javascript-solid-server 0.0.37 → 0.0.39

package/.claude/settings.local.json

@@ -116,7 +116,22 @@
       "Bash(fi)",
       "Bash(timeout 45 node:*)",
       "Bash(gh issue list:*)",
-      "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)"
+      "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)",
+      "Bash(pm2 show:*)",
+      "Bash(git config:*)",
+      "Bash(npm version:*)",
+      "Bash(git init:*)",
+      "Bash(gh repo create:*)",
+      "Bash(./bin/git-credential-nostr generate:*)",
+      "Bash(./bin/git-credential-nostr get:*)",
+      "Bash(git-credential-nostr:*)",
+      "Bash(git branch:*)",
+      "Bash(GIT_TRACE=1 GIT_CURL_VERBOSE=1 git push:*)",
+      "Bash(GIT_CURL_VERBOSE=1 git push:*)",
+      "Bash(git reset:*)",
+      "Bash(echo:*)",
+      "Bash(unset DATA_ROOT)",
+      "Bash(timeout 30 npm test:*)"
     ]
   }
 }

package/README.md

@@ -4,7 +4,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.31)
+### Implemented (v0.0.39)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -19,13 +19,15 @@ A minimal, fast, JSON-LD native Solid server.
 - **Mashlib Data Browser** - Optional SolidOS UI (CDN or local hosting)
 - **WebID Profiles** - HTML with JSON-LD data islands, rendered with mashlib-jss + solidos-lite
 - **Web Access Control (WAC)** - `.acl` file-based authorization
-- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
+- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
 - **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
+- **Git HTTP Backend** - Clone and push to containers via `git` protocol
+- **Security** - Blocks access to dotfiles (`.git/`, `.env`, etc.) except Solid-specific ones
 
 ### HTTP Methods
 
@@ -94,6 +96,7 @@ jss --help             # Show help
 | `--mashlib` | Enable Mashlib (local mode) | false |
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
+| `--git` | Enable Git HTTP backend | false |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -318,6 +321,71 @@ Server: ack http://localhost:3000/alice/public/data.json
 Server: pub http://localhost:3000/alice/public/data.json  (on change)
 ```
 
+## Git Support
+
+Enable Git HTTP backend to clone and push to pod containers:
+
+```bash
+jss start --git
+```
+
+### Initialize a Repository
+
+```bash
+# Create a git repo in a pod container
+cd data/alice/myrepo
+git init
+echo "# My Project" > README.md
+git add . && git commit -m "Initial commit"
+```
+
+### Clone and Push
+
+```bash
+# Clone (public read access)
+git clone http://localhost:3000/alice/myrepo
+
+# Push (requires write access via WAC)
+cd myrepo
+echo "New content" >> README.md
+git add . && git commit -m "Update"
+git push
+```
+
+Git operations respect WAC permissions - clone requires Read access, push requires Write access.
+
+### Git Push with Nostr Authentication
+
+Git push supports NIP-98 authentication via Basic Auth. Install the credential helper:
+
+```bash
+npm install -g git-credential-nostr
+git config --global credential.helper nostr
+```
+
+Generate or configure your Nostr key:
+
+```bash
+# Generate a new keypair
+git-credential-nostr generate
+
+# Or use an existing private key
+git config --global nostr.privkey YOUR_64_CHAR_HEX_PRIVKEY
+```
+
+See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
+
+Add the Nostr identity to your ACL:
+
+```turtle
+<#nostr-writer>
+    a acl:Authorization;
+    acl:agent <did:nostr:YOUR_64_CHAR_HEX_PUBKEY>;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read, acl:Write.
