Fix IndieAuth client identification by making h-app visible

Following diagnosis in /docs/architecture/indieauth-client-diagnosis.md
and decision in /docs/decisions/ADR-006-indieauth-client-identification.md

Problem: The h-app microformat had hidden aria-hidden="true" attributes
that made it invisible to IndieAuth parsers, causing "client_id is not
registered" errors when authenticating with external providers.

Solution: Remove hidden attributes from h-app div in templates/base.html
to allow IndieAuth parsers to discover client metadata.

This ensures IndieAuth providers can validate our application during
the authorization flow.

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.env.example

@@ -78,9 +78,6 @@ FEED_CACHE_SECONDS=300
 # CONTAINER CONFIGURATION
 # =============================================================================
 
-# Application version (for health check endpoint)
-VERSION=0.6.0
-
 # Environment: development or production
 ENVIRONMENT=production
 

docs/architecture/indieauth-client-diagnosis.md

@@ -0,0 +1,139 @@
+# IndieAuth Client Registration Issue - Diagnosis Report
+
+**Date:** 2025-11-19
+**Issue:** IndieLogin.com reports "This client_id is not registered"
+**Client ID:** https://starpunk.thesatelliteoflove.com
+
+## Executive Summary
+
+The issue is caused by the h-app microformat on StarPunk being **hidden** with both `hidden` and `aria-hidden="true"` attributes. This makes the client identification invisible to IndieAuth parsers.
+
+## Analysis Results
+
+### 1. Identity Domain (https://thesatelliteoflove.com) ✅
+
+**Status:** PROPERLY CONFIGURED
+
+The identity page has all required IndieAuth elements:
+
+```html
+<!-- IndieAuth endpoints are correctly declared -->
+<link rel="authorization_endpoint" href="https://indieauth.com/auth">
+<link rel="token_endpoint" href="https://tokens.indieauth.com/token">
+
+<!-- h-card is properly structured -->
+<div class="h-card">
+  <h1 class="p-name">Phil Skents</h1>
+  <p class="identity-url">
+    <a class="u-url u-uid" href="https://thesatelliteoflove.com">
+      https://thesatelliteoflove.com
+    </a>
+  </p>
+</div>
+```
+
+### 2. StarPunk Client (https://starpunk.thesatelliteoflove.com) ❌
+
+**Status:** MISCONFIGURED - Client identification is hidden
+
+The h-app microformat exists but is **invisible** to parsers:
+
+```html
+<!-- PROBLEM: hidden and aria-hidden attributes -->
+<div class="h-app" hidden aria-hidden="true">
+  <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
+</div>
+```
+
+## Root Cause
+
+IndieAuth clients must be identifiable through visible h-app or h-x-app microformats. The `hidden` attribute makes the element completely invisible to:
+1. Microformat parsers
+2. Screen readers
+3. Search engines
+4. IndieAuth verification services
+
+When IndieLogin.com attempts to verify the client_id, it cannot find any client identification because the h-app is hidden from the DOM.
+
+## IndieAuth Client Verification Process
+
+1. User initiates auth with client_id=https://starpunk.thesatelliteoflove.com
+2. IndieLogin fetches the client URL
+3. IndieLogin parses for h-app/h-x-app microformats
+4. **FAILS:** No visible h-app found due to `hidden` attribute
+5. Returns error: "This client_id is not registered"
+
+## Solution
+
+Remove the `hidden` and `aria-hidden="true"` attributes from the h-app div:
+
+### Current (Broken):
+```html
+<div class="h-app" hidden aria-hidden="true">
+  <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
+</div>
+```
+
+### Fixed:
+```html
+<div class="h-app">
+  <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
+</div>
+```
+
+If visual hiding is desired, use CSS instead:
+
+```css
+.h-app {
+  position: absolute;
+  left: -9999px;
+  width: 1px;
+  height: 1px;
+  overflow: hidden;
+}
+```
+
+However, **best practice** is to keep it visible as client identification, possibly styled as:
+```html
+<footer>
+  <div class="h-app">
+    <p>
+      <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
+      <span class="p-version">v0.6.1</span>
+    </p>
+  </div>
+</footer>
+```
+
+## Verification Steps
+
+After fixing:
+
+1. Deploy the updated HTML without `hidden` attributes
+2. Test at https://indiewebify.me/ - verify h-app is detected
+3. Clear any caches (CloudFlare, browser, etc.)
+4. Test authentication flow at https://indielogin.com/
+
+## Additional Recommendations
+
+1. **Add more client metadata** for better identification:
+   ```html
+   <div class="h-app">
+     <img src="/static/logo.png" class="u-logo" alt="StarPunk logo">
+     <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
+     <p class="p-summary">A minimal IndieWeb CMS</p>
+   </div>
+   ```
+
+2. **Consider adding redirect_uri registration** if using fixed callback URLs
+
+3. **Test with multiple IndieAuth parsers**:
+   - https://indiewebify.me/
+   - https://sturdy-backbone.glitch.me/
+   - https://microformats.io/
+
+## References
+
+- [IndieAuth Spec - Client Information Discovery](https://indieauth.spec.indieweb.org/#client-information-discovery)
+- [Microformats h-app](http://microformats.org/wiki/h-app)
+- [IndieWeb Client ID](https://indieweb.org/client_id)

