AtomGraph · namedgraph · Oct 25, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 19, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -145,12 +145,18 @@ COPY platform/import-letsencrypt-stg-roots.sh import-letsencrypt-stg-roots.sh
 
 COPY platform/select-root-services.rq select-root-services.rq
 
+COPY platform/select-agent-metadata.rq select-agent-metadata.rq
+
 # copy the metadata of built-in agents
 
 COPY platform/root-secretary.trig.template root-secretary.trig.template
 
 COPY platform/root-owner.trig.template root-owner.trig.template
 
+COPY platform/root-secretary-authorization.trig.template root-secretary-authorization.trig.template
+
+COPY platform/root-owner-authorization.trig.template root-owner-authorization.trig.template
+
 # copy the metadata of the namespace ontology
 
 COPY platform/namespace-ontology.trig.template namespace-ontology.trig.template

diff --git a/bin/add-generic-service.sh b/bin/add-generic-service.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/add-result-set-chart.sh b/bin/add-result-set-chart.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/add-select.sh b/bin/add-select.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/add-view.sh b/bin/add-view.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/acl/add-agent-to-group.sh b/bin/admin/acl/add-agent-to-group.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {
@@ -79,4 +80,4 @@ sparql+="}\n"
 
 # PATCH SPARQL to the named graph
 
-echo -e "$sparql" | curl -X PATCH --data-binary @- -s -k -E "$cert_pem_file":"$cert_password" "$target" -H "Content-Type: application/sparql-update"
+echo -e "$sparql" | curl -f -X PATCH --data-binary @- -s -k -E "$cert_pem_file":"$cert_password" "$target" -H "Content-Type: application/sparql-update"
diff --git a/bin/admin/acl/create-authorization.sh b/bin/admin/acl/create-authorization.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/acl/create-group.sh b/bin/admin/acl/create-group.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/add-ontology-import.sh b/bin/admin/add-ontology-import.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {
@@ -80,4 +81,4 @@ sparql+="}\n"
 
 # PATCH SPARQL to the named graph
 
-echo -e "$sparql" | curl -X PATCH --data-binary @- -v -k -E "$cert_pem_file":"$cert_password" "$target" -H "Content-Type: application/sparql-update"
+echo -e "$sparql" | curl -f -X PATCH --data-binary @- -v -k -E "$cert_pem_file":"$cert_password" "$target" -H "Content-Type: application/sparql-update"
diff --git a/bin/admin/model/add-class.sh b/bin/admin/model/add-class.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/model/add-construct.sh b/bin/admin/model/add-construct.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/model/add-property-constraint.sh b/bin/admin/model/add-property-constraint.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/model/add-restriction.sh b/bin/admin/model/add-restriction.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/model/add-select.sh b/bin/admin/model/add-select.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/admin/model/create-ontology.sh b/bin/admin/model/create-ontology.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/content/add-object-block.sh b/bin/content/add-object-block.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/content/add-xhtml-block.sh b/bin/content/add-xhtml-block.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/create-container.sh b/bin/create-container.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/create-item.sh b/bin/create-item.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/get.sh b/bin/get.sh
@@ -84,7 +84,7 @@ fi
 # GET RDF document
 
 if [ -n "$head" ] ; then
-    curl -v -k -E "$cert_pem_file":"$cert_password" -H "Accept: ${accept}" "$target" --head
+    curl -f -v -k -E "$cert_pem_file":"$cert_password" -H "Accept: ${accept}" "$target" --head
 else
-    curl -v -k -E "$cert_pem_file":"$cert_password" -H "Accept: ${accept}" "$target"
+    curl -f -v -k -E "$cert_pem_file":"$cert_password" -H "Accept: ${accept}" "$target"
 fi
diff --git a/bin/imports/create-csv-import.sh b/bin/imports/create-csv-import.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/imports/create-file.sh b/bin/imports/create-file.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {
@@ -176,7 +177,7 @@ if [ -n "$proxy" ]; then
 fi
 
 # POST RDF/POST multipart form and capture the effective URL
-effective_url=$(echo -e "$rdf_post" | curl -w '%{url_effective}' -v -s -k -X PUT -H "Accept: text/turtle" -E "$cert_pem_file":"$cert_password" -o /dev/null --config - "$target")
+effective_url=$(echo -e "$rdf_post" | curl -w '%{url_effective}' -f -v -s -k -X PUT -H "Accept: text/turtle" -E "$cert_pem_file":"$cert_password" -o /dev/null --config - "$target")
 