+```
+
 ## Authentication
 
 ### Simple Tokens (Development)
@@ -490,7 +558,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **182 tests** (including 27 conformance tests)
+Currently passing: **187 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 
@@ -531,13 +599,15 @@ src/
 ├── server.js             # Fastify setup
 ├── handlers/
 │   ├── resource.js       # GET, PUT, DELETE, HEAD, PATCH
-│   └── container.js      # POST, pod creation
+│   ├── container.js      # POST, pod creation
+│   └── git.js            # Git HTTP backend
 ├── storage/
 │   └── filesystem.js     # File operations
 ├── auth/
 │   ├── middleware.js     # Auth hook
 │   ├── token.js          # Simple token auth
-│   └── solid-oidc.js     # DPoP verification
+│   ├── solid-oidc.js     # DPoP verification
+│   └── nostr.js          # NIP-98 Nostr authentication
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/cth.env

@@ -5,11 +5,11 @@ SOLID_IDENTITY_PROVIDER=http://localhost:3456
 RESOURCE_SERVER_ROOT=http://localhost:3456
 TEST_CONTAINER=alice/public/
 
-USERS_ALICE_WEBID=http://localhost:3456/alice/#me
+USERS_ALICE_WEBID=http://localhost:3456/alice/profile/card#me
 USERS_ALICE_USERNAME=alice@test.local
 USERS_ALICE_PASSWORD=alicepassword123
 
-USERS_BOB_WEBID=http://localhost:3456/bob/#me
+USERS_BOB_WEBID=http://localhost:3456/bob/profile/card#me
 USERS_BOB_USERNAME=bob@test.local
 USERS_BOB_PASSWORD=bobpassword123
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.37",
+  "version": "0.0.39",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -13,9 +13,11 @@ import { getEffectiveUrlPath } from '../utils/url.js';
  * Check if request is authorized
  * @param {object} request - Fastify request
  * @param {object} reply - Fastify reply
+ * @param {object} options - Optional settings
+ * @param {string} options.requiredMode - Override the required access mode (e.g., 'Write' for git push)
  * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
  */
-export async function authorize(request, reply) {
+export async function authorize(request, reply, options = {}) {
   const urlPath = request.url.split('?')[0];
   const method = request.method;
 
@@ -44,8 +46,8 @@ export async function authorize(request, reply) {
   // Build resource URL (uses actual request hostname which may be subdomain)
   const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
-  // Get required access mode for this method
-  const requiredMode = getRequiredMode(method);
+  // Get required access mode - use override if provided, otherwise derive from method
+  const requiredMode = options.requiredMode || getRequiredMode(method);
 
   // For write operations on non-existent resources, check parent container
   let checkPath = storagePath;

package/src/auth/nostr.js

@@ -22,24 +22,58 @@ const TIMESTAMP_TOLERANCE = 60;
 
 /**
  * Check if request has Nostr authentication
+ * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
+ * The Basic format allows git clients to authenticate via NIP-98
  * @param {object} request - Fastify request object
  * @returns {boolean}
  */
 export function hasNostrAuth(request) {
   const authHeader = request.headers.authorization;
-  return authHeader && authHeader.startsWith('Nostr ');
+  if (!authHeader) return false;
+
+  // Direct Nostr header
+  if (authHeader.startsWith('Nostr ')) return true;
+
+  // Basic auth with username=nostr (for git clients)
+  if (authHeader.startsWith('Basic ')) {
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
+      return decoded.startsWith('nostr:');
+    } catch {
+      return false;
+    }
+  }
+
+  return false;
 }
 
 /**
  * Extract token from Nostr authorization header
+ * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
  * @param {string} authHeader - Authorization header value
  * @returns {string|null}
  */
 export function extractNostrToken(authHeader) {
-  if (!authHeader || !authHeader.startsWith('Nostr ')) {
-    return null;
+  if (!authHeader) return null;
+
+  // Direct Nostr header
+  if (authHeader.startsWith('Nostr ')) {
+    return authHeader.slice(6).trim();
+  }
+
+  // Basic auth with username=nostr, password=token
+  if (authHeader.startsWith('Basic ')) {
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
+      if (decoded.startsWith('nostr:')) {
+        return decoded.slice(6); // Remove "nostr:" prefix to get token
+      }
+    } catch {
+      return null;
+    }
   }
-  return authHeader.slice(6).trim();
+
+  return null;
 }
 
 /**
@@ -125,16 +159,27 @@ export async function verifyNostrAuth(request) {
   const normalizedRequestUrl = fullUrl.replace(/\/$/, '');
   const normalizedRequestUrlNoQuery = fullUrl.split('?')[0].replace(/\/$/, '');
 
-  if (normalizedEventUrl !== normalizedRequestUrl && normalizedEventUrl !== normalizedRequestUrlNoQuery) {
+  // Check for exact match first
+  let urlMatches = normalizedEventUrl === normalizedRequestUrl ||
+                   normalizedEventUrl === normalizedRequestUrlNoQuery;
+
+  // For git clients: allow prefix matching (event URL is base of request URL)
+  // This enables git credential helpers that sign for the repo base URL
+  if (!urlMatches && normalizedRequestUrlNoQuery.startsWith(normalizedEventUrl + '/')) {
+    urlMatches = true;
+  }
+
+  if (!urlMatches) {
     return { webId: null, error: `URL mismatch: event URL "${eventUrl}" does not match request URL "${fullUrl}"` };
   }
 
   // Validate method tag matches request method
+  // For git clients: allow '*' as wildcard method
   const eventMethod = getTagValue(event, 'method');
   if (!eventMethod) {
     return { webId: null, error: 'Missing method tag in event' };
   }
-  if (eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+  if (eventMethod !== '*' && eventMethod.toUpperCase() !== request.method.toUpperCase()) {
     return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
   }
 

package/src/handlers/resource.js

@@ -320,10 +320,19 @@ export async function handleGet(request, reply) {
   }
 
   // Serve content as-is (no conneg or non-RDF resource)
+  // For extensionless files (like profile/card), detect HTML by content
+  let actualContentType = storedContentType;
+  if (storedContentType === 'application/octet-stream') {
+    const contentStr = content.toString().trimStart();
+    if (contentStr.startsWith('<!DOCTYPE') || contentStr.startsWith('<html')) {
+      actualContentType = 'text/html';
+    }
+  }
+
   const headers = getAllHeaders({
     isContainer: false,
     etag: stats.etag,
-    contentType: storedContentType,
+    contentType: actualContentType,
     origin,
     resourceUrl,
     connegEnabled

package/src/server.js

@@ -9,6 +9,7 @@ import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
+import { AccessMode } from './wac/parser.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -135,7 +136,7 @@ export function createServer(options = {}) {
   // Security: Block access to dotfiles except allowed Solid-specific ones
   // This prevents exposure of .git/, .env, .htpasswd, etc.
   // Git protocol requests bypass this check when git is enabled
-  const ALLOWED_DOTFILES = ['.well-known', '.acl', '.meta'];
+  const ALLOWED_DOTFILES = ['.well-known', '.acl', '.meta', '.pods', '.notifications'];
   fastify.addHook('onRequest', async (request, reply) => {
     // Allow git protocol requests through when git is enabled
     if (gitEnabled && isGitRequest(request.url)) {
@@ -162,15 +163,22 @@ export function createServer(options = {}) {
         return;
       }
 
-      // Run WAC authorization - checkAccess already verifies the required mode
-      const { authorized, webId, wacAllow, authError } = await authorize(request, reply);
+      // Determine required mode: Write for push, Read for clone/fetch
+      const needsWrite = isGitWriteOperation(request.url);
+      const requiredMode = needsWrite ? AccessMode.WRITE : AccessMode.READ;
+
+      // Run WAC authorization with the correct mode for git operations
+      const { authorized, webId, wacAllow, authError } = await authorize(request, reply, { requiredMode });
       request.webId = webId;
       request.wacAllow = wacAllow;
 
       if (!authorized) {
-        const needsWrite = isGitWriteOperation(request.url);