docs/architecture/indieauth-identity-page.md

@@ -0,0 +1,155 @@
+# IndieAuth Identity Page Architecture
+
+## Overview
+
+An IndieAuth identity page serves as the authoritative source for a user's online identity in the IndieWeb ecosystem. This document defines the minimal requirements and best practices for creating a static HTML page that functions as an IndieAuth identity URL.
+
+## Purpose
+
+The identity page serves three critical functions:
+
+1. **Authentication Endpoint Discovery** - Provides rel links to IndieAuth endpoints
+2. **Identity Verification** - Contains h-card microformats with user information
+3. **Social Proof** - Optional rel="me" links for identity consolidation
+
+## Technical Requirements
+
+### 1. HTML Structure
+
+```
+DOCTYPE html5
+├── head
+│   ├── meta charset="utf-8"
+│   ├── meta viewport (responsive)
+│   ├── title (user's name)
+│   ├── rel="authorization_endpoint"
+│   ├── rel="token_endpoint"
+│   └── optional: rel="micropub"
+└── body
+    └── h-card
+        ├── p-name (full name)
+        ├── u-url (identity URL)
+        ├── u-photo (optional avatar)
+        └── rel="me" links (optional)
+```
+
+### 2. IndieAuth Discovery
+
+The page MUST include these link elements in the `<head>`:
+
+```html
+<link rel="authorization_endpoint" href="https://indieauth.com/auth">
+<link rel="token_endpoint" href="https://tokens.indieauth.com/token">
+```
+
+These endpoints:
+- **authorization_endpoint**: Handles the OAuth 2.0 authorization flow
+- **token_endpoint**: Issues access tokens for API access
+
+### 3. Microformats2 h-card
+
+The h-card provides machine-readable identity information:
+
+```html
+<div class="h-card">
+  <h1 class="p-name">User Name</h1>
+  <a class="u-url" href="https://example.com" rel="me">https://example.com</a>
+</div>
+```
+
+Required properties:
+- `p-name`: The person's full name
+- `u-url`: The canonical identity URL (must match the page URL)
+
+Optional properties:
+- `u-photo`: Avatar image URL
+- `p-note`: Brief biography
+- `u-email`: Contact email (consider privacy implications)
+
+### 4. rel="me" Links
+
+For identity consolidation and social proof:
+
+```html
+<a href="https://github.com/username" rel="me">GitHub</a>
+```
+
+Best practices:
+- Only include links to profiles you control
+- Ensure reciprocal rel="me" links where possible
+- Use HTTPS URLs whenever available
+
+## Security Considerations
+
+### 1. HTTPS Requirement
+- Identity URLs MUST use HTTPS
+- All linked endpoints MUST use HTTPS
+- Mixed content will break authentication flows
+
+### 2. Content Security
+- No inline JavaScript required or recommended
+- Minimal inline CSS only if necessary
+- No external dependencies for core functionality
+
+### 3. Privacy
+- Consider what information to make public
+- Email addresses can attract spam
+- Phone numbers should generally be avoided
+
+## Testing Strategy
+
+### 1. IndieAuth Validation
+- Test with https://indielogin.com/
+- Verify endpoint discovery works
+- Complete a full authentication flow
+
+### 2. Microformats Validation
+- Use https://indiewebify.me/
+- Verify h-card is properly parsed
+- Check all properties are detected
+
+### 3. HTML Validation
+- Validate with W3C validator
+- Ensure semantic HTML5 compliance
+- Check accessibility basics
+
+## Common Pitfalls
+
+### 1. Missing or Wrong URLs
+- Identity URL must be absolute and match the actual page URL
+- Endpoints must be absolute URLs
+- rel="me" links must be to HTTPS when available
+
+### 2. Incorrect Microformats
+- Missing required h-card properties
+- Using old hCard format instead of h-card
+- Nesting errors in microformat classes
+
+### 3. Authentication Failures
+- Using HTTP instead of HTTPS
+- Incorrect or missing endpoint declarations
+- Not including trailing slashes consistently
+
+## Minimal Implementation Checklist
+
+- [ ] HTML5 DOCTYPE declaration
+- [ ] UTF-8 character encoding
+- [ ] Viewport meta tag for mobile
+- [ ] Authorization endpoint link
+- [ ] Token endpoint link
+- [ ] h-card with p-name
+- [ ] h-card with u-url matching page URL
+- [ ] All URLs use HTTPS
+- [ ] No broken links or empty hrefs
+- [ ] Valid HTML5 structure
+
+## Reference Implementations
+
+See `/docs/examples/identity-page.html` for a complete, working example that can be customized for any IndieAuth user.
+
+## Standards References
+
+- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [Microformats2 h-card](http://microformats.org/wiki/h-card)
+- [rel="me" specification](https://microformats.org/wiki/rel-me)
+- [IndieWeb Authentication](https://indieweb.org/authentication)

