
-      client_id: client.client_id,
-      code_verifier: codeVerifier,
-    }).toString(),
-  });
-
-  console.log('   Token response status:', tokenRes.status);
-  const tokenBody = await tokenRes.text();
-  console.log('   Token response:', tokenBody.substring(0, 300));
-}
-
-main().catch(err => {
-  console.error('Error:', err.message);
-  console.error(err.stack);
-});

package/test-nostr-acl.js

@@ -1,144 +0,0 @@
-/**
- * Test script for did:nostr in ACL files
- *
- * Tests:
- * 1. Create a container with restricted access
- * 2. Set ACL with did:nostr agent
- * 3. Verify Nostr auth grants access
- */
-
-import { generateSecretKey, getPublicKey, finalizeEvent } from 'nostr-tools';
-import { getToken } from 'nostr-tools/nip98';
-
-const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
-
-async function main() {
-  console.log('=== did:nostr ACL Authorization Test ===\n');
-
-  // Generate a keypair for testing
-  const sk = generateSecretKey();
-  const pk = getPublicKey(sk);
-  const didNostr = `did:nostr:${pk}`;
-
-  console.log('1. Generated keypair');
-  console.log(`   Pubkey: ${pk.slice(0, 16)}...`);
-  console.log(`   DID:    ${didNostr.slice(0, 24)}...\n`);
-
-  // Create a unique test container
-  const testPath = `/demo/nostr-acl-test-${Date.now()}/`;
-  const containerUrl = `${BASE_URL}${testPath}`;
-
-  console.log(`2. Creating test container: ${testPath}`);
-
-  // Create container (unauthenticated - should work on public parent)
-  const createRes = await fetch(containerUrl, {
-    method: 'PUT',
-    headers: { 'Content-Type': 'text/turtle' },
-    body: ''
-  });
-
-  if (!createRes.ok && createRes.status !== 201) {
-    console.log(`   Failed to create container: ${createRes.status}`);
-    // Try anyway
-  } else {
-    console.log(`   Created: ${createRes.status}\n`);
-  }
-
-  // Create ACL with did:nostr agent (Turtle format)
-  const aclUrl = `${containerUrl}.acl`;
-  const aclContent = `
-@prefix acl: <http://www.w3.org/ns/auth/acl#>.
-
-<#nostrAccess>
-    a acl:Authorization;
-    acl:agent <${didNostr}>;
-    acl:accessTo <${containerUrl}>;
-    acl:default <${containerUrl}>;
-    acl:mode acl:Read, acl:Write, acl:Control.
-`;
-
-  console.log('3. Creating ACL with did:nostr agent');
-  console.log(`   ACL URL: ${aclUrl}`);
-  console.log(`   Agent: ${didNostr.slice(0, 40)}...`);
-
-  const aclRes = await fetch(aclUrl, {
-    method: 'PUT',
-    headers: { 'Content-Type': 'text/turtle' },
-    body: aclContent
-  });
-
-  console.log(`   ACL created: ${aclRes.status}\n`);
-
-  // Verify ACL was saved correctly
-  console.log('4. Verifying ACL content');
-  const aclCheck = await fetch(aclUrl, {
-    headers: { 'Accept': 'text/turtle' }
-  });
-  const savedAcl = await aclCheck.text();
-  console.log(`   ACL response: ${aclCheck.status}`);
-  console.log(`   Contains did:nostr: ${savedAcl.includes('did:nostr:')}\n`);
-
-  // Test 1: Access WITHOUT auth (should be denied)
-  console.log('5. Testing access WITHOUT auth (should be 401/403)...');
-  const noAuthRes = await fetch(containerUrl);
-  console.log(`   Status: ${noAuthRes.status} ${noAuthRes.status === 401 || noAuthRes.status === 403 ? '✓' : '✗'}\n`);
-
-  // Test 2: Access WITH correct Nostr auth
-  console.log('6. Testing access WITH correct Nostr auth...');
-  const token = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, sk));
-
-  const authRes = await fetch(containerUrl, {
-    headers: {
-      'Authorization': `Nostr ${token}`,
-      'Accept': 'text/turtle'
-    }
-  });
-
-  console.log(`   Status: ${authRes.status}`);
-
-  if (authRes.status === 200) {
-    console.log('   ✓ ACCESS GRANTED - did:nostr ACL working!\n');
-  } else {
-    console.log('   ✗ Access denied');
-    const body = await authRes.text();
-    console.log(`   Body: ${body.slice(0, 200)}\n`);
-  }
-
-  // Test 3: Access with DIFFERENT Nostr key (should be denied)
-  console.log('7. Testing with DIFFERENT Nostr key (should be denied)...');
-  const wrongSk = generateSecretKey();
-  const wrongToken = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, wrongSk));
-
-  const wrongAuthRes = await fetch(containerUrl, {
-    headers: {
-      'Authorization': `Nostr ${wrongToken}`,
-      'Accept': 'text/turtle'
-    }
-  });
-
-  console.log(`   Status: ${wrongAuthRes.status} ${wrongAuthRes.status === 403 ? '✓' : '✗'}\n`);
-
-  // Clean up
-  console.log('8. Cleaning up test container...');
-  const deleteToken = await getToken(containerUrl, 'DELETE', (event) => finalizeEvent(event, sk));
-  const deleteRes = await fetch(containerUrl, {
-    method: 'DELETE',
-    headers: { 'Authorization': `Nostr ${deleteToken}` }
-  });
-  console.log(`   Delete: ${deleteRes.status}\n`);
-
-  // Summary
-  console.log('=== Test Summary ===');
-  console.log(`No auth:     ${noAuthRes.status === 401 || noAuthRes.status === 403 ? 'PASS' : 'FAIL'} (${noAuthRes.status})`);
-  console.log(`Correct key: ${authRes.status === 200 ? 'PASS' : 'FAIL'} (${authRes.status})`);
-  console.log(`Wrong key:   ${wrongAuthRes.status === 403 ? 'PASS' : 'FAIL'} (${wrongAuthRes.status})`);
-
-  const allPassed = (noAuthRes.status === 401 || noAuthRes.status === 403) &&
-                    authRes.status === 200 &&
-                    wrongAuthRes.status === 403;
-
-  console.log(`\nOverall: ${allPassed ? 'ALL TESTS PASSED ✓' : 'SOME TESTS FAILED ✗'}`);
-  process.exit(allPassed ? 0 : 1);
-}
-
-main().catch(console.error);