javascript-solid-server 0.0.77 → 0.0.79

package/README.md

@@ -6,8 +6,9 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.77)
+### Implemented (v0.0.79)
 
+- **Schnorr SSO** - Passwordless login via BIP-340 Schnorr signatures using NIP-07 browser extensions (Podkey, nos2x, Alby)
 - **Passkey Authentication** - WebAuthn/FIDO2 passwordless login with Touch ID, Face ID, or security keys
 - **HTTP Range Requests** - Partial content delivery for large files and media streaming
 - **Single-User Mode** - Simplified setup for personal pod servers
@@ -180,6 +181,31 @@ Then: `jss start --config config.json`
 
 ### Creating a Pod
 
+### Single-User Mode
+
+For personal pod servers where only one user needs access:
+
+```bash
+# Basic single-user mode (creates pod at /me/)
+jss start --single-user --idp
+
+# Custom username
+jss start --single-user --single-user-name alice --idp
+
+# Root-level pod (pod at /, WebID at /profile/card#me)
+jss start --single-user --single-user-name '' --idp
+
+# Via environment
+JSS_SINGLE_USER=true jss start --idp
+```
+
+**Features:**
+- Pod auto-created on first startup with full structure (inbox, public, private, profile, Settings)
+- Registration endpoint disabled (returns 403)
+- Login still works for the single user
+- Proper ACLs generated automatically
+
+
 ```bash
 curl -X POST http://localhost:3000/.pods \
   -H "Content-Type: application/json" \
@@ -693,6 +719,29 @@ jss start --idp
 
 Passkeys are stored per-account and work across devices via platform sync (iCloud Keychain, Google Password Manager, etc.).
 
+### Schnorr SSO (v0.0.79+)
+
+Sign in with your Nostr key using NIP-07 browser extensions:
+
+```bash
+jss start --idp
+```
+
+**How it works:**
+1. User clicks "Sign in with Schnorr" on the login page
+2. NIP-07 extension (Podkey, nos2x, Alby) signs a NIP-98 auth event
+3. Server verifies BIP-340 Schnorr signature
+4. User authenticated via linked did:nostr identity
+
+**Requirements:**
+- Account must have a `did:nostr:<pubkey>` WebID linked
+- User needs a NIP-07 compatible browser extension
+
+**Benefits:**
+- No passwords - cryptographic authentication
+- Works with existing Nostr identity
+- Single sign-on across Solid and Nostr ecosystems
+
 ### Solid-OIDC (External IdP)
 
 The server also accepts DPoP-bound access tokens from external Solid identity providers:

package/bin/jss.js

@@ -72,6 +72,8 @@ program
   .option('--ap-nostr-pubkey <hex>', 'Nostr pubkey for identity linking')
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
+  .option('--single-user', 'Single-user mode (creates pod on startup, disables registration)')
+  .option('--single-user-name <name>', 'Username for single-user mode (default: me)')
   .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
   .option('--no-webid-tls', 'Disable WebID-TLS authentication')
   .option('-q, --quiet', 'Suppress log output')
@@ -127,6 +129,8 @@ program
         apNostrPubkey: config.apNostrPubkey,
         inviteOnly: config.inviteOnly,
         webidTls: config.webidTls,
+        singleUser: config.singleUser,
+        singleUserName: config.singleUserName,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -149,7 +153,8 @@ program
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);
-        if (config.inviteOnly) console.log('  Registration: invite-only');
+        if (config.singleUser) console.log(`  Single-user: ${config.singleUserName || 'me'} (registration disabled)`);
+        else if (config.inviteOnly) console.log('  Registration: invite-only');
         if (config.webidTls) console.log('  WebID-TLS: enabled (client certificate auth)');
         console.log('\n  Press Ctrl+C to stop\n');
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.77",
+  "version": "0.0.79",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -63,6 +63,10 @@ export const defaults = {
   // Invite-only registration
   inviteOnly: false,
 
+  // Single-user mode (personal pod server)
+  singleUser: false,
+  singleUserName: 'me',
+
   // WebID-TLS client certificate authentication
   webidTls: false,
 
@@ -109,6 +113,8 @@ const envMap = {
   JSS_AP_SUMMARY: 'apSummary',
   JSS_AP_NOSTR_PUBKEY: 'apNostrPubkey',
   JSS_INVITE_ONLY: 'inviteOnly',
+  JSS_SINGLE_USER: 'singleUser',
+  JSS_SINGLE_USER_NAME: 'singleUserName',
   JSS_WEBID_TLS: 'webidTls',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
 };

package/src/idp/index.js

@@ -15,6 +15,8 @@ import {
   handleRegisterPost,
   handlePasskeyComplete,
   handlePasskeySkip,
+  handleSchnorrLogin,
+  handleSchnorrComplete,
 } from './interactions.js';
 import {
   handleCredentials,
@@ -30,7 +32,7 @@ import { addTrustedIssuer } from '../auth/solid-oidc.js';
  * @param {string} options.issuer - The issuer URL
  */
 export async function idpPlugin(fastify, options) {
-  const { issuer, inviteOnly = false } = options;
+  const { issuer, inviteOnly = false, singleUser = false } = options;
 
   if (!issuer) {
     throw new Error('IdP requires issuer URL');
@@ -275,23 +277,41 @@ export async function idpPlugin(fastify, options) {
     return handleAbort(request, reply, provider);