docs/decisions/ADR-006-indieauth-client-identification.md

@@ -0,0 +1,101 @@
+# ADR-006: IndieAuth Client Identification Strategy
+
+## Status
+Accepted
+
+## Context
+
+StarPunk needs to identify itself as an IndieAuth client when initiating authentication flows. The current implementation uses a hidden h-app microformat which causes IndieAuth services to reject the client_id with "This client_id is not registered" errors.
+
+IndieAuth specification requires clients to provide discoverable information about themselves using microformats. This allows authorization endpoints to:
+- Display client information to users
+- Verify the client is legitimate
+- Show what application is requesting access
+
+## Decision
+
+StarPunk will use **visible h-app microformats** in the footer of all pages to identify itself as an IndieAuth client.
+
+The h-app will include:
+- Application name (p-name)
+- Application URL (u-url)
+- Version number (p-version)
+- Optional: logo (u-logo)
+- Optional: description (p-summary)
+
+Implementation:
+```html
+<footer>
+  <div class="h-app">
+    <p>
+      Powered by <a href="https://starpunk.thesatelliteoflove.com" class="u-url p-name">StarPunk</a>
+      <span class="p-version">v0.6.1</span>
+    </p>
+  </div>
+</footer>
+```
+
+## Rationale
+
+1. **Specification Compliance**: IndieAuth spec requires client information to be discoverable via microformats parsing
+2. **Transparency**: Users should see what software they're using
+3. **Simplicity**: No JavaScript or complex rendering needed
+4. **Debugging**: Visible markup is easier to verify and debug
+5. **SEO Benefits**: Search engines can understand the application structure
+
+## Consequences
+
+### Positive
+- IndieAuth flows will work correctly
+- Client identification is transparent to users
+- Easier to debug authentication issues
+- Follows IndieWeb principles of visible metadata
+- Can be styled to match site design
+
+### Negative
+- Takes up visual space in the footer (minimal)
+- Cannot be completely hidden from view
+- Must be maintained on all pages that might be used as client_id
+
+## Alternatives Considered
+
+### 1. Hidden h-app with display:none
+**Rejected**: Some microformat parsers ignore display:none elements
+
+### 2. Off-screen positioning
+**Rejected**: Considered deceptive by some services, accessibility issues
+
+### 3. Separate client information endpoint
+**Rejected**: Adds complexity, not standard practice
+
+### 4. HTTP headers
+**Rejected**: Not part of IndieAuth specification, wouldn't work
+
+### 5. Meta tags
+**Rejected**: IndieAuth uses microformats, not meta tags
+
+## Implementation Guidelines
+
+1. **Placement**: Always in the footer, consistent across all pages
+2. **Styling**: Subtle but visible, matching site design
+3. **Content**: Minimum of name and URL, optional logo and description
+4. **Testing**: Verify with microformats parsers before deployment
+
+## Testing Checklist
+
+- [ ] h-app is visible in HTML source
+- [ ] No hidden, display:none, or visibility:hidden attributes
+- [ ] Validates at https://indiewebify.me/
+- [ ] Parses correctly at https://microformats.io/
+- [ ] IndieAuth flow works at https://indielogin.com/
+
+## References
+
+- [IndieAuth Spec Section 4.2.2](https://indieauth.spec.indieweb.org/#client-information-discovery)
+- [Microformats h-app](http://microformats.org/wiki/h-app)
+- [IndieWeb Client Information](https://indieweb.org/client-id)
+
+## Related ADRs
+
+- ADR-003: Authentication Strategy (establishes IndieAuth as auth method)
+- ADR-004: Frontend Architecture (defines template structure)

docs/decisions/ADR-010-static-identity-page.md

@@ -0,0 +1,144 @@
+# ADR-010: Static HTML Identity Pages for IndieAuth
+
+## Status
+Accepted
+
+## Context
+
+Users need a way to establish their identity on the web for IndieAuth authentication. This identity page serves as the authoritative source for:
+- Discovering authentication endpoints
+- Providing identity information (h-card)
+- Establishing social proof through rel="me" links
+
+The challenge is creating something that:
+- Works immediately without any server-side code
+- Has zero dependencies
+- Can be hosted anywhere (static hosting, GitHub Pages, etc.)
+- Is simple enough for non-technical users to customize
+
+## Decision
+
+We will provide a single, self-contained HTML file that serves as a complete IndieAuth identity page with:
+
+1. **No external dependencies** - Everything needed is in one file
+2. **No JavaScript** - Pure HTML with optional inline CSS
+3. **Public IndieAuth endpoints** - Use indieauth.com's free service
+4. **Comprehensive documentation** - Comments explaining every section
+5. **Minimal but complete** - Only what's required, nothing more
+
+## Rationale
+
+### Why Static HTML?
+
+1. **Maximum Portability**: Can be hosted anywhere that serves HTML
+2. **Zero Maintenance**: No updates, no dependencies, no security patches
+3. **Instant Setup**: Upload one file and it works
+4. **Educational**: Users can read and understand the entire implementation
+
+### Why Use indieauth.com?
+
+1. **Free and Reliable**: Public service maintained by Aaron Parecki
+2. **No Registration**: Works for any domain immediately
+3. **Standards Compliant**: Reference implementation of IndieAuth
+4. **Privacy Focused**: Doesn't store user data
+
+### Why Inline Documentation?
+
+1. **Self-Teaching**: The file explains itself
+2. **No External Docs**: Everything needed is in the file
+3. **Copy-Paste Friendly**: Users can take what they need
+4. **Reduces Errors**: Instructions are right next to the code
+
+## Consequences
+
+### Positive
+
+1. **Lowest Possible Barrier**: Anyone who can edit HTML can use this
+2. **Future Proof**: HTML5 won't break backward compatibility
+3. **Perfect for Examples**: Ideal reference implementation
+4. **No Lock-in**: Users own their identity completely
+5. **Immediate Testing**: Can validate instantly with online tools
+
+### Negative
+
+1. **Limited Functionality**: Can't do dynamic content without JavaScript
+2. **Manual Updates**: Users must edit HTML directly
+3. **No Analytics**: Can't track usage without JavaScript
+4. **Basic Styling**: Limited to inline CSS for single-file approach
+
+### Mitigation
+
+For users who need more functionality:
+- Can progressively enhance with JavaScript
+- Can move to server-side rendering later
+- Can use as a template for dynamic generation
+- Can extend with additional microformats
+
+## Alternatives Considered
+
+### 1. JavaScript-Based Solution
+
+**Rejected because**:
+- Adds complexity and dependencies
+- Requires ongoing maintenance
+- Can break with browser updates
+- Not necessary for core functionality
+
+### 2. Server-Side Generation
+
+**Rejected because**:
+- Requires server infrastructure
+- Increases hosting complexity
+- Not portable across platforms
+- Overkill for static identity data
+
+### 3. External Stylesheet
+
+**Rejected because**:
+- Creates a dependency
+- Can break if CSS file is moved
+- Increases HTTP requests
+- Inline CSS is small enough to not matter
+
+### 4. Using Multiple Files
+
+**Rejected because**:
+- Complicates deployment
+- Increases chance of errors
+- Makes sharing/copying harder
+- Benefits don't outweigh complexity
+
+## Implementation Notes
+
+The reference implementation (`/docs/examples/identity-page.html`) includes:
+
+1. **Complete HTML5 structure** with semantic markup
+2. **All required IndieAuth elements** properly configured
+3. **h-card microformat** with required and optional properties
+4. **Inline CSS** for basic but pleasant styling
+5. **Extensive comments** explaining each section
+6. **Testing instructions** embedded in HTML comments
+7. **Common pitfalls** documented inline
+
+## Testing Strategy
+
+Users should test their identity page with:
+
+1. **https://indielogin.com/** - Full authentication flow
+2. **https://indiewebify.me/** - h-card validation
+3. **W3C Validator** - HTML5 compliance
+4. **Real authentication** - Sign in to an IndieWeb service
+
+## Security Considerations
+
+1. **HTTPS Only**: Page must be served over HTTPS
+2. **No Secrets**: Everything in the file is public
+3. **No JavaScript**: Eliminates XSS vulnerabilities
+4. **No External Resources**: No CSRF or resource injection risks
+
+## References
+
+- [IndieAuth Specification](https://indieauth.spec.indieweb.org/)
+- [Microformats2 h-card](http://microformats.org/wiki/h-card)
+- [IndieWeb Authentication](https://indieweb.org/authentication)
+- [indieauth.com](https://indieauth.com/)