 # If using proxy, rewrite the effective URL back to original hostname
 if [ -n "$proxy" ]; then

diff --git a/bin/imports/create-query.sh b/bin/imports/create-query.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/imports/create-rdf-import.sh b/bin/imports/create-rdf-import.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -eo pipefail
 
 print_usage()
 {

diff --git a/bin/patch.sh b/bin/patch.sh
@@ -70,4 +70,4 @@ fi
 
 # resolve SPARQL update from stdin against base URL and PATCH it to the server
 # uparse currently does not support --base: https://github.com/apache/jena/issues/3296
-cat - | curl -v -k -E "$cert_pem_file":"$cert_password" --data-binary @- -H "Content-Type: application/sparql-update" -X PATCH -o /dev/null "$final_url"
+cat - | curl -f -v -k -E "$cert_pem_file":"$cert_password" --data-binary @- -H "Content-Type: application/sparql-update" -X PATCH -o /dev/null "$final_url"
diff --git a/bin/post.sh b/bin/post.sh
@@ -80,7 +80,7 @@ else
 fi
 
 # resolve RDF document from stdin against base URL and POST to the server and print request URL
-effective_url=$(cat - | turtle --base="$url" | curl -w '%{url_effective}' -v -k -E "$cert_pem_file":"$cert_password" -d @- -H "Content-Type: ${content_type}" -H "Accept: text/turtle" -o /dev/null "$final_url")
+effective_url=$(cat - | turtle --base="$url" | curl -w '%{url_effective}' -f -v -k -E "$cert_pem_file":"$cert_password" -d @- -H "Content-Type: ${content_type}" -H "Accept: text/turtle" -o /dev/null "$final_url") || exit $?
 
 # If using proxy, rewrite the effective URL back to original hostname
 if [ -n "$proxy" ]; then

diff --git a/bin/put.sh b/bin/put.sh
@@ -80,7 +80,7 @@ else
 fi
 
 # resolve RDF document from stdin against base URL and PUT to the server and print request URL
-effective_url=$(cat - | turtle --base="$url" | curl -w '%{url_effective}' -v -k -E "$cert_pem_file":"$cert_password" -d @- -X PUT -H "Content-Type: ${content_type}" -H "Accept: text/turtle" -o /dev/null "$final_url")
+effective_url=$(cat - | turtle --base="$url" | curl -w '%{url_effective}' -f -v -k -E "$cert_pem_file":"$cert_password" -d @- -X PUT -H "Content-Type: ${content_type}" -H "Accept: text/turtle" -o /dev/null "$final_url") || exit $?
 
 # If using proxy, rewrite the effective URL back to original hostname
 if [ -n "$proxy" ]; then

diff --git a/http-tests/admin/acl/add-delete-authorization.sh b/http-tests/admin/acl/add-delete-authorization.sh
@@ -28,7 +28,27 @@ container=$(create-container.sh \
   --slug "$slug" \
   --parent "$END_USER_BASE_URL")
 
-# create authorization
+# create fake test.localhost authorization (should be filtered out)
+
+create-authorization.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  -b "https://admin.test.localhost:4443/" \
+  --label "Fake DELETE authorization from test.localhost" \
+  --agent "$AGENT_URI" \
+  --to "$container" \
+  --write
+
+# access is still denied (fake authorization filtered out)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  -X DELETE \
+  "$container" \
+| grep -q "$STATUS_FORBIDDEN"
+
+# create real localhost authorization
 
 create-authorization.sh \
   -f "$OWNER_CERT_FILE" \
@@ -39,7 +59,7 @@ create-authorization.sh \
   --to "$container" \
   --write
 
-# access is allowed after authorization is created
+# access is allowed after real authorization is created
 
 curl -k -w "%{http_code}\n" -o /dev/null -f -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

diff --git a/http-tests/admin/acl/add-delete-class-authorization.sh b/http-tests/admin/acl/add-delete-class-authorization.sh
@@ -28,7 +28,27 @@ container=$(create-container.sh \
   --slug "$slug" \
   --parent "$END_USER_BASE_URL")
 
