javascript-solid-server 0.0.8 → 0.0.9

package/.claude/settings.local.json

@@ -13,7 +13,9 @@
       "Bash(pkill:*)",
       "Bash(curl:*)",
       "Bash(npm test:*)",
-      "Bash(git add:*)"
+      "Bash(git add:*)",
+      "WebFetch(domain:solid.github.io)",
+      "Bash(node:*)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.8",
+  "version": "0.0.9",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -10,6 +10,7 @@
     "test": "node --test --test-concurrency=1"
   },
   "dependencies": {
+    "@fastify/websocket": "^8.3.1",
     "fastify": "^4.25.2",
     "fs-extra": "^11.2.0",
     "jose": "^6.1.3",

package/src/handlers/container.js

@@ -5,6 +5,7 @@ import { generateProfile, generatePreferences, generateTypeIndex, serialize } fr
 import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, serializeAcl } from '../wac/parser.js';
 import { createToken } from '../auth/token.js';
 import { canAcceptInput, toJsonLd, getVaryHeader, RDF_TYPES } from '../rdf/conneg.js';
+import { emitChange } from '../notifications/events.js';
 
 /**
  * Handle POST request to container (create new resource)
@@ -97,6 +98,12 @@ export async function handlePost(request, reply) {
   headers['Vary'] = getVaryHeader(connegEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+
+  // Emit change notification for WebSocket subscribers
+  if (request.notificationsEnabled) {
+    emitChange(resourceUrl);
+  }
+
   return reply.code(201).send();
 }
 

package/src/handlers/resource.js

@@ -11,6 +11,7 @@ import {
   getVaryHeader,
   RDF_TYPES
 } from '../rdf/conneg.js';
+import { emitChange } from '../notifications/events.js';
 
 /**
  * Handle GET request
@@ -226,6 +227,12 @@ export async function handlePut(request, reply) {
   headers['Vary'] = getVaryHeader(connegEnabled);
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+
+  // Emit change notification for WebSocket subscribers
+  if (request.notificationsEnabled) {
+    emitChange(resourceUrl);
+  }
+
   return reply.code(existed ? 204 : 201).send();
 }
 
@@ -250,6 +257,11 @@ export async function handleDelete(request, reply) {
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
+  // Emit change notification for WebSocket subscribers
+  if (request.notificationsEnabled) {
+    emitChange(resourceUrl);
+  }
+
   return reply.code(204).send();
 }
 
@@ -365,5 +377,10 @@ export async function handlePatch(request, reply) {
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
+  // Emit change notification for WebSocket subscribers
+  if (request.notificationsEnabled) {
+    emitChange(resourceUrl);
+  }
+
   return reply.code(204).send();
 }

package/src/ldp/headers.js

@@ -49,7 +49,7 @@ export function getAclUrl(resourceUrl, isContainer) {
  * @param {object} options
  * @returns {object}
  */
-export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null, connegEnabled = false }) {
+export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null, connegEnabled = false, updatesVia = null }) {
   // Calculate ACL URL if resource URL provided
   const aclUrl = resourceUrl ? getAclUrl(resourceUrl, isContainer) : null;
 
@@ -65,6 +65,11 @@ export function getResponseHeaders({ isContainer = false, etag = null, contentTy
   const acceptHeaders = getAcceptHeaders(connegEnabled, isContainer);
   Object.assign(headers, acceptHeaders);
 
+  // Add Updates-Via header for WebSocket notifications discovery
+  if (updatesVia) {
+    headers['Updates-Via'] = updatesVia;
+  }
+
   if (etag) {
     headers['ETag'] = etag;
   }
@@ -86,7 +91,7 @@ export function getCorsHeaders(origin) {
     'Access-Control-Allow-Origin': origin || '*',
     'Access-Control-Allow-Methods': 'GET, HEAD, POST, PUT, DELETE, PATCH, OPTIONS',
     'Access-Control-Allow-Headers': 'Accept, Authorization, Content-Type, If-Match, If-None-Match, Link, Slug, Origin',
-    'Access-Control-Expose-Headers': 'Accept-Patch, Accept-Post, Allow, Content-Type, ETag, Link, Location, WAC-Allow',
+    'Access-Control-Expose-Headers': 'Accept-Patch, Accept-Post, Allow, Content-Type, ETag, Link, Location, Updates-Via, WAC-Allow',
     'Access-Control-Allow-Credentials': 'true',
     'Access-Control-Max-Age': '86400'
   };
@@ -97,9 +102,9 @@ export function getCorsHeaders(origin) {
  * @param {object} options
  * @returns {object}
  */
-export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null, connegEnabled = false }) {
+export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null, connegEnabled = false, updatesVia = null }) {
   return {
-    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow, connegEnabled }),
+    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow, connegEnabled, updatesVia }),
     ...getCorsHeaders(origin)
   };
 }

