javascript-solid-server 0.0.38 → 0.0.39

package/.claude/settings.local.json

@@ -119,7 +119,19 @@
       "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)",
       "Bash(pm2 show:*)",
       "Bash(git config:*)",
-      "Bash(npm version:*)"
+      "Bash(npm version:*)",
+      "Bash(git init:*)",
+      "Bash(gh repo create:*)",
+      "Bash(./bin/git-credential-nostr generate:*)",
+      "Bash(./bin/git-credential-nostr get:*)",
+      "Bash(git-credential-nostr:*)",
+      "Bash(git branch:*)",
+      "Bash(GIT_TRACE=1 GIT_CURL_VERBOSE=1 git push:*)",
+      "Bash(GIT_CURL_VERBOSE=1 git push:*)",
+      "Bash(git reset:*)",
+      "Bash(echo:*)",
+      "Bash(unset DATA_ROOT)",
+      "Bash(timeout 30 npm test:*)"
     ]
   }
 }

package/README.md

@@ -4,7 +4,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.37)
+### Implemented (v0.0.39)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -356,47 +356,25 @@ Git operations respect WAC permissions - clone requires Read access, push requir
 
 ### Git Push with Nostr Authentication
 
-Git push supports NIP-98 authentication via Basic Auth. Create a credential helper:
+Git push supports NIP-98 authentication via Basic Auth. Install the credential helper:
 
-```javascript
-// git-credential-nostr.js
-import { getPublicKey, finalizeEvent } from 'nostr-tools/pure';
-import { hexToBytes } from '@noble/hashes/utils';
-import fs from 'fs';
-import readline from 'readline';
-
-const sk = hexToBytes(fs.readFileSync('.nostr-key', 'utf8').trim());
-const rl = readline.createInterface({ input: process.stdin });
-const params = {};
-for await (const line of rl) {
-  if (!line) break;
-  const [key, ...vals] = line.split('=');
-  params[key] = vals.join('=');
-}
-
-if (params.protocol && params.host) {
-  let path = params.path || '/';
-  path = path.replace(/\/info\/refs$/, '').replace(/\/git-.*$/, '');
-  const baseUrl = `${params.protocol}://${params.host}${path}`;
-
-  const event = finalizeEvent({
-    kind: 27235,
-    created_at: Math.floor(Date.now() / 1000),
-    tags: [['u', baseUrl], ['method', '*']],
-    content: ''
-  }, sk);
-
-  console.log('username=nostr');
-  console.log('password=' + Buffer.from(JSON.stringify(event)).toString('base64'));
-}
+```bash
+npm install -g git-credential-nostr
+git config --global credential.helper nostr
 ```
 
-Configure git to use it:
+Generate or configure your Nostr key:
 
 ```bash
-git config credential.helper 'node /path/to/git-credential-nostr.js'
+# Generate a new keypair
+git-credential-nostr generate
+
+# Or use an existing private key
+git config --global nostr.privkey YOUR_64_CHAR_HEX_PRIVKEY
 ```
 
+See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
+
 Add the Nostr identity to your ACL:
 
 ```turtle
@@ -580,7 +558,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **182 tests** (including 27 conformance tests)
+Currently passing: **187 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 
@@ -628,7 +606,8 @@ src/
 ├── auth/
 │   ├── middleware.js     # Auth hook
 │   ├── token.js          # Simple token auth
-│   └── solid-oidc.js     # DPoP verification
+│   ├── solid-oidc.js     # DPoP verification
+│   └── nostr.js          # NIP-98 Nostr authentication
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/cth.env

@@ -5,11 +5,11 @@ SOLID_IDENTITY_PROVIDER=http://localhost:3456
 RESOURCE_SERVER_ROOT=http://localhost:3456
 TEST_CONTAINER=alice/public/
 
-USERS_ALICE_WEBID=http://localhost:3456/alice/#me
+USERS_ALICE_WEBID=http://localhost:3456/alice/profile/card#me
 USERS_ALICE_USERNAME=alice@test.local
 USERS_ALICE_PASSWORD=alicepassword123
 