docs/examples/identity-page-customization-guide.md

@@ -0,0 +1,334 @@
+# IndieAuth Identity Page Customization Guide
+
+## Quick Start
+
+The identity page template (`identity-page.html`) is a complete, working IndieAuth identity page. To use it:
+
+1. Download `identity-page.html`
+2. Edit the marked sections with your information
+3. Upload to your domain root as `index.html`
+4. Test at https://indielogin.com/
+
+## What to Customize
+
+### Required Changes
+
+These MUST be changed for the page to work correctly:
+
+#### 1. Your Name
+```html
+<!-- Change this -->
+<title>Phil Skents</title>
+<h1 class="p-name">Phil Skents</h1>
+
+<!-- To this -->
+<title>Your Name</title>
+<h1 class="p-name">Your Name</h1>
+```
+
+#### 2. Your Domain
+```html
+<!-- Change this -->
+<a class="u-url" href="https://thesatelliteoflove.com" rel="me">
+    https://thesatelliteoflove.com
+</a>
+
+<!-- To this (must match where you host this file) -->
+<a class="u-url" href="https://yourdomain.com" rel="me">
+    https://yourdomain.com
+</a>
+```
+
+### Optional Customizations
+
+#### Add Your Photo
+```html
+<!-- Uncomment and modify this line -->
+<img class="u-photo" src="/avatar.jpg" alt="Your Name">
+```
+
+Photo tips:
+- Use a square image (1:1 ratio)
+- 240x240 pixels minimum recommended
+- JPEG or PNG format
+- Under 100KB for fast loading
+
+#### Add Your Bio
+```html
+<p class="p-note">
+    Your bio here. Keep it brief - 1-2 sentences.
+</p>
+```
+
+#### Add Social Media Links
+
+Uncomment and modify the social links section:
+
+```html
+<li>
+    <a href="https://github.com/yourusername" rel="me">
+        GitHub: @yourusername
+    </a>
+</li>
+```
+
+**Important**: Only add profiles you control. Some services that support rel="me":
+- GitHub (automatic)
+- Mastodon (automatic)
+- Personal websites
+- Some IndieWeb services
+
+#### Add Micropub Endpoint
+
+If you have a Micropub server (like StarPunk):
+
+```html
+<link rel="micropub" href="https://yourmicropub.example.com/micropub">
+```
+
+## Advanced Customizations
+
+### Custom Styling
+
+The template includes minimal inline CSS. To customize:
+
+1. **Colors**: Change the color values in the `<style>` section
+   ```css
+   color: #333;        /* Text color */
+   background: #fff;   /* Background color */
+   color: #0066cc;     /* Link color */
+   ```
+
+2. **Fonts**: Modify the font-family stack
+   ```css
+   font-family: Georgia, serif;  /* For a more classic look */
+   ```
+
+3. **Layout**: Adjust spacing and widths
+   ```css
+   max-width: 800px;   /* Wider content */
+   padding: 4rem;      /* More padding */
+   ```
+
+### Multiple Profiles
+
+For multiple online identities, add more h-cards:
+
+```html
+<div class="h-card">
+    <h2 class="p-name">Professional Name</h2>
+    <a class="u-url" href="https://professional.com" rel="me">
+        https://professional.com
+    </a>
+</div>
+
+<div class="h-card">
+    <h2 class="p-name">Personal Name</h2>
+    <a class="u-url" href="https://personal.com" rel="me">
+        https://personal.com
+    </a>
+</div>
+```
+
+### Language Support
+
+For non-English pages:
+
+```html
+<html lang="es">  <!-- Spanish -->
+<meta charset="utf-8">  <!-- Supports all Unicode characters -->
+```
+
+### Accessibility Improvements
+
+```html
+<!-- Add language attributes -->
+<html lang="en">
+
+<!-- Add descriptive alt text -->
+<img class="u-photo" src="/avatar.jpg" alt="Headshot of Your Name">
+
+<!-- Add skip navigation -->
+<a href="#main" class="skip-link">Skip to content</a>
+```
+
+## Testing Your Customizations
+
+### 1. Local Testing
+
+Open the file in your browser:
+```
+file:///path/to/identity-page.html
+```
+
+Check:
+- [ ] Your name appears correctly
+- [ ] Links work (won't authenticate locally)
+- [ ] Page looks good on mobile (resize browser)
+
+### 2. HTML Validation
+
+Visit https://validator.w3.org/:
+1. Choose "Validate by File Upload"
+2. Upload your modified file
+3. Fix any errors shown
+
+### 3. Microformats Testing
+
+Visit https://indiewebify.me/:
+1. After uploading to your domain
+2. Use "Validate h-card"
+3. Enter your domain
+4. Verify your information is detected
+
+### 4. IndieAuth Testing
+
+Visit https://indielogin.com/:
+1. Enter your domain
+2. Should see "IndieAuth.com" as option
+3. Click to authenticate
+4. Should complete successfully
+
+## Common Mistakes to Avoid
+
+### 1. URL Mismatches
+
+❌ **Wrong**:
+```html
+<!-- Hosted at https://example.com but u-url says: -->
+<a class="u-url" href="https://different.com">
+```
+
+✅ **Correct**:
+```html
+<!-- URLs must match exactly -->
+<a class="u-url" href="https://example.com">
+```
+
+### 2. Missing HTTPS
+
+❌ **Wrong**:
+```html
+<a class="u-url" href="http://example.com">
+```
+
+✅ **Correct**:
+```html
+<a class="u-url" href="https://example.com">
+```
+
+### 3. Broken Social Links
+
+❌ **Wrong**:
+```html
+<!-- Empty href -->
+<a href="" rel="me">GitHub</a>
+
+<!-- Placeholder text -->
+<a href="https://github.com/yourusername" rel="me">
+```
+
+✅ **Correct**:
+```html
+<!-- Real, working link -->
+<a href="https://github.com/actualusername" rel="me">GitHub</a>
+```
+
+### 4. Multiple u-url Values
+
+❌ **Wrong**:
+```html
+<a class="u-url" href="https://example.com">Example</a>
+<a class="u-url" href="https://other.com">Other</a>
+```
+
+✅ **Correct**:
+```html
+<!-- Only one u-url that matches your domain -->
+<a class="u-url" href="https://example.com">Example</a>
+<a href="https://other.com">Other</a>  <!-- No u-url class -->
+```
+
+## Deployment Options
+
+### Static Hosting Services
+
+The identity page works on any static host:
+
+1. **GitHub Pages**
+   - Free with GitHub account
+   - Upload as `index.html` in repository
+   - Enable Pages in repository settings
+
+2. **Netlify**
+   - Drag and drop deployment
+   - Free tier available
+   - Automatic HTTPS
+
+3. **Vercel**
+   - Simple deployment
+   - Free tier available
+   - Good performance
+
+4. **Traditional Web Hosting**
+   - Upload via FTP/SFTP
+   - Place in document root
+   - Ensure HTTPS is enabled
+
+### File Naming
+
+- `index.html` - For domain root (https://example.com/)
+- `identity.html` - For subfolder (https://example.com/identity.html)
+- Any name works, but update your StarPunk configuration accordingly
+
+## Integration with StarPunk
+
+Once your identity page is working:
+
+1. **Configure StarPunk** to use your identity URL:
+   ```
+   IDENTITY_URL=https://yourdomain.com
+   ```
+
+2. **Test Authentication**:
+   - Visit your StarPunk instance
+   - Click "Sign In"
+   - Enter your identity URL
+   - Should authenticate successfully
+
+3. **Add Micropub Endpoint** (after StarPunk is running):
+   ```html
+   <link rel="micropub" href="https://starpunk.yourdomain.com/micropub">
+   ```
+
+## Troubleshooting
+
+### Page Not Found
+- Ensure file is named correctly (usually `index.html`)
+- Check file is in correct directory (document root)
+- Verify domain is configured correctly
+
+### Authentication Fails
+- Verify HTTPS is working
+- Check u-url matches actual URL exactly
+- Ensure no typos in endpoint URLs
+- Test with browser developer tools for errors
+
+### h-card Not Detected
+- Check class names are exact (`h-card`, `p-name`, `u-url`)
+- Ensure HTML structure is valid
+- Verify no typos in microformat classes
+
+### Social Links Not Working
+- Only include rel="me" on profiles you control
+- Check URLs are correct and working
+- Some services don't support rel="me" back-linking
+
+## Getting Help
+
+- **IndieWeb Chat**: https://indieweb.org/discuss
+- **StarPunk Issues**: [GitHub repository]
+- **IndieAuth Spec**: https://indieauth.spec.indieweb.org/
+- **Microformats Wiki**: http://microformats.org/
+
+Remember: The simplest solution is often the best. Don't add complexity unless you need it.

