docs: Standardize all IndieAuth spec references to W3C URL

- Updated 42 references from indieauth.spec.indieweb.org to www.w3.org/TR/indieauth
- Ensures consistency across all documentation
- Points to the authoritative W3C specification
- No functional changes, documentation update only

Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

docs/decisions/ADR-005-indielogin-authentication.md

@@ -416,6 +416,6 @@ SESSION_SECRET=your-random-secret-key-here
 ## References
 - IndieLogin.com: https://indielogin.com/
 - IndieLogin API Documentation: https://indielogin.com/api
-- IndieAuth Specification: https://indieauth.spec.indieweb.org/
+- IndieAuth Specification: https://www.w3.org/TR/indieauth/
 - OAuth 2.0 Spec: https://oauth.net/2/
 - Web Authentication Best Practices: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

docs/decisions/ADR-010-authentication-module-design.md

@@ -205,7 +205,7 @@ Balance between security and usability:
 ## References
 
 - [ADR-005: IndieLogin Authentication](/home/phil/Projects/starpunk/docs/decisions/ADR-005-indielogin-authentication.md)
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/)
 - [OWASP Session Management](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
 - [Flask Security Best Practices](https://flask.palletsprojects.com/en/3.0.x/security/)
 

docs/decisions/ADR-016-indieauth-client-discovery.md

@@ -283,7 +283,7 @@ This allows gradual migration without breaking existing integrations.
 
 ## References
 
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/)
 - [Microformats2 h-app](https://microformats.org/wiki/h-app)
 - [IndieLogin.com](https://indielogin.com/)
 - [OAuth 2.0 Client ID Metadata Document](https://www.rfc-editor.org/rfc/rfc7591.html)

docs/decisions/ADR-017-oauth-client-metadata-document.md

@@ -162,7 +162,7 @@ def oauth_client_metadata():
     Returns JSON metadata about this IndieAuth client for authorization
     server discovery. Required by IndieAuth specification section 4.2.
 
-    See: https://indieauth.spec.indieweb.org/#client-information-discovery
+    See: https://www.w3.org/TR/indieauth/#client-information-discovery
     """
     metadata = {
         'issuer': current_app.config['SITE_URL'],
@@ -468,7 +468,7 @@ Assume IndieLogin.com has a bug and wait for them to fix it.
 ## References
 
 ### Specifications
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/)
 - [OAuth Client ID Metadata Document](https://www.ietf.org/archive/id/draft-parecki-oauth-client-id-metadata-document-00.html)
 - [RFC 7591 - OAuth 2.0 Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html)
 - [RFC 3986 - URI Generic Syntax](https://www.rfc-editor.org/rfc/rfc3986)

docs/decisions/ADR-018-indieauth-detailed-logging.md

@@ -819,7 +819,7 @@ LOG_LEVEL=DEBUG
 - [Python Logging Documentation](https://docs.python.org/3/library/logging.html)
 - [OWASP Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
 - [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/)
 - [Flask Logging Documentation](https://flask.palletsprojects.com/en/3.0.x/logging/)
 
 ## Related Documents

docs/decisions/ADR-019-indieauth-correct-implementation.md

@@ -1298,7 +1298,7 @@ Implementation is successful when:
 
 - **PKCE Specification (RFC 7636)**: https://www.rfc-editor.org/rfc/rfc7636
 - **OAuth 2.0 (RFC 6749)**: https://www.rfc-editor.org/rfc/rfc6749
-- **IndieAuth Specification**: https://indieauth.spec.indieweb.org/ (for context only)
+- **IndieAuth Specification**: https://www.w3.org/TR/indieauth/ (for context only)
 
 ### Internal Documentation
 

docs/decisions/ADR-021-indieauth-provider-strategy.md

@@ -505,7 +505,7 @@ If there is user demand for a more integrated solution, V2 could add:
 ## References
 