-USERS_BOB_WEBID=http://localhost:3456/bob/#me
+USERS_BOB_WEBID=http://localhost:3456/bob/profile/card#me
 USERS_BOB_USERNAME=bob@test.local
 USERS_BOB_PASSWORD=bobpassword123
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.38",
+  "version": "0.0.39",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -13,9 +13,11 @@ import { getEffectiveUrlPath } from '../utils/url.js';
  * Check if request is authorized
  * @param {object} request - Fastify request
  * @param {object} reply - Fastify reply
+ * @param {object} options - Optional settings
+ * @param {string} options.requiredMode - Override the required access mode (e.g., 'Write' for git push)
  * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
  */
-export async function authorize(request, reply) {
+export async function authorize(request, reply, options = {}) {
   const urlPath = request.url.split('?')[0];
   const method = request.method;
 
@@ -44,8 +46,8 @@ export async function authorize(request, reply) {
   // Build resource URL (uses actual request hostname which may be subdomain)
   const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
-  // Get required access mode for this method
-  const requiredMode = getRequiredMode(method);
+  // Get required access mode - use override if provided, otherwise derive from method
+  const requiredMode = options.requiredMode || getRequiredMode(method);
 
   // For write operations on non-existent resources, check parent container
   let checkPath = storagePath;

package/src/handlers/resource.js

@@ -320,10 +320,19 @@ export async function handleGet(request, reply) {
   }
 
   // Serve content as-is (no conneg or non-RDF resource)
+  // For extensionless files (like profile/card), detect HTML by content
+  let actualContentType = storedContentType;
+  if (storedContentType === 'application/octet-stream') {
+    const contentStr = content.toString().trimStart();
+    if (contentStr.startsWith('<!DOCTYPE') || contentStr.startsWith('<html')) {
+      actualContentType = 'text/html';
+    }
+  }
+
   const headers = getAllHeaders({
     isContainer: false,
     etag: stats.etag,
-    contentType: storedContentType,
+    contentType: actualContentType,
     origin,
     resourceUrl,
     connegEnabled

package/src/server.js

@@ -9,6 +9,7 @@ import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
+import { AccessMode } from './wac/parser.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -135,7 +136,7 @@ export function createServer(options = {}) {
   // Security: Block access to dotfiles except allowed Solid-specific ones
   // This prevents exposure of .git/, .env, .htpasswd, etc.
   // Git protocol requests bypass this check when git is enabled
-  const ALLOWED_DOTFILES = ['.well-known', '.acl', '.meta'];
+  const ALLOWED_DOTFILES = ['.well-known', '.acl', '.meta', '.pods', '.notifications'];
   fastify.addHook('onRequest', async (request, reply) => {
     // Allow git protocol requests through when git is enabled
     if (gitEnabled && isGitRequest(request.url)) {
@@ -162,15 +163,22 @@ export function createServer(options = {}) {
         return;
       }
 
-      // Run WAC authorization - checkAccess already verifies the required mode
-      const { authorized, webId, wacAllow, authError } = await authorize(request, reply);
+      // Determine required mode: Write for push, Read for clone/fetch
+      const needsWrite = isGitWriteOperation(request.url);
+      const requiredMode = needsWrite ? AccessMode.WRITE : AccessMode.READ;
+
+      // Run WAC authorization with the correct mode for git operations
+      const { authorized, webId, wacAllow, authError } = await authorize(request, reply, { requiredMode });
       request.webId = webId;
       request.wacAllow = wacAllow;
 
       if (!authorized) {
-        const needsWrite = isGitWriteOperation(request.url);
         const message = needsWrite ? 'Write access required for push' : 'Read access required for clone';
         reply.header('WAC-Allow', wacAllow);
+        if (!webId) {
+          // No authentication - request Basic auth for git clients
+          reply.header('WWW-Authenticate', 'Basic realm="Solid"');
+        }
         return reply.code(webId ? 403 : 401).send({ error: message });
       }
 

package/src/storage/filesystem.js

@@ -1,10 +1,9 @@
 import fs from 'fs-extra';
 import path from 'path';
 import crypto from 'crypto';
-import { DATA_ROOT, urlToPath, isContainer } from '../utils/url.js';
+import { getDataRoot, urlToPath, isContainer } from '../utils/url.js';
 
-// Ensure data directory exists
-fs.ensureDirSync(DATA_ROOT);
+// Note: Data directory is ensured in server.js after DATA_ROOT is set
 
 /**
  * Check if resource exists

package/src/utils/url.js

@@ -1,7 +1,19 @@
 import path from 'path';
 