   });
 
-  // Registration routes
-  fastify.get('/idp/register', async (request, reply) => {
-    return handleRegisterGet(request, reply, inviteOnly);
-  });
+  // Registration routes (disabled in single-user mode)
+  if (singleUser) {
+    // Single-user mode: registration disabled
+    fastify.get('/idp/register', async (request, reply) => {
+      return reply.code(403).type('text/html').send(`
+        <!DOCTYPE html>
+        <html><head><title>Registration Disabled</title></head>
+        <body style="font-family: system-ui; padding: 2rem; text-align: center;">
+          <h1>Registration Disabled</h1>
+          <p>This server is running in single-user mode. Registration is not available.</p>
+          <p><a href="/idp/login">Login</a></p>
+        </body></html>
+      `);
+    });
+    fastify.post('/idp/register', async (request, reply) => {
+      return reply.code(403).send({ error: 'Registration disabled in single-user mode' });
+    });
+  } else {
+    fastify.get('/idp/register', async (request, reply) => {
+      return handleRegisterGet(request, reply, inviteOnly);
+    });
 
-  // Registration - rate limited to prevent spam accounts
-  fastify.post('/idp/register', {
-    config: {
-      rateLimit: {
-        max: 5,
-        timeWindow: '1 hour',
-        keyGenerator: (request) => request.ip
+    // Registration - rate limited to prevent spam accounts
+    fastify.post('/idp/register', {
+      config: {
+        rateLimit: {
+          max: 5,
+          timeWindow: '1 hour',
+          keyGenerator: (request) => request.ip
+        }
       }
-    }
-  }, async (request, reply) => {
-    return handleRegisterPost(request, reply, issuer, inviteOnly);
-  });
+    }, async (request, reply) => {
+      return handleRegisterPost(request, reply, issuer, inviteOnly);
+    });
+  }
 
   // Passkey routes
   // Registration options - rate limited to prevent DoS
@@ -355,7 +375,24 @@ export async function idpPlugin(fastify, options) {
     return handlePasskeySkip(request, reply, provider);
   });
 
-  fastify.log.info(`IdP initialized with issuer: ${issuer}`);
+  // Schnorr (NIP-98) interaction handlers
+  fastify.post('/idp/interaction/:uid/schnorr-login', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute'
+      }
+    }
+  }, async (request, reply) => {
+    return handleSchnorrLogin(request, reply, provider);
+  });
+
+  fastify.get('/idp/interaction/:uid/schnorr-complete', async (request, reply) => {
+    return handleSchnorrComplete(request, reply, provider);
+  });
+
+  const modeInfo = singleUser ? ' (single-user mode, registration disabled)' : inviteOnly ? ' (invite-only)' : '';
+  fastify.log.info(`IdP initialized with issuer: ${issuer}${modeInfo}`);
 }
 
 export default idpPlugin;

package/src/idp/interactions.js

@@ -3,11 +3,12 @@
  * Handles the user-facing parts of the authentication flow
  */
 
-import { authenticate, findById, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
+import { authenticate, findById, findByWebId, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
 import { loginPage, consentPage, errorPage, registerPage, passkeyPromptPage } from './views.js';
 import * as storage from '../storage/filesystem.js';
 import { createPodStructure } from '../handlers/container.js';
 import { validateInvite } from './invites.js';
+import { verifyNostrAuth } from '../auth/nostr.js';
 
 // Security: Maximum body size for IdP form submissions (1MB)
 const MAX_BODY_SIZE = 1024 * 1024;
@@ -542,3 +543,120 @@ export async function handlePasskeySkip(request, reply, provider) {
     return reply.code(500).type('text/html').send(errorPage('Error', err.message));
   }
 }
+
+/**
+ * Handle POST /idp/interaction/:uid/schnorr-login
+ * Authenticates user via Schnorr signature (NIP-98)
+ */
+export async function handleSchnorrLogin(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('application/json').send({
+        success: false,
+        error: 'Session expired. Please try again.'
+      });
+    }
+
+    // Verify the Schnorr signature
+    const authResult = await verifyNostrAuth(request);
+
+    if (authResult.error) {
+      request.log.warn({ error: authResult.error }, 'Schnorr auth failed');
+      return reply.code(401).type('application/json').send({
+        success: false,
+        error: authResult.error
+      });
+    }
+
+    // authResult.webId is either a resolved WebID or did:nostr:pubkey
+    const identity = authResult.webId;
+    request.log.info({ identity, uid }, 'Schnorr auth verified');
+
+    // Try to find an existing account linked to this identity
+    let account = await findByWebId(identity);
+
+    if (!account) {
+      // No account linked to this did:nostr
+      // For now, return error - user needs to link their did:nostr to an account
+      // Future: could auto-create account or prompt for linking
+      return reply.code(403).type('application/json').send({
+        success: false,
+        error: 'No account linked to this identity. Please register or link your Schnorr key to an existing account.'