 ### IndieAuth Specifications
-- [IndieAuth Spec](https://indieauth.spec.indieweb.org/) - Official W3C specification
+- [IndieAuth Spec](https://www.w3.org/TR/indieauth/) - Official W3C specification
 - [OAuth 2.0](https://oauth.net/2/) - Underlying OAuth 2.0 foundation
 - [Client Identifier](https://www.oauth.com/oauth2-servers/indieauth/) - How client_id works in IndieAuth
 

docs/decisions/ADR-022-auth-route-prefix-fix.md

@@ -165,7 +165,7 @@ After implementation:
 5. Test full IndieAuth flow with real provider
 
 ## References
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/) - Section on redirect URIs
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/) - Section on redirect URIs
 - [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749) - Section 3.1.2 on redirection endpoints
 - [RESTful API Design](https://restfulapi.net/resource-naming/) - URL naming conventions
 - Current implementation: `/home/phil/Projects/starpunk/starpunk/routes/auth.py`, `/home/phil/Projects/starpunk/starpunk/auth.py`

docs/decisions/ADR-023-indieauth-client-identification.md

@@ -91,7 +91,7 @@ Implementation:
 
 ## References
 
-- [IndieAuth Spec Section 4.2.2](https://indieauth.spec.indieweb.org/#client-information-discovery)
+- [IndieAuth Spec Section 4.2.2](https://www.w3.org/TR/indieauth/#client-information-discovery)
 - [Microformats h-app](http://microformats.org/wiki/h-app)
 - [IndieWeb Client Information](https://indieweb.org/client-id)
 

docs/decisions/ADR-024-static-identity-page.md

@@ -138,7 +138,7 @@ Users should test their identity page with:
 
 ## References
 
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/)
 - [Microformats2 h-card](http://microformats.org/wiki/h-card)
 - [IndieWeb Authentication](https://indieweb.org/authentication)
 - [indieauth.com](https://indieauth.com/)

docs/decisions/ADR-025-indieauth-pkce-authentication.md

@@ -202,7 +202,7 @@ The technical implementation is documented in:
 ### Supporting Specifications
 - **PKCE Specification (RFC 7636)**: https://www.rfc-editor.org/rfc/rfc7636
 - **OAuth 2.0 (RFC 6749)**: https://www.rfc-editor.org/rfc/rfc6749
-- **IndieAuth Specification**: https://indieauth.spec.indieweb.org/ (context only)
+- **IndieAuth Specification**: https://www.w3.org/TR/indieauth/ (context only)
 
 ### Internal Documentation
 - ADR-005: IndieLogin Authentication Integration (conceptual flow)

docs/decisions/ADR-028-micropub-implementation.md

@@ -204,7 +204,7 @@ We will implement a **minimal but complete Micropub server** for V1, focusing on
 ## References
 
 - [W3C Micropub Specification](https://www.w3.org/TR/micropub/)
-- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [IndieAuth Specification](https://www.w3.org/TR/indieauth/)
 - [OAuth 2.0 Bearer Token Usage](https://tools.ietf.org/html/rfc6750)
 - [Micropub Rocks Validator](https://micropub.rocks/)
 

docs/decisions/ADR-029-micropub-indieauth-integration.md

@@ -518,8 +518,8 @@ DELETE FROM auth_state WHERE expires_at < datetime('now');
 
 ## References
 
-- [IndieAuth Spec - Token Endpoint](https://indieauth.spec.indieweb.org/#token-endpoint)
-- [IndieAuth Spec - Authorization Code](https://indieauth.spec.indieweb.org/#authorization-code)
+- [IndieAuth Spec - Token Endpoint](https://www.w3.org/TR/indieauth/#token-endpoint)
+- [IndieAuth Spec - Authorization Code](https://www.w3.org/TR/indieauth/#authorization-code)
 - [Micropub Spec - Authentication](https://www.w3.org/TR/micropub/#authentication)
 - [OAuth 2.0 Security Best Practices](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics)