javascript-solid-server 0.0.110 → 0.0.112

package/docs/payments.md

@@ -0,0 +1,94 @@
+## HTTP 402 Paid Access
+
+Monetize API endpoints with per-request satoshi payments. Resources under `/pay/*` require NIP-98 authentication and a positive balance.
+
+```bash
+jss start --pay --pay-cost 10 --pay-address your-address --pay-token PODS --pay-rate 10
+```
+
+### Routes
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/pay/.info` | Public: cost, token info, chains, pool |
+| GET | `/pay/.balance` | Check your balance (NIP-98 auth) |
+| POST | `/pay/.deposit` | Deposit sats via TXO URI or MRC20 state proof |
+| POST | `/pay/.buy` | Buy tokens with sat balance (requires `--pay-token`) |
+| POST | `/pay/.withdraw` | Withdraw balance as portable tokens (requires `--pay-token`) |
+| GET | `/pay/.offers` | List open sell orders (secondary market) |
+| POST | `/pay/.sell` | Create a sell order (requires `--pay-token`) |
+| POST | `/pay/.swap` | Execute a swap against a sell order |
+| GET | `/pay/.pool` | AMM pool state (requires `--pay-chains`) |
+| POST | `/pay/.pool` | AMM swap, add/remove liquidity |
+| GET | `/pay/*` | Paid resource access (deducts balance) |
+
+### How It Works
+
+1. Authenticate with NIP-98 (Nostr HTTP Auth)
+2. Check balance at `/pay/.balance`
+3. Deposit sats by POSTing a TXO URI to `/pay/.deposit`
+4. Access paid resources — each request deducts the configured cost
+5. Optionally buy tokens (`/pay/.buy`) or withdraw as portable tokens (`/pay/.withdraw`)
+6. Balance tracked in a [Web Ledger](https://webledgers.org/) at `/.well-known/webledgers/webledgers.json`
+
+### Example
+
+```bash
+# Check balance
+curl -H "Authorization: Nostr <base64-event>" http://localhost:3000/pay/.balance
+
+# Deposit (post a confirmed transaction output)
+curl -X POST -H "Authorization: Nostr <base64-event>" \
+  http://localhost:3000/pay/.deposit \
+  -d "txid:vout"
+
+# Access paid resource
+curl -H "Authorization: Nostr <base64-event>" http://localhost:3000/pay/my-resource
+
+# Buy tokens with sat balance
+curl -X POST -H "Authorization: Nostr <base64-event>" \
+  -H "Content-Type: application/json" \
+  http://localhost:3000/pay/.buy \
+  -d '{"amount": 100}'
+
+# Withdraw entire balance as portable tokens
+curl -X POST -H "Authorization: Nostr <base64-event>" \
+  -H "Content-Type: application/json" \
+  http://localhost:3000/pay/.withdraw \
+  -d '{"all": true}'
+```
+
+Deposit verification uses the mempool API (default: testnet4). The `X-Balance` and `X-Cost` headers are returned on successful paid requests. Buy and withdraw return portable MRC20 proofs with Bitcoin anchor data for independent verification.
+
+### Secondary Market
+
+Users can trade tokens peer-to-peer through the pod. Sell orders are created via `/pay/.sell` and filled via `/pay/.swap`. The pod acts as escrow — transferring tokens on the Bitcoin-anchored MRC20 trail and settling sats in the webledger.
+
+### Multi-Chain AMM
+
+Enable multi-chain deposits and an automated market maker:
+
+```bash
+jss start --pay --pay-chains "tbtc3,tbtc4"
+```
+
+Deposits detect the chain from the TXO URI prefix (`txo:tbtc3:txid:vout`). Each chain's balance is tracked separately. The AMM uses a constant-product formula (x × y = k) with a 0.3% fee.
+
+```bash
+# Add liquidity
+curl -X POST -H "Authorization: Nostr <token>" \
+  -H "Content-Type: application/json" \
+  http://localhost:3000/pay/.pool \
+  -d '{"action": "add-liquidity", "tbtc3": 1000, "tbtc4": 5000}'
+
+# Swap
+curl -X POST -H "Authorization: Nostr <token>" \
+  -H "Content-Type: application/json" \
+  http://localhost:3000/pay/.pool \
+  -d '{"action": "swap", "sell": "tbtc3", "amount": 100}'
+
+# Check pool state
+curl http://localhost:3000/pay/.pool
+```
+
+Supported chains: `btc`, `tbtc3`, `tbtc4`, `ltc`, `signet`.

package/docs/quotas.md

@@ -0,0 +1,36 @@
+# Storage Quotas
+
+Limit storage per pod to prevent abuse and manage resources.
+
+```bash
+jss start --default-quota 50MB
+```
+
+## Managing Quotas
+
+```bash
+# Set quota for a user (overrides default)
+jss quota set alice 100MB
+
+# Show quota info
+jss quota show alice
+#   alice:
+#     Used:  12.5 MB
+#     Limit: 100 MB
+#     Free:  87.5 MB
+#     Usage: 12%
+
+# Recalculate from actual disk usage
+jss quota reconcile alice
+```
+
+## How It Works
+
+- Quotas are tracked incrementally on PUT, POST, and DELETE operations
+- When quota is exceeded, the server returns HTTP 507 Insufficient Storage
+- Each pod stores its quota in `/{pod}/.quota.json`
+- Use `reconcile` to fix quota drift from manual file changes
+
+## Size Formats
+
+Supported formats: `50MB`, `1GB`, `500KB`, `1TB`

package/docs/remotestorage.md

@@ -0,0 +1,86 @@
+## remoteStorage
+
+JSS implements the [remoteStorage protocol](https://remotestorage.io/spec/draft-dejong-remotestorage-22). The storage routes are always available, but WebFinger discovery and OAuth require `--activitypub` (which provides the WebFinger and OAuth endpoints). Any remoteStorage-compatible app can store and sync data on your pod.
+
+```bash
+jss start --activitypub --idp
+```
+
+### Discovery
+
+remoteStorage clients discover the storage endpoint via WebFinger:
+
+```bash
+curl "http://localhost:3000/.well-known/webfinger?resource=acct:me@localhost:3000"
+```
+
+The response includes a `remotestorage` link relation pointing to `/storage/me/`.
+
+### Endpoints
+
+| Method | Endpoint | Description |
+|--------|----------|-------------|
+| `GET` | `/storage/:user/*` | Read file or list folder (JSON-LD) |
+| `HEAD` | `/storage/:user/*` | Get metadata (ETag, Content-Type, size) |
+| `PUT` | `/storage/:user/*` | Write file (creates parent folders) |
+| `DELETE` | `/storage/:user/*` | Delete file |
+
+### How It Works
+
+- **Auth**: Bearer token via OAuth 2.0 (same flow as Mastodon clients)
+- **Public folder**: `/storage/me/public/*` is readable without auth
+- **Conditional requests**: If-Match, If-None-Match (uses shared ETag utilities)
+- **Dotfile protection**: `.acl`, `.meta`, and other dotfiles are blocked
+- **Read-only mode**: Respects `--read-only` flag
+- **Streaming**: Large files are streamed, not buffered
+
+### Testing
+
+```bash
+# Write a file (needs Bearer token from OAuth flow)
+curl -X PUT http://localhost:3000/storage/me/documents/hello.txt \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Content-Type: text/plain" \
+  -d "Hello, remoteStorage!"
+
+# Read it back
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  http://localhost:3000/storage/me/documents/hello.txt
+
+# List a folder
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  http://localhost:3000/storage/me/documents/
+
+# Read from public folder (no auth needed)
+curl http://localhost:3000/storage/me/public/readme.txt
+```
+
+### Linking Nostr to WebID (did:nostr)
+
+Bridge your Nostr identity to a Solid WebID for seamless authentication:
+
+**Step 1:** Add your WebID to your Nostr profile (kind 0 event):
+```json
+{
+  "name": "alice",
+  "alsoKnownAs": ["https://solid.social/alice/profile/card#me"]
+}
+```
+
+**Step 2:** Add the did:nostr link to your WebID profile:
+```json
+{
+  "@id": "#me",
+  "owl:sameAs": "did:nostr:<your-64-char-hex-pubkey>"
+}
+```
+
+**How it works:**
+1. NIP-98 signature is verified (existing flow)
+2. DID document is fetched from `nostr.social/.well-known/did/nostr/<pubkey>.json`
+3. `alsoKnownAs` is checked for a WebID URL
+4. WebID profile is fetched and `owl:sameAs` verified
+5. If bidirectional link exists → authenticated as WebID
+
+This enables Nostr users to access their Solid pods using existing NIP-07 browser extensions.
+