         const message = needsWrite ? 'Write access required for push' : 'Read access required for clone';
         reply.header('WAC-Allow', wacAllow);
+        if (!webId) {
+          // No authentication - request Basic auth for git clients
+          reply.header('WWW-Authenticate', 'Basic realm="Solid"');
+        }
         return reply.code(webId ? 403 : 401).send({ error: message });
       }
 

package/src/storage/filesystem.js

@@ -1,10 +1,9 @@
 import fs from 'fs-extra';
 import path from 'path';
 import crypto from 'crypto';
-import { DATA_ROOT, urlToPath, isContainer } from '../utils/url.js';
+import { getDataRoot, urlToPath, isContainer } from '../utils/url.js';
 
-// Ensure data directory exists
-fs.ensureDirSync(DATA_ROOT);
+// Note: Data directory is ensured in server.js after DATA_ROOT is set
 
 /**
  * Check if resource exists

package/src/utils/url.js

@@ -1,7 +1,19 @@
 import path from 'path';
 
 // Base directory for storing all pods
-export const DATA_ROOT = process.env.DATA_ROOT || './data';
+// Use a getter function to read env var at runtime (not import time)
+// This is necessary because ES modules are loaded before the CLI sets the env var
+export function getDataRoot() {
+  return process.env.DATA_ROOT || './data';
+}
+
+// Legacy export - kept for compatibility, but callers should use getDataRoot()
+export let DATA_ROOT = './data';
+
+// Update DATA_ROOT when env var is set (called from storage init)
+export function updateDataRoot() {
+  DATA_ROOT = getDataRoot();
+}
 
 /**
  * Convert URL path to filesystem path
@@ -16,7 +28,7 @@ export function urlToPath(urlPath) {
   // Security: prevent path traversal
   normalized = normalized.replace(/\.\./g, '');
 
-  return path.join(DATA_ROOT, normalized);
+  return path.join(getDataRoot(), normalized);
 }
 
 /**
@@ -35,7 +47,7 @@ export function urlToPathWithPod(urlPath, podName) {
   normalized = normalized.replace(/\.\./g, '');
 
   // Prepend pod name to path
-  return path.join(DATA_ROOT, podName, normalized);
+  return path.join(getDataRoot(), podName, normalized);
 }
 
 /**

package/src/wac/checker.js

@@ -33,19 +33,20 @@ export async function checkAccess({
     return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
   }
 
-  const { authorizations, isDefault, targetUrl } = aclResult;
+  const { authorizations, isDefault, targetUrl: aclContainerUrl } = aclResult;
 
   // Check authorizations
+  // Note: For default ACLs, we check if the ACL's default rules apply to the actual resource URL
   const allowed = checkAuthorizations(
     authorizations,
-    targetUrl,
+    resourceUrl,  // Use actual resource URL, not the ACL container URL
     agentWebId,
     requiredMode,
     isDefault
   );
 
   // Calculate WAC-Allow header
-  const wacAllow = calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault);
+  const wacAllow = calculateWacAllow(authorizations, resourceUrl, agentWebId, isDefault);
 
   return { allowed, wacAllow };
 }
@@ -117,13 +118,17 @@ function getParentPath(path) {
  */
 function checkAuthorizations(authorizations, targetUrl, agentWebId, requiredMode, isDefault) {
   for (const auth of authorizations) {
-    // Check if this authorization applies to the resource
-    const appliesToResource = isDefault
-      ? auth.default.some(d => urlMatches(d, targetUrl))
-      : auth.accessTo.some(a => urlMatches(a, targetUrl));
-
-    if (!appliesToResource && !isDefault) continue;
-    if (isDefault && auth.default.length === 0) continue;
+    // For default ACLs, check if auth has default rules and matches target
+    // For direct ACLs, check if accessTo matches target
+    if (isDefault) {
+      // Skip if no default rules defined
+      if (auth.default.length === 0) continue;
+      // Skip if target URL doesn't match any default URL prefix
+      if (!auth.default.some(d => urlMatches(d, targetUrl, true))) continue;
+    } else {
+      // Skip if accessTo doesn't match target
+      if (!auth.accessTo.some(a => urlMatches(a, targetUrl))) continue;
+    }
 
     // Check if agent is authorized
     const agentAuthorized = isAgentAuthorized(auth, agentWebId);