 // Base directory for storing all pods
-export const DATA_ROOT = process.env.DATA_ROOT || './data';
+// Use a getter function to read env var at runtime (not import time)
+// This is necessary because ES modules are loaded before the CLI sets the env var
+export function getDataRoot() {
+  return process.env.DATA_ROOT || './data';
+}
+
+// Legacy export - kept for compatibility, but callers should use getDataRoot()
+export let DATA_ROOT = './data';
+
+// Update DATA_ROOT when env var is set (called from storage init)
+export function updateDataRoot() {
+  DATA_ROOT = getDataRoot();
+}
 
 /**
  * Convert URL path to filesystem path
@@ -16,7 +28,7 @@ export function urlToPath(urlPath) {
   // Security: prevent path traversal
   normalized = normalized.replace(/\.\./g, '');
 
-  return path.join(DATA_ROOT, normalized);
+  return path.join(getDataRoot(), normalized);
 }
 
 /**
@@ -35,7 +47,7 @@ export function urlToPathWithPod(urlPath, podName) {
   normalized = normalized.replace(/\.\./g, '');
 
   // Prepend pod name to path
-  return path.join(DATA_ROOT, podName, normalized);
+  return path.join(getDataRoot(), podName, normalized);
 }
 
 /**

package/src/wac/checker.js

@@ -33,19 +33,20 @@ export async function checkAccess({
     return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
   }
 
-  const { authorizations, isDefault, targetUrl } = aclResult;
+  const { authorizations, isDefault, targetUrl: aclContainerUrl } = aclResult;
 
   // Check authorizations
+  // Note: For default ACLs, we check if the ACL's default rules apply to the actual resource URL
   const allowed = checkAuthorizations(
     authorizations,
-    targetUrl,
+    resourceUrl,  // Use actual resource URL, not the ACL container URL
     agentWebId,
     requiredMode,
     isDefault
   );
 
   // Calculate WAC-Allow header
-  const wacAllow = calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault);
+  const wacAllow = calculateWacAllow(authorizations, resourceUrl, agentWebId, isDefault);
 
   return { allowed, wacAllow };
 }
@@ -117,13 +118,17 @@ function getParentPath(path) {
  */
 function checkAuthorizations(authorizations, targetUrl, agentWebId, requiredMode, isDefault) {
   for (const auth of authorizations) {
-    // Check if this authorization applies to the resource
-    const appliesToResource = isDefault
-      ? auth.default.some(d => urlMatches(d, targetUrl))
-      : auth.accessTo.some(a => urlMatches(a, targetUrl));
-
-    if (!appliesToResource && !isDefault) continue;
-    if (isDefault && auth.default.length === 0) continue;
+    // For default ACLs, check if auth has default rules and matches target
+    // For direct ACLs, check if accessTo matches target
+    if (isDefault) {
+      // Skip if no default rules defined
+      if (auth.default.length === 0) continue;
+      // Skip if target URL doesn't match any default URL prefix
+      if (!auth.default.some(d => urlMatches(d, targetUrl, true))) continue;
+    } else {
+      // Skip if accessTo doesn't match target
+      if (!auth.accessTo.some(a => urlMatches(a, targetUrl))) continue;
+    }
 
     // Check if agent is authorized
     const agentAuthorized = isAgentAuthorized(auth, agentWebId);
@@ -172,10 +177,20 @@ function isAgentAuthorized(auth, agentWebId) {
 
 /**
  * Check if URLs match (handles trailing slashes)
+ * @param {string} pattern - The ACL URL pattern
+ * @param {string} url - The target URL to check
+ * @param {boolean} prefixMatch - If true, check if url starts with pattern (for acl:default)
  */
-function urlMatches(pattern, url) {
+function urlMatches(pattern, url, prefixMatch = false) {
   const normalizedPattern = pattern.replace(/\/$/, '');
   const normalizedUrl = url.replace(/\/$/, '');
+
+  if (prefixMatch) {
+    // For default ACLs: target must be same as or under the pattern
+    return normalizedUrl === normalizedPattern ||
+           normalizedUrl.startsWith(normalizedPattern + '/');
+  }
+
   return normalizedPattern === normalizedUrl;
 }
 
@@ -187,12 +202,13 @@ function calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault) {
   const publicModes = new Set();
 
   for (const auth of authorizations) {
-    // Check if applies to resource
-    const applies = isDefault
-      ? auth.default.length > 0
-      : auth.accessTo.some(a => urlMatches(a, targetUrl));
-
-    if (!applies && !isDefault) continue;
+    // Check if applies to resource - use same logic as checkAuthorizations
+    if (isDefault) {
+      if (auth.default.length === 0) continue;
+      if (!auth.default.some(d => urlMatches(d, targetUrl, true))) continue;
+    } else {
+      if (!auth.accessTo.some(a => urlMatches(a, targetUrl))) continue;
+    }
 