+      });
+    }
+
+    // Update last login
+    await updateLastLogin(account.id);
+
+    // Complete the OIDC interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    // Save the login result
+    interaction.result = result;
+    await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+
+    request.log.info({ accountId: account.id, identity, uid }, 'Schnorr login successful');
+
+    // Return success with redirect URL
+    // The client will follow this redirect
+    const redirectUrl = `/idp/interaction/${uid}/schnorr-complete?accountId=${encodeURIComponent(account.id)}`;
+
+    return reply.type('application/json').send({
+      success: true,
+      redirectUrl
+    });
+  } catch (err) {
+    request.log.error(err, 'Schnorr login error');
+    return reply.code(500).type('application/json').send({
+      success: false,
+      error: err.message
+    });
+  }
+}
+
+/**
+ * Handle GET /idp/interaction/:uid/schnorr-complete
+ * Completes OIDC interaction after Schnorr login
+ */
+export async function handleSchnorrComplete(request, reply, provider) {
+  const { uid } = request.params;
+  const { accountId } = request.query;
+
+  if (!accountId) {
+    return reply.code(400).type('text/html').send(errorPage('Missing account', 'Account ID is required.'));
+  }
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate accountId matches the interaction result
+    if (interaction.result?.login?.accountId !== accountId) {
+      request.log.warn({ expected: interaction.result?.login?.accountId, provided: accountId }, 'AccountId mismatch in schnorr complete');
+      return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
+    }
+
+    const account = await findById(accountId);
+    if (!account) {
+      return reply.code(404).type('text/html').send(errorPage('Account not found', 'The account could not be found.'));
+    }
+
+    request.log.info({ accountId: account.id, uid }, 'Schnorr login completed');
+
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, interaction.result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Schnorr complete error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}

package/src/idp/views.js

@@ -121,6 +121,23 @@ const styles = `
     width: 20px;
     height: 20px;
   }
+  .btn-schnorr {
+    background: #7b1fa2;
+    color: white;
+    width: 100%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    gap: 8px;
+    margin-top: 12px;
+  }
+  .btn-schnorr:hover {
+    background: #6a1b9a;
+  }
+  .btn-schnorr svg {
+    width: 20px;
+    height: 20px;
+  }
   .divider {
     display: flex;
     align-items: center;
@@ -187,6 +204,12 @@ const passkeyIcon = `
 </svg>
 `;
 
+const schnorrIcon = `
+<svg viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+  <path d="M18 8h-1V6c0-2.76-2.24-5-5-5S7 3.24 7 6v2H6c-1.1 0-2 .9-2 2v10c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V10c0-1.1-.9-2-2-2zm-6 9c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2zm3.1-9H8.9V6c0-1.71 1.39-3.1 3.1-3.1 1.71 0 3.1 1.39 3.1 3.1v2z"/>
+</svg>
+`;
+
 const scopeDescriptions = {
   openid: 'Access your identity',
   webid: 'Access your WebID',
@@ -213,7 +236,7 @@ function escapeJs(text) {
 /**
  * Login page HTML
  */
-export function loginPage(uid, clientId, error = null, passkeyEnabled = true) {
+export function loginPage(uid, clientId, error = null, passkeyEnabled = true, schnorrEnabled = true) {
   const appName = clientId || 'An application';
   const safeUid = escapeJs(uid);
 
@@ -222,7 +245,18 @@ export function loginPage(uid, clientId, error = null, passkeyEnabled = true) {
       ${passkeyIcon}
       Sign in with Passkey
     </button>
+  ` : '';
 
+  const schnorrSection = schnorrEnabled ? `
+    <button type="button" class="btn btn-schnorr" onclick="loginWithSchnorr()" id="schnorrBtn">
+      ${schnorrIcon}
+      Sign in with Schnorr
+    </button>
+  ` : '';
+
+  const ssoSection = (passkeyEnabled || schnorrEnabled) ? `
+    ${passkeySection}
+    ${schnorrSection}
     <div class="divider"><span>or</span></div>
   ` : '';
 
@@ -315,6 +349,73 @@ export function loginPage(uid, clientId, error = null, passkeyEnabled = true) {
   </script>
   ` : '';
 
+  const schnorrScript = schnorrEnabled ? `
+  <script>
+    async function loginWithSchnorr() {
+      const btn = document.getElementById('schnorrBtn');
+
+      // Check for NIP-07 extension (window.nostr)
+      if (typeof window.nostr === 'undefined') {
+        alert('No Schnorr signer found. Please install a NIP-07 compatible extension like Podkey, nos2x, or Alby.');
+        return;
+      }
+
+      btn.disabled = true;
+      btn.textContent = 'Signing...';
+
+      try {
