wiki-plugin-farmmanager 0.1.0 → 0.2.0

package/README.md

@@ -35,8 +35,21 @@ Authentication for all endpoints will be handled by a middleware that checks `ap
 - **`PATCH /plugin/farmmanager/sites/:domain`**
   - **Action**: Partially update a site's properties (preserves unspecified fields).
   - **Request Body**: `{ "owner": {"name": "Carol", ...} }` or `{ "status": "active" }` or both
+  - **Status values**: `active`, `readonly`, or `inactive` (see [Site states](#site-states)).
   - **Response Body**: The updated site object.
 
+### Site states
+
+A site's `status` (stored in `<site>/status.json` and surfaced on every site object) is one of:
+
+- **`active`** — normal, fully editable site.
+- **`readonly`** — pages are still served and readable, but edits, forks, and new pages are blocked. Reversible: `PATCH` the status back to `active` to restore editing. The transition is idempotent — re-applying `readonly` keeps the original `readOnlyAt` timestamp, and returning to `active` clears it.
+- **`inactive`** — soft-deleted / deactivated (set by `DELETE` without `hard=true`).
+
+**How read-only is enforced (plugin-only):** wiki-server gates every content-mutating route — edit/add/remove/move/create/fork via `PUT /page/:slug/action`, page `DELETE`, favicon upload, and recycler deletes — behind a single `securityhandler.isAuthorized(req)` check, while public page reads never call it. On startup the plugin wraps that handler so it denies authorization whenever the current site's `status.json` reads `readonly`, blocking all writes without touching reads and without modifying wiki-server. `isAdmin` is left intact, so the farm-manager API can still flip the flag back. In farm mode each site has its own server instance; the flag is re-read from disk per check, so a status change made from the admin site takes effect immediately.
+
+**On-site indicator (plugin-only):** the wiki client always loads `/theme/style.css` (served from `<site>/status/theme/style.css`). When a site goes read-only the plugin writes a small, clearly-delimited banner rule into that stylesheet, and removes only that block when the site is reactivated — any owner-authored theme CSS in the file is preserved. This needs no changes to wiki-client or the security module. Because CSS cannot read the per-request `isOwner` flag, the banner is shown to **every** visitor of a read-only site, not only the owner. (An owner-only on-site message would require client JS reading `isOwner`, which means touching the auth provider's client code; the banner above is the robust plugin-only option.)
+
 - **`DELETE /plugin/farmmanager/sites/:domain`**
   - **Action**: Deactivate a wiki site (soft delete). Adds a `status.json` file marking the site as inactive.
   - **Query Parameters**: 
@@ -45,7 +58,7 @@ Authentication for all endpoints will be handled by a middleware that checks `ap
 
 ## Web Interface Design
 
-The web interface will be developed after the backend API is complete. It will follow the established FedWiki pattern of providing a client-side component that can be embedded and used within a wiki page.
+The client component (`farmmanager` plugin item) renders an admin dashboard inside a wiki page. It lists every site in the farm with its owner, page count, and a status badge (`active` / `read-only` / `inactive`), and gives each site a one-click action to flip it between editable and read-only (and to reactivate a deactivated site). It calls the JSON API above, so it inherits the same admin-only access control; non-admin or non-farm responses are surfaced as an inline message. Add it to a page like any other plugin item (a `farmmanager` story item), ideally on your designated admin site.
 