@@ -172,10 +177,20 @@ function isAgentAuthorized(auth, agentWebId) {
 
 /**
  * Check if URLs match (handles trailing slashes)
+ * @param {string} pattern - The ACL URL pattern
+ * @param {string} url - The target URL to check
+ * @param {boolean} prefixMatch - If true, check if url starts with pattern (for acl:default)
  */
-function urlMatches(pattern, url) {
+function urlMatches(pattern, url, prefixMatch = false) {
   const normalizedPattern = pattern.replace(/\/$/, '');
   const normalizedUrl = url.replace(/\/$/, '');
+
+  if (prefixMatch) {
+    // For default ACLs: target must be same as or under the pattern
+    return normalizedUrl === normalizedPattern ||
+           normalizedUrl.startsWith(normalizedPattern + '/');
+  }
+
   return normalizedPattern === normalizedUrl;
 }
 
@@ -187,12 +202,13 @@ function calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault) {
   const publicModes = new Set();
 
   for (const auth of authorizations) {
-    // Check if applies to resource
-    const applies = isDefault
-      ? auth.default.length > 0
-      : auth.accessTo.some(a => urlMatches(a, targetUrl));
-
-    if (!applies && !isDefault) continue;
+    // Check if applies to resource - use same logic as checkAuthorizations
+    if (isDefault) {
+      if (auth.default.length === 0) continue;
+      if (!auth.default.some(d => urlMatches(d, targetUrl, true))) continue;
+    } else {
+      if (!auth.accessTo.some(a => urlMatches(a, targetUrl))) continue;
+    }
 
     // Check what modes this grants
     const modes = auth.modes.map(m => {

package/test/pod.test.js

@@ -36,7 +36,7 @@ describe('Pod Lifecycle', () => {
 
       const data = await res.json();
       assert.strictEqual(data.name, 'alice');
-      assert.ok(data.webId.endsWith('/alice/#me'));
+      assert.ok(data.webId.endsWith('/alice/profile/card#me'));
       assert.ok(data.podUri.endsWith('/alice/'));
     });
 
@@ -95,24 +95,24 @@ describe('Pod Lifecycle', () => {
       const priv = await request('/carol/private/', { auth: 'carol' });
       assertStatus(priv, 200);
 
-      // Check settings exists (needs auth)
-      const settings = await request('/carol/settings/', { auth: 'carol' });
+      // Check Settings exists (needs auth)
+      const settings = await request('/carol/Settings/', { auth: 'carol' });
       assertStatus(settings, 200);
     });
 
     it('should create settings files', async () => {
       await createTestPod('dan');
 
-      // Check prefs (needs auth - settings is private)
-      const prefs = await request('/dan/settings/prefs', { auth: 'dan' });
+      // Check Preferences.ttl (needs auth - Settings is private)
+      const prefs = await request('/dan/Settings/Preferences.ttl', { auth: 'dan' });
       assertStatus(prefs, 200);
 
       // Check public type index (needs auth)
-      const pubIndex = await request('/dan/settings/publicTypeIndex', { auth: 'dan' });
+      const pubIndex = await request('/dan/Settings/publicTypeIndex.ttl', { auth: 'dan' });
       assertStatus(pubIndex, 200);
 
       // Check private type index (needs auth)
-      const privIndex = await request('/dan/settings/privateTypeIndex', { auth: 'dan' });
+      const privIndex = await request('/dan/Settings/privateTypeIndex.ttl', { auth: 'dan' });
       assertStatus(privIndex, 200);
     });
   });

package/test/webid.test.js

@@ -30,119 +30,87 @@ describe('WebID Profile', () => {
   });
 
   describe('Profile Document', () => {
-    it('should serve profile as HTML at pod root', async () => {
-      const res = await request('/webidtest/');
+    // Profile is at /pod/profile/card following Solid convention
+    const profilePath = '/webidtest/profile/card';
+
+    it('should serve profile as HTML', async () => {
+      const res = await request(profilePath);
 
       assertStatus(res, 200);
       assertHeaderContains(res, 'Content-Type', 'text/html');
     });
 
     it('should contain JSON-LD structured data', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
 
       const jsonLd = extractJsonLdFromHtml(html);
       assert.ok(jsonLd['@context'], 'Should have @context');