-# create authorization
+# create fake test.localhost authorization (should be filtered out)
+
+create-authorization.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  -b "https://admin.test.localhost:4443/" \
+  --label "Fake DELETE class authorization from test.localhost" \
+  --agent "$AGENT_URI" \
+  --to-all-in "https://www.w3.org/ns/ldt/document-hierarchy#Container" \
+  --write
+
+# access is still denied (fake authorization filtered out)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  -X DELETE \
+  "$container" \
+| grep -q "$STATUS_FORBIDDEN"
+
+# create real localhost authorization
 
 create-authorization.sh \
   -f "$OWNER_CERT_FILE" \
@@ -39,7 +59,7 @@ create-authorization.sh \
   --to-all-in "https://www.w3.org/ns/ldt/document-hierarchy#Container" \
   --write
 
-# access is allowed after authorization is created
+# access is allowed after real authorization is created
 
 curl -k -w "%{http_code}\n" -o /dev/null -f -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

diff --git a/http-tests/admin/acl/add-delete-group-authorization.sh b/http-tests/admin/acl/add-delete-group-authorization.sh
@@ -44,7 +44,27 @@ container=$(create-container.sh \
   --slug "$slug" \
   --parent "$END_USER_BASE_URL")
 
-# create authorization
+# create fake test.localhost authorization (should be filtered out)
+
+create-authorization.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  -b "https://admin.test.localhost:4443/" \
+  --label "Fake DELETE group authorization from test.localhost" \
+  --agent-group "$group" \
+  --to "$container" \
+  --write
+
+# access is still denied (fake authorization filtered out)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  -X DELETE \
+  "$container" \
+| grep -q "$STATUS_FORBIDDEN"
+
+# create real localhost authorization
 
 create-authorization.sh \
   -f "$OWNER_CERT_FILE" \
@@ -55,7 +75,7 @@ create-authorization.sh \
   --to "$container" \
   --write
 
-# access is allowed after authorization is created
+# access is allowed after real authorization is created
 
 curl -k -w "%{http_code}\n" -o /dev/null -f -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

diff --git a/http-tests/admin/acl/add-get-authorization.sh b/http-tests/admin/acl/add-get-authorization.sh
@@ -15,7 +15,26 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   "$END_USER_BASE_URL" \
 | grep -q "$STATUS_FORBIDDEN"
 
-# create authorization
+# create fake test.localhost authorization (should be filtered out)
+
+create-authorization.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  -b "https://admin.test.localhost:4443/" \
+  --label "Fake GET authorization from test.localhost" \
+  --agent "$AGENT_URI" \
+  --to "$END_USER_BASE_URL" \
+  --read
+
+# access is still denied (fake authorization filtered out)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  "$END_USER_BASE_URL" \
+| grep -q "$STATUS_FORBIDDEN"
+
+# create real localhost authorization
 
 create-authorization.sh \
   -f "$OWNER_CERT_FILE" \
@@ -26,7 +45,7 @@ create-authorization.sh \
   --to "$END_USER_BASE_URL" \
   --read
 
-# access is allowed after authorization is created
+# access is allowed after real authorization is created
 
 curl -k -w "%{http_code}\n" -o /dev/null -f -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

diff --git a/http-tests/admin/acl/add-get-class-authorization.sh b/http-tests/admin/acl/add-get-class-authorization.sh
@@ -15,7 +15,26 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   "$END_USER_BASE_URL" \
 | grep -q "$STATUS_FORBIDDEN"
 
-# create authorization
+# create fake test.localhost authorization (should be filtered out)
+
+create-authorization.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  -b "https://admin.test.localhost:4443/" \
+  --label "Fake GET Container authorization from test.localhost" \
+  --agent "$AGENT_URI" \
+  --to-all-in "https://w3id.org/atomgraph/linkeddatahub/default#Root" \
+  --read
+
+# access is still denied (fake authorization filtered out)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  "$END_USER_BASE_URL" \
+| grep -q "$STATUS_FORBIDDEN"
+
+# create real localhost authorization
 
 create-authorization.sh \
   -f "$OWNER_CERT_FILE" \
@@ -26,7 +45,7 @@ create-authorization.sh \
   --to-all-in "https://w3id.org/atomgraph/linkeddatahub/default#Root" \
   --read
 
-# access is allowed after authorization is created
+# access is allowed after real authorization is created
 
 curl -k -w "%{http_code}\n" -o /dev/null -f -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \