javascript-solid-server 0.0.80 → 0.0.82

package/.claude/settings.local.json

@@ -277,7 +277,50 @@
       "Bash(node index.js:*)",
       "Bash(timeout 3 npx lws-server@0.0.3:*)",
       "Bash(npx lws-server@0.0.3)",
-      "Bash(node /tmp/jssd/verify-spacing.js:*)"
+      "Bash(node /tmp/jssd/verify-spacing.js:*)",
+      "Bash(gh run list:*)",
+      "Bash(pm2 startup:*)",
+      "Bash(npm run build:*)",
+      "Bash(npx esbuild:*)",
+      "Bash(gzip:*)",
+      "Bash(sort:*)",
+      "Bash(echo __NEW_LINE_496cf3994d374e5c__ echo '1. jsonld \\(277 KB\\) - used by:' grep -r \"from ['''']jsonld\" src/ --include=*.ts --include=*.js 2)",
+      "Bash(/dev/null __NEW_LINE_496cf3994d374e5c__ echo echo '2. readable-stream \\(180 KB\\) - used by:' grep -r readable-stream node_modules/n3/package.json node_modules/jsonld/package.json)",
+      "Bash(head -3 __NEW_LINE_496cf3994d374e5c__ echo echo '3. n3 \\(156 KB\\) - used by:' grep -r \"from ['''']n3\" src/ --include=*.ts --include=*.js 2)",
+      "Bash(/dev/null __NEW_LINE_496cf3994d374e5c__ echo echo '4. @xmldom/xmldom \\(136 KB\\) - used by:' grep -r xmldom src/ --include=*.ts --include=*.js 2)",
+      "Bash(/dev/null __NEW_LINE_496cf3994d374e5c__ echo echo '5. @frogcat/ttl2jsonld \\(135 KB\\) - used by:' grep -r ttl2jsonld src/ --include=*.ts --include=*.js)",
+      "Bash(echo \"\" __NEW_LINE_b9f7c85f1ada8a30__ echo \"1. jsonld \\(277 KB\\):\" grep -rn \"jsonld\" src/ --include=\"*.ts\" --include=\"*.js\")",
+      "Bash(head -5 __NEW_LINE_b9f7c85f1ada8a30__ echo \"\" echo \"2. n3 \\(156 KB\\):\" grep -rn \"from ''''n3''''\" src/ --include=\"*.ts\" --include=\"*.js\")",
+      "Bash(head -5 __NEW_LINE_b9f7c85f1ada8a30__ echo \"\" echo \"3. @xmldom \\(136 KB\\):\" grep -rn \"xmldom\" src/ --include=\"*.ts\" --include=\"*.js\")",
+      "Bash(head -5 __NEW_LINE_b9f7c85f1ada8a30__ echo \"\" echo \"4. @frogcat/ttl2jsonld \\(135 KB\\):\" grep -rn \"ttl2jsonld\" src/ --include=\"*.ts\" --include=\"*.js\")",
+      "Bash(head -5 __NEW_LINE_b9f7c85f1ada8a30__ echo \"\" echo \"5. cross-fetch \\(20 KB\\):\" grep -rn \"cross-fetch\" src/ --include=\"*.ts\" --include=\"*.js\")",
+      "Bash(head -5 __NEW_LINE_b9f7c85f1ada8a30__ echo \"\" echo \"6. solid-namespace \\(3 KB\\):\" grep -rn \"solid-namespace\" src/ --include=\"*.ts\" --include=\"*.js\")",
+      "Bash(echo __NEW_LINE_fbfd1802fc51eb60__ echo '1. jsonld \\(277 KB\\):' grep -n jsonld src/*.ts src/*.js)",
+      "Bash(grep -E \"import|require\" __NEW_LINE_fbfd1802fc51eb60__ echo echo '2. n3 \\(156 KB\\):' grep -n ''n3'' src/*.ts src/*.js)",
+      "Bash(grep -E \"import|require\" __NEW_LINE_fbfd1802fc51eb60__ echo echo '3. @xmldom \\(136 KB\\):' grep -n xmldom src/*.ts src/*.js)",
+      "Bash(grep -E \"import|require\" __NEW_LINE_fbfd1802fc51eb60__ echo echo '4. @frogcat/ttl2jsonld \\(135 KB\\):' grep -n ttl2jsonld src/*.ts src/*.js)",
+      "Bash(grep -E \"import|require\" __NEW_LINE_fbfd1802fc51eb60__ echo echo '5. cross-fetch \\(20 KB\\):' grep -n cross-fetch src/*.ts src/*.js)",
+      "Bash(grep -E \"import|require\" __NEW_LINE_fbfd1802fc51eb60__ echo echo '6. solid-namespace \\(3 KB\\):' grep -n solid-namespace src/*.ts src/*.js)",
+      "Bash(npm run build:all:*)",
+      "Bash(git status:*)",
+      "Bash(npm run lint-fix:*)",
+      "Bash(npm uninstall:*)",
+      "Bash(npm search:*)",
+      "Bash(npm run lint:*)",
+      "Bash(npm run typecheck:*)",
+      "Bash(du:*)",
+      "Bash(for pkg in activitystreams-pane chat-pane contacts-pane folder-pane issue-pane meeting-pane profile-pane source-pane pane-registry)",
+      "Bash(do du -sh node_modules/$pkg)",
+      "Bash(for pkg in solid-ui solid-logic react react-dom lodash core-js @inrupt marked dompurify)",
+      "Bash(npm why:*)",
+      "Bash(for pkg in activitystreams-pane chat-pane contacts-pane folder-pane issue-pane meeting-pane profile-pane source-pane)",
+      "Bash(wc -l echo 'Brings: mime-types \\(we already removed this pattern\\)' echo echo '=== profile-pane unique deps ===')",
+      "Bash(npm run build-prod:*)",
+      "Bash(ln:*)",
+      "WebFetch(domain:remotestorage.io)",
+      "Bash(gh issue create --title \"Feature: --public flag to skip WAC and allow open access\" --body \"$\\(cat << ''ENDOFFILE''\n## Summary\n\nAdd a `--public` flag that disables WAC \\(Web Access Control\\) checks, allowing unauthenticated read/write access to all resources. This enables JSS to be used as a simple file server similar to `npx serve`, but with REST write capabilities.\n\n**Difficulty**: 15/100  \n**Estimated Effort**: 2-4 hours  \n**Dependencies**: None\n\n---\n\n## Motivation\n\nCurrently, JSS requires either:\n1. ACL files to grant access, or\n2. Authentication via Solid-OIDC\n\nThis makes it impossible to use JSS as a simple \"just serve this folder\" tool like `npx serve`. The `--public` flag would enable:\n\n1. **Quick local development** - No auth setup needed\n2. **Simple file sharing** - LAN file server with write support\n3. **jsserve wrapper** - Foundation for `npx jsserve` \\(see future issue\\)\n4. **WebDAV alternative** - Simple REST-based file server\n5. **Testing/demos** - Quick Solid server without auth complexity\n\n---\n\n## Proposed Implementation\n\n### CLI Flag\n\n```bash\njss start --public              # Open read/write, no auth\njss start --public --read-only  # Open read, no writes \\(like npx serve\\)\n```\n\n### Environment Variable\n\n```bash\nJSS_PUBLIC=true jss start\n```\n\n### Config File\n\n```json\n{\n  \"public\": true\n}\n```\n\n---\n\n## Implementation Details\n\n### 1. Add flag to CLI \\(`bin/jss.js`\\)\n\n```javascript\n.option\\(''--public'', ''Allow unauthenticated access to all resources \\(disables WAC\\)''\\)\n.option\\(''--read-only'', ''Disable PUT/DELETE methods \\(read-only mode\\)''\\)\n```\n\n### 2. Add to config \\(`src/config.js`\\)\n\n```javascript\nconst DEFAULTS = {\n  // ... existing ...\n  public: false,\n  readOnly: false,\n};\n\n// Environment variable mapping\nif \\(process.env.JSS_PUBLIC\\) {\n  config.public = process.env.JSS_PUBLIC === ''true'';\n}\nif \\(process.env.JSS_READ_ONLY\\) {\n  config.readOnly = process.env.JSS_READ_ONLY === ''true'';\n}\n```\n\n### 3. Skip WAC when public \\(`src/auth/middleware.js`\\)\n\n```javascript\nexport async function authorize\\(request, reply\\) {\n  // Public mode - skip all auth/WAC checks\n  if \\(request.config?.public\\) {\n    return; // Allow request to proceed\n  }\n  \n  // ... existing WAC logic ...