javascript-solid-server 0.0.36 → 0.0.38

package/.claude/settings.local.json

@@ -114,7 +114,12 @@
       "Bash(if [ ! -d \"jose\" ])",
       "Bash(then git clone --depth 1 --branch v0.7.0 https://github.com/solid/jose.git)",
       "Bash(fi)",
-      "Bash(timeout 45 node:*)"
+      "Bash(timeout 45 node:*)",
+      "Bash(gh issue list:*)",
+      "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)",
+      "Bash(pm2 show:*)",
+      "Bash(git config:*)",
+      "Bash(npm version:*)"
     ]
   }
 }

package/README.md

@@ -4,7 +4,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.31)
+### Implemented (v0.0.37)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -19,13 +19,15 @@ A minimal, fast, JSON-LD native Solid server.
 - **Mashlib Data Browser** - Optional SolidOS UI (CDN or local hosting)
 - **WebID Profiles** - HTML with JSON-LD data islands, rendered with mashlib-jss + solidos-lite
 - **Web Access Control (WAC)** - `.acl` file-based authorization
-- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
+- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
 - **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
+- **Git HTTP Backend** - Clone and push to containers via `git` protocol
+- **Security** - Blocks access to dotfiles (`.git/`, `.env`, etc.) except Solid-specific ones
 
 ### HTTP Methods
 
@@ -94,6 +96,7 @@ jss --help             # Show help
 | `--mashlib` | Enable Mashlib (local mode) | false |
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
+| `--git` | Enable Git HTTP backend | false |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -318,6 +321,93 @@ Server: ack http://localhost:3000/alice/public/data.json
 Server: pub http://localhost:3000/alice/public/data.json  (on change)
 ```
 
+## Git Support
+
+Enable Git HTTP backend to clone and push to pod containers:
+
+```bash
+jss start --git
+```
+
+### Initialize a Repository
+
+```bash
+# Create a git repo in a pod container
+cd data/alice/myrepo
+git init
+echo "# My Project" > README.md
+git add . && git commit -m "Initial commit"
+```
+
+### Clone and Push
+
+```bash
+# Clone (public read access)
+git clone http://localhost:3000/alice/myrepo
+
+# Push (requires write access via WAC)
+cd myrepo
+echo "New content" >> README.md
+git add . && git commit -m "Update"
+git push
+```
+
+Git operations respect WAC permissions - clone requires Read access, push requires Write access.
+
+### Git Push with Nostr Authentication
+
+Git push supports NIP-98 authentication via Basic Auth. Create a credential helper:
+
+```javascript
+// git-credential-nostr.js
+import { getPublicKey, finalizeEvent } from 'nostr-tools/pure';
+import { hexToBytes } from '@noble/hashes/utils';
+import fs from 'fs';
+import readline from 'readline';
+
+const sk = hexToBytes(fs.readFileSync('.nostr-key', 'utf8').trim());
+const rl = readline.createInterface({ input: process.stdin });
+const params = {};
+for await (const line of rl) {
+  if (!line) break;
+  const [key, ...vals] = line.split('=');
+  params[key] = vals.join('=');
+}
+
+if (params.protocol && params.host) {
+  let path = params.path || '/';
+  path = path.replace(/\/info\/refs$/, '').replace(/\/git-.*$/, '');
+  const baseUrl = `${params.protocol}://${params.host}${path}`;
+
+  const event = finalizeEvent({
+    kind: 27235,
+    created_at: Math.floor(Date.now() / 1000),
+    tags: [['u', baseUrl], ['method', '*']],
+    content: ''
+  }, sk);
+
+  console.log('username=nostr');
+  console.log('password=' + Buffer.from(JSON.stringify(event)).toString('base64'));
+}
+```
+
+Configure git to use it:
+
+```bash
+git config credential.helper 'node /path/to/git-credential-nostr.js'
+```
+
+Add the Nostr identity to your ACL:
+
+```turtle
+<#nostr-writer>
+    a acl:Authorization;
+    acl:agent <did:nostr:YOUR_64_CHAR_HEX_PUBKEY>;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read, acl:Write.