-      assert.ok(jsonLd['@graph'], 'Should have @graph');
+      // Profile uses flat structure, not @graph
+      assert.ok(jsonLd['@id'], 'Should have @id');
     });
 
     it('should have correct WebID URI', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      // Find the Person in the graph
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person, 'Should have a foaf:Person');
-      assert.ok(person['@id'].endsWith('/webidtest/#me'), 'WebID should end with /#me');
+      // Profile is a flat structure with the person as the main entity
+      assert.ok(jsonLd['@id'].endsWith('/webidtest/profile/card#me'), 'WebID should end with /profile/card#me');
     });
 
     it('should have foaf:name', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.strictEqual(person['foaf:name'], 'webidtest');
+      assert.strictEqual(jsonLd['foaf:name'], 'webidtest');
     });
 
     it('should have solid:oidcIssuer', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person['oidcIssuer'], 'Should have oidcIssuer');
+      assert.ok(jsonLd['oidcIssuer'], 'Should have oidcIssuer');
     });
 
     it('should have pim:storage pointing to pod', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person['storage'].endsWith('/webidtest/'), 'Storage should point to pod');
+      assert.ok(jsonLd['storage'].endsWith('/webidtest/'), 'Storage should point to pod');
     });
 
     it('should have ldp:inbox', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person['inbox'].endsWith('/webidtest/inbox/'), 'Should have inbox');
+      assert.ok(jsonLd['inbox'].endsWith('/webidtest/inbox/'), 'Should have inbox');
     });
 
-    it('should have PersonalProfileDocument', async () => {
-      const res = await request('/webidtest/');
+    it('should have mainEntityOfPage', async () => {
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const doc = jsonLd['@graph'].find(node =>
-        node['@type'] === 'foaf:PersonalProfileDocument'
-      );
-
-      assert.ok(doc, 'Should have PersonalProfileDocument');
-      assert.ok(doc['foaf:maker'], 'Should have foaf:maker');
-      assert.ok(doc['foaf:primaryTopic'], 'Should have foaf:primaryTopic');
+      // Check for mainEntityOfPage which links to the profile document
+      assert.ok(jsonLd['mainEntityOfPage'], 'Should have mainEntityOfPage');
     });
   });
 
   describe('WebID Resolution', () => {
     it('should return LDP headers', async () => {
-      const res = await request('/webidtest/');
+      const res = await request('/webidtest/profile/card');
 
       assertHeaderContains(res, 'Link', 'ldp#Resource');
       assertHeader(res, 'WAC-Allow');
     });
 
     it('should return CORS headers', async () => {
-      const res = await request('/webidtest/', {
+      const res = await request('/webidtest/profile/card', {
         headers: { 'Origin': 'https://example.com' }
       });
 

package/test-git-nostr-auth.js

@@ -0,0 +1,285 @@
+#!/usr/bin/env node
+/**
+ * Test git push/pull with Nostr NIP-98 authentication
+ *
+ * Usage: node test-git-nostr-auth.js
+ *
+ * Prerequisites:
+ * - JSS server running on localhost:4000 with --git flag
+ * - git-credential-nostr installed globally
+ * - git config --global credential.helper nostr
+ *
+ * This script:
+ * 1. Creates a test git repo on the server
+ * 2. Sets up ACL with authorized Nostr DID
+ * 3. Tests clone (public read)
+ * 4. Tests push with authorized key (should succeed)
+ * 5. Tests push with unauthorized key (should fail with 403)
+ * 6. Cleans up
+ */
+
+import { generateSecretKey, getPublicKey } from 'nostr-tools/pure';
+import { bytesToHex } from '@noble/hashes/utils';
+import { execSync, spawn } from 'child_process';
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+
+const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
+const DATA_ROOT = process.env.DATA_ROOT || '/home/melvin/jss/data';
+const TEST_POD = 'test-git-nostr';
+const TEST_REPO = 'test-repo';
+
+// Generate keypairs for testing
+const authorizedSk = generateSecretKey();
+const authorizedPk = getPublicKey(authorizedSk);
+const authorizedPrivHex = bytesToHex(authorizedSk);
