javascript-solid-server 0.0.111 → 0.0.113

package/.claude/settings.local.json

@@ -327,7 +327,8 @@
       "Bash(gh label:*)",
       "Bash(mongosh --eval \"db.runCommand\\({ ping: 1 }\\)\" 2>&1 | head -5)",
       "Bash(which jss && jss --version 2>&1)",
-      "Bash(jss start --help 2>&1 | grep -i mongo)"
+      "Bash(jss start --help 2>&1 | grep -i mongo)",
+      "Bash(grep -A5 '\"\"files\"\"' package.json)"
     ]
   }
 }

package/README.md

@@ -91,23 +91,28 @@ Full options: [docs/configuration.md](docs/configuration.md)
 |-------|------|
 | Configuration & Options | [docs/configuration.md](docs/configuration.md) |
 | Authentication | [docs/authentication.md](docs/authentication.md) |
+| Mashlib / SolidOS UI | [docs/mashlib.md](docs/mashlib.md) |
+| WebSocket Notifications | [docs/notifications.md](docs/notifications.md) |
 | Git Support | [docs/git-support.md](docs/git-support.md) |
+| Nostr Relay | [docs/nostr.md](docs/nostr.md) |
 | ActivityPub & Mastodon API | [docs/activitypub.md](docs/activitypub.md) |
 | remoteStorage | [docs/remotestorage.md](docs/remotestorage.md) |
-| Security & Subdomain Mode | [docs/security.md](docs/security.md) |
-| HTTP 402 Payments | [docs/payments.md](docs/payments.md) |
 | WebRTC & Tunnel | [docs/webrtc.md](docs/webrtc.md) |
 | MongoDB `/db/` Route | [docs/mongodb.md](docs/mongodb.md) |
+| HTTP 402 Payments | [docs/payments.md](docs/payments.md) |
+| Storage Quotas | [docs/quotas.md](docs/quotas.md) |
+| Invite-Only Registration | [docs/invites.md](docs/invites.md) |
+| Security & Subdomain Mode | [docs/security.md](docs/security.md) |
 | Architecture & Structure | [docs/architecture.md](docs/architecture.md) |
 
 ## Comparison
 
-| Server | Size | Deps | Notes |
-|--------|------|------|-------|
-| [JSS](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer) | ~14K LoC | 14 | Minimal, JSON-LD native |
-| [NSS](https://github.com/nodeSolidServer/node-solid-server) | 777 KB | 58 | Original Solid server |
-| [CSS](https://github.com/CommunitySolidServer/CommunitySolidServer) | 5.8 MB | 70 | Modular, configurable |
-| [Pivot](https://github.com/solid-contrib/pivot) | ~6 MB | 70+ | Built on CSS |
+| Server | Package | Packages | node_modules |
+|--------|---------|----------|-------------|
+| [JSS](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer) | ~1 MB | ~191 | ~77 MB |
+| [CSS](https://github.com/CommunitySolidServer/CommunitySolidServer) | ~6 MB | ~311 | ~152 MB |
+| [Pivot](https://github.com/solid-contrib/pivot) | ~6 MB | ~311+ | ~152 MB |
+| [NSS](https://github.com/nodeSolidServer/node-solid-server) | ~7 MB | ~670 | ~539 MB |
 
 ## Performance
 

package/bin/jss.js

@@ -53,12 +53,10 @@ program
   .option('--subdomains', 'Enable subdomain-based pods (XSS protection)')
   .option('--no-subdomains', 'Disable subdomain-based pods')
   .option('--base-domain <domain>', 'Base domain for subdomain pods (e.g., "example.com")')
-  .option('--mashlib', 'Enable Mashlib data browser (local mode, requires mashlib in node_modules)')
-  .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
+  .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode)')
   .option('--mashlib-module <url>', 'Enable ES module data browser from a URL')
   .option('--no-mashlib', 'Disable Mashlib data browser')
   .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
-  .option('--solidos-ui', 'Enable modern Nextcloud-style UI (requires --mashlib)')
   .option('--git', 'Enable Git HTTP backend (clone/push support)')
   .option('--no-git', 'Disable Git HTTP backend')
   .option('--nostr', 'Enable Nostr relay')
@@ -143,7 +141,6 @@ program
         mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
         mashlibModule: config.mashlibModule,
-        solidosUi: config.solidosUi,
         git: config.git,
         nostr: config.nostr,
         nostrPath: config.nostrPath,
@@ -193,7 +190,6 @@ program
           console.log(`  Mashlib: local (data browser enabled)`);
         }
         if (config.mashlibModule) console.log(`  Mashlib module: ${config.mashlibModule}`);
-        if (config.solidosUi) console.log('  SolidOS UI: enabled (modern interface)');
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.webrtc) console.log(`  WebRTC: enabled (${config.webrtcPath || '/.webrtc'})`);