     // Check what modes this grants
     const modes = auth.modes.map(m => {

package/test/pod.test.js

@@ -36,7 +36,7 @@ describe('Pod Lifecycle', () => {
 
       const data = await res.json();
       assert.strictEqual(data.name, 'alice');
-      assert.ok(data.webId.endsWith('/alice/#me'));
+      assert.ok(data.webId.endsWith('/alice/profile/card#me'));
       assert.ok(data.podUri.endsWith('/alice/'));
     });
 
@@ -95,24 +95,24 @@ describe('Pod Lifecycle', () => {
       const priv = await request('/carol/private/', { auth: 'carol' });
       assertStatus(priv, 200);
 
-      // Check settings exists (needs auth)
-      const settings = await request('/carol/settings/', { auth: 'carol' });
+      // Check Settings exists (needs auth)
+      const settings = await request('/carol/Settings/', { auth: 'carol' });
       assertStatus(settings, 200);
     });
 
     it('should create settings files', async () => {
       await createTestPod('dan');
 
-      // Check prefs (needs auth - settings is private)
-      const prefs = await request('/dan/settings/prefs', { auth: 'dan' });
+      // Check Preferences.ttl (needs auth - Settings is private)
+      const prefs = await request('/dan/Settings/Preferences.ttl', { auth: 'dan' });
       assertStatus(prefs, 200);
 
       // Check public type index (needs auth)
-      const pubIndex = await request('/dan/settings/publicTypeIndex', { auth: 'dan' });
+      const pubIndex = await request('/dan/Settings/publicTypeIndex.ttl', { auth: 'dan' });
       assertStatus(pubIndex, 200);
 
       // Check private type index (needs auth)
-      const privIndex = await request('/dan/settings/privateTypeIndex', { auth: 'dan' });
+      const privIndex = await request('/dan/Settings/privateTypeIndex.ttl', { auth: 'dan' });
       assertStatus(privIndex, 200);
     });
   });

package/test/webid.test.js

@@ -30,119 +30,87 @@ describe('WebID Profile', () => {
   });
 
   describe('Profile Document', () => {
-    it('should serve profile as HTML at pod root', async () => {
-      const res = await request('/webidtest/');
+    // Profile is at /pod/profile/card following Solid convention
+    const profilePath = '/webidtest/profile/card';
+
+    it('should serve profile as HTML', async () => {
+      const res = await request(profilePath);
 
       assertStatus(res, 200);
       assertHeaderContains(res, 'Content-Type', 'text/html');
     });
 
     it('should contain JSON-LD structured data', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
 
       const jsonLd = extractJsonLdFromHtml(html);
       assert.ok(jsonLd['@context'], 'Should have @context');
-      assert.ok(jsonLd['@graph'], 'Should have @graph');
+      // Profile uses flat structure, not @graph
+      assert.ok(jsonLd['@id'], 'Should have @id');
     });
 
     it('should have correct WebID URI', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      // Find the Person in the graph
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person, 'Should have a foaf:Person');
-      assert.ok(person['@id'].endsWith('/webidtest/#me'), 'WebID should end with /#me');
+      // Profile is a flat structure with the person as the main entity
+      assert.ok(jsonLd['@id'].endsWith('/webidtest/profile/card#me'), 'WebID should end with /profile/card#me');
     });
 
     it('should have foaf:name', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.strictEqual(person['foaf:name'], 'webidtest');
+      assert.strictEqual(jsonLd['foaf:name'], 'webidtest');
     });
 
     it('should have solid:oidcIssuer', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person['oidcIssuer'], 'Should have oidcIssuer');
+      assert.ok(jsonLd['oidcIssuer'], 'Should have oidcIssuer');
     });
 
     it('should have pim:storage pointing to pod', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person['storage'].endsWith('/webidtest/'), 'Storage should point to pod');
+      assert.ok(jsonLd['storage'].endsWith('/webidtest/'), 'Storage should point to pod');
     });
 
     it('should have ldp:inbox', async () => {
-      const res = await request('/webidtest/');
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const person = jsonLd['@graph'].find(node =>
-        Array.isArray(node['@type'])
-          ? node['@type'].includes('foaf:Person')
-          : node['@type'] === 'foaf:Person'
-      );
-
-      assert.ok(person['inbox'].endsWith('/webidtest/inbox/'), 'Should have inbox');
+      assert.ok(jsonLd['inbox'].endsWith('/webidtest/inbox/'), 'Should have inbox');
     });
 