package/docs/security.md

@@ -0,0 +1,96 @@
+## Security
+
+### Root ACL Required
+
+JSS uses **restrictive mode** by default: if no ACL file exists for a resource, access is denied. This prevents unauthorized writes to unprotected containers.
+
+**You must create a root `.acl` file** in your data directory. Example (JSON-LD format):
+
+```json
+{
+  "@context": {
+    "acl": "http://www.w3.org/ns/auth/acl#",
+    "foaf": "http://xmlns.com/foaf/0.1/"
+  },
+  "@graph": [
+    {
+      "@id": "#owner",
+      "@type": "acl:Authorization",
+      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" },
+        { "@id": "acl:Write" },
+        { "@id": "acl:Control" }
+      ]
+    },
+    {
+      "@id": "#public",
+      "@type": "acl:Authorization",
+      "acl:agentClass": { "@id": "foaf:Agent" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" }
+      ]
+    }
+  ]
+}
+```
+
+Save this as `data/.acl` (replacing `your-domain.com` with your actual domain).
+
+See [Issue #32](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/32) for background.
+
+## Subdomain Mode (XSS Protection)
+
+By default, JSS uses **path-based pods** (`/alice/`, `/bob/`). This is simple but has a security limitation: all pods share the same origin, making cross-site scripting (XSS) attacks possible between pods.
+
+**Subdomain mode** provides **origin isolation** - each pod gets its own subdomain (`alice.example.com`, `bob.example.com`), preventing XSS attacks between pods.
+
+### Why Subdomain Mode?
+
+| Mode | URL | Origin | XSS Risk |
+|------|-----|--------|----------|
+| Path-based | `example.com/alice/` | `example.com` | Shared origin - pods can XSS each other |
+| Subdomain | `alice.example.com/` | `alice.example.com` | Isolated - browser's Same-Origin Policy protects |
+
+### Enabling Subdomain Mode
+
+```bash
+jss start --subdomains --base-domain example.com
+```
+
+Or via environment variables:
+
+```bash
+export JSS_SUBDOMAINS=true
+export JSS_BASE_DOMAIN=example.com
+jss start
+```
+
+### DNS Configuration
+
+You need a **wildcard DNS record** pointing to your server:
+
+```
+*.example.com  A  <your-server-ip>
+```
+
+### Pod URLs in Subdomain Mode
+
+| Path Mode | Subdomain Mode |
+|-----------|----------------|
+| `example.com/alice/` | `alice.example.com/` |
+| `example.com/alice/public/file.txt` | `alice.example.com/public/file.txt` |
+| `example.com/alice/#me` | `alice.example.com/#me` |
+
+Pod creation still uses the main domain:
+
+```bash
+curl -X POST https://example.com/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "alice"}'
+```
+

package/docs/webrtc.md

@@ -0,0 +1,66 @@
+## WebRTC Signaling
+
+Peer-to-peer communication via WebRTC, using JSS as the signaling server. Once peers are connected, all media and data flows directly between them.
+
+```bash
+jss start --webrtc
+```
+
+### How It Works
+
+1. Both peers connect to `wss://your.pod/.webrtc` (WebID auth required)
+2. Caller sends an SDP offer targeting the callee's WebID
+3. JSS relays the offer/answer and ICE candidates between peers
+4. Once a direct path is found, the peer-to-peer connection is established
+5. JSS steps out — video, audio, files, and data flow directly between peers
+
+### Protocol
+
+Messages are JSON over WebSocket:
+
+```js
+// Send an offer to another user
+{ "type": "offer", "to": "https://bob.example/profile/card#me", "sdp": "..." }
+
+// Receive an offer from another user
+{ "type": "offer", "from": "https://alice.example/profile/card#me", "sdp": "..." }
+
+// ICE candidate exchange
+{ "type": "candidate", "to": "https://bob.example/profile/card#me", "candidate": {...} }
+
+// Hang up
+{ "type": "hangup", "to": "https://bob.example/profile/card#me" }
+```
+
+On connect, peers receive a list of online users and get notified when others join or leave.
+
+## Tunnel Proxy (Decentralized ngrok)
+
+Expose a local dev server to the internet through your JSS pod. A tunnel client connects via WebSocket, registers a name, and receives proxied HTTP requests.
+
+```bash
+jss start --tunnel
+```
+
+### How It Works
+
+1. Tunnel client connects to `wss://your.pod/.tunnel` (WebID auth required)
+2. Client registers a name: `{ "type": "register", "name": "myapp" }`
+3. Public URL becomes available at `https://your.pod/tunnel/myapp/`
+4. HTTP requests to that URL are serialized and sent to the tunnel client over WebSocket
+5. Tunnel client forwards to localhost, returns the response
+
+### Tunnel Client Protocol
+
+```js
+// 1. Register a tunnel
+→ { "type": "register", "name": "myapp" }
+← { "type": "registered", "name": "myapp", "url": "/tunnel/myapp/" }
+
+// 2. Receive proxied HTTP requests
+← { "type": "request", "id": "uuid", "method": "GET", "path": "/api/hello", "headers": {...} }
+
+// 3. Return the response
+→ { "type": "response", "id": "uuid", "status": 200, "headers": {...}, "body": "..." }
+```
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.110",
+  "version": "0.0.112",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -9,7 +9,7 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
-import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateModuleDatabrowserHtml } from '../mashlib/index.js';
 
 /**
  * Build a resource URL for WAC checking, normalizing path-based pod access
@@ -148,12 +148,9 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
     // If mashlib is enabled, serve mashlib instead of static error page
     // Mashlib has built-in login functionality via panes.runDataBrowser()
     if (request.mashlibEnabled) {
-      // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
-      const html = request.solidosUiEnabled
-        ? generateSolidosUiHtml()
-        : request.mashlibModule
-          ? generateModuleDatabrowserHtml(request.mashlibModule)
-          : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
+      const html = request.mashlibModule
+        ? generateModuleDatabrowserHtml(request.mashlibModule)
+        : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
       return reply.code(statusCode).type('text/html').send(html);
     }
     return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));

package/src/config.js

@@ -43,9 +43,6 @@ export const defaults = {
   mashlibVersion: '2.0.0',
   mashlibModule: false,
 
-  // SolidOS UI (modern Nextcloud-style interface)
-  solidosUi: false,
-
   // Git HTTP backend
   git: false,
 
@@ -137,7 +134,6 @@ const envMap = {
   JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
   JSS_MASHLIB_MODULE: 'mashlibModule',
-  JSS_SOLIDOS_UI: 'solidosUi',
   JSS_GIT: 'git',
   JSS_NOSTR: 'nostr',
   JSS_NOSTR_PATH: 'nostrPath',
@@ -331,8 +327,7 @@ export function printConfig(config) {
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
-  console.log(`  Mashlib:       ${config.mashlibModule ? `module (${config.mashlibModule})` : config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
-  console.log(`  SolidOS UI:    ${config.solidosUi ? 'enabled' : 'disabled'}`);
+  console.log(`  Mashlib:       ${config.mashlibModule ? `module (${config.mashlibModule})` : config.mashlibCdn ? `CDN v${config.mashlibVersion}` : 'disabled'}`);
   if (config.pay) {
     console.log(`  Pay:           ${config.payCost} sat/req`);
     if (config.payToken) console.log(`  Token:         ${config.payToken} @ ${config.payRate} sat/token`);

package/src/handlers/resource.js

@@ -15,7 +15,7 @@ import {
 } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 import { checkIfMatch, checkIfNoneMatchForGet, checkIfNoneMatchForWrite } from '../utils/conditional.js';
-import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml, shouldServeMashlib } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateModuleDatabrowserHtml, shouldServeMashlib } from '../mashlib/index.js';
 