\n}\n```\n\n### 4. Block writes when read-only \\(`src/handlers/resource.js`, `src/handlers/container.js`\\)\n\n```javascript\n// At start of PUT/DELETE handlers\nif \\(request.config?.readOnly\\) {\n  return reply.code\\(405\\).send\\({ \n    error: ''Method Not Allowed'',\n    message: ''Server is in read-only mode''\n  }\\);\n}\n```\n\n---\n\n## Behavior Matrix\n\n| Flag Combination | GET | PUT/DELETE | Auth Required |\n|------------------|-----|------------|---------------|\n| \\(default\\) | ACL | ACL | Yes \\(if ACL requires\\) |\n| `--public` | ✅ Allow | ✅ Allow | No |\n| `--public --read-only` | ✅ Allow | ❌ Block | No |\n| `--read-only` \\(no public\\) | ACL | ❌ Block | Yes |\n\n---\n\n## Security Considerations\n\n### Warning on Startup\n\nWhen `--public` is enabled, show a clear warning:\n\n```\n⚠️  WARNING: Server running in PUBLIC mode\n   All files are readable and writable without authentication.\n   Do not use in production or expose to the internet.\n```\n\n### Binding to localhost by default?\n\nConsider: When `--public` is set, should the default host be `localhost` instead of `0.0.0.0`?\n\n```javascript\nif \\(config.public && !explicitHostSet\\) {\n  config.host = ''localhost''; // Safer default for public mode\n}\n```\n\nUser can override with `--public --host 0.0.0.0` if they explicitly want network access.\n\n---\n\n## Examples\n\n### Local Development\n```bash\n# Quick Solid-compatible file server for development\njss start --public --port 3000 --root ./test-data\n```\n\n### Read-Only File Sharing\n```bash\n# Share files on LAN, no writes allowed\njss start --public --read-only --host 0.0.0.0 --root ~/shared\n```\n\n### Testing Solid Apps\n```bash\n# Test app without auth complexity\njss start --public --root ./fixtures\nnpm test\n```\n\n---\n\n## Files to Modify\n\n| File | Changes |\n|------|---------|\n| `bin/jss.js` | Add `--public` and `--read-only` options \\(~5 LOC\\) |\n| `src/config.js` | Add defaults and env var mapping \\(~10 LOC\\) |\n| `src/auth/middleware.js` | Skip WAC when public \\(~5 LOC\\) |\n| `src/handlers/resource.js` | Block writes when read-only \\(~5 LOC\\) |\n| `src/handlers/container.js` | Block writes when read-only \\(~5 LOC\\) |\n| **Total** | **~30 LOC** |\n\n---\n\n## Testing\n\n```javascript\ndescribe\\(''--public flag'', \\(\\) => {\n  it\\(''should allow unauthenticated GET'', async \\(\\) => {\n    const server = await createServer\\({ public: true, root: tmpDir }\\);\n    const res = await request\\(server\\).get\\(''/file.txt''\\);\n    expect\\(res.status\\).toBe\\(200\\);\n  }\\);\n\n  it\\(''should allow unauthenticated PUT'', async \\(\\) => {\n    const server = await createServer\\({ public: true, root: tmpDir }\\);\n    const res = await request\\(server\\)\n      .put\\(''/new-file.txt''\\)\n      .send\\(''content''\\);\n    expect\\(res.status\\).toBe\\(201\\);\n  }\\);\n\n  it\\(''should block PUT when read-only'', async \\(\\) => {\n    const server = await createServer\\({ public: true, readOnly: true, root: tmpDir }\\);\n    const res = await request\\(server\\)\n      .put\\(''/new-file.txt''\\)\n      .send\\(''content''\\);\n    expect\\(res.status\\).toBe\\(405\\);\n  }\\);\n}\\);\n```\n\n---\n\n## Related Issues\n\n- Future: `jsserve` package \\(thin wrapper using this flag\\)\n- #100 - Production Readiness \\(this is a dev/convenience feature\\)\n\n---\n\n## Open Questions\n\n1. Should `--public` default to `localhost` binding for safety?\n2. Should there be a `--public-read` \\(read-only public\\) shorthand?\n3. Should `--public` disable IdP/login UI entirely, or just make it optional?\nENDOFFILE\n\\)\")",
+      "Bash(npx serve --help:*)",
+      "Bash(npm exec serve:*)"
     ]
   }
 }

package/README.md

@@ -1047,7 +1047,7 @@ Minimal dependencies for a fast, secure server:
 - **oidc-provider** - OpenID Connect Identity Provider (only when IdP enabled)
 - **bcryptjs** - Password hashing (only when IdP enabled)
 - **microfed** - ActivityPub primitives (only when activitypub enabled)
-- **better-sqlite3** - SQLite storage for federation data
+- **sql.js** - SQLite storage for federation data (WASM, cross-platform)
 
 ## License
 

package/bin/jss.js

@@ -76,6 +76,8 @@ program
   .option('--single-user-name <name>', 'Username for single-user mode (default: me)')
   .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
   .option('--no-webid-tls', 'Disable WebID-TLS authentication')
+  .option('--public', 'Allow unauthenticated access (skip WAC, open read/write)')
+  .option('--read-only', 'Disable PUT/DELETE/PATCH methods (read-only mode)')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -131,6 +133,8 @@ program
         webidTls: config.webidTls,
         singleUser: config.singleUser,
         singleUserName: config.singleUserName,
+        public: config.public,
+        readOnly: config.readOnly,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -156,6 +160,16 @@ program
         if (config.singleUser) console.log(`  Single-user: ${config.singleUserName || 'me'} (registration disabled)`);
         else if (config.inviteOnly) console.log('  Registration: invite-only');
         if (config.webidTls) console.log('  WebID-TLS: enabled (client certificate auth)');
+        if (config.public) {
+          console.log('');
+          console.log('  ⚠️  WARNING: PUBLIC MODE ENABLED');
+          console.log('     All files are accessible without authentication.');
+          if (!config.readOnly) {
+            console.log('     Anyone can read, write, and delete files.');
+          }
+          console.log('     Do not expose to the internet!');
+        }
+        if (config.readOnly) console.log('  Read-only: enabled (PUT/DELETE/PATCH disabled)');
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/fonstr-data/index.html

@@ -0,0 +1,120 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>fonstr - Your Nostr Relay</title>
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+            background: linear-gradient(135deg, #6366f1 0%, #8b5cf6 100%);
+            color: white;
+            min-height: 100vh;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding: 2rem;
+        }
+        .container {
+            text-align: center;
+            max-width: 600px;
+        }
+        h1 {
+            font-size: 3rem;
+            margin-bottom: 0.5rem;
+        }
+        .emoji {
+            font-size: 4rem;
+            margin-bottom: 1rem;
+        }
+        p {
+            font-size: 1.25rem;
+            opacity: 0.95;
+            margin-bottom: 2rem;
+            line-height: 1.6;
+        }
+        .relay-info {
+            background: rgba(255, 255, 255, 0.2);
+            backdrop-filter: blur(10px);
+            border-radius: 1rem;
+            padding: 2rem;
+            margin: 2rem 0;
+        }
+        code {
+            background: rgba(255, 255, 255, 0.3);
+            padding: 0.5rem 1rem;
+            border-radius: 0.5rem;
+            font-size: 1.1rem;
+            display: inline-block;
+            margin: 0.5rem 0;
+            font-family: 'Monaco', 'Menlo', monospace;
+        }
+        .stats {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+            gap: 1rem;
+            margin-top: 2rem;
+        }
+        .stat {
+            background: rgba(255, 255, 255, 0.15);
+            padding: 1rem;
+            border-radius: 0.5rem;
+        }
+        .stat-label {
+            font-size: 0.9rem;
+            opacity: 0.8;
+        }
+        .stat-value {
+            font-size: 1.5rem;
+            font-weight: 700;
+            margin-top: 0.25rem;
+        }
+        a {
+            color: white;
+            text-decoration: none;
+            border-bottom: 2px solid rgba(255, 255, 255, 0.5);
+            transition: border-color 0.2s;
+        }
+        a:hover {
+            border-color: white;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="emoji">⚡</div>
+        <h1>fonstr</h1>
+        <p>Your Nostr relay is running!</p>
+
+        <div class="relay-info">
+            <p style="font-size: 1rem; margin-bottom: 1rem; opacity: 0.9;">Connect to your relay:</p>
+            <code>ws://localhost:4444/relay</code>
+
+            <div class="stats">
+                <div class="stat">
+                    <div class="stat-label">Status</div>
+                    <div class="stat-value">✓ Online</div>
+                </div>
+                <div class="stat">
+                    <div class="stat-label">Protocol</div>
+                    <div class="stat-value">NIP-01</div>
+                </div>
+                <div class="stat">
+                    <div class="stat-label">Port</div>
+                    <div class="stat-value">4444</div>
+                </div>
+            </div>
+        </div>
+
+        <p style="font-size: 1rem;">
+            Add this relay to your favorite Nostr client and start using it!<br>
+            <a href="https://fonstr.com" target="_blank">Learn more about fonstr</a>
+        </p>
+
+        <p style="font-size: 0.9rem; opacity: 0.7; margin-top: 2rem;">
+            Replace this page by editing <code style="font-size: 0.8rem;">index.html</code> in your data directory
+        </p>
+    </div>
+</body>
+</html>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.80",
+  "version": "0.0.82",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -28,7 +28,6 @@
     "@fastify/websocket": "^8.3.1",
     "@simplewebauthn/server": "^13.2.2",
     "bcryptjs": "^3.0.3",
-    "better-sqlite3": "^12.5.0",
     "commander": "^14.0.2",
     "fastify": "^4.29.1",
     "fs-extra": "^11.2.0",

package/src/ap/store.js

@@ -2,8 +2,8 @@
  * ActivityPub SQLite Storage
  * Persistence layer for federation data
  *
- * Uses better-sqlite3 when available (native, fast)
- * Falls back to sql.js on Android/platforms without native builds
+ * Uses sql.js (WASM) for cross-platform compatibility
+ * Works on Android/Termux, Windows, and all platforms
  */
 