-    it('should have PersonalProfileDocument', async () => {
-      const res = await request('/webidtest/');
+    it('should have mainEntityOfPage', async () => {
+      const res = await request(profilePath);
       const html = await res.text();
       const jsonLd = extractJsonLdFromHtml(html);
 
-      const doc = jsonLd['@graph'].find(node =>
-        node['@type'] === 'foaf:PersonalProfileDocument'
-      );
-
-      assert.ok(doc, 'Should have PersonalProfileDocument');
-      assert.ok(doc['foaf:maker'], 'Should have foaf:maker');
-      assert.ok(doc['foaf:primaryTopic'], 'Should have foaf:primaryTopic');
+      // Check for mainEntityOfPage which links to the profile document
+      assert.ok(jsonLd['mainEntityOfPage'], 'Should have mainEntityOfPage');
     });
   });
 
   describe('WebID Resolution', () => {
     it('should return LDP headers', async () => {
-      const res = await request('/webidtest/');
+      const res = await request('/webidtest/profile/card');
 
       assertHeaderContains(res, 'Link', 'ldp#Resource');
       assertHeader(res, 'WAC-Allow');
     });
 
     it('should return CORS headers', async () => {
-      const res = await request('/webidtest/', {
+      const res = await request('/webidtest/profile/card', {
         headers: { 'Origin': 'https://example.com' }
       });
 