+```
+
 ## Authentication
 
 ### Simple Tokens (Development)
@@ -531,7 +621,8 @@ src/
 ├── server.js             # Fastify setup
 ├── handlers/
 │   ├── resource.js       # GET, PUT, DELETE, HEAD, PATCH
-│   └── container.js      # POST, pod creation
+│   ├── container.js      # POST, pod creation
+│   └── git.js            # Git HTTP backend
 ├── storage/
 │   └── filesystem.js     # File operations
 ├── auth/

package/bin/jss.js

@@ -54,6 +54,8 @@ program
   .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
   .option('--no-mashlib', 'Disable Mashlib data browser')
   .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
+  .option('--git', 'Enable Git HTTP backend (clone/push support)')
+  .option('--no-git', 'Disable Git HTTP backend')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -95,6 +97,7 @@ program
         mashlib: config.mashlib || config.mashlibCdn,
         mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
+        git: config.git,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -113,6 +116,7 @@ program
         } else if (config.mashlib) {
           console.log(`  Mashlib: local (data browser enabled)`);
         }
+        if (config.git) console.log('  Git: enabled (clone/push support)');
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/data/.idp/keys/jwks.json

@@ -0,0 +1,37 @@
+{
+  "jwks": {
+    "keys": [
+      {
+        "kty": "RSA",
+        "n": "zVVbuPqzcpJI4er_VpHQQd8UgRDI-PcLlwUGRG3DGqMvAWzB4UX2m5e5Uhc2vnzBC2U_1bZ5u3ovhZZhXqqj0ItBTOWjhjOZz4YpaPiwM68sqp_JUNNZPSLljhXnEhEv8q57Wcl0N8orJeuSmfjh7shsLKN-3nbWjCbQr4oAUneQ_2HNvazUTgRLKYCniS0SaI_ogTwuIJlNdFIc3FAHs4yNoSaXZDkdGWhGn49wYdB58nkjJ2ja8wc-rwNtcKEG7HZWNhoVCredav9jswWgAGodJofAxP_PCjguqn6-TzvGodXM3p0Rj1qaf27Ok39GbtOEwX4upwFKj-yJaZETQQ",
+        "e": "AQAB",
+        "d": "BAgqbUkP876bW4NMqP-jPB3kJk4k8h2QvtIIj9iraXcdlcyzyGeCKoc5ynq99pLWzBFchebnwEaLjxcXOZ-GaLKJUVgbhEe4XBa1crQaaqNkkEOjtXh28sBAC3CS6VwIyd5C-g3-gBdyTjPwXKFiV1jcZep-c-IXv6gF9kJyk-vv3aT6VabcqRBOk4PeNxL_VJt65x5JQBqyV06fv7OBrt15ez0dZL-fYMPhMhBZom0YGCkMVAC4VHAOmoVuHk3hQQCQv5x9-hq27qfgHAlkSKxTEDp2aJi4nIfzqEnFHrBqB9BwR0JEyV3ankVPzBcfEGffi5XY3kWK3EDE3oX9SQ",
+        "p": "6ZGd_spW6xSiTNwlU-to7Qr06dr1hXzWLyFbJM9_APFxE761WJtAsN50oNg-rKRQk2JdlC0N04OFYWBED-pvJ0AIEVnKJfWsxEQaBkRueZefUcf-0L1M2Q7-LQdqz9qTR3hSZ42lJhPKMdLRI2WrxTz1v1p0w0yl3bwcbBRLtTk",
+        "q": "4Q2QFyMKQUQhr4-JlQbI3VtBhfP-65oZg-13hG5Xc9kT0qo_-79YCK_4wMUX4WaSH6fG6lobTgZento3d6MXCAFpEl8WM4uRRNlzTLCC2FDZXms8i6hJHN89QFPLEPQd5bDXsw8pmA3ANIeHcwzR243VuWAYeQfeOJ-qymUjlkk",
+        "dp": "AUldDm885VSaxEOeLQUp8cxSpwseuRqD74SGhQBjmbS6w7oUM6W_SHohOFWYmsjY7Mbo7w0Ee3rI_E1UcqX-8L9oi_frpiPhTL93STuNRDwyk3e_jpTMXJG5krPswbJZh1ZBVfKwyzHmtjmMD17bAF4imGg-JmlArKUBnxLJi_k",
+        "dq": "A6Z7qtRnqy1WuolCewdUJLsBMhIGFX43YbttT9mWU4u21ZjrVsMAw4tPJplLzN0kC51mDZEOllJmIH97nNYpXnjfYmvmaUmfPpWkWB8Y0Ddnfy-QGNfO78fzL2LsjUbYYUxgA0iArTWz42Y7XTNdCAmh6NLVMslc4mA8nfHMBPk",
+        "qi": "Wikwy4ljfyLLHDO1Fpm2hn-_G7rWbwOP0ANJzY62cIEorbyyr4zAaaPflGMrDJHadlLdww_x2L1g2lNePN7mY97kFJVL0ceuwUmxDr434LqyRZWTrTP5qP6vrkjGjMImBuJEftXdOyJElcqHgtpvltydZRjlvhugnxcOKRble3Y",
+        "kid": "509868cc-c850-4708-9331-8e38273df4db",
+        "use": "sig",
+        "alg": "RS256",
+        "iat": 1767263929
+      },
+      {
+        "kty": "EC",
+        "x": "KSGjhPP_QyoqHu8v891hEk_TsF5yuQUN0hFBY_qq26o",
+        "y": "aTYYEwxOR0tM82FtJoCVJ7u8xtf3y0exoWVJzJAZQ24",
+        "crv": "P-256",
+        "d": "Mkm_Oh4_emAzg2MbxoMuHcJZo3E-O_-YlK8mlSHWU8M",
+        "kid": "92009452-c551-4389-97fd-314ddd59b7d4",
+        "use": "sig",
+        "alg": "ES256",
+        "iat": 1767263929
+      }
+    ]
+  },
+  "cookieKeys": [
+    "IiO299-8bui4UVILu0azGvlCnNTckSGMPMPQSG2HqHw",
+    "NbeOVkfw-xN9T4J0_1uzAmDp6tYOwFW-yTJLSd7nqDU"
+  ],
+  "createdAt": "2026-01-01T10:38:49.528Z"
+}

package/docs/git-support.md

@@ -0,0 +1,283 @@
+# Adding Git Support to a Solid Server
+
+This guide explains how to add Git HTTP backend support to a Solid server, enabling `git clone` and `git push` operations on pod containers.
+
+## Overview
+
+The Git HTTP protocol allows clients to clone and push to repositories over HTTP. This is implemented using Git's built-in `git http-backend` CGI program - the same one used by Apache and Nginx.