 ## Development Plan
 

package/client/farmmanager.js

@@ -0,0 +1,29 @@
+/* wiki-plugin-farmmanager - 0.2.0 - Thu, 18 Jun 2026 19:08:45 GMT */
+(()=>{var d=a=>a.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/\*(.+?)\*/g,"<i>$1</i>"),f={active:{label:"active",color:"#2e7d32"},readonly:{label:"read-only",color:"#b25900"},inactive:{label:"inactive",color:"#777777"}},p={active:{status:"readonly",label:"Make read-only"},readonly:{status:"active",label:"Make editable"},inactive:{status:"active",label:"Reactivate"}},u=a=>{let t=f[a]||{label:a,color:"#777777"};return`<span style="display:inline-block;background:${t.color};color:#fff;border-radius:3px;padding:1px 7px;font-size:11px;font-weight:600;">${t.label}</span>`},m=a=>a.length?a.map(t=>{let n=t.owner&&t.owner.name?t.owner.name:"Unknown",o=p[t.status]||p.active;return`
+        <tr>
+          <td style="padding:3px 8px;"><a href="//${d(t.name)}" target="_blank">${d(t.name)}</a></td>
+          <td style="padding:3px 8px;">${d(n)}</td>
+          <td style="padding:3px 8px;text-align:right;">${t.pages}</td>
+          <td style="padding:3px 8px;">${u(t.status)}</td>
+          <td style="padding:3px 8px;">
+            <button class="fm-toggle" data-domain="${d(t.name)}" data-status="${o.status}">${o.label}</button>
+          </td>
+        </tr>`}).join(""):'<tr><td colspan="5"><i>no sites found</i></td></tr>',c=(a,t)=>{let n=$(`
+    <div class="farmmanager" style="background:#eee;padding:12px;">
+      <div style="margin-bottom:8px;font-weight:600;">Farm Manager</div>
+      <div class="fm-message" style="color:#b00;margin-bottom:6px;"></div>
+      <table style="width:100%;border-collapse:collapse;font-size:13px;">
+        <thead>
+          <tr style="text-align:left;border-bottom:1px solid #ccc;">
+            <th style="padding:3px 8px;">Site</th>
+            <th style="padding:3px 8px;">Owner</th>
+            <th style="padding:3px 8px;text-align:right;">Pages</th>
+            <th style="padding:3px 8px;">Status</th>
+            <th style="padding:3px 8px;"></th>
+          </tr>
+        </thead>
+        <tbody class="fm-rows"><tr><td colspan="5"><i>loading\u2026</i></td></tr></tbody>
+      </table>
+      <div style="margin-top:8px;"><button class="fm-refresh">Refresh</button></div>
+    </div>`);a.empty().append(n);let o=e=>n.find(".fm-message").text(e||""),r=()=>{o(""),fetch("/plugin/farmmanager/sites").then(e=>e.ok?e.json():(e.status===403?o("Admin access required to manage the farm."):e.status===400?o("Server must be running in farm mode."):o(`Error ${e.status} ${e.statusText}`),null)).then(e=>{e&&(e.sort((s,l)=>s.name.localeCompare(l.name)),n.find(".fm-rows").html(m(e)))}).catch(()=>o("Failed to load sites."))};return n.on("click",".fm-refresh",r),n.on("dblclick","button, a",e=>e.stopPropagation()),n.on("click",".fm-toggle",function(){let e=$(this),s=e.attr("data-domain"),l=e.attr("data-status");e.prop("disabled",!0),fetch(`/plugin/farmmanager/sites/${encodeURIComponent(s)}`,{method:"PATCH",headers:{"Content-Type":"application/json"},body:JSON.stringify({status:l})}).then(i=>{if(!i.ok){o(`Error ${i.status} ${i.statusText}`),e.prop("disabled",!1);return}r()}).catch(()=>{o("Failed to update site."),e.prop("disabled",!1)})}),r(),n},g=(a,t)=>a.on("dblclick",()=>wiki.textEditor(a,t)),b=(a,t)=>{let n=a.parents(".page:first");c(a,t),g(a,t),wiki.pageHandler.put(n,{type:"edit",id:t.id,item:t})};typeof window<"u"&&(window.plugins.farmmanager={emit:c,bind:g,editor:b});var x=typeof window>"u"?{expand:d}:void 0;})();
+//# sourceMappingURL=farmmanager.js.map

package/client/farmmanager.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/client/farmmanager.js"],
+  "sourcesContent": ["const expand = text => {\n  return text\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\\*(.+?)\\*/g, '<i>$1</i>')\n}\n\n// Visual treatment for each site status.\nconst STATUS_BADGE = {\n  active: { label: 'active', color: '#2e7d32' },\n  readonly: { label: 'read-only', color: '#b25900' },\n  inactive: { label: 'inactive', color: '#777777' },\n}\n\n// The status a site moves to when the admin clicks its action button, and the\n// label for that button. Read-only is the reversible flip we care about here.\nconst NEXT_ACTION = {\n  active: { status: 'readonly', label: 'Make read-only' },\n  readonly: { status: 'active', label: 'Make editable' },\n  inactive: { status: 'active', label: 'Reactivate' },\n}\n\nconst badge = status => {\n  const s = STATUS_BADGE[status] || { label: status, color: '#777777' }\n  return `<span style=\"display:inline-block;background:${s.color};color:#fff;border-radius:3px;padding:1px 7px;font-size:11px;font-weight:600;\">${s.label}</span>`\n}\n\nconst rows = sites => {\n  if (!sites.length) return '<tr><td colspan=\"5\"><i>no sites found</i></td></tr>'\n  return sites\n    .map(site => {\n      const owner = site.owner && site.owner.name ? site.owner.name : 'Unknown'\n      const next = NEXT_ACTION[site.status] || NEXT_ACTION.active\n      return `\n        <tr>\n          <td style=\"padding:3px 8px;\"><a href=\"//${expand(site.name)}\" target=\"_blank\">${expand(site.name)}</a></td>\n          <td style=\"padding:3px 8px;\">${expand(owner)}</td>\n          <td style=\"padding:3px 8px;text-align:right;\">${site.pages}</td>\n          <td style=\"padding:3px 8px;\">${badge(site.status)}</td>\n          <td style=\"padding:3px 8px;\">\n            <button class=\"fm-toggle\" data-domain=\"${expand(site.name)}\" data-status=\"${next.status}\">${next.label}</button>\n          </td>\n        </tr>`\n    })\n    .join('')\n}\n\nconst emit = ($item, item) => {\n  const $root = $(`\n    <div class=\"farmmanager\" style=\"background:#eee;padding:12px;\">\n      <div style=\"margin-bottom:8px;font-weight:600;\">Farm Manager</div>\n      <div class=\"fm-message\" style=\"color:#b00;margin-bottom:6px;\"></div>\n      <table style=\"width:100%;border-collapse:collapse;font-size:13px;\">\n        <thead>\n          <tr style=\"text-align:left;border-bottom:1px solid #ccc;\">\n            <th style=\"padding:3px 8px;\">Site</th>\n            <th style=\"padding:3px 8px;\">Owner</th>\n            <th style=\"padding:3px 8px;text-align:right;\">Pages</th>\n            <th style=\"padding:3px 8px;\">Status</th>\n            <th style=\"padding:3px 8px;\"></th>\n          </tr>\n        </thead>\n        <tbody class=\"fm-rows\"><tr><td colspan=\"5\"><i>loading\u2026</i></td></tr></tbody>\n      </table>\n      <div style=\"margin-top:8px;\"><button class=\"fm-refresh\">Refresh</button></div>\n    </div>`)\n  $item.empty().append($root)\n\n  const message = text => $root.find('.fm-message').text(text || '')\n\n  const load = () => {\n    message('')\n    fetch('/plugin/farmmanager/sites')\n      .then(res => {\n        if (!res.ok) {\n          if (res.status === 403) message('Admin access required to manage the farm.')\n          else if (res.status === 400) message('Server must be running in farm mode.')\n          else message(`Error ${res.status} ${res.statusText}`)\n          return null\n        }\n        return res.json()\n      })\n      .then(sites => {\n        if (!sites) return\n        sites.sort((a, b) => a.name.localeCompare(b.name))\n        $root.find('.fm-rows').html(rows(sites))\n      })\n      .catch(() => message('Failed to load sites.'))\n  }\n\n  $root.on('click', '.fm-refresh', load)\n  $root.on('dblclick', 'button, a', e => e.stopPropagation())\n  $root.on('click', '.fm-toggle', function () {\n    const $btn = $(this)\n    const domain = $btn.attr('data-domain')\n    const status = $btn.attr('data-status')\n    $btn.prop('disabled', true)\n    fetch(`/plugin/farmmanager/sites/${encodeURIComponent(domain)}`, {\n      method: 'PATCH',\n      headers: { 'Content-Type': 'application/json' },\n      body: JSON.stringify({ status }),\n    })\n      .then(res => {\n        if (!res.ok) {\n          message(`Error ${res.status} ${res.statusText}`)\n          $btn.prop('disabled', false)\n          return\n        }\n        load()\n      })\n      .catch(() => {\n        message('Failed to update site.')\n        $btn.prop('disabled', false)\n      })\n  })\n\n  load()\n  return $root\n}\n\nconst bind = ($item, item) => {\n  return $item.on('dblclick', () => wiki.textEditor($item, item))\n}\n\n// Farmmanager always renders the same dashboard; the item has no meaningful\n// text. Declaring \"editor\" in factory.json makes the factory hand a freshly\n// added block to this function instead of the core text editor \u2014 which would\n// delete the item on focus-out if its text were left empty (the reason an empty\n// block used to vanish unless you typed a placeholder). Here we just render and\n// persist the item, so you can drop in an empty Farmmanager block and it stays.\nconst editor = ($item, item) => {\n  const $page = $item.parents('.page:first')\n  emit($item, item)\n  bind($item, item)\n  wiki.pageHandler.put($page, { type: 'edit', id: item.id, item })\n}\n\nif (typeof window !== 'undefined') {\n  window.plugins.farmmanager = { emit, bind, editor }\n}\n\nexport const farmmanager = typeof window == 'undefined' ? { expand } : undefined\n"],
