| [JIP-0002](jip-0002.md) | Git Support for Containers | Draft |

Draft

Enable Solid containers to function as Git repositories, allowing standard `git clone`, `git push`, and `git pull` operations for versioned, offline-capable data management.

1. **Familiar workflow** - Developers already know Git

2. **Offline editing** - Clone pod locally, work offline, push when ready

3. **Collaboration** - Branch, merge, and collaborate on pod content

4. **Backup** - Clone provides automatic incremental backup

5. **Version history** - Built-in audit trail for all resource changes

6. **Tooling** - Leverage existing Git ecosystem (editors, diff tools, CI/CD)

JSS SHALL implement the [Git Smart HTTP Protocol](https://git-scm.com/docs/http-protocol) by delegating to `git http-backend`.

Git requests are identified by URL patterns:

| Pattern | Operation |

|---------|-----------|

| `*/info/refs?service=git-upload-pack` | Clone/fetch negotiation |

| `*/info/refs?service=git-receive-pack` | Push negotiation |

| `*/git-upload-pack` | Clone/fetch data transfer |

| `*/git-receive-pack` | Push data transfer |

The server MAY also recognize `.git` suffix on container URLs.

Each container MAY have an associated Git repository:

The server SHOULD use bare repositories for efficiency:

The actual container contents serve as the working tree.

The handler SHALL set CGI environment variables for `git http-backend`:

{

GIT_PROJECT_ROOT: '<data-root>',

GIT_HTTP_EXPORT_ALL: '1',

GIT_HTTP_RECEIVE_PACK: 'true',

REQUEST_METHOD: request.method,

PATH_INFO: '/<pod>/.git' + gitPath,

QUERY_STRING: request.queryString,

CONTENT_TYPE: request.headers['content-type'],

CONTENT_LENGTH: request.headers['content-length'],

HTTP_CONTENT_ENCODING: request.headers['content-encoding'],

GIT_CONFIG_PARAMETERS: "'uploadpack.allowTipSHA1InWant=true'"

}

Git operations SHALL use existing WAC authorization:

| Git Operation | Required Mode |

|---------------|---------------|

| `clone` / `fetch` | `acl:Read` on container |

| `push` | `acl:Write` on container |

The server MUST check authorization before invoking `git http-backend`.

POST to container with `Link: <http://git-scm.com/>; rel="type"`:

Response:

The server MAY auto-initialize a Git repository on first clone attempt if the container exists but has no `.git`.

Containers are cloneable at their LDP URL:

git clone https://example.com/alice/projects/

Or with explicit `.git` suffix:

git clone https://example.com/alice/projects/.git

CORS headers MUST be applied before Git handling to support browser-based Git clients:

When a Git client requests `/info/refs`, the server detects this via:

- Query parameter: `?service=git-upload-pack` or `?service=git-receive-pack`

- User-Agent containing "git"

Non-Git requests to the same URL return normal LDP container listing.

Based on [nosdav/server](https://github.com/nosdav/server) git support:

import { spawn } from 'child_process';

const GIT_PATHS = ['/info/refs', '/git-upload-pack', '/git-receive-pack'];

function isGitRequest(url) {

return GIT_PATHS.some(p => url.includes(p)) || url.endsWith('.git');

}

async function handleGit(request, reply) {

const repoPath = extractRepoPath(request.url);

// Check authorization

const canRead = await checkAccess(repoPath, request.webId, 'read');

const canWrite = await checkAccess(repoPath, request.webId, 'write');

if (request.url.includes('receive-pack') && !canWrite) {

return reply.code(403).send({ error: 'Write access denied' });

}

if (!canRead) {

return reply.code(403).send({ error: 'Read access denied' });

}

// Spawn git http-backend

const git = spawn('git', ['http-backend'], {

env: {

...process.env,

GIT_PROJECT_ROOT: DATA_ROOT,

GIT_HTTP_EXPORT_ALL: '1',

GIT_HTTP_RECEIVE_PACK: canWrite ? 'true' : 'false',

REQUEST_METHOD: request.method,

PATH_INFO: repoPath,

QUERY_STRING: request.url.split('?')[1] || '',

CONTENT_TYPE: request.headers['content-type'] || '',

GIT_CONFIG_PARAMETERS: "'uploadpack.allowTipSHA1InWant=true'"

}

});

// Pipe request body to git stdin

request.raw.pipe(git.stdin);

// Parse CGI response headers

let headersParsed = false;

git.stdout.on('data', (chunk) => {

if (!headersParsed) {

const headerEnd = chunk.indexOf('\r\n\r\n');

if (headerEnd !== -1) {

const headers = chunk.slice(0, headerEnd).toString();

// Parse and set response headers

headersParsed = true;

}

}

});

// Pipe git stdout to response

git.stdout.pipe(reply.raw);

}

Tracking issue: [#5](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/5)

1. **Path Traversal**: Validate repository paths to prevent access outside data root

2. **Resource Exhaustion**: Large pushes could exhaust disk; consider quotas

3. **Executable Content**: Git hooks are disabled by default on server

4. **Authentication**: Reuse existing Bearer/DPoP/Nostr auth before git operations

| Spec | Compatibility |

|------|---------------|

| [Solid Protocol](https://solidproject.org/TR/protocol) | Compatible - containers remain LDP-accessible |

| [LDP](https://www.w3.org/TR/ldp/) | Compatible - Git is additive |

| [WAC](https://solidproject.org/TR/wac) | Uses for authorization |

| [Git HTTP Protocol](https://git-scm.com/docs/http-protocol) | Implements |

- **[nosdav/server](https://github.com/nosdav/server)** - Git support via `git http-backend`

- **[QuitStore](https://github.com/AKSW/QuitStore)** - "Quads in Git" - Git + RDF/SPARQL versioning

- **[express-git](https://www.npmjs.com/package/express-git)** - Express middleware for Git HTTP

- **[git-http-backend npm](https://www.npmjs.com/package/git-http-backend)** - Node.js wrapper

- [Git Smart HTTP](https://git-scm.com/book/en/v2/Git-on-the-Server-Smart-HTTP)

- [git-http-backend Documentation](https://git-scm.com/docs/git-http-backend)

- [Git HTTP Protocol](https://git-scm.com/docs/http-protocol)

- [nosdav git commits](https://github.com/nosdav/server/commits/gh-pages/)

- 2024-12-27: Initial draft