+
+### How It Works
+
+```
+┌─────────────┐     HTTP      ┌──────────────┐     CGI      ┌─────────────────┐
+│  Git Client │ ─────────────▶│ Solid Server │ ────────────▶│ git http-backend│
+│             │◀───────────── │              │◀──────────── │                 │
+└─────────────┘               └──────────────┘              └─────────────────┘
+```
+
+**Clone flow:**
+1. `GET /repo/info/refs?service=git-upload-pack` - Discovery
+2. `POST /repo/git-upload-pack` - Fetch objects
+
+**Push flow:**
+1. `GET /repo/info/refs?service=git-receive-pack` - Discovery
+2. `POST /repo/git-receive-pack` - Send objects
+
+## Implementation
+
+### 1. Detect Git Requests
+
+Git protocol requests are identified by URL patterns:
+
+```javascript
+function isGitRequest(urlPath) {
+  return urlPath.includes('/info/refs') ||
+    urlPath.includes('/git-upload-pack') ||
+    urlPath.includes('/git-receive-pack');
+}
+
+function isGitWriteOperation(urlPath) {
+  return urlPath.includes('/git-receive-pack');
+}
+```
+
+### 2. Security: Block Direct .git Access
+
+**Important:** Git protocol requests should be allowed, but direct file access to `.git/` contents must be blocked:
+
+```javascript
+// BLOCK: Direct access to .git contents (security risk)
+GET /.git/config         → 403 Forbidden
+GET /.git/objects/abc123 → 403 Forbidden
+
+// ALLOW: Git protocol (handled by git http-backend)
+GET /repo/info/refs?service=git-upload-pack → 200 OK
+POST /repo/git-upload-pack                   → 200 OK
+```
+
+### 3. Authorization with WAC
+
+Check permissions before allowing git operations:
+
+```javascript
+// Clone/fetch requires Read access
+// Push requires Write access
+
+const needsWrite = isGitWriteOperation(request.url);
+const requiredMode = needsWrite ? 'write' : 'read';
+
+const { allowed } = await checkAccess({
+  resourceUrl,
+  resourcePath,
+  agentWebId: request.webId,
+  requiredMode
+});
+
+if (!allowed) {
+  return reply.code(needsWrite ? 403 : 401).send({
+    error: needsWrite ? 'Write access required' : 'Read access required'
+  });
+}
+```
+
+### 4. Git HTTP Backend Handler
+
+The core handler spawns `git http-backend` with CGI environment variables:
+
+```javascript
+import { spawn } from 'child_process';
+
+async function handleGit(request, reply) {
+  const urlPath = decodeURIComponent(request.url.split('?')[0]);
+  const queryString = request.url.split('?')[1] || '';
+
+  // Build CGI environment
+  const env = {
+    ...process.env,
+    GIT_PROJECT_ROOT: dataRoot,           // Where repos are stored
+    GIT_HTTP_EXPORT_ALL: '',              // Allow read access
+    GIT_HTTP_RECEIVE_PACK: 'true',        // Enable push
+    PATH_INFO: urlPath,
+    REQUEST_METHOD: request.method,
+    CONTENT_TYPE: request.headers['content-type'] || '',
+    QUERY_STRING: queryString,
+    CONTENT_LENGTH: request.headers['content-length'] || '0',
+  };
+
+  // For non-bare repos, set GIT_DIR to .git subdirectory
+  if (isRegularRepo) {
+    env.GIT_DIR = path.join(repoPath, '.git');
+  }
+
+  // Spawn git http-backend
+  const child = spawn('git', ['http-backend'], { env });
+
+  // Send request body (for POST requests)
+  if (request.body && request.body.length > 0) {
+    child.stdin.write(request.body);
+  }
+  child.stdin.end();
+
+  // Parse CGI response and send to client
+  // ... (see full implementation below)
+}
+```
+
+### 5. CGI Response Parsing
+
+Git http-backend outputs CGI format (headers + body). Parse and forward:
+
+```javascript
+let buffer = Buffer.alloc(0);
+let headersSent = false;
+
+child.stdout.on('data', (data) => {
+  buffer = Buffer.concat([buffer, data]);
+
+  if (!headersSent) {
+    // Find header/body separator (try both \r\n\r\n and \n\n)
+    let headerEnd = buffer.indexOf('\r\n\r\n');
+    let sep = '\r\n';
+    let sepLen = 4;
+
+    if (headerEnd === -1) {
+      headerEnd = buffer.indexOf('\n\n');
+      sep = '\n';
+      sepLen = 2;
+    }
+
+    if (headerEnd !== -1) {
+      const headerSection = buffer.subarray(0, headerEnd).toString();
+      const bodySection = buffer.subarray(headerEnd + sepLen);
+
+      // Parse CGI headers
+      for (const line of headerSection.split(sep)) {
+        const colonIdx = line.indexOf(':');
+        if (colonIdx > 0) {
+          const key = line.substring(0, colonIdx).trim();
+          const value = line.substring(colonIdx + 1).trim();
+
+          if (key.toLowerCase() === 'status') {
+            statusCode = parseInt(value.split(' ')[0], 10);
+          } else {
+            reply.raw.setHeader(key, value);
+          }
+        }
+      }
+
+      reply.raw.writeHead(statusCode);
+      reply.raw.write(bodySection);
+      headersSent = true;
+    }
+  } else {
+    reply.raw.write(buffer);
+  }
+  buffer = Buffer.alloc(0);
+});
+
+child.stdout.on('end', () => {
+  reply.raw.end();
+});
+```
+
+## Repository Setup
+
+### Regular Repository (with working directory)
+
+```bash
+cd /path/to/pod/myrepo
+git init
+echo "# My Project" > README.md
+git add .