package/src/notifications/events.js

@@ -0,0 +1,22 @@
+/**
+ * Resource Events Emitter
+ *
+ * Singleton EventEmitter for resource change notifications.
+ * Handlers emit 'change' events here, WebSocket broadcasts to subscribers.
+ */
+
+import { EventEmitter } from 'events';
+
+// Singleton event emitter for resource changes
+export const resourceEvents = new EventEmitter();
+
+// Increase max listeners since many WebSocket connections may subscribe
+resourceEvents.setMaxListeners(1000);
+
+/**
+ * Emit a resource change event
+ * @param {string} resourceUrl - Full URL of the changed resource
+ */
+export function emitChange(resourceUrl) {
+  resourceEvents.emit('change', resourceUrl);
+}

package/src/notifications/index.js

@@ -0,0 +1,49 @@
+/**
+ * Notifications Plugin
+ *
+ * Fastify plugin that adds WebSocket notification support.
+ * Implements the legacy "solid-0.1" protocol for SolidOS compatibility.
+ *
+ * Usage:
+ *   createServer({ notifications: true })
+ *
+ * Discovery:
+ *   OPTIONS /resource returns Updates-Via header with WebSocket URL
+ *
+ * Client usage:
+ *   const ws = new WebSocket(updatesViaUrl);
+ *   ws.send('sub http://example.org/resource');
+ *   ws.onmessage = (e) => { if (e.data.startsWith('pub ')) ... }
+ */
+
+import websocket from '@fastify/websocket';
+import { handleWebSocket, getConnectionCount, getSubscriptionCount } from './websocket.js';
+export { emitChange } from './events.js';
+
+/**
+ * Register the notifications plugin with Fastify
+ * @param {FastifyInstance} fastify
+ * @param {object} options
+ */
+export async function notificationsPlugin(fastify, options) {
+  // Register the WebSocket plugin
+  await fastify.register(websocket);
+
+  // WebSocket route for notifications (dedicated path to avoid route conflicts)
+  // Clients discover this via Updates-Via header
+  // In @fastify/websocket v8, handler receives (connection, request) where connection.socket is the raw WebSocket
+  fastify.get('/.notifications', { websocket: true }, (connection, request) => {
+    handleWebSocket(connection.socket, request);
+  });
+
+  // Optional: Status endpoint for monitoring
+  fastify.get('/.well-known/solid/notifications', async (request, reply) => {
+    return {
+      connections: getConnectionCount(),
+      subscriptions: getSubscriptionCount(),
+      protocol: 'solid-0.1'
+    };
+  });
+}
+
+export default notificationsPlugin;