+        // Get the current URL for the auth event
+        const authUrl = window.location.origin + '/idp/interaction/${safeUid}/schnorr-login';
+
+        // Create NIP-98 event (kind 27235)
+        const event = {
+          kind: 27235,
+          created_at: Math.floor(Date.now() / 1000),
+          tags: [
+            ['u', authUrl],
+            ['method', 'POST']
+          ],
+          content: ''
+        };
+
+        // Sign with NIP-07 extension
+        const signedEvent = await window.nostr.signEvent(event);
+
+        // Send to server
+        const response = await fetch(authUrl, {
+          method: 'POST',
+          headers: {
+            'Authorization': 'Nostr ' + btoa(JSON.stringify(signedEvent))
+          }
+        });
+
+        const result = await response.json();
+
+        if (result.success && result.redirectUrl) {
+          window.location.href = result.redirectUrl;
+        } else if (result.error) {
+          alert('Schnorr login failed: ' + result.error);
+          btn.disabled = false;
+          btn.textContent = 'Sign in with Schnorr';
+        } else {
+          alert('Schnorr login failed: Unknown error');
+          btn.disabled = false;
+          btn.textContent = 'Sign in with Schnorr';
+        }
+      } catch (err) {
+        console.error('Schnorr login error:', err);
+        if (err.message && err.message.includes('User rejected')) {
+          // User cancelled signing - do nothing
+        } else {
+          alert('Schnorr login failed: ' + err.message);
+        }
+        btn.disabled = false;
+        btn.textContent = 'Sign in with Schnorr';
+      }
+    }
+  </script>
+  ` : '';
+
   return `
 <!DOCTYPE html>
 <html lang="en">
@@ -337,7 +438,7 @@ export function loginPage(uid, clientId, error = null, passkeyEnabled = true) {
 
     ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
 
-    ${passkeySection}
+    ${ssoSection}
 
     <form method="POST" action="/idp/interaction/${uid}/login">
       <label for="username">Username</label>
@@ -358,6 +459,7 @@ export function loginPage(uid, clientId, error = null, passkeyEnabled = true) {
     </p>
   </div>
   ${passkeyScript}
+  ${schnorrScript}
 </body>
 </html>
   `;

package/src/server.js

@@ -4,7 +4,8 @@ import { readFile } from 'fs/promises';
 import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
 import { handleGet, handleHead, handlePut, handleDelete, handleOptions, handlePatch } from './handlers/resource.js';
-import { handlePost, handleCreatePod } from './handlers/container.js';
+import { handlePost, handleCreatePod, createPodStructure } from './handlers/container.js';
+import * as storage from './storage/filesystem.js';
 import { getCorsHeaders } from './ldp/headers.js';
 import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
@@ -71,6 +72,9 @@ export function createServer(options = {}) {
   const apNostrPubkey = options.apNostrPubkey ?? null;
   // Invite-only registration is OFF by default - open registration
   const inviteOnly = options.inviteOnly ?? false;
+  // Single-user mode - creates pod on startup, disables registration
+  const singleUser = options.singleUser ?? false;
+  const singleUserName = options.singleUserName ?? 'me';
   // Default storage quota per pod (50MB default, 0 = unlimited)
   const defaultQuota = options.defaultQuota ?? 50 * 1024 * 1024;
   // WebID-TLS client certificate authentication is OFF by default
@@ -165,7 +169,7 @@ export function createServer(options = {}) {
 
   // Register Identity Provider plugin if enabled
   if (idpEnabled) {
-    fastify.register(idpPlugin, { issuer: idpIssuer, inviteOnly });
+    fastify.register(idpPlugin, { issuer: idpIssuer, inviteOnly, singleUser });
   }
 
   // Register Nostr relay if enabled
@@ -447,6 +451,91 @@ export function createServer(options = {}) {
   fastify.options('/', handleOptions);
   fastify.post('/', writeRateLimit, handlePost);
 
+  // Single-user mode: create pod on startup if it doesn't exist
+  if (singleUser) {
+    fastify.addHook('onReady', async () => {
+      // Determine base URL for pod URIs
+      const protocol = options.ssl ? 'https' : 'http';
+      const host = options.host === '0.0.0.0' ? 'localhost' : (options.host || 'localhost');
+      const port = options.port || 3000;
+      const baseUrl = idpIssuer?.replace(/\/$/, '') || `${protocol}://${host}:${port}`;
+      const issuer = idpIssuer || `${baseUrl}/`;
+
+      // Root-level pod (empty or '/' name) vs named pod
+      const isRootPod = !singleUserName || singleUserName === '/';
+      const podPath = isRootPod ? '/' : `/${singleUserName}/`;
+      const podUri = isRootPod ? `${baseUrl}/` : `${baseUrl}/${singleUserName}/`;
+      const webId = `${podUri}profile/card#me`;
+      const displayName = isRootPod ? 'me' : singleUserName;
+
+      // Check if pod already exists (profile/card is the indicator)
+      const profileExists = await storage.exists(`${podPath}profile/card`);
+
+      if (!profileExists) {
+        fastify.log.info(`Creating single-user pod at ${podUri}...`);
+
+        if (isRootPod) {
+          // Root-level pod - create structure directly at /
+          await createRootPodStructure(webId, podUri, issuer, displayName);
+        } else {
+          // Named pod at /{name}/
+          await createPodStructure(singleUserName, webId, podUri, issuer, defaultQuota);
+        }
+        fastify.log.info(`Single-user pod created at ${podUri}`);
+      }
+    });
+  }
+
+  /**
+   * Create root-level pod structure (for single-user mode with pod at /)
+   */
+  async function createRootPodStructure(webId, podUri, issuer, displayName) {
+    const { generateProfile, generatePreferences, generateTypeIndex, serialize } = await import('./webid/profile.js');
+    const { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, generatePublicFolderAcl, serializeAcl } = await import('./wac/parser.js');
+
+    // Create directories at root
+    await storage.createContainer('/inbox/');
+    await storage.createContainer('/public/');
+    await storage.createContainer('/private/');
+    await storage.createContainer('/Settings/');
+    await storage.createContainer('/profile/');
+
+    // Generate profile
+    const profileHtml = generateProfile({ webId, name: displayName, podUri, issuer });
+    await storage.write('/profile/card', profileHtml);
+
+    // Preferences and type indexes
+    const prefs = generatePreferences({ webId, podUri });
+    await storage.write('/Settings/Preferences.ttl', serialize(prefs));
+
+    const publicTypeIndex = generateTypeIndex(`${podUri}Settings/publicTypeIndex.ttl`);
+    await storage.write('/Settings/publicTypeIndex.ttl', serialize(publicTypeIndex));
+
+    const privateTypeIndex = generateTypeIndex(`${podUri}Settings/privateTypeIndex.ttl`);
+    await storage.write('/Settings/privateTypeIndex.ttl', serialize(privateTypeIndex));
+
+    // ACL files
+    const rootAcl = generateOwnerAcl(podUri, webId, true);
+    await storage.write('/.acl', serializeAcl(rootAcl));
+
+    const privateAcl = generatePrivateAcl(`${podUri}private/`, webId);
+    await storage.write('/private/.acl', serializeAcl(privateAcl));
+
+    const settingsAcl = generatePrivateAcl(`${podUri}Settings/`, webId);
+    await storage.write('/Settings/.acl', serializeAcl(settingsAcl));
+
+    const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
+    await storage.write('/inbox/.acl', serializeAcl(inboxAcl));
+
+    const publicAcl = generatePublicFolderAcl(`${podUri}public/`, webId);
+    await storage.write('/public/.acl', serializeAcl(publicAcl));
+
+    const profileAcl = generatePublicFolderAcl(`${podUri}profile/`, webId);
+    await storage.write('/profile/.acl', serializeAcl(profileAcl));
+
+    // Note: Quota not initialized for root-level pods (no user directory)
+  }
+
   return fastify;
 }
 

package/.claude/settings.local.json

@@ -1,266 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "WebSearch",
-      "WebFetch(domain:github.com)",
-      "WebFetch(domain:raw.githubusercontent.com)",
-      "Bash(cat:*)",
-      "WebFetch(domain:www.inrupt.com)",
-      "Bash(npm install:*)",
-      "Bash(timeout 3 node:*)",
-      "Bash(PORT=3030 timeout 3 node:*)",
-      "Bash(git commit:*)",
-      "Bash(pkill:*)",
-      "Bash(curl:*)",
-      "Bash(npm test:*)",
-      "Bash(git add:*)",
-      "WebFetch(domain:solid.github.io)",
-      "Bash(node:*)",
-      "WebFetch(domain:solidservers.org)",
-      "WebFetch(domain:solid-contrib.github.io)",
-      "Bash(git clone:*)",
-      "Bash(chmod:*)",
-      "Bash(JSS_PORT=4000 JSS_CONNEG=true node bin/jss.js:*)",
-      "Bash(find:*)",
-      "Bash(timeout 5 node:*)",
-      "Bash(npm view:*)",
-      "Bash(npm ls:*)",
-      "Bash(timeout 10 node:*)",
-      "Bash(npm run test:cth:*)",
-      "Bash(__NEW_LINE__ curl -s -X POST http://localhost:4000/.pods )",
-      "Bash(lsof:*)",
-      "Bash(xargs kill -9)",
-      "Bash(docker:*)",
-      "Bash(solidproject/conformance-test-harness )",
-      "Bash(timeout 30 node:*)",
-      "Bash(timeout 20 node:*)",
-      "Bash(timeout 25 node:*)",
-      "Bash(JSS_PORT=4000 JSS_CONNEG=true timeout 5 node:*)",
-      "Bash(pgrep:*)",
-      "Bash(python3:*)",
-      "Bash(ls:*)",
-      "Bash(timeout 15 node:*)",
-      "Bash(echo 'No .idp folder' echo find /home/melvin/remote/github.com/JavaScriptSolidServer/JavaScriptSolidServer/data/.idp/ -name *.json)",