+git commit -m "Initial commit"
+```
+
+### Bare Repository (server-only, more efficient)
+
+```bash
+cd /path/to/pod
+git init --bare myrepo.git
+```
+
+### ACL for Public Clone
+
+Create `/path/to/pod/myrepo/.acl`:
+
+```turtle
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read.
+```
+
+### ACL for Authenticated Push
+
+```turtle
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#owner>
+    a acl:Authorization;
+    acl:agent <https://alice.example.com/#me>;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read, acl:Write, acl:Control.
+
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read.
+```
+
+## Usage
+
+### Server
+
+```bash
+# Start server with git support enabled
+jss start --git
+
+# Or via environment variable
+JSS_GIT=true jss start
+```
+
+### Client
+
+```bash
+# Clone
+git clone http://localhost:3000/myrepo
+
+# Clone with authentication (if required)
+git clone http://localhost:3000/myrepo
+# Git will prompt for credentials
+
+# Push (requires write access)
+cd myrepo
+echo "New content" >> README.md
+git add .
+git commit -m "Update readme"
+git push
+```
+
+## Complete Handler Code
+
+See `src/handlers/git.js` in the JSS repository for the full implementation.
+
+## References
+
+- [Git HTTP Protocol](https://git-scm.com/book/en/v2/Git-on-the-Server-Smart-HTTP)
+- [git-http-backend documentation](https://git-scm.com/docs/git-http-backend)
+- [CGI Specification](https://www.rfc-editor.org/rfc/rfc3875)
+- [Web Access Control (WAC)](https://solidproject.org/TR/wac)
+
+## Prior Art
+
+- [nosdav/server](https://github.com/nosdav/server) - Git support implementation
+- [QuitStore](https://github.com/AKSW/QuitStore) - Git + RDF versioning

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.36",
+  "version": "0.0.38",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/nostr.js

@@ -22,24 +22,58 @@ const TIMESTAMP_TOLERANCE = 60;
 
 /**
  * Check if request has Nostr authentication
+ * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
+ * The Basic format allows git clients to authenticate via NIP-98
  * @param {object} request - Fastify request object
  * @returns {boolean}
  */
 export function hasNostrAuth(request) {
   const authHeader = request.headers.authorization;
-  return authHeader && authHeader.startsWith('Nostr ');
+  if (!authHeader) return false;
+
+  // Direct Nostr header
+  if (authHeader.startsWith('Nostr ')) return true;
+
+  // Basic auth with username=nostr (for git clients)
+  if (authHeader.startsWith('Basic ')) {
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
+      return decoded.startsWith('nostr:');
+    } catch {
+      return false;
+    }
+  }
+
+  return false;
 }
 
 /**
  * Extract token from Nostr authorization header
+ * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
  * @param {string} authHeader - Authorization header value
  * @returns {string|null}
  */
 export function extractNostrToken(authHeader) {
-  if (!authHeader || !authHeader.startsWith('Nostr ')) {
-    return null;
+  if (!authHeader) return null;
+
+  // Direct Nostr header
+  if (authHeader.startsWith('Nostr ')) {
+    return authHeader.slice(6).trim();
+  }
+
+  // Basic auth with username=nostr, password=token
+  if (authHeader.startsWith('Basic ')) {
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
+      if (decoded.startsWith('nostr:')) {
+        return decoded.slice(6); // Remove "nostr:" prefix to get token
+      }
+    } catch {
+      return null;
+    }
   }
-  return authHeader.slice(6).trim();
+
+  return null;
 }
 
 /**
@@ -125,16 +159,27 @@ export async function verifyNostrAuth(request) {
   const normalizedRequestUrl = fullUrl.replace(/\/$/, '');