+
+const unauthorizedSk = generateSecretKey();
+const unauthorizedPk = getPublicKey(unauthorizedSk);
+const unauthorizedPrivHex = bytesToHex(unauthorizedSk);
+
+let tempDir;
+let passed = 0;
+let failed = 0;
+
+function log(msg) {
+  console.log(`  ${msg}`);
+}
+
+function pass(test) {
+  console.log(`✓ ${test}`);
+  passed++;
+}
+
+function fail(test, error) {
+  console.log(`✗ ${test}`);
+  console.log(`  Error: ${error}`);
+  failed++;
+}
+
+function exec(cmd, options = {}) {
+  try {
+    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], ...options });
+  } catch (e) {
+    if (options.allowFail) {
+      return { error: true, stderr: e.stderr, stdout: e.stdout, status: e.status };
+    }
+    throw e;
+  }
+}
+
+async function setup() {
+  console.log('\n=== Setup ===\n');
+
+  // Create temp directory for client repos
+  tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'git-nostr-test-'));
+  log(`Temp directory: ${tempDir}`);
+
+  // Create test pod directory
+  const podPath = path.join(DATA_ROOT, TEST_POD);
+  fs.ensureDirSync(podPath);
+  log(`Created pod: ${podPath}`);
+
+  // Create bare git repo
+  const repoPath = path.join(podPath, TEST_REPO);
+  fs.ensureDirSync(repoPath);
+  exec(`git init --bare`, { cwd: repoPath });
+  exec(`git config --local receive.denyCurrentBranch ignore`, { cwd: repoPath });
+  exec(`git config --local http.receivepack true`, { cwd: repoPath });
+  exec(`git symbolic-ref HEAD refs/heads/main`, { cwd: repoPath });
+  log(`Created bare repo: ${repoPath}`);
+
+  // Create ACL with authorized Nostr DID
+  const acl = {
+    "@context": {
+      "acl": "http://www.w3.org/ns/auth/acl#",
+      "foaf": "http://xmlns.com/foaf/0.1/"
+    },
+    "@graph": [
+      {
+        "@id": "#nostr",
+        "@type": "acl:Authorization",
+        "acl:agent": { "@id": `did:nostr:${authorizedPk}` },
+        "acl:accessTo": { "@id": `${BASE_URL}/${TEST_POD}/` },
+        "acl:mode": [
+          { "@id": "acl:Read" },
+          { "@id": "acl:Write" }
+        ],
+        "acl:default": { "@id": `${BASE_URL}/${TEST_POD}/` }
+      },
+      {
+        "@id": "#public",
+        "@type": "acl:Authorization",
+        "acl:agentClass": { "@id": "foaf:Agent" },
+        "acl:accessTo": { "@id": `${BASE_URL}/${TEST_POD}/` },
+        "acl:mode": [{ "@id": "acl:Read" }],
+        "acl:default": { "@id": `${BASE_URL}/${TEST_POD}/` }
+      }
+    ]
+  };
+
+  fs.writeJsonSync(path.join(podPath, '.acl'), acl, { spaces: 2 });
+  log(`Created ACL with authorized DID: did:nostr:${authorizedPk.slice(0, 16)}...`);
+
+  // Create initial commit in a temp client repo
+  const initRepo = path.join(tempDir, 'init');
+  fs.ensureDirSync(initRepo);
+  exec('git init', { cwd: initRepo });
+  exec('git config user.email "test@example.com"', { cwd: initRepo });
+  exec('git config user.name "Test User"', { cwd: initRepo });
+  fs.writeFileSync(path.join(initRepo, 'README.md'), '# Test Repo\n');
+  exec('git add .', { cwd: initRepo });
+  exec('git commit -m "Initial commit"', { cwd: initRepo });
+  exec('git branch -m main', { cwd: initRepo });
+  exec(`git remote add origin ${BASE_URL}/${TEST_POD}/${TEST_REPO}/`, { cwd: initRepo });
+
+  // Configure authorized key for initial push
+  exec(`git config nostr.privkey ${authorizedPrivHex}`, { cwd: initRepo });
+
+  log('Created initial commit');
+}
+
+async function testClone() {
+  console.log('\n=== Test: Clone (public read) ===\n');
+
+  const cloneDir = path.join(tempDir, 'clone-test');
+  try {
+    exec(`git clone ${BASE_URL}/${TEST_POD}/${TEST_REPO}/ ${cloneDir}`);
+    if (fs.existsSync(path.join(cloneDir, '.git'))) {
+      pass('Clone succeeded (public read works)');
+    } else {
+      fail('Clone', 'No .git directory created');
+    }
+  } catch (e) {
+    // Clone might fail if repo is empty, that's ok
+    if (e.message.includes('empty repository')) {
+      pass('Clone of empty repo handled correctly');
+    } else {
+      fail('Clone', e.message);
+    }
+  }
+}
+
+async function testPushAuthorized() {
+  console.log('\n=== Test: Push with authorized key ===\n');
+
+  const initRepo = path.join(tempDir, 'init');
+  try {
+    // Push should work with authorized key
+    exec('git push -u origin main', { cwd: initRepo });
+    pass('Push with authorized key succeeded');
+  } catch (e) {
+    fail('Push with authorized key', e.stderr || e.message);
+  }
+}
+
+async function testPushUnauthorized() {
+  console.log('\n=== Test: Push with unauthorized key ===\n');
+
+  const cloneDir = path.join(tempDir, 'unauthorized-test');
+
+  try {
+    // Clone first (should work - public read)
+    exec(`git clone ${BASE_URL}/${TEST_POD}/${TEST_REPO}/ ${cloneDir}`);
+    exec('git config user.email "test@example.com"', { cwd: cloneDir });
+    exec('git config user.name "Test User"', { cwd: cloneDir });
+
+    // Configure unauthorized key
+    exec(`git config nostr.privkey ${unauthorizedPrivHex}`, { cwd: cloneDir });
+
+    // Make a change
+    fs.appendFileSync(path.join(cloneDir, 'README.md'), '\nUnauthorized change\n');
+    exec('git add .', { cwd: cloneDir });
+    exec('git commit -m "Unauthorized change"', { cwd: cloneDir });
+
+    // Push should fail with 403
+    const result = exec('git push 2>&1', { cwd: cloneDir, allowFail: true });
+
+    if (result.error && (result.stderr?.includes('403') || result.stdout?.includes('403'))) {
+      pass('Push with unauthorized key correctly rejected (403)');
+    } else if (result.error) {
+      // Check if it failed for the right reason
+      if (result.stderr?.includes('Authentication failed') || result.stderr?.includes('403')) {
+        pass('Push with unauthorized key correctly rejected');
+      } else {
+        fail('Push with unauthorized key', `Unexpected error: ${result.stderr}`);
+      }
+    } else {
+      fail('Push with unauthorized key', 'Push should have failed but succeeded');
+    }
+  } catch (e) {
+    if (e.stderr?.includes('403') || e.message?.includes('403')) {
+      pass('Push with unauthorized key correctly rejected (403)');
+    } else {
+      fail('Push with unauthorized key', e.stderr || e.message);
+    }
+  }
+}
+
+async function testPullAfterPush() {
+  console.log('\n=== Test: Pull after push ===\n');
+
+  const pullDir = path.join(tempDir, 'pull-test');
+
+  try {
+    exec(`git clone ${BASE_URL}/${TEST_POD}/${TEST_REPO}/ ${pullDir}`);
+    const readme = fs.readFileSync(path.join(pullDir, 'README.md'), 'utf8');
+
+    if (readme.includes('Test Repo')) {
+      pass('Pull retrieved pushed content');
+    } else {
+      fail('Pull after push', 'Content mismatch');
+    }
+  } catch (e) {
+    fail('Pull after push', e.stderr || e.message);
+  }
+}
+
+async function cleanup() {
+  console.log('\n=== Cleanup ===\n');
+
+  // Remove temp directory
+  if (tempDir) {
+    fs.removeSync(tempDir);
+    log(`Removed temp directory: ${tempDir}`);
+  }
+
+  // Remove test pod
+  const podPath = path.join(DATA_ROOT, TEST_POD);
+  if (fs.existsSync(podPath)) {
+    fs.removeSync(podPath);
+    log(`Removed test pod: ${podPath}`);
+  }
+}
+
+async function main() {
+  console.log('╔════════════════════════════════════════════════════╗');
+  console.log('║   Git Push/Pull with Nostr Authentication Test    ║');
+  console.log('╚════════════════════════════════════════════════════╝');
+
+  console.log(`\nServer: ${BASE_URL}`);
+  console.log(`Data root: ${DATA_ROOT}`);
+  console.log(`Authorized pubkey: ${authorizedPk.slice(0, 16)}...`);
+  console.log(`Unauthorized pubkey: ${unauthorizedPk.slice(0, 16)}...`);
+
+  try {
+    await setup();
+    await testPushAuthorized();
+    await testClone();
+    await testPullAfterPush();
+    await testPushUnauthorized();
+  } catch (e) {
+    console.error('\nFatal error:', e.message);
+  } finally {
+    await cleanup();
+  }
+
+  console.log('\n╔════════════════════════════════════════════════════╗');
+  console.log(`║   Results: ${passed} passed, ${failed} failed${' '.repeat(27 - String(passed).length - String(failed).length)}║`);
+  console.log('╚════════════════════════════════════════════════════╝\n');
+
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+main().catch(console.error);