-      "Bash(echo '=== Interactions ===' ls -la /home/melvin/remote/github.com/JavaScriptSolidServer/JavaScriptSolidServer/data/.idp/interaction/ echo echo '=== Latest interaction ===' cat /home/melvin/remote/github.com/JavaScriptSolidServer/JavaScriptSolidServer/data/.idp/interaction/*.json)",
-      "Bash(1 echo \"\" echo \"=== Server errors ===\" grep -E \"(error|Error)\" /tmp/jss.log)",
-      "Bash(echo 'Server not ready' curl -s -X POST http://localhost:4000/.pods -H 'Content-Type: application/json' -d {\"\"name\"\":\"\"alice\"\",\"\"email\"\":\"\"alice@example.com\"\",\"\"password\"\":\"\"alicepassword123\"\"})",
-      "Bash(head -1 curl -s -X POST http://localhost:4000/.pods -H \"Content-Type: application/json\" -d '{\"\"\"\"name\"\"\"\":\"\"\"\"bob\"\"\"\",\"\"\"\"email\"\"\"\":\"\"\"\"bob@example.com\"\"\"\",\"\"\"\"password\"\"\"\":\"\"\"\"bobpassword123\"\"\"\"}')",
-      "Bash(xargs:*)",
-      "Bash(fuser:*)",
-      "Bash(kill:*)",
-      "Bash(ACCESS_TOKEN=\"eyJhbGciOiJFUzI1NiIsImtpZCI6IjQwY2U0YzIzLWY2OWQtNDU4NS05ODg2LTE4MDQzZWIyZjU2ZCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQwMDAvIiwic3ViIjoiYjhlZjY5YWUtODc0ZS00MDg5LThiMDktOGQwY2QyM2VlZWY3IiwiYXVkIjoic29saWQiLCJ3ZWJpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q0MDAwL2FsaWNlLyNtZSIsImlhdCI6MTc2NjgyOTQ5MiwiZXhwIjoxNzY2ODMzMDkyLCJqdGkiOiIwMWY4ODVlZS05ZjY2LTQ3M2MtYmZkNC05MWM4ZGU3NGJhZjYiLCJjbGllbnRfaWQiOiJjcmVkZW50aWFsc19jbGllbnQiLCJzY29wZSI6Im9wZW5pZCB3ZWJpZCJ9.DYTlSRkORyDN28XtXk-zbR7xNLViD97KkPqUKb6chV860BaIgwa1suif4TxHQDnK_ejvbvmZ46_n5WwwRnf_Zw\" curl -sI -X PUT http://localhost:4000/alice/cth-test/ -H \"Content-Type: text/turtle\" -H \"Authorization: Bearer $ACCESS_TOKEN\")",
-      "Bash(timeout 60 docker run:*)",
-      "Bash(rm:*)",
-      "Bash(mkdir:*)",
-      "WebFetch(domain:communitysolidserver.github.io)",
-      "WebFetch(domain:solidos.github.io)",
-      "WebFetch(domain:solidcommunity.net)",
-      "WebFetch(domain:www.npmjs.com)",
-      "Bash(pm2 list:*)",
-      "Bash(pm2 logs:*)",
-      "Bash(pm2 restart:*)",
-      "Bash(timeout 60 npm test:*)",
-      "Bash(pm2 stop:*)",
-      "Bash(pm2 delete:*)",
-      "Bash(pm2 start:*)",
-      "Bash(DATA_ROOT=/home/melvin/jss/data pm2 start:*)",
-      "Bash(pm2 save:*)",
-      "Bash(gh issue create:*)",
-      "Bash(gh issue view:*)",
-      "Bash(gh issue edit:*)",
-      "WebFetch(domain:nostrcg.github.io)",
-      "WebFetch(domain:melvincarvalho.github.io)",
-      "WebFetch(domain:dev.to)",
-      "WebFetch(domain:solidproject.org)",
-      "WebFetch(domain:www.w3.org)",
-      "Bash(wc:*)",
-      "Bash(TOKEN=\"eyJraW5kIjoyNzIzNSwidGFncyI6W1sidSIsImh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC9kZW1vL25vc3RyLXpvbmUvIl0sWyJtZXRob2QiLCJHRVQiXV0sImNyZWF0ZWRfYXQiOjE3NjY5MzQ1NjksImNvbnRlbnQiOiIiLCJwdWJrZXkiOiI4OTg5OWNmOWEyNGE5ZTdlMTNmODU3MGRkMGI1MmJiOTQyMjllNDI2OGM1MGQ1OWZhNjdhMzQ0MGQ0NmFhZTdkIiwiaWQiOiJiNTUyMDUyOTVmYmQwYzhjZDYwMzk1NTgwOWYxZGM5Y2MwMjdlY2U4N2NjYmNlNzcwNWY2MjdmNmQ0ODk1MGJkIiwic2lnIjoiOWYzN2Y0NzIyZDlkNmFmZGQ5OTNkYTM0MDg2MWQ2YzQ4MmY1NzQ1MmFmZTIwZmY2YmI5OTAxNGIwOTU3NjUwMWZiNTgyZjEzNzNlZmVhNjI4ZDI5ZjlhMzhmZTgyODU0ODlmMzAzYzlmYmJjYWE0OTQxZjUyZGZlMWYxNzVkOWMifQ==\")",
-      "WebFetch(domain:solid-lite.org)",
-      "Bash(git push:*)",
-      "WebFetch(domain:linkedwebstorage.com)",
-      "WebFetch(domain:w3c.github.io)",
-      "WebFetch(domain:socialdocs.org)",
-      "WebFetch(domain:nosdav.com)",
-      "WebFetch(domain:sandy-mount.com)",
-      "WebFetch(domain:ditto.pub)",
-      "WebFetch(domain:blocktrails.org)",
-      "WebFetch(domain:microfed.org)",
-      "WebFetch(domain:soliddocs.org)",
-      "WebFetch(domain:agenticalliance.com)",
-      "WebFetch(domain:activitypub.rocks)",
-      "WebFetch(domain:nostrgit.org)",
-      "Bash(convert:*)",
-      "WebFetch(domain:instantdomainsearch.com)",
-      "Bash(for domain in jss.dev jss.sh jss.io jss.app solidserver.dev solid-server.dev)",
-      "Bash(do echo -n '$domain: ')",
-      "Bash(whois $domain)",
-      "Bash(done)",
-      "Bash(for domain in jss.dev jss.sh jss.io jss.app solidserver.dev)",
-      "Bash(host:*)",
-      "WebFetch(domain:nostr-components.github.io)",
-      "Bash(ssh melvincarvalho.com \"pm2 list && echo ''---HAPROXY---'' && cat /etc/haproxy/haproxy.cfg 2>/dev/null | grep -A5 ''melvin\\|backend\\|frontend\\|acl host''\")",
-      "Bash(ssh:*)",
-      "Bash(time curl -s --connect-timeout 10 https://melvin.solid.live/credit/count.ttl)",
-      "Bash(time curl -s --connect-timeout 10 https://melvin.solid.live/)",
-      "Bash(time curl:*)",
-      "Bash(time curl -s 'https://melvin.solid.live/credit/count.ttl')",
-      "Bash(grep:*)",
-      "Bash(scp:*)",
-      "Bash(for i in 1 2 3)",
-      "Bash(do echo \"Attempt $i:\")",
-      "Bash(for i in 1 2 3 4 5)",
-      "Bash(do curl -so /dev/null -w \"%{http_code} \" https://melvincarvalho.com/js/handlemutation.js)",
-      "Bash(for i in 1 2 3 4 5 6 7 8 9 10)",
-      "Bash(if [ ! -d \"jose\" ])",
-      "Bash(then git clone --depth 1 --branch v0.7.0 https://github.com/solid/jose.git)",
-      "Bash(fi)",
-      "Bash(timeout 45 node:*)",
-      "Bash(gh issue list:*)",
-      "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)",
-      "Bash(pm2 show:*)",
-      "Bash(git config:*)",
-      "Bash(npm version:*)",
-      "Bash(git init:*)",
-      "Bash(gh repo create:*)",
-      "Bash(./bin/git-credential-nostr generate:*)",
-      "Bash(./bin/git-credential-nostr get:*)",
-      "Bash(git-credential-nostr:*)",
-      "Bash(git branch:*)",
-      "Bash(GIT_TRACE=1 GIT_CURL_VERBOSE=1 git push:*)",
-      "Bash(GIT_CURL_VERBOSE=1 git push:*)",
-      "Bash(git reset:*)",
-      "Bash(echo:*)",
-      "Bash(unset DATA_ROOT)",
-      "Bash(timeout 30 npm test:*)",
-      "Bash(/home/melvin/remote/github.com/JavaScriptSolidServer/git-credential-nostr/bin/git-credential-nostr acl:*)",
-      "Bash(npm cache clean:*)",
-      "Bash(git checkout:*)",
-      "Bash(gh gist edit:*)",
-      "Bash(gh gist view:*)",
-      "Bash(./bin/git-credential-nostr acl:*)",
-      "Bash(DATA_ROOT=/tmp/jss-git-test/data node:*)",
-      "Bash(git remote set-url:*)",
-      "Bash(for:*)",
-      "Bash(^/**\" | head -1 | sed ''''s/.*\\* //'''')\")",
-      "Bash(if [ ! -d \"node-solid-server\" ])",
-      "Bash(then git clone --depth 1 https://github.com/nodeSolidServer/node-solid-server.git)",
-      "Bash(node test-local-nss2.js:*)",
-      "Bash(npm test)",
-      "Bash(repos.json)",
-      "Bash(*.log)",
-      "Bash(node --check:*)",
-      "Bash(gh repo view:*)",
-      "Bash(noskey --help:*)",
-      "Bash(npx noskey --help:*)",
-      "Bash(noskey:*)",
-      "Bash(node -e:*)",
-      "Bash(node src/publish.js:*)",
-      "Bash(git remote add:*)",
-      "Bash(git fetch:*)",
-      "Bash(git rev-parse:*)",
-      "Bash(f502f06c1d7553f4b7159e8d57a1e14819dc3053b59399e080882cc8e6bb62ad )",
-      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e )",
-      "Bash(f810e7491da3390109ddc13a74a1fff985ba3a4735024f2b714c12d213f5ea11 )",
-      "Bash(1 )",
-      "Bash(911912000 )",
-      "Bash(4ccef8c68cf18f8f156a0bb017dfd6e0cc7ebf1672fa2d769e02e2efc700328b 1000000 )",
-      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e 910911000 )",
-      "Bash(~/.gitmark/faucet.txt)",
-      "Bash(blocktrails --version:*)",
-      "Bash(blocktrails --help:*)",
-      "Bash(blocktrails show:*)",
-      "Bash(git restore:*)",
-      "Bash(npm show:*)",
-      "WebFetch(domain:gitlab.com)",
-      "Bash(gh repo edit:*)",
-      "WebFetch(domain:blocktrails.github.io)",
-      "Bash(jq:*)",
-      "Bash(SOLID_SYNC=true timeout 45 node:*)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm status)",
-      "Bash(SOLID_SYNC=true ANCHOR=true timeout 8 node:*)",
-      "Bash(SOLID_SYNC=true ANCHOR=true node:*)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm diff src/watcher.js)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add src/watcher.js)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd transfer API and HTTP 402 middleware\n\n- Add POST /transfer endpoint for user-to-user token transfers\n- Add verify402Payment middleware for token-gated APIs\n- Add GET /api/quote demo endpoint \\(costs 1 GSAT\\)\n- Add GET /balance/:did and GET /state endpoints\n- Fix anchor function to use encodeBech32m for address derivation\n- Remove OP_RETURN from anchor tx \\(state hash stored in state.json\\)\nEOF\n\\)\")",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm push)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js debug.html paywall.html transfer.html)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd NIP-98 paywall, transfer, withdraw, and debug pages\n\n- Implement NIP-98 \\(kind 27235\\) for HTTP 402 authentication\n- Add paywall.html demo page showing NIP-98 flow\n- Add transfer.html for user-to-user GSAT transfers\n- Add debug.html with anchors, state, verify, withdraw, and users tabs\n- Add POST /withdraw endpoint for sats → Bitcoin address\n- Add navigation to demo.html linking all pages\nEOF\n\\)\")",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add test-amm.mjs package.json)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd AMM tests for math, signatures, and NIP-98\n\n- AMM math tests \\(calculateGsatOut, calculateSatsOut, slippage, k invariant\\)\n- Signature verification tests \\(sell, transfer, withdraw requests\\)\n- NIP-98 event creation, verification, and encoding tests\n- Update package.json with test script\nEOF\n\\)\")",