   const normalizedRequestUrlNoQuery = fullUrl.split('?')[0].replace(/\/$/, '');
 
-  if (normalizedEventUrl !== normalizedRequestUrl && normalizedEventUrl !== normalizedRequestUrlNoQuery) {
+  // Check for exact match first
+  let urlMatches = normalizedEventUrl === normalizedRequestUrl ||
+                   normalizedEventUrl === normalizedRequestUrlNoQuery;
+
+  // For git clients: allow prefix matching (event URL is base of request URL)
+  // This enables git credential helpers that sign for the repo base URL
+  if (!urlMatches && normalizedRequestUrlNoQuery.startsWith(normalizedEventUrl + '/')) {
+    urlMatches = true;
+  }
+
+  if (!urlMatches) {
     return { webId: null, error: `URL mismatch: event URL "${eventUrl}" does not match request URL "${fullUrl}"` };
   }
 
   // Validate method tag matches request method
+  // For git clients: allow '*' as wildcard method
   const eventMethod = getTagValue(event, 'method');
   if (!eventMethod) {
     return { webId: null, error: 'Missing method tag in event' };
   }
-  if (eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+  if (eventMethod !== '*' && eventMethod.toUpperCase() !== request.method.toUpperCase()) {
     return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
   }
 

package/src/handlers/git.js

@@ -0,0 +1,207 @@
+import { spawn } from 'child_process';
+import { existsSync, statSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Check if a URL path is a Git protocol request
+ * @param {string} urlPath - The URL path
+ * @returns {boolean}
+ */
+export function isGitRequest(urlPath) {
+  return urlPath.includes('/info/refs') ||
+    urlPath.includes('/git-upload-pack') ||
+    urlPath.includes('/git-receive-pack');
+}
+
+/**
+ * Determine if this is a write operation (push)
+ * @param {string} urlPath - The URL path
+ * @returns {boolean}
+ */
+export function isGitWriteOperation(urlPath) {
+  return urlPath.includes('/git-receive-pack');
+}
+
+/**
+ * Extract the repository path from the URL
+ * @param {string} urlPath - The URL path
+ * @returns {string|null} The repository relative path or null
+ */
+function extractRepoPath(urlPath) {
+  // Remove git service suffixes to get the repo path
+  const cleanPath = urlPath
+    .replace(/\/info\/refs.*$/, '')
+    .replace(/\/git-upload-pack$/, '')
+    .replace(/\/git-receive-pack$/, '');
+
+  // Remove leading slash
+  return cleanPath.replace(/^\//, '') || null;
+}
+
+/**
+ * Find the git directory for a path
+ * @param {string} repoPath - Absolute path to check
+ * @returns {{gitDir: string, isRegular: boolean}|null}
+ */
+function findGitDir(repoPath) {
+  if (!existsSync(repoPath) || !statSync(repoPath).isDirectory()) {
+    return null;
+  }
+
+  // Check for regular repo with .git subdirectory
+  const dotGitPath = join(repoPath, '.git');
+  if (existsSync(dotGitPath) && statSync(dotGitPath).isDirectory()) {
+    return { gitDir: dotGitPath, isRegular: true };
+  }
+
+  // Check for bare repository
+  const objectsPath = join(repoPath, 'objects');
+  const refsPath = join(repoPath, 'refs');
+  if (existsSync(objectsPath) && existsSync(refsPath)) {
+    return { gitDir: repoPath, isRegular: false };
+  }
+
+  return null;
+}
+
+/**
+ * Handle Git HTTP requests using git http-backend
+ * @param {FastifyRequest} request
+ * @param {FastifyReply} reply
+ */
+export async function handleGit(request, reply) {
+  const urlPath = decodeURIComponent(request.url.split('?')[0]);
+  const queryString = request.url.split('?')[1] || '';
+
+  // Extract repository path
+  const repoRelative = extractRepoPath(urlPath);
+  if (!repoRelative) {
+    return reply.code(400).send({ error: 'Invalid git request' });
+  }
+
+  // Handle subdomain mode