package/docs/configuration.md

@@ -355,43 +355,6 @@ jss quota reconcile alice
 
 Supported formats: `50MB`, `1GB`, `500KB`, `1TB`
 
-## Storage Quotas
-
-Limit storage per pod to prevent abuse and manage resources:
-
-```bash
-jss start --default-quota 50MB
-```
-
-### Managing Quotas
-
-```bash
-# Set quota for a user (overrides default)
-jss quota set alice 100MB
-
-# Show quota info
-jss quota show alice
-#   alice:
-#     Used:  12.5 MB
-#     Limit: 100 MB
-#     Free:  87.5 MB
-#     Usage: 12%
-
-# Recalculate from actual disk usage
-jss quota reconcile alice
-```
-
-### How It Works
-
-- Quotas are tracked incrementally on PUT, POST, and DELETE operations
-- When quota is exceeded, the server returns HTTP 507 Insufficient Storage
-- Each pod stores its quota in `/{pod}/.quota.json`
-- Use `reconcile` to fix quota drift from manual file changes
-
-### Size Formats
-
-Supported formats: `50MB`, `1GB`, `500KB`, `1TB`
-
 ### Mashlib Data Browser
 
 Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources. Two modes are available:

package/docs/invites.md

@@ -0,0 +1,43 @@
+# Invite-Only Registration
+
+Control who can create accounts by requiring invite codes.
+
+```bash
+jss start --idp --invite-only
+```
+
+## Managing Invite Codes
+
+```bash
+# Create a single-use invite
+jss invite create
+# Created invite code: ABCD1234
+
+# Create multi-use invite with note
+jss invite create -u 5 -n "For team members"
+
+# List all active invites
+jss invite list
+#   CODE        USES     CREATED      NOTE
+#   -------------------------------------------------------
+#   ABCD1234    0/1      2026-01-03
+#   EFGH5678    2/5      2026-01-03   For team members
+
+# Revoke an invite
+jss invite revoke ABCD1234
+```
+
+## How It Works
+
+| Mode | Registration | Pod Creation |
+|------|--------------|--------------|
+| Open (default) | Anyone can register | Anyone can create pods |
+| Invite-only | Requires valid invite code | Via registration only |
+
+When `--invite-only` is enabled:
+- The registration page shows an "Invite Code" field
+- Invalid or expired codes are rejected with an error
+- Each use decrements the invite's remaining uses
+- Depleted invites are automatically removed
+
+Invite codes are stored in `.server/invites.json` in your data directory.

package/docs/mashlib.md

@@ -0,0 +1,58 @@
+# Mashlib Data Browser
+
+Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources.
+
+## Modes
+
+**CDN Mode** (recommended for getting started):
+```bash
+jss start --mashlib-cdn --conneg
+```
+Loads mashlib from unpkg.com CDN. Zero footprint — no local files needed.
+
+**Local Mode** (for production/offline):
+```bash
+jss start --mashlib --conneg
+```
+Serves mashlib from `src/mashlib-local/dist/`. Requires building mashlib locally:
+```bash
+cd src/mashlib-local
+npm install && npm run build
+```
+
+**ES Module Mode** (for custom or next-gen mashlib builds):
+```bash
+jss start --mashlib-module https://example.com/mashlib.js
+```
+Loads an ES module-based data browser from any URL. Uses `<script type="module">` and `<div id="mashlib">` (self-initializing). CSS is auto-derived by replacing `.js` with `.css`. Content negotiation is auto-enabled.
+
+## How It Works
+
+1. Browser requests `/alice/public/data.ttl` with `Accept: text/html`
+2. Server returns Mashlib HTML wrapper
+3. Mashlib fetches the actual data via content negotiation
+4. Mashlib renders an interactive, editable view
+
+**Note:** Mashlib works best with `--conneg` enabled for Turtle support.
+
+## Modern UI (SolidOS UI)
+
+```bash
+jss start --mashlib --solidos-ui --conneg
+```
+
+Serves a modern Nextcloud-style UI shell while reusing mashlib's data layer:
+- Modern file browser with breadcrumb navigation
+- Profile, Contacts, Sharing, and Settings views
+- Path-based URLs (browser URL reflects current resource)
+- Responsive design for mobile devices
+
+Requires solidos-ui dist files in `src/mashlib-local/dist/solidos-ui/`. See [solidos-ui](https://github.com/solidos/solidos/tree/main/workspaces/solidos-ui) for details.
+
+## Profile Pages
+
+Pod profiles (`/alice/`) use HTML with embedded JSON-LD data islands and are rendered using:
+- [mashlib-jss](https://github.com/JavaScriptSolidServer/mashlib-jss) — A fork of mashlib with `getPod()` fix for path-based pods
+- [solidos-lite](https://github.com/SolidOS/solidos-lite) — Parses JSON-LD data islands into the RDF store
+
+This allows profiles to work without server-side content negotiation while still providing full SolidOS editing capabilities.

package/docs/nostr.md

@@ -0,0 +1,56 @@
+# Nostr Relay
+
+Integrated NIP-01/NIP-11/NIP-16 Nostr relay running on the same port as the Solid server.
+
+```bash
+jss start --nostr
+```
+
+## Endpoint
+
+`wss://your.pod/relay` (configurable via `--nostr-path`)
+
+## Supported NIPs
+
+- **NIP-01** — Basic protocol flow (EVENT, REQ, CLOSE)
+- **NIP-11** — Relay information document (`GET /relay` with `Accept: application/nostr+json`)
+- **NIP-16** — Event treatment (regular, replaceable, ephemeral)
+
+## Options
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `--nostr` | Enable Nostr relay | false |
+| `--nostr-path <path>` | WebSocket path | /relay |
+| `--nostr-max-events <n>` | Max events in memory | 1000 |
+
+## How It Works
+
+- Events are stored in memory (up to `--nostr-max-events`)
+- Replaceable events (kinds 0, 3, 10000-19999) replace previous events by the same pubkey
+- Ephemeral events (kinds 20000-29999) are broadcast but not stored
+- Parameterized replaceable events (kinds 30000-39999) use the `d` tag for deduplication
+- Rate limiting: 60 events per socket per minute
+
+## Client Usage
+
+```javascript
+import { Relay } from 'nostr-tools';
+
+const relay = await Relay.connect('wss://your.pod/relay');
+
+// Subscribe
+const sub = relay.subscribe([{ kinds: [1], limit: 10 }], {
+  onevent(event) { console.log(event); }
+});
+
+// Publish
+await relay.publish(signedEvent);
+```
+
+## Nostr Authentication (NIP-98)
+
+JSS also supports NIP-98 HTTP Auth for Solid operations. See [docs/authentication.md](authentication.md) for details on:
+- NIP-98 Schnorr signature authentication
+- `did:nostr` → WebID resolution
+- Linking Nostr identity to your WebID profile

package/docs/notifications.md

@@ -0,0 +1,50 @@
+# WebSocket Notifications
+
+Real-time notifications for resource changes using the solid-0.1 protocol (SolidOS compatible).
+
+```bash
+jss start --notifications
+```
+
+## Discovery
+
+Clients discover the WebSocket URL via the `Updates-Via` header:
+
+```bash
+curl -I http://localhost:3000/alice/public/
+# Updates-Via: ws://localhost:3000/.notifications
+```
+
+## Protocol
+
+```
+Server: protocol solid-0.1
+Client: sub http://localhost:3000/alice/public/data.json
+Server: ack http://localhost:3000/alice/public/data.json
+Server: pub http://localhost:3000/alice/public/data.json  (on change)
+```
+
+## How It Works
+
+1. Client connects to the WebSocket URL from `Updates-Via`
+2. Server sends `protocol solid-0.1` greeting
+3. Client subscribes: `sub <resource-url>`
+4. Server acknowledges: `ack <resource-url>`
+5. On any change (PUT, PATCH, DELETE), server broadcasts: `pub <resource-url>`
+6. Container subscriptions also fire when child resources change
+
+## ACL Enforcement
+
+- Anonymous clients can subscribe to public resources
+- Private resource subscriptions require authentication
+- Cross-origin subscriptions are rejected
+
+## Live Reload
+
+For development, `--live-reload` injects a script that auto-refreshes the browser when files change on disk:
+
+```bash
+jss start --live-reload --notifications
+```
+
+File system changes (editing files directly) also trigger WebSocket notifications.

package/docs/quotas.md

@@ -0,0 +1,36 @@
+# Storage Quotas
+
+Limit storage per pod to prevent abuse and manage resources.
+
+```bash
+jss start --default-quota 50MB
+```
+
+## Managing Quotas
+
+```bash
+# Set quota for a user (overrides default)
+jss quota set alice 100MB
+
+# Show quota info
+jss quota show alice
+#   alice:
+#     Used:  12.5 MB
+#     Limit: 100 MB
+#     Free:  87.5 MB
+#     Usage: 12%
+
+# Recalculate from actual disk usage
+jss quota reconcile alice
+```
+
+## How It Works
+
+- Quotas are tracked incrementally on PUT, POST, and DELETE operations
+- When quota is exceeded, the server returns HTTP 507 Insufficient Storage
+- Each pod stores its quota in `/{pod}/.quota.json`
+- Use `reconcile` to fix quota drift from manual file changes
+
+## Size Formats
+
+Supported formats: `50MB`, `1GB`, `500KB`, `1TB`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.111",
+  "version": "0.0.113",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -9,7 +9,7 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
-import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateModuleDatabrowserHtml } from '../mashlib/index.js';
 
 /**
  * Build a resource URL for WAC checking, normalizing path-based pod access
@@ -148,12 +148,9 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
     // If mashlib is enabled, serve mashlib instead of static error page
     // Mashlib has built-in login functionality via panes.runDataBrowser()
     if (request.mashlibEnabled) {
-      // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
-      const html = request.solidosUiEnabled
-        ? generateSolidosUiHtml()
-        : request.mashlibModule
-          ? generateModuleDatabrowserHtml(request.mashlibModule)
-          : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
+      const html = request.mashlibModule
+        ? generateModuleDatabrowserHtml(request.mashlibModule)
+        : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
       return reply.code(statusCode).type('text/html').send(html);
     }
     return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));

package/src/config.js

@@ -43,9 +43,6 @@ export const defaults = {
   mashlibVersion: '2.0.0',
   mashlibModule: false,
 
-  // SolidOS UI (modern Nextcloud-style interface)
-  solidosUi: false,
-
   // Git HTTP backend
   git: false,
 
@@ -137,7 +134,6 @@ const envMap = {
   JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
   JSS_MASHLIB_MODULE: 'mashlibModule',
-  JSS_SOLIDOS_UI: 'solidosUi',
   JSS_GIT: 'git',
   JSS_NOSTR: 'nostr',
   JSS_NOSTR_PATH: 'nostrPath',
@@ -331,8 +327,7 @@ export function printConfig(config) {
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
-  console.log(`  Mashlib:       ${config.mashlibModule ? `module (${config.mashlibModule})` : config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
-  console.log(`  SolidOS UI:    ${config.solidosUi ? 'enabled' : 'disabled'}`);
+  console.log(`  Mashlib:       ${config.mashlibModule ? `module (${config.mashlibModule})` : config.mashlibCdn ? `CDN v${config.mashlibVersion}` : 'disabled'}`);
   if (config.pay) {
     console.log(`  Pay:           ${config.payCost} sat/req`);
     if (config.payToken) console.log(`  Token:         ${config.payToken} @ ${config.payRate} sat/token`);

package/src/handlers/resource.js

@@ -15,7 +15,7 @@ import {
 } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 import { checkIfMatch, checkIfNoneMatchForGet, checkIfNoneMatchForWrite } from '../utils/conditional.js';
-import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml, shouldServeMashlib } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateModuleDatabrowserHtml, shouldServeMashlib } from '../mashlib/index.js';
 
 /**
  * Live reload script - injected into HTML when --live-reload is enabled
@@ -230,12 +230,9 @@ export async function handleGet(request, reply) {
 
     // Check if we should serve Mashlib data browser for containers
     if (shouldServeMashlib(request, request.mashlibEnabled, 'application/ld+json')) {
-      // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
-      const html = request.solidosUiEnabled
-        ? generateSolidosUiHtml()
-        : request.mashlibModule
-          ? generateModuleDatabrowserHtml(request.mashlibModule)
-          : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
+      const html = request.mashlibModule
+        ? generateModuleDatabrowserHtml(request.mashlibModule)
+        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
       const headers = getAllHeaders({
         isContainer: true,
         etag: stats.etag,
@@ -309,12 +306,9 @@ export async function handleGet(request, reply) {
   // Check if we should serve Mashlib data browser
   // Only for RDF resources when Accept: text/html is requested
   if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
-    // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
-    const html = request.solidosUiEnabled
-      ? generateSolidosUiHtml()
-      : request.mashlibModule
-        ? generateModuleDatabrowserHtml(request.mashlibModule)
-        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
+    const html = request.mashlibModule
+      ? generateModuleDatabrowserHtml(request.mashlibModule)
+      : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
     const headers = getAllHeaders({
       isContainer: false,
       etag: stats.etag,

package/src/server.js

@@ -62,14 +62,11 @@ export function createServer(options = {}) {
   const subdomainsEnabled = options.subdomains ?? false;
   const baseDomain = options.baseDomain || null;
   // Mashlib data browser is OFF by default
-  // mashlibCdn: if true, load from CDN; if false, serve locally
-  // mashlibModule: URL to ES module entry point (alternative to classic mashlib)
+  // mashlibCdn: load from CDN; mashlibModule: URL to ES module entry point
   const mashlibModule = options.mashlibModule ?? false;
-  const mashlibEnabled = options.mashlib || !!mashlibModule;
   const mashlibCdn = options.mashlibCdn ?? false;
+  const mashlibEnabled = mashlibCdn || !!mashlibModule;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
-  // SolidOS UI (modern Nextcloud-style interface) - requires mashlib
-  const solidosUiEnabled = options.solidosUi ?? false;
   // Git HTTP backend is OFF by default - enables clone/push via git protocol
   const gitEnabled = options.git ?? false;
   // Nostr relay is OFF by default
@@ -179,7 +176,6 @@ export function createServer(options = {}) {
   fastify.decorateRequest('mashlibCdn', null);
   fastify.decorateRequest('mashlibVersion', null);
   fastify.decorateRequest('mashlibModule', null);
-  fastify.decorateRequest('solidosUiEnabled', null);
   fastify.decorateRequest('defaultQuota', null);
   fastify.decorateRequest('config', null);
   fastify.decorateRequest('liveReloadEnabled', null);
@@ -193,7 +189,6 @@ export function createServer(options = {}) {
     request.mashlibCdn = mashlibCdn;
     request.mashlibVersion = mashlibVersion;
     request.mashlibModule = mashlibModule;
-    request.solidosUiEnabled = solidosUiEnabled;
     request.defaultQuota = defaultQuota;
     request.config = { public: options.public, readOnly: options.readOnly };
     request.liveReloadEnabled = liveReloadEnabled;
@@ -410,7 +405,7 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, solidos-ui, well-known, notifications, nostr, git, and AP
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, nostr, git, and AP
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     const apPaths = ['/inbox', '/profile/card/inbox', '/profile/card/outbox', '/profile/card/followers', '/profile/card/following',
       '/api/v1/apps', '/api/v1/instance', '/api/v1/accounts/verify_credentials',
@@ -424,7 +419,6 @@ export function createServer(options = {}) {
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
         request.url.startsWith('/.well-known/') ||
-        request.url.startsWith('/solidos-ui/') ||
         (nostrEnabled && request.url.startsWith(nostrPath)) ||
         (gitEnabled && isGitRequest(request.url)) ||
         (activitypubEnabled && apPaths.some(p => request.url === p || request.url.startsWith(p + '?'))) ||
@@ -464,72 +458,15 @@ export function createServer(options = {}) {
     }
   }, handleCreatePod);
 
-  // Mashlib static files (served from root like NSS does)
-  if (mashlibEnabled) {
-    if (mashlibCdn) {
-      // CDN mode: redirect chunk requests to CDN
-      // Mashlib uses code splitting, so it loads chunks like 789.mashlib.min.js
-      const cdnBase = `https://unpkg.com/mashlib@${mashlibVersion}/dist`;
-      const chunkPattern = /^\/\d+\.mashlib\.min\.js(\.map)?$/;
-
-      fastify.addHook('onRequest', async (request, reply) => {
-        if (chunkPattern.test(request.url)) {
-          const filename = request.url.split('/').pop();
-          return reply.redirect(302, `${cdnBase}/${filename}`);
-        }
-      });
-    } else {
-      // Local mode: serve from local files
-      const mashlibDir = join(__dirname, 'mashlib-local', 'dist');
-      const mashlibFiles = {
-        '/mashlib.min.js': { file: 'mashlib.min.js', type: 'application/javascript' },
-        '/mashlib.min.js.map': { file: 'mashlib.min.js.map', type: 'application/json' },
-        '/mash.css': { file: 'mash.css', type: 'text/css' },
-        '/mash.css.map': { file: 'mash.css.map', type: 'application/json' },
-        '/841.mashlib.min.js': { file: '841.mashlib.min.js', type: 'application/javascript' },
-        '/841.mashlib.min.js.map': { file: '841.mashlib.min.js.map', type: 'application/json' }
-      };
-
-      for (const [path, config] of Object.entries(mashlibFiles)) {
-        fastify.get(path, async (request, reply) => {
-          try {
-            const content = await readFile(join(mashlibDir, config.file));
-            return reply.type(config.type).send(content);
-          } catch {
-            return reply.code(404).send({ error: 'Not Found' });
-          }
-        });
-      }
-    }
-  }
+  // Mashlib CDN mode: redirect chunk requests to CDN
+  if (mashlibEnabled && mashlibCdn) {
+    const cdnBase = `https://unpkg.com/mashlib@${mashlibVersion}/dist`;
+    const chunkPattern = /^\/\d+\.mashlib\.min\.js(\.map)?$/;
 
-  // SolidOS UI static files (modern Nextcloud-style interface)
-  // Serves from /solidos-ui/* - requires mashlib to be enabled as well
-  if (solidosUiEnabled && mashlibEnabled) {
-    const solidosUiDir = join(__dirname, 'mashlib-local', 'dist', 'solidos-ui');
-
-    // Serve all files under /solidos-ui/* path
-    fastify.get('/solidos-ui/*', async (request, reply) => {
-      try {
-        // Get the path after /solidos-ui/
-        const filePath = request.url.replace('/solidos-ui/', '').split('?')[0];
-        const fullPath = join(solidosUiDir, filePath);
-
-        // Determine content type based on extension
-        const ext = filePath.split('.').pop()?.toLowerCase();
-        const contentTypes = {
-          'js': 'application/javascript',
-          'css': 'text/css',
-          'map': 'application/json',
-          'html': 'text/html'
-        };
-        const contentType = contentTypes[ext] || 'application/octet-stream';
-
-        const content = await readFile(fullPath);
-        return reply.type(contentType).send(content);
-      } catch (err) {
-        request.log.error(err, 'Failed to serve solidos-ui file');
-        return reply.code(404).send({ error: 'Not Found' });
+    fastify.addHook('onRequest', async (request, reply) => {
+      if (chunkPattern.test(request.url)) {
+        const filename = request.url.split('/').pop();
+        return reply.redirect(302, `${cdnBase}/${filename}`);
       }
     });
   }

package/src/webrtc/index.js

@@ -2,13 +2,18 @@
  * WebRTC Signaling Server Plugin
  *
  * Lightweight signaling server for WebRTC peer-to-peer connections.
- * Relays SDP offers/answers and ICE candidates between authenticated users.
- * The actual media/data flow directly between peers — JSS just introduces them.
+ * Supports two discovery modes:
+ *
+ * 1. Identity-based — connect to a specific peer by WebID
+ * 2. Content-addressed — find peers sharing the same resource hash
+ *
+ * Relays SDP offers/answers and ICE candidates between peers.
+ * The actual media/data flows directly between peers — JSS just introduces them.
  *
  * Usage: jss start --webrtc
  * Endpoint: wss://your.pod/.webrtc
  *
- * Protocol (JSON over WebSocket):
+ * Identity-based protocol (JSON over WebSocket):
  *   → { type: "offer",     to: "<webid>", sdp: "..." }
  *   → { type: "answer",    to: "<webid>", sdp: "..." }
  *   → { type: "candidate", to: "<webid>", candidate: {...} }
@@ -21,6 +26,14 @@
  *   ← { type: "peers",     you: "<webid>", peers: ["<webid>", ...] }
  *   ← { type: "peer-joined", webId: "<webid>" }
  *   ← { type: "peer-left",   webId: "<webid>" }
+ *
+ * Content-addressed protocol (JSON over WebSocket):
+ *   → { type: "announce",  resource: "<hash>", offers: [{ sdp: "...", offer_id: "..." }, ...] }
+ *   → { type: "answer",    resource: "<hash>", to: "<peer_id>", offer_id: "...", sdp: "..." }
+ *   → { type: "leave",     resource: "<hash>" }
+ *   ← { type: "offer",     resource: "<hash>", from: "<peer_id>", offer_id: "...", sdp: "..." }
+ *   ← { type: "answer",    resource: "<hash>", from: "<peer_id>", offer_id: "...", sdp: "..." }
+ *   ← { type: "resource-peers", resource: "<hash>", count: <n> }
  */
 
 import websocket from '@fastify/websocket';
@@ -28,6 +41,9 @@ import { getWebIdFromRequestAsync } from '../auth/token.js';
 
 const ALLOWED_TYPES = new Set(['offer', 'answer', 'candidate', 'hangup']);
 const MAX_MESSAGE_SIZE = 64 * 1024; // 64KB
+const MAX_OFFERS_PER_ANNOUNCE = 10;
+const MAX_RESOURCES_PER_PEER = 50;
+const RESOURCE_HASH_RE = /^[a-fA-F0-9]{8,128}$/;
 
 /**
  * Register WebRTC signaling routes on Fastify instance
@@ -39,9 +55,20 @@ const MAX_MESSAGE_SIZE = 64 * 1024; // 64KB
 export async function webrtcPlugin(fastify, options = {}) {
   const path = options.path || '/.webrtc';
 
-  // Instance-scoped peer state
+  // Instance-scoped peer state (identity-based)
   const peers = new Map();
 
+  // Instance-scoped resource state (content-addressed)
+  // Map<resourceHash, Map<peerId, socket>>
+  const resources = new Map();
+
+  // Track which resources each peer has joined
+  // Map<peerId, Set<resourceHash>>
+  const peerResources = new Map();
+
+  // Peer ID counter for content-addressed mode
+  let nextPeerId = 1;
+
   // Only register @fastify/websocket if not already registered
   if (!fastify.websocketServer) {
     await fastify.register(websocket);
@@ -53,6 +80,8 @@ export async function webrtcPlugin(fastify, options = {}) {
       socket.close();
     }
     peers.clear();
+    resources.clear();
+    peerResources.clear();
   });
 
   function broadcast(senderWebId, msg) {
@@ -64,6 +93,130 @@ export async function webrtcPlugin(fastify, options = {}) {
     }
   }
 
+  // --- Content-addressed helpers ---
+
+  function getResourcePeers(resourceHash) {
+    let group = resources.get(resourceHash);
+    if (!group) {
+      group = new Map();
+      resources.set(resourceHash, group);
+    }
+    return group;
+  }
+
+  function addPeerToResource(peerId, socket, resourceHash) {
+    const group = getResourcePeers(resourceHash);
+    group.set(peerId, socket);
+
+    let tracked = peerResources.get(peerId);
+    if (!tracked) {
+      tracked = new Set();
+      peerResources.set(peerId, tracked);
+    }
+    tracked.add(resourceHash);
+  }
+
+  function removePeerFromResource(peerId, resourceHash) {
+    const group = resources.get(resourceHash);
+    if (group) {
+      group.delete(peerId);
+      if (group.size === 0) resources.delete(resourceHash);
+    }
+    const tracked = peerResources.get(peerId);
+    if (tracked) {
+      tracked.delete(resourceHash);
+      if (tracked.size === 0) peerResources.delete(peerId);
+    }
+  }
+
+  function removePeerFromAllResources(peerId) {
+    const tracked = peerResources.get(peerId);
+    if (!tracked) return;
+    for (const hash of tracked) {
+      const group = resources.get(hash);
+      if (group) {
+        group.delete(peerId);
+        if (group.size === 0) resources.delete(hash);
+      }
+    }
+    peerResources.delete(peerId);
+  }
+
+  function handleAnnounce(socket, peerId, msg) {
+    const hash = msg.resource;
+    if (!hash || typeof hash !== 'string' || !RESOURCE_HASH_RE.test(hash)) {
+      socket.send(JSON.stringify({ type: 'error', message: 'Invalid resource hash' }));
+      return;
+    }
+
+    // Limit resources per peer
+    const tracked = peerResources.get(peerId);
+    if (tracked && tracked.size >= MAX_RESOURCES_PER_PEER && !tracked.has(hash)) {
+      socket.send(JSON.stringify({ type: 'error', message: 'Too many resources' }));
+      return;
+    }
+
+    const group = getResourcePeers(hash);
+    addPeerToResource(peerId, socket, hash);
+
+    // Relay offers to existing peers in the group
+    const offers = Array.isArray(msg.offers) ? msg.offers.slice(0, MAX_OFFERS_PER_ANNOUNCE) : [];
+    const existingPeers = [...group.entries()].filter(([id]) => id !== peerId);
+
+    for (let i = 0; i < offers.length && i < existingPeers.length; i++) {
+      const offer = offers[i];
+      const [targetId, targetSocket] = existingPeers[i];
+      if (targetSocket.readyState !== 1) continue;
+      if (typeof offer.sdp !== 'string') continue;
+
+      const relay = Object.create(null);
+      relay.type = 'offer';
+      relay.resource = hash;
+      relay.from = peerId;
+      relay.offer_id = typeof offer.offer_id === 'string' ? offer.offer_id : String(i);
+      relay.sdp = offer.sdp;
+      try { targetSocket.send(JSON.stringify(relay)); } catch { /* peer gone */ }
+    }
+
+    // Tell the announcer how many peers are in the group
+    socket.send(JSON.stringify({
+      type: 'resource-peers',
+      resource: hash,
+      count: group.size - 1
+    }));
+  }
+
+  function handleResourceAnswer(socket, peerId, msg) {
+    const hash = msg.resource;
+    if (!hash || typeof hash !== 'string') return;
+
+    const group = resources.get(hash);
+    if (!group) return;
+
+    const targetId = msg.to;
+    const targetSocket = group.get(targetId);
+    if (!targetSocket || targetSocket.readyState !== 1) {
+      socket.send(JSON.stringify({ type: 'error', message: 'Peer not in resource group' }));
+      return;
+    }
+
+    const relay = Object.create(null);
+    relay.type = 'answer';
+    relay.resource = hash;
+    relay.from = peerId;
+    if (typeof msg.offer_id === 'string') relay.offer_id = msg.offer_id;
+    if (typeof msg.sdp === 'string') relay.sdp = msg.sdp;
+    try { targetSocket.send(JSON.stringify(relay)); } catch { /* peer gone */ }
+  }
+
+  function handleLeave(socket, peerId, msg) {
+    const hash = msg.resource;
+    if (!hash || typeof hash !== 'string') return;
+    removePeerFromResource(peerId, hash);
+  }
+
+  // --- WebSocket handler ---
+
   fastify.get(path, { websocket: true }, async (connection, request) => {
     const socket = connection.socket;
 
@@ -75,10 +228,16 @@ export async function webrtcPlugin(fastify, options = {}) {
       return;
     }
 
+    // Assign a stable peer ID for content-addressed mode
+    const peerId = String(nextPeerId++);
+    socket._peerId = peerId;
+
     // Register this peer (close old connection if reconnecting)
     const existing = peers.get(webId);
     const isReconnect = !!existing;
     if (existing) {
+      // Clean up old connection's resource memberships
+      if (existing._peerId) removePeerFromAllResources(existing._peerId);
       peers.delete(webId);
       existing.close();
     }
@@ -89,6 +248,7 @@ export async function webrtcPlugin(fastify, options = {}) {
     socket.send(JSON.stringify({
       type: 'peers',
       you: webId,
+      peerId: peerId,
       peers: [...peers.keys()].filter(id => id !== webId)
     }));
 
@@ -113,8 +273,28 @@ export async function webrtcPlugin(fastify, options = {}) {
         return;
       }
 
-      if (!msg.to || !msg.type) {
-        socket.send(JSON.stringify({ type: 'error', message: 'Missing "to" or "type" field' }));
+      if (!msg.type) {
+        socket.send(JSON.stringify({ type: 'error', message: 'Missing "type" field' }));
+        return;
+      }
+
+      // Content-addressed messages
+      if (msg.type === 'announce') {
+        handleAnnounce(socket, peerId, msg);
+        return;
+      }
+      if (msg.type === 'answer' && msg.resource) {
+        handleResourceAnswer(socket, peerId, msg);
+        return;
+      }
+      if (msg.type === 'leave') {
+        handleLeave(socket, peerId, msg);
+        return;
+      }
+
+      // Identity-based messages require "to" field
+      if (!msg.to) {
+        socket.send(JSON.stringify({ type: 'error', message: 'Missing "to" field' }));
         return;
       }
 
@@ -144,6 +324,9 @@ export async function webrtcPlugin(fastify, options = {}) {
     });
 
     socket.on('close', () => {
+      // Clean up content-addressed resource memberships
+      removePeerFromAllResources(peerId);
+
       // Only remove if this socket is still the registered one (not replaced by reconnect)
       if (peers.get(webId) === socket) {
         peers.delete(webId);

package/test/webrtc.test.js

@@ -209,4 +209,158 @@ describe('WebRTC Signaling', () => {
       await new Promise(r => setTimeout(r, 50));
     });
   });
+
+  describe('Content-Addressed Peer Discovery', () => {
+    const RESOURCE_HASH = 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2';
+
+    it('should return peer count on announce', async () => {
+      const { ws: alice } = await connectAndWait('alice');
+
+      alice.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+
+      const msg = await waitForMessage(alice, 'resource-peers');
+      assert.strictEqual(msg.resource, RESOURCE_HASH);
+      assert.strictEqual(msg.count, 0);
+
+      alice.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should relay offers between peers sharing a resource', async () => {
+      const { ws: alice, peerId: alicePeerId } = await connectAndWait('alice');
+
+      // Alice announces with no offers (first in group)
+      alice.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+      await waitForMessage(alice, 'resource-peers');
+
+      // Bob announces with an offer — should be relayed to Alice
+      const offerPromise = waitForMessage(alice, 'offer');
+      const { ws: bob, peerId: bobPeerId } = await connectAndWait('bob');
+
+      bob.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: [{ sdp: 'v=0\r\nbob-offer', offer_id: 'offer1' }]
+      }));
+
+      const offer = await offerPromise;
+      assert.strictEqual(offer.type, 'offer');
+      assert.strictEqual(offer.resource, RESOURCE_HASH);
+      assert.strictEqual(offer.from, bobPeerId);
+      assert.strictEqual(offer.offer_id, 'offer1');
+      assert.ok(offer.sdp.includes('bob-offer'));
+
+      // Alice answers Bob
+      const answerPromise = waitForMessage(bob, 'answer');
+      alice.send(JSON.stringify({
+        type: 'answer',
+        resource: RESOURCE_HASH,
+        to: bobPeerId,
+        offer_id: 'offer1',
+        sdp: 'v=0\r\nalice-answer'
+      }));
+
+      const answer = await answerPromise;
+      assert.strictEqual(answer.type, 'answer');
+      assert.strictEqual(answer.resource, RESOURCE_HASH);
+      assert.strictEqual(answer.from, alicePeerId);
+      assert.ok(answer.sdp.includes('alice-answer'));
+
+      alice.close();
+      bob.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should clean up resources on disconnect', async () => {
+      const { ws: alice } = await connectAndWait('alice');
+
+      alice.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+      await waitForMessage(alice, 'resource-peers');
+
+      // Bob joins the resource group
+      const { ws: bob } = await connectAndWait('bob');
+      bob.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+      const bobPeers = await waitForMessage(bob, 'resource-peers');
+      assert.strictEqual(bobPeers.count, 1); // alice is there
+
+      // Alice disconnects
+      alice.close();
+      await new Promise(r => setTimeout(r, 200));
+
+      // Charlie joins — should see only bob
+      const { ws: charlie } = await connectAndWait('bob'); // reuse bob pod
+      charlie.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+      const charliePeers = await waitForMessage(charlie, 'resource-peers');
+      // bob was reconnected (old connection closed), so count depends on timing
+      assert.ok(charliePeers.count >= 0);
+
+      bob.close();
+      charlie.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should handle leave message', async () => {
+      const { ws: alice } = await connectAndWait('alice');
+
+      alice.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+      await waitForMessage(alice, 'resource-peers');
+
+      // Leave the resource group
+      alice.send(JSON.stringify({ type: 'leave', resource: RESOURCE_HASH }));
+
+      // Bob joins — should see 0 peers (alice left)
+      const { ws: bob } = await connectAndWait('bob');
+      bob.send(JSON.stringify({
+        type: 'announce',
+        resource: RESOURCE_HASH,
+        offers: []
+      }));
+      const msg = await waitForMessage(bob, 'resource-peers');
+      assert.strictEqual(msg.count, 0);
+
+      alice.close();
+      bob.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+
+    it('should reject invalid resource hash', async () => {
+      const { ws: alice } = await connectAndWait('alice');
+
+      alice.send(JSON.stringify({
+        type: 'announce',
+        resource: 'not-a-hex-hash!',
+        offers: []
+      }));
+
+      const err = await waitForMessage(alice, 'error');
+      assert.ok(err.message.includes('Invalid resource hash'));
+
+      alice.close();
+      await new Promise(r => setTimeout(r, 50));
+    });
+  });
 });