docs/examples/identity-page.html

@@ -0,0 +1,271 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <!--
+    ============================================================
+    IndieAuth Identity Page - Minimal Reference Implementation
+    ============================================================
+
+    This is a complete, working IndieAuth identity page that requires:
+    - Zero JavaScript
+    - Zero external dependencies
+    - Only this single HTML file
+
+    To use this template:
+    1. Replace "Phil Skents" with your name
+    2. Replace "https://thesatelliteoflove.com" with your domain
+    3. Optionally add your social media profiles with rel="me"
+    4. Upload to your domain root (e.g., index.html)
+    5. Test at https://indielogin.com/
+
+    ============================================================
+    -->
+
+    <!-- Required: Character encoding -->
+    <meta charset="utf-8">
+
+    <!-- Required: Responsive viewport -->
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <!-- Page title: Your name -->
+    <title>Phil Skents</title>
+
+    <!--
+    ============================================================
+    CRITICAL: IndieAuth Endpoint Discovery
+    These links tell IndieAuth clients where to authenticate.
+    Using indieauth.com as a public service that works for everyone.
+    ============================================================
+    -->
+
+    <!-- Required: Authorization endpoint for IndieAuth -->
+    <link rel="authorization_endpoint" href="https://indieauth.com/auth">
+
+    <!-- Required: Token endpoint for obtaining access tokens -->
+    <link rel="token_endpoint" href="https://tokens.indieauth.com/token">
+
+    <!--
+    Optional: If you have a Micropub server (like StarPunk), add:
+    <link rel="micropub" href="https://starpunk.thesatelliteoflove.com/micropub">
+    -->
+
+    <!-- Optional: Minimal styling for readability -->
+    <style>
+        /* Reset and base styles */
+        * {
+            margin: 0;
+            padding: 0;
+            box-sizing: border-box;
+        }
+
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto,
+                         "Helvetica Neue", Arial, sans-serif;
+            line-height: 1.6;
+            color: #333;
+            background: #fff;
+            padding: 2rem;
+            max-width: 600px;
+            margin: 0 auto;
+        }
+
+        /* Typography */
+        h1 {
+            font-size: 2rem;
+            margin-bottom: 0.5rem;
+            color: #000;
+        }
+
+        p {
+            margin: 1rem 0;
+        }
+
+        a {
+            color: #0066cc;
+            text-decoration: none;
+        }
+
+        a:hover {
+            text-decoration: underline;
+        }
+
+        /* Layout */
+        .h-card {
+            margin: 2rem 0;
+        }
+
+        .identity-url {
+            font-size: 1.1rem;
+            color: #666;
+            margin-bottom: 1.5rem;
+        }
+
+        .social-links {
+            margin-top: 2rem;
+            padding-top: 2rem;
+            border-top: 1px solid #eee;
+        }
+
+        .social-links h2 {
+            font-size: 1.2rem;
+            margin-bottom: 1rem;
+            color: #666;
+        }
+
+        .social-links ul {
+            list-style: none;
+        }
+
+        .social-links li {
+            margin: 0.5rem 0;
+        }
+
+        /* Optional: Avatar styling */
+        .u-photo {
+            width: 120px;
+            height: 120px;
+            border-radius: 60px;
+            margin-bottom: 1rem;
+        }
+
+        /* Info box */
+        .info-box {
+            background: #f5f5f5;
+            border-left: 4px solid #0066cc;
+            padding: 1rem;
+            margin: 2rem 0;
+        }
+
+        .info-box h3 {
+            margin-bottom: 0.5rem;
+        }
+
+        .info-box p {
+            margin: 0.5rem 0;
+            font-size: 0.9rem;
+        }
+    </style>
+</head>
+<body>
+    <!--
+    ============================================================
+    h-card Microformat: Your Identity Information
+    This is machine-readable markup that IndieAuth uses to
+    identify you. The h-card is the IndieWeb's business card.
+    ============================================================
+    -->
+    <div class="h-card">
+        <!-- Optional: Your photo/avatar
+        <img class="u-photo" src="/avatar.jpg" alt="Phil Skents">
+        -->
+
+        <!-- Required: Your name (p-name) -->
+        <h1 class="p-name">Phil Skents</h1>
+
+        <!-- Required: Your identity URL (u-url)
+             MUST match the URL where this page is hosted -->
+        <div class="identity-url">
+            <a class="u-url" href="https://thesatelliteoflove.com" rel="me">
+                https://thesatelliteoflove.com
+            </a>
+        </div>
+
+        <!-- Optional: Brief bio or description -->
+        <p class="p-note">
+            IndieWeb enthusiast building minimal, standards-compliant web tools.
+            Creator of StarPunk CMS.
+        </p>
+
+        <!--
+        ============================================================
+        Optional: Social Media Links with rel="me"
+        These create a web of trust by linking your identities.
+        Only include profiles you control.
+        The receiving site should link back with rel="me" for
+        bidirectional verification (GitHub and some others do this).
+        ============================================================
+        -->
+        <div class="social-links">
+            <h2>Also me on the web</h2>
+            <ul>
+                <!-- Example social links - replace with your actual profiles -->
+                <!--
+                <li>
+                    <a href="https://github.com/yourusername" rel="me">
+                        GitHub: @yourusername
+                    </a>
+                </li>
+                <li>
+                    <a href="https://mastodon.social/@yourusername" rel="me">
+                        Mastodon: @yourusername@mastodon.social
+                    </a>
+                </li>
+                <li>
+                    <a href="https://twitter.com/yourusername" rel="me">
+                        Twitter: @yourusername
+                    </a>
+                </li>
+                -->
+
+                <!-- For now, just a note about StarPunk -->
+                <li>
+                    Publishing with
+                    <a href="https://starpunk.thesatelliteoflove.com">
+                        StarPunk
+                    </a>
+                </li>
+            </ul>
+        </div>
+    </div>
+
+    <!--
+    ============================================================
+    Information Box: How This Works
+    This section is optional but helpful for visitors.
+    ============================================================
+    -->
+    <div class="info-box">
+        <h3>About This Page</h3>
+        <p>
+            This is my IndieAuth identity page. It allows me to sign in to
+            IndieWeb services using my domain name instead of passwords.
+        </p>
+        <p>
+            <strong>Technical:</strong> This page uses
+            <a href="https://indieauth.spec.indieweb.org/">IndieAuth</a> for
+            authentication and
+            <a href="http://microformats.org/wiki/h-card">h-card microformats</a>
+            for identity markup.
+        </p>
+        <p>
+            <strong>Privacy:</strong> Authentication is handled by
+            <a href="https://indieauth.com">IndieAuth.com</a>.
+            No passwords or personal data are stored on this site.
+        </p>
+    </div>
+
+    <!--
+    ============================================================
+    Testing Your Identity Page
+
+    After uploading this file to your domain:
+
+    1. Visit https://indielogin.com/
+    2. Enter your domain (e.g., https://thesatelliteoflove.com)
+    3. You should see IndieAuth.com as an option
+    4. Complete the authentication flow
+
+    To validate your h-card:
+    1. Visit https://indiewebify.me/
+    2. Use the h-card validator
+    3. Enter your domain
+    4. Verify all information is detected
+
+    Common Issues:
+    - URL mismatch: The u-url must exactly match your domain
+    - Missing HTTPS: Both your domain and endpoints need HTTPS
+    - Wrong endpoints: The endpoint URLs must be exactly as shown
+    ============================================================
+    -->
+</body>
+</html>

docs/reports/identity-domain-validation-2025-11-19.md

@@ -0,0 +1,249 @@
+# Identity Domain Validation Report
+**Domain**: https://thesatelliteoflove.com
+**Date**: 2025-11-19
+**Validator**: StarPunk Architect Agent
+**Purpose**: Validate IndieAuth configuration for StarPunk authentication
+
+## Executive Summary
+
+**STATUS**: PARTIALLY READY - Configuration present but has critical issues
+
+The identity domain `https://thesatelliteoflove.com` has the core IndieAuth metadata in place, but contains several configuration errors that will prevent successful authentication. The domain requires fixes before it can be used with StarPunk.
+
+## IndieAuth Configuration Analysis
+
+### 1. Authorization Endpoint ✓ PRESENT (with issues)
+```html
+<link rel="authorization_endpoint" href="https://indieauth.com/auth">
+```
+- **Status**: Configured
+- **Endpoint**: IndieAuth.com (established IndieAuth service)
+- **Issue**: HEAD request returned HTTP 400, suggesting the endpoint may have issues or requires specific parameters
+- **Impact**: May cause authentication to fail
+
+### 2. Token Endpoint ✓ PRESENT
+```html
+<link rel="token_endpoint" href="https://tokens.indieauth.com/token">
+```
+- **Status**: Configured
+- **Endpoint**: tokens.indieauth.com (official token service)
+- **Validation**: Returns HTTP 200, endpoint is accessible
+- **Impact**: Token generation should work correctly
+
+### 3. Micropub Endpoint ⚠️ DUPLICATE CONFIGURATION
+```html
+<link rel="micropub" href="https://thesatelliteoflove.com//micropub">
+<link rel="micropub" href="" />
+```
+- **Issue**: Two micropub declarations, one empty
+- **Impact**: May confuse clients; the empty one should be removed
+- **Note**: The first one points to the domain but has double slash (//)
+
+## Identity Information (h-card)
+
+### Body-level h-card ✓ PRESENT (incomplete)
+```html
+<body class="h-card">
+```
+- **Status**: Configured at body level
+- **Issue**: The entire page is marked as an h-card, which is technically valid but not best practice
+
+### Identity Properties Found:
+
+1. **Name (p-name)**: ✓ PRESENT
+   ```html
+   <a class="u-url p-name" href="/">Home</a>
+   <span class="p-author h-card">Phil Skents</span>
+   ```
+   - Conflicting names: "Home" vs "Phil Skents"
+   - Best practice: Should have a single, clear p-name property
+
+2. **URL (u-url)**: ✓ PRESENT
+   ```html
+   <a class="u-url p-name" href="/">Home</a>
+   ```
+   - Links to homepage
+   - Should be full URL (https://thesatelliteoflove.com) for clarity
+
+3. **Photo (u-photo)**: ✗ MISSING
+   - No photo property found
+   - Recommended for complete identity representation
+
+4. **Email (u-email)**: Potentially present
+   ```html
+   <link href="mailto:phil@thesatelliteoflove.com" rel="me">
+   ```
+   - Present as rel="me" link, not as u-email property
+
+## Social Proof (rel="me" links)
+
+### Links Found:
+1. ✗ **Empty rel="me"**: `<link rel="me" href="" />`
+2. ✓ **Email**: `<link href="mailto:phil@thesatelliteoflove.com" rel="me">`
+
+**Issues**:
+- One empty rel="me" link should be removed
+- No links to social media profiles (GitHub, Mastodon, etc.)
+- Missing bidirectional verification for rel="me" web sign-in
+
+## Security Assessment
+
+### HTTPS Configuration: ✓ PASS
+- Domain properly serves over HTTPS
+- No mixed content detected in initial inspection
+
+### Endpoint Accessibility:
+- Token endpoint: ✓ Accessible (HTTP 200)
+- Authorization endpoint: ⚠️ Returns HTTP 400 (may need investigation)
+
+### Domain Redirects:
+- No redirects detected
+- Clean HTTPS delivery
+
+## IndieWeb Microformats
+
+### Found:
+- `h-card`: Present (body-level)
+- `h-feed`: Present on homepage
+- `h-entry`: Present for content items
+- `p-name`, `u-url`, `dt-published`: Properly used in feed items
+- `p-author`: Present in footer
+
+**Assessment**: Good microformats2 markup for content, but identity h-card needs refinement.
+
+## Critical Issues Requiring Fixes
+
+### Priority 1: Must Fix Before Production
+1. **Remove empty links**:
+   - Empty `rel="me"` link
+   - Empty `rel="micropub"` link
+   - Empty `rel="webmention"` link
+   - Empty `rel="pingback"` link
+
+2. **Fix micropub double-slash**:
+   - Change `https://thesatelliteoflove.com//micropub`
+   - To: `https://starpunk.thesatelliteoflove.com/micropub`
+   - (This should point to StarPunk, not the identity domain)
+
+3. **Clarify h-card identity**:
+   - Create a dedicated h-card element (not body-level)
+   - Use consistent p-name ("Phil Skents", not "Home")
+   - Add u-url with full domain URL
+   - Consider adding u-photo
+
+### Priority 2: Should Fix for Best Practice
+1. **Add social proof**:
+   - Add rel="me" links to social profiles
+   - Ensure bidirectional linking for web sign-in
+
+2. **Simplify h-card structure**:
+   - Move h-card from body to specific element (header or aside)
+   - Reduce confusion with multiple p-name properties
+
+3. **Investigation needed**:
+   - Determine why https://indieauth.com/auth returns HTTP 400
+   - May need to test full authentication flow
+
+## Expected Authentication Flow
+
+### Current State:
+1. User enters `https://thesatelliteoflove.com` as identity URL
+2. StarPunk fetches the page and finds:
+   - Authorization endpoint: `https://indieauth.com/auth`
+   - Token endpoint: `https://tokens.indieauth.com/token`
+3. StarPunk redirects to IndieAuth.com with:
+   - client_id: `https://starpunk.thesatelliteoflove.com/`
+   - redirect_uri: `https://starpunk.thesatelliteoflove.com/auth/callback`
+   - state: (random value)
+4. IndieAuth.com verifies the identity domain
+5. User approves the authorization
+6. IndieAuth.com redirects back with auth code
+7. StarPunk exchanges code for token at tokens.indieauth.com
+8. User is authenticated
+
+### Potential Issues:
+- Empty rel="me" links may confuse IndieAuth.com
+- HTTP 400 from authorization endpoint needs investigation
+- Micropub endpoint configuration may cause client confusion
+
+## Recommendations
+
+### Immediate Actions:
+1. **Clean up the HTML head**:
+   ```html
+   <!-- Remove these: -->
+   <link rel="me" href="" />
+   <link rel="webmention" href="" />
+   <link rel="pingback" href="" />
+   <link rel="micropub" href="" />
+
+   <!-- Fix this: -->
+   <link rel="micropub" href="https://starpunk.thesatelliteoflove.com/micropub">
+   ```
+
+2. **Improve h-card**:
+   ```html
+   <header class="h-card">
+       <a class="u-url u-uid" href="https://thesatelliteoflove.com">
+           <span class="p-name">Phil Skents</span>
+       </a>
+       <a class="u-email" href="mailto:phil@thesatelliteoflove.com">Email</a>
+   </header>
+   ```
+
+3. **Add social verification**:
+   ```html
+   <link rel="me" href="https://github.com/yourprofile">
+   <link rel="me" href="https://mastodon.social/@yourhandle">
+   ```
+
+### Testing Actions:
+1. Test full IndieAuth flow with IndieLogin.com
+2. Verify authorization endpoint functionality
+3. Test with StarPunk once fixes are applied
+4. Validate h-card parsing with microformats validator
+
+## Architectural Compliance
+
+### IndieWeb Standards: ⚠️ PARTIAL
+- Has required IndieAuth endpoints
+- Has microformats markup
+- Missing complete identity information
+- Has configuration errors
+
+### Security Standards: ✓ PASS
+- HTTPS properly configured
+- Using established IndieAuth services
+- No obvious security issues
+
+### Best Practices: ⚠️ NEEDS IMPROVEMENT
+- Multiple empty link elements (code smell)
+- Duplicate micropub declarations
+- Inconsistent identity markup
+- Missing social proof
+
+## Conclusion
+
+**Can authentication work right now?** POSSIBLY, but with high risk of failure.
+
+**Should it be used in production?** NO, not until critical issues are fixed.
+
+**Estimated time to fix**: 15-30 minutes of HTML editing.
+
+The domain has the foundational IndieAuth configuration in place, which is excellent. However, the presence of empty link elements and duplicate declarations suggests the site may have been generated from a template with placeholder values that weren't fully configured.
+
+Once the empty links are removed, the micropub endpoint is corrected to point to StarPunk, and the h-card is refined, this domain will be fully ready for IndieAuth authentication.
+
+## Next Steps
+
+1. Fix the identity domain HTML (see Immediate Actions above)
+2. Test authentication flow with IndieLogin.com directly
+3. Verify StarPunk can discover and use the endpoints
+4. Document successful authentication in test report
+5. Consider creating a validation script for identity domain setup
+
+---
+
+**Document Status**: Complete
+**Last Updated**: 2025-11-19
+**Maintained By**: StarPunk Architect Agent

starpunk/config.py

@@ -61,8 +61,9 @@ def load_config(app, config_override=None):
     app.config["DEV_MODE"] = os.getenv("DEV_MODE", "false").lower() == "true"
     app.config["DEV_ADMIN_ME"] = os.getenv("DEV_ADMIN_ME", "")
 
-    # Application version
+    # Application version (use __version__ from package)
-    app.config["VERSION"] = os.getenv("VERSION", "0.6.0")
+    from starpunk import __version__
+    app.config["VERSION"] = os.getenv("VERSION", __version__)
 
     # RSS feed configuration
     app.config["FEED_MAX_ITEMS"] = int(os.getenv("FEED_MAX_ITEMS", "50"))

templates/base.html

@@ -42,7 +42,7 @@
     <p>StarPunk v{{ config.get('VERSION', '0.5.0') }}</p>
 
     <!-- IndieAuth client discovery (h-app microformats) -->
-    <div class="h-app" hidden aria-hidden="true">
+    <div class="h-app">
       <a href="{{ config.SITE_URL }}" class="u-url p-name">{{ config.get('SITE_NAME', 'StarPunk') }}</a>
     </div>
   </footer>