+  let dataRoot = process.env.DATA_ROOT || './data';
+  if (request.podName) {
+    dataRoot = join(dataRoot, request.podName);
+  }
+
+  const repoAbs = join(dataRoot, repoRelative);
+
+  // Find git directory
+  const gitInfo = findGitDir(repoAbs);
+  if (!gitInfo) {
+    return reply.code(404).send({ error: 'Not a git repository' });
+  }
+
+  // Build CGI environment
+  const env = {
+    ...process.env,
+    GIT_PROJECT_ROOT: dataRoot,
+    GIT_HTTP_EXPORT_ALL: '',                    // Allow read access
+    GIT_HTTP_RECEIVE_PACK: 'true',              // Enable push
+    GIT_CONFIG_PARAMETERS: "'uploadpack.allowTipSHA1InWant=true'",
+    PATH_INFO: urlPath,
+    REQUEST_METHOD: request.method,
+    CONTENT_TYPE: request.headers['content-type'] || '',
+    QUERY_STRING: queryString,
+    REMOTE_USER: request.webId || '',           // Pass authenticated user
+    CONTENT_LENGTH: request.headers['content-length'] || '0',
+  };
+
+  // For regular repositories, set GIT_DIR
+  if (gitInfo.isRegular) {
+    env.GIT_DIR = gitInfo.gitDir;
+  }
+
+  // Spawn git http-backend
+  return new Promise((resolve, reject) => {
+    const child = spawn('git', ['http-backend'], { env });
+
+    let buffer = Buffer.alloc(0);
+    let headersSent = false;
+
+    child.stdout.on('data', (data) => {
+      buffer = Buffer.concat([buffer, data]);
+
+      if (!headersSent) {
+        // Look for end of CGI headers (try both \r\n\r\n and \n\n)
+        let headerEnd = buffer.indexOf('\r\n\r\n');
+        let headerSep = '\r\n';
+        let headerEndLen = 4;
+
+        if (headerEnd === -1) {
+          headerEnd = buffer.indexOf('\n\n');
+          headerSep = '\n';
+          headerEndLen = 2;
+        }
+
+        if (headerEnd !== -1) {
+          const headerSection = buffer.subarray(0, headerEnd).toString();
+          const bodySection = buffer.subarray(headerEnd + headerEndLen);
+
+          // Parse CGI headers and set on raw response
+          const lines = headerSection.split(headerSep);
+          let statusCode = 200;
+
+          for (const line of lines) {
+            const colonIndex = line.indexOf(':');
+            if (colonIndex > 0) {
+              const key = line.substring(0, colonIndex).trim();
+              const value = line.substring(colonIndex + 1).trim();
+
+              // Handle Status header specially
+              if (key.toLowerCase() === 'status') {
+                statusCode = parseInt(value.split(' ')[0], 10);
+              } else {
+                reply.raw.setHeader(key, value);
+              }
+            }
+          }
+
+          reply.raw.writeHead(statusCode);
+          headersSent = true;
+          reply.raw.write(bodySection);
+          buffer = Buffer.alloc(0);
+        }
+      } else {
+        reply.raw.write(buffer);
+        buffer = Buffer.alloc(0);
+      }
+    });
+
+    child.stdout.on('end', () => {
+      reply.raw.end();
+      resolve();
+    });
+
+    // Send request body to git
+    // For POST requests, Fastify has already parsed the body into request.body
+    if (request.body && request.body.length > 0) {
+      child.stdin.write(request.body);
+      child.stdin.end();
+    } else {
+      // For GET requests or empty bodies, just close stdin
+      child.stdin.end();
+    }
+
+    // Log errors
+    child.stderr.on('data', (data) => {
+      console.error('git http-backend stderr:', data.toString());
+    });
+
+    child.on('error', (err) => {
+      console.error('Failed to spawn git http-backend:', err);
+      if (!headersSent) {
+        reply.code(500).send({ error: 'Git backend error' });
+      }
+      resolve();
+    });
+
+    child.on('close', (code) => {