package/src/notifications/websocket.js

@@ -0,0 +1,183 @@
+/**
+ * WebSocket Handler for Solid Notifications
+ *
+ * Implements the legacy "solid-0.1" protocol used by SolidOS/mashlib.
+ *
+ * Protocol:
+ * - Server sends: "protocol solid-0.1" on connect
+ * - Client sends: "sub <uri>" to subscribe
+ * - Server sends: "ack <uri>" to acknowledge
+ * - Server sends: "pub <uri>" when resource changes
+ */
+
+import { resourceEvents } from './events.js';
+
+// Track subscriptions: WebSocket -> Set<url>
+const subscriptions = new Map();
+
+// Reverse lookup: url -> Set<WebSocket>
+const subscribers = new Map();
+
+/**
+ * Handle new WebSocket connection
+ * @param {WebSocket} socket - The WebSocket connection
+ * @param {Request} request - The HTTP request
+ */
+export function handleWebSocket(socket, request) {
+  // Send protocol greeting
+  socket.send('protocol solid-0.1');
+
+  // Initialize subscription set for this socket
+  subscriptions.set(socket, new Set());
+
+  // Handle incoming messages
+  socket.on('message', (message) => {
+    const msg = message.toString().trim();
+
+    // Handle subscription request
+    if (msg.startsWith('sub ')) {
+      const url = msg.slice(4).trim();
+      if (url) {
+        subscribe(socket, url);
+        socket.send(`ack ${url}`);
+      }
+    }
+
+    // Handle unsubscribe (optional extension)
+    if (msg.startsWith('unsub ')) {
+      const url = msg.slice(6).trim();
+      if (url) {
+        unsubscribe(socket, url);
+      }
+    }
+  });
+
+  // Clean up on close
+  socket.on('close', () => {
+    cleanup(socket);
+  });
+
+  // Clean up on error
+  socket.on('error', () => {
+    cleanup(socket);
+  });
+}
+
+/**
+ * Subscribe a socket to a resource URL
+ */
+function subscribe(socket, url) {
+  // Add to socket's subscriptions
+  const socketSubs = subscriptions.get(socket);
+  if (socketSubs) {
+    socketSubs.add(url);
+  }
+
+  // Add to URL's subscribers
+  if (!subscribers.has(url)) {
+    subscribers.set(url, new Set());
+  }
+  subscribers.get(url).add(socket);
+}
+
+/**
+ * Unsubscribe a socket from a resource URL
+ */
+function unsubscribe(socket, url) {
+  // Remove from socket's subscriptions
+  const socketSubs = subscriptions.get(socket);
+  if (socketSubs) {
+    socketSubs.delete(url);
+  }
+
+  // Remove from URL's subscribers
+  const urlSubs = subscribers.get(url);
+  if (urlSubs) {
+    urlSubs.delete(socket);
+    if (urlSubs.size === 0) {
+      subscribers.delete(url);
+    }
+  }
+}
+
+/**
+ * Clean up all subscriptions for a socket
+ */
+function cleanup(socket) {
+  const urls = subscriptions.get(socket);
+  if (urls) {
+    for (const url of urls) {
+      unsubscribe(socket, url);
+    }
+  }
+  subscriptions.delete(socket);
+}
+
+/**
+ * Broadcast a change notification to all subscribers of a URL
+ * Also notifies subscribers of parent containers
+ */
+export function broadcast(url) {
+  // Notify direct subscribers
+  notifySubscribers(url);
+
+  // Also notify container subscribers (parent directory)
+  // This allows subscribing to a container and getting notified of all child changes
+  const containerUrl = getParentContainer(url);
+  if (containerUrl && containerUrl !== url) {
+    notifySubscribers(containerUrl);
+  }
+}
+
+/**
+ * Send pub message to all subscribers of a URL
+ */
+function notifySubscribers(url) {
+  const subs = subscribers.get(url);
+  if (subs) {
+    const message = `pub ${url}`;
+    for (const socket of subs) {
+      if (socket.readyState === 1) { // WebSocket.OPEN
+        try {
+          socket.send(message);
+        } catch (e) {
+          // Socket may have closed, will be cleaned up on close event
+        }
+      }
+    }
+  }
+}
+
+/**
+ * Get parent container URL from a resource URL
+ */
+function getParentContainer(url) {
+  // Remove trailing slash if present
+  const normalized = url.endsWith('/') ? url.slice(0, -1) : url;
+  const lastSlash = normalized.lastIndexOf('/');
+  if (lastSlash > 0) {
+    return normalized.substring(0, lastSlash + 1);
+  }
+  return null;
+}
+
+/**
+ * Get count of active subscriptions (for monitoring)
+ */
+export function getSubscriptionCount() {
+  let count = 0;
+  for (const urls of subscriptions.values()) {
+    count += urls.size;
+  }
+  return count;
+}
+
+/**
+ * Get count of active connections (for monitoring)
+ */
+export function getConnectionCount() {
+  return subscriptions.size;
+}
+
+// Listen to resource change events and broadcast
+resourceEvents.on('change', broadcast);

package/src/server.js

@@ -3,16 +3,20 @@ import { handleGet, handleHead, handlePut, handleDelete, handleOptions, handlePa
 import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
 import { authorize, handleUnauthorized } from './auth/middleware.js';
+import { notificationsPlugin } from './notifications/index.js';
 