 /**
  * Live reload script - injected into HTML when --live-reload is enabled
@@ -230,12 +230,9 @@ export async function handleGet(request, reply) {
 
     // Check if we should serve Mashlib data browser for containers
     if (shouldServeMashlib(request, request.mashlibEnabled, 'application/ld+json')) {
-      // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
-      const html = request.solidosUiEnabled
-        ? generateSolidosUiHtml()
-        : request.mashlibModule
-          ? generateModuleDatabrowserHtml(request.mashlibModule)
-          : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
+      const html = request.mashlibModule
+        ? generateModuleDatabrowserHtml(request.mashlibModule)
+        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
       const headers = getAllHeaders({
         isContainer: true,
         etag: stats.etag,
@@ -309,12 +306,9 @@ export async function handleGet(request, reply) {
   // Check if we should serve Mashlib data browser
   // Only for RDF resources when Accept: text/html is requested
   if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
-    // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
-    const html = request.solidosUiEnabled
-      ? generateSolidosUiHtml()
-      : request.mashlibModule
-        ? generateModuleDatabrowserHtml(request.mashlibModule)
-        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
+    const html = request.mashlibModule
+      ? generateModuleDatabrowserHtml(request.mashlibModule)
+      : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
     const headers = getAllHeaders({
       isContainer: false,
       etag: stats.etag,

package/src/server.js

@@ -62,14 +62,11 @@ export function createServer(options = {}) {
   const subdomainsEnabled = options.subdomains ?? false;
   const baseDomain = options.baseDomain || null;
   // Mashlib data browser is OFF by default
-  // mashlibCdn: if true, load from CDN; if false, serve locally
-  // mashlibModule: URL to ES module entry point (alternative to classic mashlib)
+  // mashlibCdn: load from CDN; mashlibModule: URL to ES module entry point
   const mashlibModule = options.mashlibModule ?? false;
-  const mashlibEnabled = options.mashlib || !!mashlibModule;
   const mashlibCdn = options.mashlibCdn ?? false;
+  const mashlibEnabled = mashlibCdn || !!mashlibModule;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
-  // SolidOS UI (modern Nextcloud-style interface) - requires mashlib
-  const solidosUiEnabled = options.solidosUi ?? false;
   // Git HTTP backend is OFF by default - enables clone/push via git protocol
   const gitEnabled = options.git ?? false;
   // Nostr relay is OFF by default
@@ -179,7 +176,6 @@ export function createServer(options = {}) {
   fastify.decorateRequest('mashlibCdn', null);
   fastify.decorateRequest('mashlibVersion', null);
   fastify.decorateRequest('mashlibModule', null);
-  fastify.decorateRequest('solidosUiEnabled', null);
   fastify.decorateRequest('defaultQuota', null);
   fastify.decorateRequest('config', null);
   fastify.decorateRequest('liveReloadEnabled', null);
@@ -193,7 +189,6 @@ export function createServer(options = {}) {
     request.mashlibCdn = mashlibCdn;
     request.mashlibVersion = mashlibVersion;
     request.mashlibModule = mashlibModule;
-    request.solidosUiEnabled = solidosUiEnabled;
     request.defaultQuota = defaultQuota;
     request.config = { public: options.public, readOnly: options.readOnly };
     request.liveReloadEnabled = liveReloadEnabled;
@@ -410,7 +405,7 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, solidos-ui, well-known, notifications, nostr, git, and AP
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, nostr, git, and AP
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     const apPaths = ['/inbox', '/profile/card/inbox', '/profile/card/outbox', '/profile/card/followers', '/profile/card/following',
       '/api/v1/apps', '/api/v1/instance', '/api/v1/accounts/verify_credentials',
@@ -424,7 +419,6 @@ export function createServer(options = {}) {
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
         request.url.startsWith('/.well-known/') ||
-        request.url.startsWith('/solidos-ui/') ||
         (nostrEnabled && request.url.startsWith(nostrPath)) ||
         (gitEnabled && isGitRequest(request.url)) ||
         (activitypubEnabled && apPaths.some(p => request.url === p || request.url.startsWith(p + '?'))) ||
@@ -464,72 +458,15 @@ export function createServer(options = {}) {
     }
   }, handleCreatePod);
 