+  "mappings": ";MAAA,IAAMA,EAASC,GACNA,EACJ,QAAQ,KAAM,OAAO,EACrB,QAAQ,KAAM,MAAM,EACpB,QAAQ,KAAM,MAAM,EACpB,QAAQ,aAAc,WAAW,EAIhCC,EAAe,CACnB,OAAQ,CAAE,MAAO,SAAU,MAAO,SAAU,EAC5C,SAAU,CAAE,MAAO,YAAa,MAAO,SAAU,EACjD,SAAU,CAAE,MAAO,WAAY,MAAO,SAAU,CAClD,EAIMC,EAAc,CAClB,OAAQ,CAAE,OAAQ,WAAY,MAAO,gBAAiB,EACtD,SAAU,CAAE,OAAQ,SAAU,MAAO,eAAgB,EACrD,SAAU,CAAE,OAAQ,SAAU,MAAO,YAAa,CACpD,EAEMC,EAAQC,GAAU,CACtB,IAAMC,EAAIJ,EAAaG,CAAM,GAAK,CAAE,MAAOA,EAAQ,MAAO,SAAU,EACpE,MAAO,gDAAgDC,EAAE,KAAK,kFAAkFA,EAAE,KAAK,SACzJ,EAEMC,EAAOC,GACNA,EAAM,OACJA,EACJ,IAAIC,GAAQ,CACX,IAAMC,EAAQD,EAAK,OAASA,EAAK,MAAM,KAAOA,EAAK,MAAM,KAAO,UAC1DE,EAAOR,EAAYM,EAAK,MAAM,GAAKN,EAAY,OACrD,MAAO;AAAA;AAAA,oDAEuCH,EAAOS,EAAK,IAAI,CAAC,qBAAqBT,EAAOS,EAAK,IAAI,CAAC;AAAA,yCAClET,EAAOU,CAAK,CAAC;AAAA,0DACID,EAAK,KAAK;AAAA,yCAC3BL,EAAMK,EAAK,MAAM,CAAC;AAAA;AAAA,qDAENT,EAAOS,EAAK,IAAI,CAAC,kBAAkBE,EAAK,MAAM,KAAKA,EAAK,KAAK;AAAA;AAAA,cAG9G,CAAC,EACA,KAAK,EAAE,EAhBgB,sDAmBtBC,EAAO,CAACC,EAAOC,IAAS,CAC5B,IAAMC,EAAQ,EAAE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,WAiBP,EACTF,EAAM,MAAM,EAAE,OAAOE,CAAK,EAE1B,IAAMC,EAAUf,GAAQc,EAAM,KAAK,aAAa,EAAE,KAAKd,GAAQ,EAAE,EAE3DgB,EAAO,IAAM,CACjBD,EAAQ,EAAE,EACV,MAAM,2BAA2B,EAC9B,KAAKE,GACCA,EAAI,GAMFA,EAAI,KAAK,GALVA,EAAI,SAAW,IAAKF,EAAQ,2CAA2C,EAClEE,EAAI,SAAW,IAAKF,EAAQ,sCAAsC,EACtEA,EAAQ,SAASE,EAAI,MAAM,IAAIA,EAAI,UAAU,EAAE,EAC7C,KAGV,EACA,KAAKV,GAAS,CACRA,IACLA,EAAM,KAAK,CAACW,EAAGC,IAAMD,EAAE,KAAK,cAAcC,EAAE,IAAI,CAAC,EACjDL,EAAM,KAAK,UAAU,EAAE,KAAKR,EAAKC,CAAK,CAAC,EACzC,CAAC,EACA,MAAM,IAAMQ,EAAQ,uBAAuB,CAAC,CACjD,EAEA,OAAAD,EAAM,GAAG,QAAS,cAAeE,CAAI,EACrCF,EAAM,GAAG,WAAY,YAAa,GAAK,EAAE,gBAAgB,CAAC,EAC1DA,EAAM,GAAG,QAAS,aAAc,UAAY,CAC1C,IAAMM,EAAO,EAAE,IAAI,EACbC,EAASD,EAAK,KAAK,aAAa,EAChChB,EAASgB,EAAK,KAAK,aAAa,EACtCA,EAAK,KAAK,WAAY,EAAI,EAC1B,MAAM,6BAA6B,mBAAmBC,CAAM,CAAC,GAAI,CAC/D,OAAQ,QACR,QAAS,CAAE,eAAgB,kBAAmB,EAC9C,KAAM,KAAK,UAAU,CAAE,OAAAjB,CAAO,CAAC,CACjC,CAAC,EACE,KAAKa,GAAO,CACX,GAAI,CAACA,EAAI,GAAI,CACXF,EAAQ,SAASE,EAAI,MAAM,IAAIA,EAAI,UAAU,EAAE,EAC/CG,EAAK,KAAK,WAAY,EAAK,EAC3B,MACF,CACAJ,EAAK,CACP,CAAC,EACA,MAAM,IAAM,CACXD,EAAQ,wBAAwB,EAChCK,EAAK,KAAK,WAAY,EAAK,CAC7B,CAAC,CACL,CAAC,EAEDJ,EAAK,EACEF,CACT,EAEMQ,EAAO,CAACV,EAAOC,IACZD,EAAM,GAAG,WAAY,IAAM,KAAK,WAAWA,EAAOC,CAAI,CAAC,EAS1DU,EAAS,CAACX,EAAOC,IAAS,CAC9B,IAAMW,EAAQZ,EAAM,QAAQ,aAAa,EACzCD,EAAKC,EAAOC,CAAI,EAChBS,EAAKV,EAAOC,CAAI,EAChB,KAAK,YAAY,IAAIW,EAAO,CAAE,KAAM,OAAQ,GAAIX,EAAK,GAAI,KAAAA,CAAK,CAAC,CACjE,EAEI,OAAO,OAAW,MACpB,OAAO,QAAQ,YAAc,CAAE,KAAAF,EAAM,KAAAW,EAAM,OAAAC,CAAO,GAG7C,IAAME,EAAc,OAAO,OAAU,IAAc,CAAE,OAAA1B,CAAO,EAAI",
+  "names": ["expand", "text", "STATUS_BADGE", "NEXT_ACTION", "badge", "status", "s", "rows", "sites", "site", "owner", "next", "emit", "$item", "item", "$root", "message", "load", "res", "a", "b", "$btn", "domain", "bind", "editor", "$page", "farmmanager"]
+}

package/factory.json

@@ -0,0 +1,6 @@
+{
+  "name": "Farmmanager",
+  "title": "Farm Manager — read-only & site admin dashboard",
+  "category": "other",
+  "editor": true
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wiki-plugin-farmmanager",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Federated Wiki - Farm Manager Plugin",
   "repository": {
     "type": "git",
@@ -16,6 +16,9 @@
     "fedwiki"
   ],
   "scripts": {
+    "build": "node scripts/build-client.js",
+    "prepublishOnly": "npm run build",
+    "test": "node --test",
     "prettier:format": "prettier --write './**/*.js'",
     "prettier:check": "prettier --check ./**/*.js"
   },

package/server/server.js

@@ -1,15 +1,97 @@
 import fsp from 'node:fs/promises'
+import fs from 'node:fs'
 import path from 'node:path'
 
+// Site lifecycle states the farm manager understands.
+//   active   - normal, fully editable site
+//   readonly - pages are still served and readable, but edits, forks and new
+//              pages are blocked (reversible)
+//   inactive - soft-deleted / deactivated
+const VALID_STATUSES = ['active', 'inactive', 'readonly']
+
+// On-site read-only indicator.
+//
+// The wiki client always loads /theme/style.css, which the server serves from
+// <site>/status/theme/style.css. By writing a small banner rule into that
+// stylesheet we surface the read-only state to anyone viewing the site, using
+// an existing extension point and without touching wiki-client. The rule lives
+// in a clearly delimited, managed block so any owner-authored theme CSS in the
+// same file is preserved; clearing read-only strips only our block.
+//
+// Note: CSS cannot read the per-request `isOwner` flag, so this banner is shown
+// to every visitor, not only the owner.
+const BANNER_START = '/* >>> wiki-plugin-farmmanager read-only banner (managed; do not edit) >>> */'
+const BANNER_END = '/* <<< wiki-plugin-farmmanager read-only banner <<< */'
+
+const BANNER_CSS = `${BANNER_START}
+body::before {
+  content: '\\1F512  Read-only \\2014  the site owner cannot edit, fork, or create pages here. You can still read and fork these pages to your own wiki.';
+  display: block;
+  box-sizing: border-box;
+  width: 100%;
+  padding: 4px 12px;
+  background: #faf3e6;
+  color: #7a5a2e;
+  border-bottom: 1px solid #ead9bd;
+  text-align: center;
+  font-family: sans-serif;
+  font-size: 12px;
+  font-weight: 400;
+}
+${BANNER_END}`
+
+// Remove the managed banner block (if present) from existing theme CSS,
+// leaving any owner-authored rules untouched.
+const stripBanner = function (css) {
+  const start = css.indexOf(BANNER_START)
+  if (start === -1) return css.trim()
+  const endMarker = css.indexOf(BANNER_END)
+  const end = endMarker === -1 ? css.length : endMarker + BANNER_END.length
+  return (css.slice(0, start) + css.slice(end)).replace(/\n{3,}/g, '\n\n').trim()
+}
+
+// Reflect the read-only state in the site's theme stylesheet. Idempotent:
+// re-applying produces the same file, and clearing removes only our block
+// (deleting the file if nothing else remains).
+const applyReadOnlyBanner = async function (siteDir, readOnly) {
+  const themeDir = path.join(siteDir, 'status', 'theme')
+  const themePath = path.join(themeDir, 'style.css')
+
+  let existing = ''
+  try {
+    existing = await fsp.readFile(themePath, 'utf8')
+  } catch (err) {
+    // No theme stylesheet yet; that's fine.
+  }
+
+  const base = stripBanner(existing)
+
+  if (readOnly) {
+    const next = base ? `${base}\n\n${BANNER_CSS}\n` : `${BANNER_CSS}\n`
+    await fsp.mkdir(themeDir, { recursive: true })
+    await fsp.writeFile(themePath, next)
+  } else if (existing) {
+    if (base) {
+      await fsp.writeFile(themePath, `${base}\n`)
+    } else {
+      // The stylesheet held only our banner; remove it entirely.
+      await fsp.rm(themePath, { force: true })
+    }
+  }
+}
+
 // Helper function to read owner information from a site directory
 const readSiteOwner = async function (siteDir) {
   try {
     const ownerPath = path.join(siteDir, 'status', 'owner.json')
     const ownerData = await fsp.readFile(ownerPath, 'utf8')
     const owner = JSON.parse(ownerData)
-    return owner.name || 'Unknown'
+    return {
+      ...owner,
+      name: owner.name || 'Unknown',
+    }
   } catch (err) {
-    return 'Unknown'
+    return { name: 'Unknown' }
   }
 }
 
@@ -84,6 +166,51 @@ const startServer = async function (params) {
   // We need to go up one level to get to the farm root
   const dataDir = path.resolve(argv.data || './data', '..')
 
+  // --- Read-only enforcement -------------------------------------------------
+  // A site is "read-only" when its status.json says so. In that state pages are
+  // still served (public reads never consult isAuthorized) but every
+  // content-mutating route in wiki-server is gated behind
+  // securityhandler.isAuthorized(): edits/adds/removes/moves/creates/forks via
+  // PUT /page/:slug/action, page DELETE, favicon upload, and recycler deletes.
+  // By wrapping isAuthorized to deny while the current site is read-only we
+  // block every write without touching reads — and without modifying
+  // wiki-server itself. isAdmin is left untouched, so the farm-manager API can
+  // still flip the flag back.
+  //
+  // In farm mode each site gets its own app instance and its own plugin load,
+  // so argv.data is the current site's directory and its status.json lives at
+  // its root. We re-read it on each check (writes are infrequent) so a flag
+  // flipped from the admin site — a different app instance — takes effect
+  // immediately on the site being served.
+  const currentSiteStatusPath = path.join(argv.data || './data', 'status.json')
+
+  const isCurrentSiteReadOnly = function () {
+    try {
+      const raw = fs.readFileSync(currentSiteStatusPath, 'utf8')
+      return JSON.parse(raw).status === 'readonly'
+    } catch (err) {
+      // No status.json, unreadable, or malformed: treat the site as writable.
+      return false
+    }
+  }
+
+  const securityhandler = app.securityhandler
+  if (
+    securityhandler &&
+    typeof securityhandler.isAuthorized === 'function' &&
+    !securityhandler.farmmanagerReadOnlyWrapped
+  ) {
+    const originalIsAuthorized = securityhandler.isAuthorized.bind(securityhandler)
+    securityhandler.isAuthorized = function (req) {
+      if (isCurrentSiteReadOnly()) {
+        return false
+      }
+      return originalIsAuthorized(req)
+    }
+    // Guard against double-wrapping if startServer ever runs twice on one app.
+    securityhandler.farmmanagerReadOnlyWrapped = true
+  }
+
   // Middleware to ensure only admin users can access these endpoints
   const admin = function (req, res, next) {
     if (req.app.securityhandler && req.app.securityhandler.isAdmin(req)) {
@@ -212,8 +339,8 @@ const startServer = async function (params) {
 
       // Update status if specified
       if (status) {
-        if (status !== 'active' && status !== 'inactive') {
-          return res.status(400).json({ error: 'Status must be either "active" or "inactive"' })
+        if (!VALID_STATUSES.includes(status)) {
+          return res.status(400).json({ error: `Status must be one of: ${VALID_STATUSES.join(', ')}` })
         }
 
         let statusData = {}
@@ -225,14 +352,25 @@ const startServer = async function (params) {
         }
 
         statusData.status = status
+        // Maintain transition timestamps idempotently: re-applying the same
+        // status keeps its original timestamp, and markers belonging to other
+        // states are cleared so status.json always reflects exactly one state.
         if (status === 'inactive') {
-          statusData.deactivatedAt = new Date().toISOString()
+          statusData.deactivatedAt ||= new Date().toISOString()
+          delete statusData.readOnlyAt
+        } else if (status === 'readonly') {
+          statusData.readOnlyAt ||= new Date().toISOString()
+          delete statusData.deactivatedAt
         } else {
-          // If re-activating, remove the deactivation timestamp
+          // active: clear any soft-delete / read-only markers
           delete statusData.deactivatedAt
+          delete statusData.readOnlyAt
         }
 
         await fsp.writeFile(statusPath, JSON.stringify(statusData, null, 2))
+
+        // Keep the on-site read-only banner in sync with the new status.
+        await applyReadOnlyBanner(siteDir, status === 'readonly')
       }
 
       // Return updated site info
@@ -275,6 +413,9 @@ const startServer = async function (params) {
         }
         await fsp.writeFile(statusPath, JSON.stringify(statusData, null, 2))
 
+        // Deactivation supersedes read-only; clear any read-only banner.
+        await applyReadOnlyBanner(siteDir, false)
+
         res.json({
           status: 'ok',
           message: `Site ${domain} deactivated.`,