 /**
  * Create and configure Fastify server
  * @param {object} options - Server options
  * @param {boolean} options.logger - Enable logging (default true)
  * @param {boolean} options.conneg - Enable content negotiation for RDF (default false)
+ * @param {boolean} options.notifications - Enable WebSocket notifications (default false)
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
   const connegEnabled = options.conneg ?? false;
+  // WebSocket notifications are OFF by default
+  const notificationsEnabled = options.notifications ?? false;
 
   const fastify = Fastify({
     logger: options.logger ?? true,
@@ -28,16 +32,29 @@ export function createServer(options = {}) {
 
   // Attach server config to requests
   fastify.decorateRequest('connegEnabled', null);
+  fastify.decorateRequest('notificationsEnabled', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
+    request.notificationsEnabled = notificationsEnabled;
   });
 
+  // Register WebSocket notifications plugin if enabled
+  if (notificationsEnabled) {
+    fastify.register(notificationsPlugin);
+  }
+
   // Global CORS preflight
   fastify.addHook('onRequest', async (request, reply) => {
     // Add CORS headers to all responses
     const corsHeaders = getCorsHeaders(request.headers.origin);
     Object.entries(corsHeaders).forEach(([k, v]) => reply.header(k, v));
 
+    // Add Updates-Via header for WebSocket notification discovery
+    if (notificationsEnabled) {
+      const wsProtocol = request.protocol === 'https' ? 'wss' : 'ws';
+      reply.header('Updates-Via', `${wsProtocol}://${request.hostname}/.notifications`);
+    }
+
     // Handle preflight OPTIONS
     if (request.method === 'OPTIONS') {
       // Add Allow header for LDP compliance

package/test/notifications.test.js

@@ -0,0 +1,348 @@
+/**
+ * WebSocket Notifications Tests
+ *
+ * Tests the solid-0.1 WebSocket notification protocol.
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { WebSocket } from 'ws';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getBaseUrl,
+  assertStatus,
+  assertHeader,
+  assertHeaderContains
+} from './helpers.js';
+
+describe('WebSocket Notifications (notifications enabled)', () => {
+  let wsUrl;
+
+  before(async () => {
+    // Start server with notifications ENABLED
+    await startTestServer({ notifications: true });
+    await createTestPod('notifytest');
+
+    // Get WebSocket URL from Updates-Via header
+    const res = await request('/notifytest/', { method: 'OPTIONS' });
+    wsUrl = res.headers.get('Updates-Via');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('Discovery', () => {
+    it('should return Updates-Via header in OPTIONS response', async () => {
+      const res = await request('/notifytest/public/', { method: 'OPTIONS' });
+      assertStatus(res, 204);
+      const updatesVia = res.headers.get('Updates-Via');
+      assert.ok(updatesVia, 'Should have Updates-Via header');
+      assert.ok(updatesVia.startsWith('ws://') || updatesVia.startsWith('wss://'),
+        'Updates-Via should be a WebSocket URL');
+    });
+
+    it('should return Updates-Via header in GET response', async () => {
+      const res = await request('/notifytest/');
+      assertStatus(res, 200);
+      const updatesVia = res.headers.get('Updates-Via');
+      assert.ok(updatesVia, 'GET response should have Updates-Via header');
+    });
+
+    it('should expose Updates-Via in CORS headers', async () => {
+      const res = await request('/notifytest/', {
+        headers: { 'Origin': 'http://example.org' }
+      });
+      const expose = res.headers.get('Access-Control-Expose-Headers');
+      assert.ok(expose && expose.includes('Updates-Via'),
+        'Updates-Via should be in exposed headers');
+    });
+  });
+
+  describe('WebSocket Protocol', () => {
+    it('should connect and receive protocol greeting', async () => {
+      const ws = new WebSocket(wsUrl);
+
+      const message = await new Promise((resolve, reject) => {
+        ws.on('open', () => {});
+        ws.on('message', (data) => resolve(data.toString()));
+        ws.on('error', reject);
+        setTimeout(() => reject(new Error('Timeout')), 5000);
+      });
+
+      assert.strictEqual(message, 'protocol solid-0.1');
+      ws.close();
+    });
+
+    it('should acknowledge subscription', async () => {
+      const ws = new WebSocket(wsUrl);
+      const baseUrl = getBaseUrl();
+      const resourceUrl = `${baseUrl}/notifytest/public/test.json`;
+
+      const messages = [];
+
+      await new Promise((resolve, reject) => {
+        ws.on('open', () => {
+          ws.send(`sub ${resourceUrl}`);
+        });
+        ws.on('message', (data) => {
+          messages.push(data.toString());
+          if (messages.length >= 2) resolve();
+        });
+        ws.on('error', reject);
+        setTimeout(() => resolve(), 2000);
+      });
+
+      assert.ok(messages.includes('protocol solid-0.1'), 'Should receive protocol greeting');
+      assert.ok(messages.some(m => m.startsWith('ack ')), 'Should receive ack');
+      ws.close();
+    });
+  });
+
+  describe('Notifications', () => {
+    it('should receive pub notification on PUT', async () => {
+      const ws = new WebSocket(wsUrl);
+      const baseUrl = getBaseUrl();
+      const resourceUrl = `${baseUrl}/notifytest/public/notify-put.json`;
+
+      const notifications = [];
+
+      await new Promise((resolve) => {
+        ws.on('open', () => {
+          ws.send(`sub ${resourceUrl}`);
+        });
+        ws.on('message', (data) => {
+          const msg = data.toString();
+          if (msg.startsWith('pub ')) {
+            notifications.push(msg);
+            resolve();
+          }
+        });
+
+        // Wait for subscription to be established
+        setTimeout(async () => {
+          // Create the resource
+          await request('/notifytest/public/notify-put.json', {
+            method: 'PUT',
+            headers: { 'Content-Type': 'application/ld+json' },
+            body: JSON.stringify({ '@id': '#test', 'http://example.org/p': 'value' }),
+            auth: 'notifytest'
+          });
+        }, 500);
+
+        setTimeout(() => resolve(), 3000);
+      });
+
+      assert.ok(notifications.length > 0, 'Should receive pub notification');
+      assert.ok(notifications[0].includes(resourceUrl), 'Notification should include resource URL');
+      ws.close();
+    });
+
+    it('should receive pub notification on PATCH', async () => {
+      const baseUrl = getBaseUrl();
+      const resourceUrl = `${baseUrl}/notifytest/public/notify-patch2.json`;
+
+      // First create the resource
+      await request('/notifytest/public/notify-patch2.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify({ '@id': '#test', 'http://example.org/name': 'Original' }),
+        auth: 'notifytest'
+      });
+
+      // Create WebSocket AFTER the initial PUT to avoid race condition
+      const ws = new WebSocket(wsUrl);
+      const notifications = [];
+
+      await new Promise((resolve) => {
+        ws.on('open', () => {
+          ws.send(`sub ${resourceUrl}`);
+        });
+        ws.on('message', (data) => {
+          const msg = data.toString();
+          if (msg.startsWith('pub ')) {
+            notifications.push(msg);
+            resolve();
+          }
+        });
+
+        // Wait for subscription to be established, then patch
+        setTimeout(async () => {
+          const patch = `
+            @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+            _:patch a solid:InsertDeletePatch;
+              solid:inserts { <#test> <http://example.org/name> "Updated" }.
+          `;
+          await request('/notifytest/public/notify-patch2.json', {
+            method: 'PATCH',
+            headers: { 'Content-Type': 'text/n3' },
+            body: patch,
+            auth: 'notifytest'
+          });
+        }, 500);
+
+        setTimeout(() => resolve(), 3000);
+      });
+
+      assert.ok(notifications.length > 0, 'Should receive pub notification for PATCH');
+      ws.close();
+    });
+
+    it('should receive pub notification on DELETE', async () => {
+      const baseUrl = getBaseUrl();
+      const resourceUrl = `${baseUrl}/notifytest/public/notify-delete2.json`;
+
+      // First create the resource
+      await request('/notifytest/public/notify-delete2.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify({ '@id': '#test' }),
+        auth: 'notifytest'
+      });
+
+      // Create WebSocket AFTER the initial PUT to avoid race condition
+      const ws = new WebSocket(wsUrl);
+      const notifications = [];
+
+      await new Promise((resolve) => {
+        ws.on('open', () => {
+          ws.send(`sub ${resourceUrl}`);
+        });
+        ws.on('message', (data) => {
+          const msg = data.toString();
+          if (msg.startsWith('pub ')) {
+            notifications.push(msg);
+            resolve();
+          }
+        });
+
+        // Wait for subscription, then delete
+        setTimeout(async () => {
+          await request('/notifytest/public/notify-delete2.json', {
+            method: 'DELETE',
+            auth: 'notifytest'
+          });
+        }, 500);
+
+        setTimeout(() => resolve(), 3000);
+      });
+
+      assert.ok(notifications.length > 0, 'Should receive pub notification for DELETE');
+      ws.close();
+    });
+
+    it('should receive container notification when child changes', async () => {
+      const ws = new WebSocket(wsUrl);
+      const baseUrl = getBaseUrl();
+      const containerUrl = `${baseUrl}/notifytest/public/`;
+
+      const notifications = [];
+
+      await new Promise((resolve) => {
+        ws.on('open', () => {
+          // Subscribe to container
+          ws.send(`sub ${containerUrl}`);
+        });
+        ws.on('message', (data) => {
+          const msg = data.toString();
+          if (msg.startsWith('pub ')) {
+            notifications.push(msg);
+            resolve();
+          }
+        });
+
+        // Wait for subscription, then create a child resource
+        setTimeout(async () => {
+          await request('/notifytest/public/child-resource.json', {
+            method: 'PUT',
+            headers: { 'Content-Type': 'application/ld+json' },
+            body: JSON.stringify({ '@id': '#child' }),
+            auth: 'notifytest'
+          });
+        }, 500);
+
+        setTimeout(() => resolve(), 3000);
+      });
+
+      assert.ok(notifications.length > 0, 'Container should receive notification for child changes');
+      ws.close();
+    });
+  });
+
+  describe('Multiple Subscribers', () => {
+    it('should notify all subscribers', async () => {
+      const ws1 = new WebSocket(wsUrl);
+      const ws2 = new WebSocket(wsUrl);
+      const baseUrl = getBaseUrl();
+      const resourceUrl = `${baseUrl}/notifytest/public/multi-sub.json`;
+
+      const notifications1 = [];
+      const notifications2 = [];
+
+      await new Promise((resolve) => {
+        let ready = 0;
+
+        const setupWs = (ws, notifications) => {
+          ws.on('open', () => {
+            ws.send(`sub ${resourceUrl}`);
+          });
+          ws.on('message', (data) => {
+            const msg = data.toString();
+            if (msg.startsWith('ack ')) {
+              ready++;
+              if (ready === 2) {
+                // Both subscribed, trigger change
+                setTimeout(async () => {
+                  await request('/notifytest/public/multi-sub.json', {
+                    method: 'PUT',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ test: true }),
+                    auth: 'notifytest'
+                  });
+                }, 100);
+              }
+            }
+            if (msg.startsWith('pub ')) {
+              notifications.push(msg);
+              if (notifications1.length > 0 && notifications2.length > 0) {
+                resolve();
+              }
+            }
+          });
+        };
+
+        setupWs(ws1, notifications1);
+        setupWs(ws2, notifications2);
+
+        setTimeout(() => resolve(), 4000);
+      });
+
+      assert.ok(notifications1.length > 0, 'First subscriber should receive notification');
+      assert.ok(notifications2.length > 0, 'Second subscriber should receive notification');
+      ws1.close();
+      ws2.close();
+    });
+  });
+});
+
+describe('WebSocket Notifications (notifications disabled - default)', () => {
+  before(async () => {
+    // Start server with notifications DISABLED (default)
+    await startTestServer({ notifications: false });
+    await createTestPod('nonotify');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  it('should NOT return Updates-Via header when notifications disabled', async () => {
+    const res = await request('/nonotify/', { method: 'OPTIONS' });
+    assertStatus(res, 204);
+    const updatesVia = res.headers.get('Updates-Via');
+    assert.strictEqual(updatesVia, null, 'Should NOT have Updates-Via header when disabled');
+  });
+});