package/test-git-nostr-auth.js

@@ -0,0 +1,285 @@
+#!/usr/bin/env node
+/**
+ * Test git push/pull with Nostr NIP-98 authentication
+ *
+ * Usage: node test-git-nostr-auth.js
+ *
+ * Prerequisites:
+ * - JSS server running on localhost:4000 with --git flag
+ * - git-credential-nostr installed globally
+ * - git config --global credential.helper nostr
+ *
+ * This script:
+ * 1. Creates a test git repo on the server
+ * 2. Sets up ACL with authorized Nostr DID
+ * 3. Tests clone (public read)
+ * 4. Tests push with authorized key (should succeed)
+ * 5. Tests push with unauthorized key (should fail with 403)
+ * 6. Cleans up
+ */
+
+import { generateSecretKey, getPublicKey } from 'nostr-tools/pure';
+import { bytesToHex } from '@noble/hashes/utils';
+import { execSync, spawn } from 'child_process';
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+
+const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
+const DATA_ROOT = process.env.DATA_ROOT || '/home/melvin/jss/data';
+const TEST_POD = 'test-git-nostr';
+const TEST_REPO = 'test-repo';
+
+// Generate keypairs for testing
+const authorizedSk = generateSecretKey();
+const authorizedPk = getPublicKey(authorizedSk);
+const authorizedPrivHex = bytesToHex(authorizedSk);
+
+const unauthorizedSk = generateSecretKey();
+const unauthorizedPk = getPublicKey(unauthorizedSk);
+const unauthorizedPrivHex = bytesToHex(unauthorizedSk);
+
+let tempDir;
+let passed = 0;
+let failed = 0;
+
+function log(msg) {
+  console.log(`  ${msg}`);
+}
+
+function pass(test) {
+  console.log(`✓ ${test}`);
+  passed++;
+}
+
+function fail(test, error) {
+  console.log(`✗ ${test}`);
+  console.log(`  Error: ${error}`);
+  failed++;
+}
+
+function exec(cmd, options = {}) {
+  try {
+    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], ...options });
+  } catch (e) {
+    if (options.allowFail) {
+      return { error: true, stderr: e.stderr, stdout: e.stdout, status: e.status };
+    }
+    throw e;
+  }
+}
+
+async function setup() {
+  console.log('\n=== Setup ===\n');
+
+  // Create temp directory for client repos
+  tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'git-nostr-test-'));
+  log(`Temp directory: ${tempDir}`);
+
+  // Create test pod directory
+  const podPath = path.join(DATA_ROOT, TEST_POD);
+  fs.ensureDirSync(podPath);
+  log(`Created pod: ${podPath}`);
+
+  // Create bare git repo
+  const repoPath = path.join(podPath, TEST_REPO);
+  fs.ensureDirSync(repoPath);
+  exec(`git init --bare`, { cwd: repoPath });
+  exec(`git config --local receive.denyCurrentBranch ignore`, { cwd: repoPath });
+  exec(`git config --local http.receivepack true`, { cwd: repoPath });
+  exec(`git symbolic-ref HEAD refs/heads/main`, { cwd: repoPath });
+  log(`Created bare repo: ${repoPath}`);
+
+  // Create ACL with authorized Nostr DID
+  const acl = {
+    "@context": {
+      "acl": "http://www.w3.org/ns/auth/acl#",
+      "foaf": "http://xmlns.com/foaf/0.1/"
+    },
+    "@graph": [
+      {
+        "@id": "#nostr",
+        "@type": "acl:Authorization",
+        "acl:agent": { "@id": `did:nostr:${authorizedPk}` },
+        "acl:accessTo": { "@id": `${BASE_URL}/${TEST_POD}/` },
+        "acl:mode": [
+          { "@id": "acl:Read" },
+          { "@id": "acl:Write" }
+        ],
+        "acl:default": { "@id": `${BASE_URL}/${TEST_POD}/` }
+      },
+      {
+        "@id": "#public",
+        "@type": "acl:Authorization",
+        "acl:agentClass": { "@id": "foaf:Agent" },
+        "acl:accessTo": { "@id": `${BASE_URL}/${TEST_POD}/` },
+        "acl:mode": [{ "@id": "acl:Read" }],
+        "acl:default": { "@id": `${BASE_URL}/${TEST_POD}/` }
+      }
+    ]
+  };
+
+  fs.writeJsonSync(path.join(podPath, '.acl'), acl, { spaces: 2 });
+  log(`Created ACL with authorized DID: did:nostr:${authorizedPk.slice(0, 16)}...`);
+
+  // Create initial commit in a temp client repo
+  const initRepo = path.join(tempDir, 'init');
+  fs.ensureDirSync(initRepo);
+  exec('git init', { cwd: initRepo });
+  exec('git config user.email "test@example.com"', { cwd: initRepo });
+  exec('git config user.name "Test User"', { cwd: initRepo });
+  fs.writeFileSync(path.join(initRepo, 'README.md'), '# Test Repo\n');
+  exec('git add .', { cwd: initRepo });
+  exec('git commit -m "Initial commit"', { cwd: initRepo });
+  exec('git branch -m main', { cwd: initRepo });
+  exec(`git remote add origin ${BASE_URL}/${TEST_POD}/${TEST_REPO}/`, { cwd: initRepo });
+
+  // Configure authorized key for initial push
+  exec(`git config nostr.privkey ${authorizedPrivHex}`, { cwd: initRepo });
+
+  log('Created initial commit');
+}
+
+async function testClone() {
+  console.log('\n=== Test: Clone (public read) ===\n');
+
+  const cloneDir = path.join(tempDir, 'clone-test');
+  try {
+    exec(`git clone ${BASE_URL}/${TEST_POD}/${TEST_REPO}/ ${cloneDir}`);
+    if (fs.existsSync(path.join(cloneDir, '.git'))) {
+      pass('Clone succeeded (public read works)');
+    } else {
+      fail('Clone', 'No .git directory created');
+    }
+  } catch (e) {
+    // Clone might fail if repo is empty, that's ok
+    if (e.message.includes('empty repository')) {
+      pass('Clone of empty repo handled correctly');
+    } else {
+      fail('Clone', e.message);
+    }
+  }
+}
+
+async function testPushAuthorized() {
+  console.log('\n=== Test: Push with authorized key ===\n');
+
+  const initRepo = path.join(tempDir, 'init');
+  try {
+    // Push should work with authorized key
+    exec('git push -u origin main', { cwd: initRepo });
+    pass('Push with authorized key succeeded');
+  } catch (e) {
+    fail('Push with authorized key', e.stderr || e.message);
+  }
+}
+
+async function testPushUnauthorized() {
+  console.log('\n=== Test: Push with unauthorized key ===\n');
+
+  const cloneDir = path.join(tempDir, 'unauthorized-test');
+
+  try {
+    // Clone first (should work - public read)
+    exec(`git clone ${BASE_URL}/${TEST_POD}/${TEST_REPO}/ ${cloneDir}`);
+    exec('git config user.email "test@example.com"', { cwd: cloneDir });
+    exec('git config user.name "Test User"', { cwd: cloneDir });
+
+    // Configure unauthorized key
+    exec(`git config nostr.privkey ${unauthorizedPrivHex}`, { cwd: cloneDir });
+
+    // Make a change
+    fs.appendFileSync(path.join(cloneDir, 'README.md'), '\nUnauthorized change\n');
+    exec('git add .', { cwd: cloneDir });
+    exec('git commit -m "Unauthorized change"', { cwd: cloneDir });
+
+    // Push should fail with 403
+    const result = exec('git push 2>&1', { cwd: cloneDir, allowFail: true });
+
+    if (result.error && (result.stderr?.includes('403') || result.stdout?.includes('403'))) {
+      pass('Push with unauthorized key correctly rejected (403)');
+    } else if (result.error) {
+      // Check if it failed for the right reason
+      if (result.stderr?.includes('Authentication failed') || result.stderr?.includes('403')) {
+        pass('Push with unauthorized key correctly rejected');
+      } else {
+        fail('Push with unauthorized key', `Unexpected error: ${result.stderr}`);
+      }
+    } else {
+      fail('Push with unauthorized key', 'Push should have failed but succeeded');
+    }
+  } catch (e) {
+    if (e.stderr?.includes('403') || e.message?.includes('403')) {
+      pass('Push with unauthorized key correctly rejected (403)');
+    } else {
+      fail('Push with unauthorized key', e.stderr || e.message);
+    }
+  }
+}
+
+async function testPullAfterPush() {
+  console.log('\n=== Test: Pull after push ===\n');
+
+  const pullDir = path.join(tempDir, 'pull-test');
+
+  try {
+    exec(`git clone ${BASE_URL}/${TEST_POD}/${TEST_REPO}/ ${pullDir}`);
+    const readme = fs.readFileSync(path.join(pullDir, 'README.md'), 'utf8');
+
+    if (readme.includes('Test Repo')) {
+      pass('Pull retrieved pushed content');
+    } else {
+      fail('Pull after push', 'Content mismatch');
+    }
+  } catch (e) {
+    fail('Pull after push', e.stderr || e.message);
+  }
+}
+
+async function cleanup() {
+  console.log('\n=== Cleanup ===\n');
+
+  // Remove temp directory
+  if (tempDir) {
+    fs.removeSync(tempDir);
+    log(`Removed temp directory: ${tempDir}`);
+  }
+
+  // Remove test pod
+  const podPath = path.join(DATA_ROOT, TEST_POD);
+  if (fs.existsSync(podPath)) {
+    fs.removeSync(podPath);
+    log(`Removed test pod: ${podPath}`);
+  }
+}
+
+async function main() {
+  console.log('╔════════════════════════════════════════════════════╗');
+  console.log('║   Git Push/Pull with Nostr Authentication Test    ║');
+  console.log('╚════════════════════════════════════════════════════╝');
+
+  console.log(`\nServer: ${BASE_URL}`);
+  console.log(`Data root: ${DATA_ROOT}`);
+  console.log(`Authorized pubkey: ${authorizedPk.slice(0, 16)}...`);
+  console.log(`Unauthorized pubkey: ${unauthorizedPk.slice(0, 16)}...`);
+
+  try {
+    await setup();
+    await testPushAuthorized();
+    await testClone();
+    await testPullAfterPush();
+    await testPushUnauthorized();
+  } catch (e) {
+    console.error('\nFatal error:', e.message);
+  } finally {
+    await cleanup();
+  }
+
+  console.log('\n╔════════════════════════════════════════════════════╗');
+  console.log(`║   Results: ${passed} passed, ${failed} failed${' '.repeat(27 - String(passed).length - String(failed).length)}║`);
+  console.log('╚════════════════════════════════════════════════════╝\n');
+
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+main().catch(console.error);

package/data/.idp/keys/jwks.json

@@ -1,37 +0,0 @@
-{
-  "jwks": {
-    "keys": [
-      {
-        "kty": "RSA",
-        "n": "zVVbuPqzcpJI4er_VpHQQd8UgRDI-PcLlwUGRG3DGqMvAWzB4UX2m5e5Uhc2vnzBC2U_1bZ5u3ovhZZhXqqj0ItBTOWjhjOZz4YpaPiwM68sqp_JUNNZPSLljhXnEhEv8q57Wcl0N8orJeuSmfjh7shsLKN-3nbWjCbQr4oAUneQ_2HNvazUTgRLKYCniS0SaI_ogTwuIJlNdFIc3FAHs4yNoSaXZDkdGWhGn49wYdB58nkjJ2ja8wc-rwNtcKEG7HZWNhoVCredav9jswWgAGodJofAxP_PCjguqn6-TzvGodXM3p0Rj1qaf27Ok39GbtOEwX4upwFKj-yJaZETQQ",
-        "e": "AQAB",
-        "d": "BAgqbUkP876bW4NMqP-jPB3kJk4k8h2QvtIIj9iraXcdlcyzyGeCKoc5ynq99pLWzBFchebnwEaLjxcXOZ-GaLKJUVgbhEe4XBa1crQaaqNkkEOjtXh28sBAC3CS6VwIyd5C-g3-gBdyTjPwXKFiV1jcZep-c-IXv6gF9kJyk-vv3aT6VabcqRBOk4PeNxL_VJt65x5JQBqyV06fv7OBrt15ez0dZL-fYMPhMhBZom0YGCkMVAC4VHAOmoVuHk3hQQCQv5x9-hq27qfgHAlkSKxTEDp2aJi4nIfzqEnFHrBqB9BwR0JEyV3ankVPzBcfEGffi5XY3kWK3EDE3oX9SQ",
-        "p": "6ZGd_spW6xSiTNwlU-to7Qr06dr1hXzWLyFbJM9_APFxE761WJtAsN50oNg-rKRQk2JdlC0N04OFYWBED-pvJ0AIEVnKJfWsxEQaBkRueZefUcf-0L1M2Q7-LQdqz9qTR3hSZ42lJhPKMdLRI2WrxTz1v1p0w0yl3bwcbBRLtTk",
-        "q": "4Q2QFyMKQUQhr4-JlQbI3VtBhfP-65oZg-13hG5Xc9kT0qo_-79YCK_4wMUX4WaSH6fG6lobTgZento3d6MXCAFpEl8WM4uRRNlzTLCC2FDZXms8i6hJHN89QFPLEPQd5bDXsw8pmA3ANIeHcwzR243VuWAYeQfeOJ-qymUjlkk",
-        "dp": "AUldDm885VSaxEOeLQUp8cxSpwseuRqD74SGhQBjmbS6w7oUM6W_SHohOFWYmsjY7Mbo7w0Ee3rI_E1UcqX-8L9oi_frpiPhTL93STuNRDwyk3e_jpTMXJG5krPswbJZh1ZBVfKwyzHmtjmMD17bAF4imGg-JmlArKUBnxLJi_k",
-        "dq": "A6Z7qtRnqy1WuolCewdUJLsBMhIGFX43YbttT9mWU4u21ZjrVsMAw4tPJplLzN0kC51mDZEOllJmIH97nNYpXnjfYmvmaUmfPpWkWB8Y0Ddnfy-QGNfO78fzL2LsjUbYYUxgA0iArTWz42Y7XTNdCAmh6NLVMslc4mA8nfHMBPk",
-        "qi": "Wikwy4ljfyLLHDO1Fpm2hn-_G7rWbwOP0ANJzY62cIEorbyyr4zAaaPflGMrDJHadlLdww_x2L1g2lNePN7mY97kFJVL0ceuwUmxDr434LqyRZWTrTP5qP6vrkjGjMImBuJEftXdOyJElcqHgtpvltydZRjlvhugnxcOKRble3Y",
-        "kid": "509868cc-c850-4708-9331-8e38273df4db",
-        "use": "sig",
-        "alg": "RS256",
-        "iat": 1767263929
-      },
-      {
-        "kty": "EC",
-        "x": "KSGjhPP_QyoqHu8v891hEk_TsF5yuQUN0hFBY_qq26o",
-        "y": "aTYYEwxOR0tM82FtJoCVJ7u8xtf3y0exoWVJzJAZQ24",
-        "crv": "P-256",
-        "d": "Mkm_Oh4_emAzg2MbxoMuHcJZo3E-O_-YlK8mlSHWU8M",
-        "kid": "92009452-c551-4389-97fd-314ddd59b7d4",
-        "use": "sig",
-        "alg": "ES256",
-        "iat": 1767263929
-      }
-    ]
-  },
-  "cookieKeys": [
-    "IiO299-8bui4UVILu0azGvlCnNTckSGMPMPQSG2HqHw",
-    "NbeOVkfw-xN9T4J0_1uzAmDp6tYOwFW-yTJLSd7nqDU"
-  ],
-  "createdAt": "2026-01-01T10:38:49.528Z"
-}