+      if (code !== 0 && !headersSent) {
+        reply.code(500).send({ error: 'Git operation failed' });
+      }
+      resolve();
+    });
+  });
+}

package/src/server.js

@@ -8,6 +8,7 @@ import { getCorsHeaders } from './ldp/headers.js';
 import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
+import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -23,6 +24,7 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
  * @param {string} options.root - Data directory path (default from env or ./data)
  * @param {boolean} options.subdomains - Enable subdomain-based pods for XSS protection (default false)
  * @param {string} options.baseDomain - Base domain for subdomain pods (e.g., "example.com")
+ * @param {boolean} options.git - Enable Git HTTP backend for clone/push (default false)
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -40,6 +42,8 @@ export function createServer(options = {}) {
   const mashlibEnabled = options.mashlib ?? false;
   const mashlibCdn = options.mashlibCdn ?? false;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
+  // Git HTTP backend is OFF by default - enables clone/push via git protocol
+  const gitEnabled = options.git ?? false;
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -128,16 +132,64 @@ export function createServer(options = {}) {
     // Note: OPTIONS requests are handled by handleOptions to include Accept-* headers
   });
 
+  // Security: Block access to dotfiles except allowed Solid-specific ones
+  // This prevents exposure of .git/, .env, .htpasswd, etc.
+  // Git protocol requests bypass this check when git is enabled
+  const ALLOWED_DOTFILES = ['.well-known', '.acl', '.meta'];
+  fastify.addHook('onRequest', async (request, reply) => {
+    // Allow git protocol requests through when git is enabled
+    if (gitEnabled && isGitRequest(request.url)) {
+      return;
+    }
+
+    const segments = request.url.split('/').map(s => s.split('?')[0]); // Remove query strings
+    const hasForbiddenDotfile = segments.some(seg =>
+      seg.startsWith('.') &&
+      seg.length > 1 &&
+      !ALLOWED_DOTFILES.includes(seg)
+    );
+
+    if (hasForbiddenDotfile) {
+      return reply.code(403).send({ error: 'Forbidden', message: 'Dotfile access is not allowed' });
+    }
+  });
+
+  // Git HTTP backend handler - uses git http-backend CGI
+  // Authorization: Read for clone/fetch, Write for push
+  if (gitEnabled) {
+    fastify.addHook('preHandler', async (request, reply) => {
+      if (!isGitRequest(request.url)) {
+        return;
+      }
+
+      // Run WAC authorization - checkAccess already verifies the required mode
+      const { authorized, webId, wacAllow, authError } = await authorize(request, reply);
+      request.webId = webId;
+      request.wacAllow = wacAllow;
+
+      if (!authorized) {
+        const needsWrite = isGitWriteOperation(request.url);
+        const message = needsWrite ? 'Write access required for push' : 'Read access required for clone';
+        reply.header('WAC-Allow', wacAllow);
+        return reply.code(webId ? 403 : 401).send({ error: message });
+      }
+
+      // Handle the git request directly
+      return handleGit(request, reply);
+    });
+  }
+
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, and notifications
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, and git
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     if (request.url === '/.pods' ||
         request.url === '/.notifications' ||
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
         request.url.startsWith('/.well-known/') ||
+        (gitEnabled && isGitRequest(request.url)) ||
         mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;
     }