-  // Mashlib static files (served from root like NSS does)
-  if (mashlibEnabled) {
-    if (mashlibCdn) {
-      // CDN mode: redirect chunk requests to CDN
-      // Mashlib uses code splitting, so it loads chunks like 789.mashlib.min.js
-      const cdnBase = `https://unpkg.com/mashlib@${mashlibVersion}/dist`;
-      const chunkPattern = /^\/\d+\.mashlib\.min\.js(\.map)?$/;
-
-      fastify.addHook('onRequest', async (request, reply) => {
-        if (chunkPattern.test(request.url)) {
-          const filename = request.url.split('/').pop();
-          return reply.redirect(302, `${cdnBase}/${filename}`);
-        }
-      });
-    } else {
-      // Local mode: serve from local files
-      const mashlibDir = join(__dirname, 'mashlib-local', 'dist');
-      const mashlibFiles = {
-        '/mashlib.min.js': { file: 'mashlib.min.js', type: 'application/javascript' },
-        '/mashlib.min.js.map': { file: 'mashlib.min.js.map', type: 'application/json' },
-        '/mash.css': { file: 'mash.css', type: 'text/css' },
-        '/mash.css.map': { file: 'mash.css.map', type: 'application/json' },
-        '/841.mashlib.min.js': { file: '841.mashlib.min.js', type: 'application/javascript' },
-        '/841.mashlib.min.js.map': { file: '841.mashlib.min.js.map', type: 'application/json' }
-      };
-
-      for (const [path, config] of Object.entries(mashlibFiles)) {
-        fastify.get(path, async (request, reply) => {
-          try {
-            const content = await readFile(join(mashlibDir, config.file));
-            return reply.type(config.type).send(content);
-          } catch {
-            return reply.code(404).send({ error: 'Not Found' });
-          }
-        });
-      }
-    }
-  }
+  // Mashlib CDN mode: redirect chunk requests to CDN
+  if (mashlibEnabled && mashlibCdn) {
+    const cdnBase = `https://unpkg.com/mashlib@${mashlibVersion}/dist`;
+    const chunkPattern = /^\/\d+\.mashlib\.min\.js(\.map)?$/;
 
-  // SolidOS UI static files (modern Nextcloud-style interface)
-  // Serves from /solidos-ui/* - requires mashlib to be enabled as well
-  if (solidosUiEnabled && mashlibEnabled) {
-    const solidosUiDir = join(__dirname, 'mashlib-local', 'dist', 'solidos-ui');
-
-    // Serve all files under /solidos-ui/* path
-    fastify.get('/solidos-ui/*', async (request, reply) => {
-      try {
-        // Get the path after /solidos-ui/
-        const filePath = request.url.replace('/solidos-ui/', '').split('?')[0];
-        const fullPath = join(solidosUiDir, filePath);
-
-        // Determine content type based on extension
-        const ext = filePath.split('.').pop()?.toLowerCase();
-        const contentTypes = {
-          'js': 'application/javascript',
-          'css': 'text/css',
-          'map': 'application/json',
-          'html': 'text/html'
-        };
-        const contentType = contentTypes[ext] || 'application/octet-stream';
-
-        const content = await readFile(fullPath);
-        return reply.type(contentType).send(content);
-      } catch (err) {
-        request.log.error(err, 'Failed to serve solidos-ui file');
-        return reply.code(404).send({ error: 'Not Found' });
+    fastify.addHook('onRequest', async (request, reply) => {
+      if (chunkPattern.test(request.url)) {
+        const filename = request.url.split('/').pop();
+        return reply.redirect(302, `${cdnBase}/${filename}`);
       }
     });
   }