-      "Bash(SOLID_SYNC=true node src/watcher.js:*)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd smart polling with manual deposit check\n\n- Change poll interval from 30s to 10 minutes\n- Add POST /check endpoint for manual deposit scan\n- Add 10-second rate limit between manual checks\n- Add \"Check Deposits\" button to demo.html\nEOF\n\\)\")",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add:*)",
-      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"Use blocktrails npm package instead of local path\")",
-      "Bash(for addr in tb1pdypd4k38q4x0qz5x7hqavjhfpgt2n4tm0egggx587aafqn3wsnds8gm3yf tb1pqxmrkvuyea9v7vv323tmptjfle5tj9y6cpe5g8wqvlz6d5xmfhlqctx7py tb1p0fv2683x2j5htf9n7fkpmxsy4h7yuxmetelq2c6vp8u2zw9rhp2s5kha7v)",
-      "Bash(do echo -n \"$addr: \" curl -s \"https://mempool.space/testnet4/api/address/$addr\")",
-      "WebFetch(domain:webledgers.org)",
-      "Bash(npm pack:*)",
-      "Bash(npm info:*)",
-      "Bash(tar:*)",
-      "Bash(TEST_API=1 API_URL=https://api.solid.social node:*)",
-      "Bash(webledgers show:*)",
-      "Bash(webledgers set-balance:*)",
-      "Bash(ssh melvincarvalho.com \"pm2 list | grep jss\")",
-      "Bash(ssh melvincarvalho.com \"cd /home/ubuntu/jss && git pull && pm2 restart jss\")",
-      "WebFetch(domain:registry.npmjs.org)",
-      "WebFetch(domain:solid-chat.com)",
-      "WebFetch(domain:developer.chrome.com)",
-      "WebFetch(domain:css-tricks.com)",
-      "Bash(node bin/jss.js:*)",
-      "WebFetch(domain:nostr.social)",
-      "Bash(xargs curl -s)",
-      "Bash(ssh phone:*)",
-      "Bash(dig:*)",
-      "WebFetch(domain:fonstr.com)",
-      "Bash(node -e \"import\\(''nostr-tools''\\).then\\(m => console.log\\(Object.keys\\(m\\).join\\(''\\\\n''\\)\\)\\)\":*)",
-      "Bash(gh repo list:*)",
-      "Bash(gh search:*)",
-      "Bash(__NEW_LINE__ echo \"\")",
-      "WebFetch(domain:webfinger.net)",
-      "Bash(npm update:*)",
-      "Bash(timeout 8 node:*)",
-      "Bash(gh pr view:*)",
-      "Bash(gh pr diff:*)",
-      "Bash(gh pr review:*)",
-      "Bash(gh api:*)",
-      "Bash(gh pr comment:*)",
-      "Bash(git pull:*)",
-      "Bash(gh pr:*)",
-      "Bash(node --test:*)",
-      "Bash(TOKEN_SECRET=test node --test:*)",
-      "Bash(gh search issues:*)",
-      "Bash(timeout 60 bash:*)",
-      "Bash(timeout 90 bash -c:*)",
-      "Bash(git commit -m \"$\\(cat <<''EOF''\nsecurity: add ACL check on WebSocket subscription requests\n\nCheck WAC read permission before allowing subscription to prevent\ninformation leakage via notifications. Unauthorized subscriptions\nnow receive ''err <url> forbidden'' response.\n\nSecurity improvements:\n- Check ACL read access before allowing subscription\n- Validate URLs are on this server \\(prevents SSRF-like probing\\)\n- Add subscription limit and URL length validation\n\nFixes #62\nEOF\n\\)\")",
-      "Bash(gh repo fork:*)",
-      "Bash(timeout 180 npm test:*)",
-      "Bash(git show:*)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline -30 -- \"test/integration/acl-tls-test.mjs\" \"test-esm/integration/acl-tls-test.js\")",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --follow -30 -- \"test/integration/acl-tls-test.mjs\")",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 778095ad --stat)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 778095ad)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show b183c7a0)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --before=\"2019-10-29\" --after=\"2019-10-01\" -20)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 1a92a912 --stat)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --all --grep=jaxoncreed)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --author=\"jaxoncreed\" -30)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --author=\"[Dd]mitri\" -20)",
-      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --all --grep=\"oidc\" -20)",
-      "Bash(npm install)",
-      "Bash(timeout 60 npx mocha:*)",
-      "Bash(timeout 120 npx mocha:*)",
-      "Bash(timeout 30 npx mocha:*)",
-      "Bash(openssl x509:*)",
-      "Bash(gh pr checks:*)",
-      "Bash(gh run view:*)",
-      "Bash(gh pr edit:*)",
-      "WebFetch(domain:patch-diff.githubusercontent.com)",
-      "Bash(git rebase:*)",
-      "Bash(timeout 10 npm start)",
-      "Bash(node bin/jss.js start:*)",
-      "Bash(ssh solid.social \"cd /var/www/jss && git pull && pm2 restart jss\")",
-      "Bash(ssh solid.social:*)"
-    ]
-  }
-}