javascript-solid-server 0.0.56 → 0.0.58

package/.claude/settings.local.json

@@ -207,7 +207,9 @@
       "WebFetch(domain:solid-chat.com)",
       "WebFetch(domain:developer.chrome.com)",
       "WebFetch(domain:css-tricks.com)",
-      "Bash(node bin/jss.js:*)"
+      "Bash(node bin/jss.js:*)",
+      "WebFetch(domain:nostr.social)",
+      "Bash(xargs curl -s)"
     ]
   }
 }

package/README.md

@@ -6,7 +6,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.56)
+### Implemented (v0.0.57)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -24,12 +24,13 @@ A minimal, fast, JSON-LD native Solid server.
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
-- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
+- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures, did:nostr → WebID resolution
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
 - **Git HTTP Backend** - Clone and push to containers via `git` protocol
 - **Invite-Only Registration** - CLI-managed invite codes for controlled signups
+- **Storage Quotas** - Per-user storage limits with CLI management
 - **Security** - Blocks access to dotfiles (`.git/`, `.env`, etc.) except Solid-specific ones
 
 ### HTTP Methods
@@ -78,6 +79,7 @@ jss start --port 8443 --ssl-key ./key.pem --ssl-cert ./cert.pem
 jss start [options]    # Start the server
 jss init [options]     # Initialize configuration
 jss invite <cmd>       # Manage invite codes (create, list, revoke)
+jss quota <cmd>        # Manage storage quotas (set, show, reconcile)
 jss --help             # Show help
 ```
 
@@ -102,6 +104,7 @@ jss --help             # Show help
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
 | `--git` | Enable Git HTTP backend | false |
 | `--invite-only` | Require invite code for registration | false |
+| `--default-quota <size>` | Default storage quota per pod (e.g., 50MB) | 50MB |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -117,6 +120,7 @@ export JSS_SUBDOMAINS=true
 export JSS_BASE_DOMAIN=example.com
 export JSS_MASHLIB=true
 export JSS_INVITE_ONLY=true
+export JSS_DEFAULT_QUOTA=100MB
 jss start
 ```
 
@@ -383,6 +387,35 @@ git add .acl && git commit -m "Add ACL"
 
 See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
 
+### Linking Nostr to WebID (did:nostr)
+
+Bridge your Nostr identity to a Solid WebID for seamless authentication:
+
+**Step 1:** Add your WebID to your Nostr profile (kind 0 event):
+```json
+{
+  "name": "alice",
+  "alsoKnownAs": ["https://solid.social/alice/profile/card#me"]
+}
+```
+
+**Step 2:** Add the did:nostr link to your WebID profile:
+```json
+{
+  "@id": "#me",
+  "owl:sameAs": "did:nostr:<your-64-char-hex-pubkey>"
+}
+```
+
+**How it works:**
+1. NIP-98 signature is verified (existing flow)
+2. DID document is fetched from `nostr.social/.well-known/did/nostr/<pubkey>.json`
+3. `alsoKnownAs` is checked for a WebID URL
+4. WebID profile is fetched and `owl:sameAs` verified
+5. If bidirectional link exists → authenticated as WebID
+
+This enables Nostr users to access their Solid pods using existing NIP-07 browser extensions.
+
 ## Invite-Only Registration
 
 Control who can create accounts by requiring invite codes:
@@ -427,6 +460,43 @@ When `--invite-only` is enabled:
 
 Invite codes are stored in `.server/invites.json` in your data directory.
 
+## Storage Quotas
+
+Limit storage per pod to prevent abuse and manage resources:
+
+```bash
+jss start --default-quota 50MB
+```
+
+### Managing Quotas
+
+```bash
+# Set quota for a user (overrides default)
+jss quota set alice 100MB
+
+# Show quota info
+jss quota show alice
+#   alice:
+#     Used:  12.5 MB
+#     Limit: 100 MB
+#     Free:  87.5 MB
+#     Usage: 12%
+
+# Recalculate from actual disk usage
+jss quota reconcile alice
+```
+
+### How It Works
+
+- Quotas are tracked incrementally on PUT, POST, and DELETE operations
+- When quota is exceeded, the server returns HTTP 507 Insufficient Storage
+- Each pod stores its quota in `/{pod}/.quota.json`
+- Use `reconcile` to fix quota drift from manual file changes
+
+### Size Formats
+
+Supported formats: `50MB`, `1GB`, `500KB`, `1TB`
+
 ## Authentication
 
 ### Simple Tokens (Development)
@@ -688,12 +758,14 @@ src/
 │   ├── container.js      # POST, pod creation
 │   └── git.js            # Git HTTP backend
 ├── storage/
-│   └── filesystem.js     # File operations
+│   ├── filesystem.js     # File operations
+│   └── quota.js          # Storage quota management
 ├── auth/
 │   ├── middleware.js     # Auth hook
 │   ├── token.js          # Simple token auth
 │   ├── solid-oidc.js     # DPoP verification
-│   └── nostr.js          # NIP-98 Nostr authentication
+│   ├── nostr.js          # NIP-98 Nostr authentication
+│   └── did-nostr.js      # did:nostr → WebID resolution
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/bin/jss.js

@@ -12,6 +12,8 @@ import { Command } from 'commander';
 import { createServer } from '../src/server.js';
 import { loadConfig, saveConfig, printConfig, defaults } from '../src/config.js';
 import { createInvite, listInvites, revokeInvite } from '../src/idp/invites.js';
+import { setQuotaLimit, getQuotaInfo, reconcileQuota, formatBytes } from '../src/storage/quota.js';
+import { parseSize } from '../src/config.js';
 import fs from 'fs-extra';
 import path from 'path';
 import { fileURLToPath } from 'url';
@@ -307,6 +309,92 @@ inviteCmd
     }
   });
 
+/**
+ * Quota command - manage storage quotas
+ */
+const quotaCmd = program
+  .command('quota')
+  .description('Manage storage quotas for pods');
+
+quotaCmd
+  .command('set <username> <size>')
+  .description('Set quota limit for a user (e.g., 50MB, 1GB)')
+  .option('-r, --root <path>', 'Data directory')
+  .action(async (username, size, options) => {
+    try {
+      if (options.root) {
+        process.env.DATA_ROOT = path.resolve(options.root);
+      }
+
+      const bytes = parseSize(size);
+      if (bytes === 0) {
+        console.error('Invalid size format. Use e.g., 50MB, 1GB');
+        process.exit(1);
+      }
+
+      const quota = await setQuotaLimit(username, bytes);
+      console.log(`\nQuota set for ${username}: ${formatBytes(quota.limit)}`);
+      console.log(`Current usage: ${formatBytes(quota.used)} (${Math.round(quota.used / quota.limit * 100)}%)\n`);
+    } catch (err) {
+      console.error(`Error: ${err.message}`);
+      process.exit(1);
+    }
+  });
+
+quotaCmd
+  .command('show <username>')
+  .description('Show quota info for a user')
+  .option('-r, --root <path>', 'Data directory')
+  .action(async (username, options) => {
+    try {
+      if (options.root) {
+        process.env.DATA_ROOT = path.resolve(options.root);
+      }
+
+      const quota = await getQuotaInfo(username);
+
+      if (quota.limit === 0) {
+        console.log(`\n${username}: No quota set (unlimited)\n`);
+      } else {
+        console.log(`\n${username}:`);
+        console.log(`  Used:  ${formatBytes(quota.used)}`);
+        console.log(`  Limit: ${formatBytes(quota.limit)}`);
+        console.log(`  Free:  ${formatBytes(quota.limit - quota.used)}`);
+        console.log(`  Usage: ${quota.percent}%\n`);
+      }
+    } catch (err) {
+      console.error(`Error: ${err.message}`);
+      process.exit(1);
+    }
+  });
+
+quotaCmd
+  .command('reconcile <username>')
+  .description('Recalculate quota usage from actual disk usage')
+  .option('-r, --root <path>', 'Data directory')
+  .action(async (username, options) => {
+    try {
+      if (options.root) {
+        process.env.DATA_ROOT = path.resolve(options.root);
+      }
+
+      console.log(`Calculating actual disk usage for ${username}...`);
+      const quota = await reconcileQuota(username);
+
+      if (quota.limit === 0) {
+        console.log(`\n${username}: No quota configured\n`);
+      } else {
+        console.log(`\nReconciled ${username}:`);
+        console.log(`  Used:  ${formatBytes(quota.used)}`);
+        console.log(`  Limit: ${formatBytes(quota.limit)}`);
+        console.log(`  Usage: ${Math.round(quota.used / quota.limit * 100)}%\n`);
+      }
+    } catch (err) {
+      console.error(`Error: ${err.message}`);
+      process.exit(1);
+    }
+  });
+
 /**
  * Helper: Prompt for input
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.56",
+  "version": "0.0.58",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/did-nostr.js

@@ -0,0 +1,205 @@
+/**
+ * DID:nostr Resolution
+ *
+ * Resolves did:nostr:<pubkey> to a Solid WebID by:
+ * 1. Fetching DID document from nostr.social
+ * 2. Extracting alsoKnownAs WebID
+ * 3. Verifying bidirectional link (WebID links back to did:nostr)
+ */
+
+// Default DID resolver endpoint
+const DEFAULT_DID_RESOLVER = 'https://nostr.social/.well-known/did/nostr';
+
+// Cache for resolved DIDs (pubkey -> webId or null)
+const cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Fetch with timeout
+ */
+async function fetchWithTimeout(url, options = {}, timeout = 5000) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetch(url, { ...options, signal: controller.signal });
+    clearTimeout(id);
+    return response;
+  } catch (err) {
+    clearTimeout(id);
+    throw err;
+  }
+}
+
+/**
+ * Resolve did:nostr pubkey to WebID via DID document
+ * @param {string} pubkey - 64-char hex Nostr pubkey
+ * @param {string} resolverUrl - DID resolver base URL
+ * @returns {Promise<string|null>} WebID URL or null
+ */
+export async function resolveDidNostrToWebId(pubkey, resolverUrl = DEFAULT_DID_RESOLVER) {
+  if (!pubkey || pubkey.length !== 64) {
+    return null;
+  }
+
+  // Check cache
+  const cacheKey = pubkey.toLowerCase();
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.webId;
+  }
+
+  try {
+    // Fetch DID document
+    const didUrl = `${resolverUrl}/${pubkey}.json`;
+    const didRes = await fetchWithTimeout(didUrl, {
+      headers: { 'Accept': 'application/did+json, application/json' }
+    });
+
+    if (!didRes.ok) {
+      cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+      return null;
+    }
+
+    const didDoc = await didRes.json();
+
+    // Extract WebID from alsoKnownAs (array) or profile.webid or profile.sameAs
+    let webId = null;
+
+    if (Array.isArray(didDoc.alsoKnownAs) && didDoc.alsoKnownAs.length > 0) {
+      // Find first HTTP(S) URL that looks like a WebID
+      webId = didDoc.alsoKnownAs.find(aka =>
+        typeof aka === 'string' && aka.startsWith('https://'));
+    }
+
+    // Fallback to profile fields
+    if (!webId && didDoc.profile) {
+      webId = didDoc.profile.webid || didDoc.profile.sameAs;
+    }
+
+    if (!webId) {
+      cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+      return null;
+    }
+
+    // Verify bidirectional link - WebID must link back to did:nostr
+    const verified = await verifyWebIdBacklink(webId, pubkey);
+
+    if (verified) {
+      cache.set(cacheKey, { webId, timestamp: Date.now() });
+      return webId;
+    }
+
+    cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+    return null;
+
+  } catch (err) {
+    // Network error or timeout - don't cache failures
+    console.error(`DID resolution error for ${pubkey}:`, err.message);
+    return null;
+  }
+}
+
+/**
+ * Verify WebID profile links back to did:nostr
+ * @param {string} webId - WebID URL
+ * @param {string} pubkey - Nostr pubkey
+ * @returns {Promise<boolean>}
+ */
+async function verifyWebIdBacklink(webId, pubkey) {
+  try {
+    const expectedDid = `did:nostr:${pubkey.toLowerCase()}`;
+
+    // Fetch WebID profile
+    const res = await fetchWithTimeout(webId, {
+      headers: { 'Accept': 'application/ld+json, application/json, text/html' }
+    });
+
+    if (!res.ok) {
+      return false;
+    }
+
+    const contentType = res.headers.get('content-type') || '';
+    const text = await res.text();
+
+    // Handle HTML with JSON-LD data island
+    if (contentType.includes('text/html')) {
+      const jsonLdMatch = text.match(/<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i);
+      if (jsonLdMatch) {
+        try {
+          const jsonLd = JSON.parse(jsonLdMatch[1]);
+          return checkSameAsLink(jsonLd, expectedDid);
+        } catch {
+          return false;
+        }
+      }
+      return false;
+    }
+
+    // Handle JSON-LD directly
+    if (contentType.includes('json')) {
+      try {
+        const jsonLd = JSON.parse(text);
+        return checkSameAsLink(jsonLd, expectedDid);
+      } catch {
+        return false;
+      }
+    }
+
+    return false;
+
+  } catch (err) {
+    console.error(`WebID backlink verification error for ${webId}:`, err.message);
+    return false;
+  }
+}
+
+/**
+ * Check if JSON-LD contains sameAs/owl:sameAs link to expected DID
+ * @param {object} jsonLd - Parsed JSON-LD
+ * @param {string} expectedDid - Expected did:nostr:pubkey
+ * @returns {boolean}
+ */
+function checkSameAsLink(jsonLd, expectedDid) {
+  // Check various sameAs fields
+  const sameAsFields = [
+    jsonLd['owl:sameAs'],
+    jsonLd['sameAs'],
+    jsonLd['schema:sameAs'],
+    jsonLd['http://www.w3.org/2002/07/owl#sameAs']
+  ];
+
+  for (const field of sameAsFields) {
+    if (!field) continue;
+
+    // Handle string value
+    if (typeof field === 'string' && field.toLowerCase() === expectedDid) {
+      return true;
+    }
+
+    // Handle object with @id
+    if (field && typeof field === 'object' && field['@id']?.toLowerCase() === expectedDid) {
+      return true;
+    }
+
+    // Handle array
+    if (Array.isArray(field)) {
+      for (const item of field) {
+        if (typeof item === 'string' && item.toLowerCase() === expectedDid) {
+          return true;
+        }
+        if (item && typeof item === 'object' && item['@id']?.toLowerCase() === expectedDid) {
+          return true;
+        }
+      }
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Clear the resolution cache (for testing)
+ */
+export function clearCache() {
+  cache.clear();
+}

package/src/auth/nostr.js

@@ -13,6 +13,7 @@
 
 import { verifyEvent } from 'nostr-tools';
 import crypto from 'crypto';
+import { resolveDidNostrToWebId } from './did-nostr.js';
 
 // NIP-98 event kind (references RFC 7235)
 const HTTP_AUTH_KIND = 27235;
@@ -223,7 +224,15 @@ export async function verifyNostrAuth(request) {
     return { webId: null, error: 'Invalid Schnorr signature' };
   }
 
-  // Return did:nostr as the agent identifier
+  // Try to resolve did:nostr to a linked WebID
+  // This checks if the pubkey has an alsoKnownAs pointing to a WebID
+  // and verifies the WebID links back to did:nostr (bidirectional)
+  const resolvedWebId = await resolveDidNostrToWebId(event.pubkey);
+  if (resolvedWebId) {
+    return { webId: resolvedWebId, error: null };
+  }
+
+  // Fall back to did:nostr as the agent identifier
   const didNostr = pubkeyToDidNostr(event.pubkey);
 
   return { webId: didNostr, error: null };

package/src/config.js

@@ -48,6 +48,9 @@ export const defaults = {
   // Invite-only registration
   inviteOnly: false,
 
+  // Storage quota (bytes) - 50MB default
+  defaultQuota: 50 * 1024 * 1024,
+
   // Logging
   logger: true,
   quiet: false,
@@ -79,8 +82,22 @@ const envMap = {
   JSS_MASHLIB_VERSION: 'mashlibVersion',
   JSS_GIT: 'git',
   JSS_INVITE_ONLY: 'inviteOnly',
+  JSS_DEFAULT_QUOTA: 'defaultQuota',
 };
 
+/**
+ * Parse a size string like "50MB" or "1GB" to bytes
+ */
+export function parseSize(str) {
+  const match = str.match(/^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB|TB)?$/i);
+  if (!match) return parseInt(str, 10) || 0;
+
+  const num = parseFloat(match[1]);
+  const unit = (match[2] || 'B').toUpperCase();
+  const multipliers = { B: 1, KB: 1024, MB: 1024**2, GB: 1024**3, TB: 1024**4 };
+  return Math.floor(num * (multipliers[unit] || 1));
+}
+
 /**
  * Parse a value from environment variable string
  */
@@ -96,6 +113,11 @@ function parseEnvValue(value, key) {
     return parseInt(value, 10);
   }
 
+  // Size values (quota)
+  if (key === 'defaultQuota') {
+    return parseSize(value);
+  }
+
   return value;
 }
 

package/src/handlers/container.js

@@ -1,6 +1,7 @@
 import * as storage from '../storage/filesystem.js';
+import { initializeQuota, checkQuota, updateQuotaUsage } from '../storage/quota.js';
 import { getAllHeaders } from '../ldp/headers.js';
-import { isContainer, getEffectiveUrlPath } from '../utils/url.js';
+import { isContainer, getEffectiveUrlPath, getPodName } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
 import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, generatePublicFolderAcl, serializeAcl } from '../wac/parser.js';
 import { createToken } from '../auth/token.js';
@@ -106,7 +107,21 @@ export async function handlePost(request, reply) {
       }
     }
 
+    // Check storage quota before writing
+    const podName = getPodName(request);
+    if (podName) {
+      const { allowed, error } = await checkQuota(podName, content.length, request.defaultQuota || 0);
+      if (!allowed) {
+        return reply.code(507).send({ error: 'Insufficient Storage', message: error });
+      }
+    }
+
     success = await storage.write(newStoragePath, content);
+
+    // Update quota usage after successful write
+    if (success && podName) {
+      await updateQuotaUsage(podName, content.length);
+    }
   }
 
   if (!success) {
@@ -139,8 +154,9 @@ export async function handlePost(request, reply) {
  * @param {string} webId - User's WebID URI
  * @param {string} podUri - Pod root URI (e.g., https://alice.example.com/ or https://example.com/alice/)
  * @param {string} issuer - OIDC issuer URI
+ * @param {number} defaultQuota - Default storage quota in bytes (optional)
  */
-export async function createPodStructure(name, webId, podUri, issuer) {
+export async function createPodStructure(name, webId, podUri, issuer, defaultQuota = 0) {
   const podPath = `/${name}/`;
 
   // Create pod directory structure
@@ -193,6 +209,11 @@ export async function createPodStructure(name, webId, podUri, issuer) {
   const profileAcl = generatePublicFolderAcl(`${podUri}profile/`, webId);
   await storage.write(`${podPath}profile/.acl`, serializeAcl(profileAcl));
 
+  // Initialize storage quota if configured
+  if (defaultQuota > 0) {
+    await initializeQuota(name, defaultQuota);
+  }
+
   return { podPath, podUri };
 }
 

package/src/handlers/resource.js

@@ -1,7 +1,8 @@
 import * as storage from '../storage/filesystem.js';
+import { checkQuota, updateQuotaUsage } from '../storage/quota.js';
 import { getAllHeaders, getNotFoundHeaders } from '../ldp/headers.js';
 import { generateContainerJsonLd, serializeJsonLd } from '../ldp/container.js';
-import { isContainer, getContentType, isRdfContentType, getEffectiveUrlPath, safeJsonParse } from '../utils/url.js';
+import { isContainer, getContentType, isRdfContentType, getEffectiveUrlPath, safeJsonParse, getPodName } from '../utils/url.js';
 import { parseN3Patch, applyN3Patch, validatePatch } from '../patch/n3-patch.js';
 import { parseSparqlUpdate, applySparqlUpdate } from '../patch/sparql-update.js';
 import {
@@ -504,11 +505,28 @@ export async function handlePut(request, reply) {
     }
   }
 
+  // Check storage quota before writing
+  const podName = getPodName(request);
+  const oldSize = stats?.size || 0;
+  const sizeDelta = content.length - oldSize;
+
+  if (podName && sizeDelta > 0) {
+    const { allowed, error } = await checkQuota(podName, sizeDelta, request.defaultQuota || 0);
+    if (!allowed) {
+      return reply.code(507).send({ error: 'Insufficient Storage', message: error });
+    }
+  }
+
   const success = await storage.write(storagePath, content);
   if (!success) {
     return reply.code(500).send({ error: 'Write failed' });
   }
 
+  // Update quota usage after successful write
+  if (podName && sizeDelta !== 0) {
+    await updateQuotaUsage(podName, sizeDelta);
+  }
+
   const origin = request.headers.origin;
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl, connegEnabled });
   headers['Location'] = resourceUrl;
@@ -549,11 +567,20 @@ export async function handleDelete(request, reply) {
     }
   }
 
+  // Get file size before deletion for quota update
+  const fileSize = stats.size || 0;
+
   const success = await storage.remove(storagePath);
   if (!success) {
     return reply.code(500).send({ error: 'Delete failed' });
   }
 
+  // Update quota usage (subtract deleted file size)
+  const podName = getPodName(request);
+  if (podName && fileSize > 0) {
+    await updateQuotaUsage(podName, -fileSize);
+  }
+
   const origin = request.headers.origin;
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));

package/src/server.js

@@ -48,6 +48,8 @@ export function createServer(options = {}) {
   const gitEnabled = options.git ?? false;
   // Invite-only registration is OFF by default - open registration
   const inviteOnly = options.inviteOnly ?? false;
+  // Default storage quota per pod (50MB default, 0 = unlimited)
+  const defaultQuota = options.defaultQuota ?? 50 * 1024 * 1024;
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -95,6 +97,7 @@ export function createServer(options = {}) {
   fastify.decorateRequest('mashlibEnabled', null);
   fastify.decorateRequest('mashlibCdn', null);
   fastify.decorateRequest('mashlibVersion', null);
+  fastify.decorateRequest('defaultQuota', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
     request.notificationsEnabled = notificationsEnabled;
@@ -104,6 +107,7 @@ export function createServer(options = {}) {
     request.mashlibEnabled = mashlibEnabled;
     request.mashlibCdn = mashlibCdn;
     request.mashlibVersion = mashlibVersion;
+    request.defaultQuota = defaultQuota;
 
     // Extract pod name from subdomain if enabled
     if (subdomainsEnabled && baseDomain) {

package/src/storage/quota.js

@@ -0,0 +1,202 @@
+/**
+ * Storage quota management
+ * Tracks and enforces per-pod storage limits
+ */
+
+import { promises as fs } from 'fs';
+import { join } from 'path';
+import { getDataRoot } from '../utils/url.js';
+
+const QUOTA_FILE = '.quota.json';
+
+/**
+ * Get quota file path for a pod
+ */
+function getQuotaPath(podName) {
+  return join(getDataRoot(), podName, QUOTA_FILE);
+}
+
+/**
+ * Load quota data for a pod
+ * @param {string} podName - The pod name
+ * @returns {Promise<{limit: number, used: number}>}
+ */
+export async function loadQuota(podName) {
+  try {
+    const data = await fs.readFile(getQuotaPath(podName), 'utf-8');
+    return JSON.parse(data);
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      // No quota file - return defaults (will be initialized on first write)
+      return { limit: 0, used: 0 };
+    }
+    throw err;
+  }
+}
+
+/**
+ * Save quota data for a pod
+ * @param {string} podName - The pod name
+ * @param {object} quota - Quota data
+ */
+export async function saveQuota(podName, quota) {
+  await fs.writeFile(getQuotaPath(podName), JSON.stringify(quota, null, 2));
+}
+
+/**
+ * Initialize quota for a new pod
+ * @param {string} podName - The pod name
+ * @param {number} limit - Quota limit in bytes
+ */
+export async function initializeQuota(podName, limit) {
+  const quota = { limit, used: 0 };
+  await saveQuota(podName, quota);
+  return quota;
+}
+
+/**
+ * Calculate actual disk usage for a pod (for reconciliation)
+ * @param {string} podName - The pod name
+ * @returns {Promise<number>} Total bytes used
+ */
+export async function calculatePodSize(podName) {
+  const podPath = join(getDataRoot(), podName);
+  return calculateDirSize(podPath);
+}
+
+/**
+ * Recursively calculate directory size
+ */
+async function calculateDirSize(dirPath) {
+  let total = 0;
+
+  try {
+    const entries = await fs.readdir(dirPath, { withFileTypes: true });
+
+    for (const entry of entries) {
+      const fullPath = join(dirPath, entry.name);
+
+      // Skip quota file itself
+      if (entry.name === QUOTA_FILE) continue;
+
+      if (entry.isDirectory()) {
+        total += await calculateDirSize(fullPath);
+      } else if (entry.isFile()) {
+        const stat = await fs.stat(fullPath);
+        total += stat.size;
+      }
+    }
+  } catch (err) {
+    // Directory might not exist or be inaccessible
+    if (err.code !== 'ENOENT') {
+      throw err;
+    }
+  }
+
+  return total;
+}
+
+/**
+ * Check if a write operation would exceed quota
+ * @param {string} podName - The pod name
+ * @param {number} additionalBytes - Bytes to be added
+ * @param {number} defaultQuota - Default quota limit
+ * @returns {Promise<{allowed: boolean, quota: object, error?: string}>}
+ */
+export async function checkQuota(podName, additionalBytes, defaultQuota) {
+  let quota = await loadQuota(podName);
+
+  // Initialize if no quota set
+  if (quota.limit === 0 && defaultQuota > 0) {
+    quota = await initializeQuota(podName, defaultQuota);
+  }
+
+  // No quota enforcement if limit is 0
+  if (quota.limit === 0) {
+    return { allowed: true, quota };
+  }
+
+  const projectedUsage = quota.used + additionalBytes;
+
+  if (projectedUsage > quota.limit) {
+    const usedMB = (quota.used / (1024 * 1024)).toFixed(2);
+    const limitMB = (quota.limit / (1024 * 1024)).toFixed(2);
+    return {
+      allowed: false,
+      quota,
+      error: `Storage quota exceeded. Used: ${usedMB}MB / ${limitMB}MB`
+    };
+  }
+
+  return { allowed: true, quota };
+}
+
+/**
+ * Update quota usage after a write
+ * @param {string} podName - The pod name
+ * @param {number} bytesChange - Bytes added (positive) or removed (negative)
+ */
+export async function updateQuotaUsage(podName, bytesChange) {
+  const quota = await loadQuota(podName);
+
+  // Skip if no quota initialized
+  if (quota.limit === 0) return quota;
+
+  quota.used = Math.max(0, quota.used + bytesChange);
+  await saveQuota(podName, quota);
+  return quota;
+}
+
+/**
+ * Set quota limit for a pod
+ * @param {string} podName - The pod name
+ * @param {number} limit - New limit in bytes
+ */
+export async function setQuotaLimit(podName, limit) {
+  let quota = await loadQuota(podName);
+
+  // If no quota exists, calculate current usage
+  if (quota.limit === 0) {
+    quota.used = await calculatePodSize(podName);
+  }
+
+  quota.limit = limit;
+  await saveQuota(podName, quota);
+  return quota;
+}
+
+/**
+ * Get quota info for a pod
+ * @param {string} podName - The pod name
+ * @returns {Promise<{limit: number, used: number, percent: number}>}
+ */
+export async function getQuotaInfo(podName) {
+  const quota = await loadQuota(podName);
+  const percent = quota.limit > 0 ? Math.round((quota.used / quota.limit) * 100) : 0;
+  return { ...quota, percent };
+}
+
+/**
+ * Reconcile quota with actual disk usage
+ * @param {string} podName - The pod name
+ */
+export async function reconcileQuota(podName) {
+  const quota = await loadQuota(podName);
+  if (quota.limit === 0) return quota;
+
+  const actualUsed = await calculatePodSize(podName);
+  quota.used = actualUsed;
+  await saveQuota(podName, quota);
+  return quota;
+}
+
+/**
+ * Format bytes as human-readable string
+ */
+export function formatBytes(bytes) {
+  if (bytes === 0) return '0 B';
+  const k = 1024;
+  const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i];
+}

package/src/utils/url.js

@@ -143,6 +143,43 @@ export function getResourceName(urlPath) {
   return parts[parts.length - 1];
 }
 
+/**
+ * Extract pod name from URL path or request
+ * @param {string|object} pathOrRequest - URL path string or Fastify request object
+ * @returns {string|null} - Pod name or null if not found
+ */
+export function getPodName(pathOrRequest) {
+  // If it's a request object
+  if (typeof pathOrRequest === 'object') {
+    // Subdomain mode: pod name from hostname
+    if (pathOrRequest.subdomainsEnabled && pathOrRequest.podName) {
+      return pathOrRequest.podName;
+    }
+    // Path mode: extract from URL
+    const urlPath = pathOrRequest.url?.split('?')[0] || '';
+    return getPodNameFromPath(urlPath);
+  }
+
+  // If it's a string path
+  return getPodNameFromPath(pathOrRequest);
+}
+
+/**
+ * Extract pod name from URL path
+ * @param {string} urlPath - URL path (e.g., /alice/public/file.txt)
+ * @returns {string|null} - Pod name or null
+ */
+function getPodNameFromPath(urlPath) {
+  const parts = urlPath.split('/').filter(Boolean);
+  if (parts.length === 0) return null;
+
+  // First segment is the pod name (skip system paths)
+  const firstPart = parts[0];
+  if (firstPart.startsWith('.')) return null; // .well-known, .acl, etc.
+
+  return firstPart;
+}
+
 /**
  * Determine content type from file extension
  * @param {string} filePath