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs'
@@ -11,7 +11,6 @@ import { dirname } from 'path'
 
 let db = null
 let dbPath = null
-let usingSqlJs = false
 
 // SQL schema
 const SCHEMA = `
@@ -59,7 +58,7 @@ const SCHEMA = `
 
 /**
  * Initialize the database
- * Tries better-sqlite3 first, falls back to sql.js
+ * Uses sql.js (WASM) for cross-platform compatibility
  * @param {string} path - Path to SQLite file
  */
 export async function initStore(path = 'data/activitypub.db') {
@@ -71,43 +70,31 @@ export async function initStore(path = 'data/activitypub.db') {
 
   dbPath = path
 
-  // Try better-sqlite3 first (fast, native)
-  try {
-    const Database = (await import('better-sqlite3')).default
-    db = new Database(path)
-    db.exec(SCHEMA)
-    usingSqlJs = false
-    return db
-  } catch (e) {
-    // Fall back to sql.js (WASM, works everywhere)
-    console.log('ActivityPub: Using sql.js (WASM) for SQLite storage')
-
-    const initSqlJs = (await import('sql.js')).default
-    const SQL = await initSqlJs()
-
-    // Load existing database if it exists
-    if (existsSync(path)) {
-      const buffer = readFileSync(path)
-      db = new SQL.Database(buffer)
-    } else {
-      db = new SQL.Database()
-    }
-
-    db.run(SCHEMA)
-    usingSqlJs = true
-
-    // Save initial database
-    saveDatabase()
-
-    return db
+  // Use sql.js (WASM, works everywhere)
+  const initSqlJs = (await import('sql.js')).default
+  const SQL = await initSqlJs()
+
+  // Load existing database if it exists
+  if (existsSync(path)) {
+    const buffer = readFileSync(path)
+    db = new SQL.Database(buffer)
+  } else {
+    db = new SQL.Database()
   }
+
+  db.run(SCHEMA)
+
+  // Save initial database
+  saveDatabase()
+
+  return db
 }
 
 /**
  * Save sql.js database to disk
  */
 function saveDatabase() {
-  if (usingSqlJs && db && dbPath) {
+  if (db && dbPath) {
     const data = db.export()
     const buffer = Buffer.from(data)
     writeFileSync(dbPath, buffer)
@@ -124,45 +111,33 @@ export function getStore() {
   return db
 }
 
-// Helper to run prepared statements across both implementations
+// Helper functions for sql.js API
 function runStmt(sql, params = []) {
-  if (usingSqlJs) {
-    db.run(sql, params)
-    saveDatabase()
-  } else {
-    db.prepare(sql).run(...params)
-  }
+  db.run(sql, params)
+  saveDatabase()
 }
 
 function getOne(sql, params = []) {
-  if (usingSqlJs) {
-    const stmt = db.prepare(sql)
-    stmt.bind(params)
-    if (stmt.step()) {
-      const row = stmt.getAsObject()
-      stmt.free()
-      return row
-    }
+  const stmt = db.prepare(sql)
+  stmt.bind(params)
+  if (stmt.step()) {
+    const row = stmt.getAsObject()
     stmt.free()
-    return null
-  } else {
-    return db.prepare(sql).get(...params)
+    return row
   }
+  stmt.free()
+  return null
 }
 
 function getAll(sql, params = []) {
-  if (usingSqlJs) {
-    const results = []
-    const stmt = db.prepare(sql)
-    stmt.bind(params)
-    while (stmt.step()) {
-      results.push(stmt.getAsObject())
-    }
-    stmt.free()
-    return results
-  } else {
-    return db.prepare(sql).all(...params)
+  const results = []
+  const stmt = db.prepare(sql)
+  stmt.bind(params)
+  while (stmt.step()) {
+    results.push(stmt.getAsObject())
   }
+  stmt.free()
+  return results
 }
 
 // Followers

package/src/auth/middleware.js

@@ -28,6 +28,12 @@ export async function authorize(request, reply, options = {}) {
     return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"', authError: null };
   }
 
+  // Public mode - skip all WAC checks, allow unauthenticated access
+  if (request.config?.public) {
+    const modes = request.config?.readOnly ? 'read' : 'read write append';
+    return { authorized: true, webId: null, wacAllow: `public="${modes}"`, authError: null };
+  }
+
   // Get WebID from token (supports both simple and Solid-OIDC tokens)
   const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 

package/src/config.js

@@ -73,6 +73,12 @@ export const defaults = {
   // Storage quota (bytes) - 50MB default
   defaultQuota: 50 * 1024 * 1024,
 
+  // Public mode - skip WAC, allow unauthenticated access
+  public: false,
+
+  // Read-only mode - disable PUT/DELETE/PATCH
+  readOnly: false,
+
   // Logging
   logger: true,
   quiet: false,
@@ -117,6 +123,8 @@ const envMap = {
   JSS_SINGLE_USER_NAME: 'singleUserName',
   JSS_WEBID_TLS: 'webidTls',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
+  JSS_PUBLIC: 'public',
+  JSS_READ_ONLY: 'readOnly',
 };
 
 /**

package/src/handlers/container.js

@@ -25,6 +25,11 @@ function getRequestPaths(request) {
  * Handle POST request to container (create new resource)
  */
 export async function handlePost(request, reply) {
+  // Read-only mode - block all writes
+  if (request.config?.readOnly) {
+    return reply.code(405).send({ error: 'Method Not Allowed', message: 'Server is in read-only mode' });
+  }
+
   const { urlPath, storagePath } = getRequestPaths(request);
 
   // Ensure target is a container
@@ -233,6 +238,11 @@ export async function createPodStructure(name, webId, podUri, issuer, defaultQuo
  *   /{name}/settings/privateTypeIndex
  */
 export async function handleCreatePod(request, reply) {
+  // Read-only mode - block pod creation
+  if (request.config?.readOnly) {
+    return reply.code(405).send({ error: 'Method Not Allowed', message: 'Server is in read-only mode' });
+  }
+
   const { name, email, password } = request.body || {};
   const idpEnabled = request.idpEnabled;
 

package/src/handlers/resource.js

@@ -511,6 +511,11 @@ export async function handleHead(request, reply) {
  * Handle PUT request
  */
 export async function handlePut(request, reply) {
+  // Read-only mode - block all writes
+  if (request.config?.readOnly) {
+    return reply.code(405).send({ error: 'Method Not Allowed', message: 'Server is in read-only mode' });
+  }
+
   const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
   const connegEnabled = request.connegEnabled || false;
 
@@ -644,6 +649,11 @@ export async function handlePut(request, reply) {
  * Handle DELETE request
  */
 export async function handleDelete(request, reply) {
+  // Read-only mode - block all writes
+  if (request.config?.readOnly) {
+    return reply.code(405).send({ error: 'Method Not Allowed', message: 'Server is in read-only mode' });
+  }
+
   const { storagePath, resourceUrl } = getRequestPaths(request);
 
   // Check if resource exists and get current ETag
@@ -716,6 +726,11 @@ export async function handleOptions(request, reply) {
  * Supports N3 Patch format (text/n3) and SPARQL Update for updating RDF resources
  */
 export async function handlePatch(request, reply) {
+  // Read-only mode - block all writes
+  if (request.config?.readOnly) {
+    return reply.code(405).send({ error: 'Method Not Allowed', message: 'Server is in read-only mode' });
+  }
+
   const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
 
   // Don't allow PATCH to containers

package/src/server.js

@@ -135,6 +135,7 @@ export function createServer(options = {}) {
   fastify.decorateRequest('mashlibVersion', null);
   fastify.decorateRequest('solidosUiEnabled', null);
   fastify.decorateRequest('defaultQuota', null);
+  fastify.decorateRequest('config', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
     request.notificationsEnabled = notificationsEnabled;
@@ -146,6 +147,7 @@ export function createServer(options = {}) {
     request.mashlibVersion = mashlibVersion;
     request.solidosUiEnabled = solidosUiEnabled;
     request.defaultQuota = defaultQuota;
+    request.config = { public: options.public, readOnly: options.readOnly };
 
     // Extract pod name from subdomain if enabled
     if (subdomainsEnabled && baseDomain) {