Fixed up the .gitignore

More push to move towards a deployment stage

Dockerfile

@@ -9,21 +9,14 @@ ARG TARGETARCH
 ARG TARGETVARIANT
 
 WORKDIR /src
-
-# 1) Copy ONLY go.mod first and materialize go.sum inside the image
 COPY go.mod ./
-# Produce go.sum (and module cache) before copying the rest
 RUN --mount=type=cache,target=/root/.cache/go-build \
     go mod download && go mod verify
 
-# 2) Now copy the rest of the source
+# Copy the rest and tidy (creates go.sum if missing)
 COPY . .
+RUN --mount=type=cache,target=/root/.cache/go-build go mod tidy
 
-# (Optional but nice) ensure module graph is tidy (updates go.sum if needed)
-RUN --mount=type=cache,target=/root/.cache/go-build \
-    go mod tidy
-
-# 3) Build (with ARM variant handling)
 ENV CGO_ENABLED=0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     if [ "${TARGETARCH}${TARGETVARIANT}" = "armv6" ]; then export GOARM=6; fi && \
@@ -38,7 +31,8 @@ FROM gcr.io/distroless/base-debian12:nonroot
 WORKDIR /app
 COPY --from=build /out/greencoast-shard /app/greencoast-shard
 COPY configs/shard.sample.yaml /app/shard.yaml
+COPY client /app/client
 VOLUME ["/var/lib/greencoast"]
-EXPOSE 8080 8081
+EXPOSE 8080 8081 8443 9443
 USER nonroot:nonroot
 ENTRYPOINT ["/app/greencoast-shard","--config","/app/shard.yaml"]

client/app.js

@@ -78,7 +78,7 @@ async function syncIndex() {
 }
 
 let sseCtrl;
-function sse(restart=false){
+function sse(){
   if (!cfg.url) return;
   if (sseCtrl) { sseCtrl.abort(); sseCtrl = undefined; }
   sseCtrl = new AbortController();
@@ -114,29 +114,6 @@ function sse(restart=false){
   }).catch(()=>{});
 }
 
-function renderPosts() {
-  const posts = getPosts(); els.posts.innerHTML = "";
-  for (const p of posts) {
-    const div = document.createElement("div"); div.className = "post";
-    const badge = p.enc ? `<span class="badge">private</span>` : `<span class="badge">public</span>`;
-    div.innerHTML = `
-      <div class="meta"><code>${p.hash.slice(0,10)}…</code> · ${p.bytes} bytes · ${p.ts} ${badge}</div>
-      <div class="actions">
-        <button data-act="view">View</button>
-        <button data-act="save">Save blob</button>
-        <button data-act="delete">Delete (server)</button>
-        <button data-act="remove">Remove (local)</button>
-      </div>
-      <pre class="content" style="white-space:pre-wrap;margin-top:.5rem;"></pre>`;
-    const pre = div.querySelector(".content");
-    div.querySelector('[data-act="view"]').onclick = () => viewPost(p, pre);
-    div.querySelector('[data-act="save"]').onclick = () => saveBlob(p);
-    div.querySelector('[data-act="delete"]').onclick = () => delServer(p);
-    div.querySelector('[data-act="remove"]').onclick = () => { setPosts(getPosts().filter(x=>x.hash!==p.hash)); };
-    els.posts.appendChild(div);
-  }
-}
-
 async function viewPost(p, pre) {
   pre.textContent = "Loading…";
   try {
@@ -175,9 +152,31 @@ async function delServer(p) {
 
 async function discordStart() {
   if (!cfg.url) { alert("Set shard URL first."); return; }
-  // Require explicit assent for third-party auth
   const r = await fetch(cfg.url + "/v1/auth/discord/start", { headers: { "X-GC-3P-Assent":"1" }});
   if (!r.ok) { alert("Discord SSO not available"); return; }
   const j = await r.json();
-  location.href = j.url; // redirect to Discord; after consent, it returns to /auth-callback.html
+  location.href = j.url;
+}
+
+function renderPosts() {
+  const posts = getPosts(); els.posts.innerHTML = "";
+  for (const p of posts) {
+    const div = document.createElement("div"); div.className = "post";
+    const badge = p.enc ? `<span class="badge">private</span>` : `<span class="badge">public</span>`;
+    div.innerHTML = `
+      <div class="meta"><code>${p.hash.slice(0,10)}…</code> · ${p.bytes} bytes · ${p.ts} ${badge}</div>
+      <div class="actions">
+        <button data-act="view">View</button>
+        <button data-act="save">Save blob</button>
+        <button data-act="delete">Delete (server)</button>
+        <button data-act="remove">Remove (local)</button>
+      </div>
+      <pre class="content" style="white-space:pre-wrap;margin-top:.5rem;"></pre>`;
+    const pre = div.querySelector(".content");
+    div.querySelector('[data-act="view"]').onclick = () => viewPost(p, pre);
+    div.querySelector('[data-act="save"]').onclick = () => saveBlob(p);
+    div.querySelector('[data-act="delete"]').onclick = () => delServer(p);
+    div.querySelector('[data-act="remove"]').onclick = () => { setPosts(getPosts().filter(x=>x.hash!==p.hash)); };
+    els.posts.appendChild(div);
+  }
 }

client/auth_callback.html

@@ -27,7 +27,6 @@
       const r = await fetch(origin + "/v1/auth/discord/callback?assent=1&code=" + encodeURIComponent(code));
       if (!r.ok) { msg("Exchange failed: " + r.status); return; }
       const j = await r.json();
-      // Save token into client config
       const key = "gc_client_config_v1";
       const cfg = JSON.parse(localStorage.getItem(key) || "{}");
       cfg.bearer = j.token;

cmd/shard/main.go

@@ -48,33 +48,42 @@ func main() {
 		},
 	)
 
-	// Serve the client if enabled
+	// Optional: also mount static under API mux (subpath) if you later want that.
-	if cfg.UI.Enable {
+	// srv.MountStatic(cfg.UI.Path, "/app")
-		srv.MountStatic(cfg.UI.Path, cfg.UI.BaseURL)
-	}
 
-	// listeners
+	// Start federation mTLS (if enabled)
-	if cfg.Listen.HTTP != "" {
-		go func() { log.Fatal(srv.ListenHTTP(cfg.Listen.HTTP)) }()
-	}
-	if cfg.TLS.Enable && cfg.Listen.HTTPS != "" {
-		go func() { log.Fatal(srv.ListenHTTPS(cfg.Listen.HTTPS, cfg.TLS.CertFile, cfg.TLS.KeyFile)) }()
-	}
 	if cfg.Federation.MTLSEnable {
-		tlsCfg, err := federation.ServerTLSConfig(cfg.Federation.CertFile, cfg.Federation.KeyFile, cfg.Federation.ClientCAFile)
+		tlsCfg, err := federation.ServerTLSConfig(
+			cfg.Federation.CertFile,
+			cfg.Federation.KeyFile,
+			cfg.Federation.ClientCAFile,
+		)
 		if err != nil {
 			log.Fatalf("federation tls config error: %v", err)
 		}
-		go func() { log.Fatal(srv.ListenMTLS(cfg.Federation.Listen, tlsCfg)) }()
+		go func() {
+			if err := srv.ListenMTLS(cfg.Federation.Listen, tlsCfg); err != nil {
+				log.Fatalf("federation mTLS listener error: %v", err)
+			}
+		}()
 	}
 
-	// foreground
+	// Start FRONTEND listener (separate port) if enabled
+	if cfg.UI.Enable && cfg.UI.FrontendHTTP != "" {
+		go func() {
+			if err := srv.ListenFrontendHTTP(cfg.UI.FrontendHTTP, cfg.UI.Path, cfg.UI.BaseURL); err != nil {
+				log.Fatalf("frontend listener error: %v", err)
+			}
+		}()
+	}
+
+	// Choose ONE foreground listener for API: HTTPS if enabled, else HTTP.
 	if cfg.TLS.Enable && cfg.Listen.HTTPS != "" {
 		log.Fatal(srv.ListenHTTPS(cfg.Listen.HTTPS, cfg.TLS.CertFile, cfg.TLS.KeyFile))
 		return
 	}
 	if cfg.Listen.HTTP == "" {
-		log.Fatal("no listeners configured (set listen.http or listen.https)")
+		log.Fatal("no API listeners configured (set listen.http or listen.https)")
 	}
 	log.Fatal(srv.ListenHTTP(cfg.Listen.HTTP))
 }

configs/shard.sample.yaml

@@ -1,9 +1,9 @@
 shard_id: "gc-001"
 
 listen:
-  http: "0.0.0.0:8080"
+  http: "0.0.0.0:8080"     # API
-  https: ""                    # e.g., "0.0.0.0:8443" when tls.enable=true
+  https: ""                # e.g., "0.0.0.0:8443" if tls.enable=true
-  ws:   "0.0.0.0:8081"         # reserved (not used)
+  ws:   "0.0.0.0:8081"     # reserved
 
 tls:
   enable: false
@@ -21,6 +21,7 @@ ui:
   enable: true
   path: "./client"
   base_url: "/"
+  frontend_http: "0.0.0.0:8082"  # NEW: static client served on its own port
 
 storage:
   backend: "fs"
@@ -39,13 +40,13 @@ privacy:
   retain_timestamps: "coarse"
 
 auth:
-  signing_secret: "50A936BBA70A6F469260ABF2D86A425C07FA3228D1B24D2A9079708CE787F6B09C75C64AA26170B6B2580EC06F4C7C9F4268B2859F864D5925550FC1768E69F9E1A65B32A7A075DF5FF4992E05369362A1753ED5929B4FD48B1291CD2A281C7C54881BD377410EE8D1D210C47613B4CBA7A0E6055F66D4B9402BB871C224D4FE"   # hex key for HMAC shard tokens
+  signing_secret: "50A936BBA70A6F469260ABF2D86A425C07FA3228D1B24D2A9079708CE787F6B09C75C64AA26170B6B2580EC06F4C7C9F4268B2859F864D5925550FC1768E69F9E1A65B32A7A075DF5FF4992E05369362A1753ED5929B4FD48B1291CD2A281C7C54881BD377410EE8D1D210C47613B4CBA7A0E6055F66D4B9402BB871C224D4FE"
   sso:
     discord:
       enabled: false
       client_id: ""
       client_secret: ""
-      redirect_uri: "http://localhost:8080/auth-callback.html"
+      redirect_uri: "http://localhost:8082/auth-callback.html"  # points to frontend port
     google:
       enabled: false
       client_id: ""

data/objects/d8/d5/d8d59d382c7e358037322494107cfd62510a2a656244756bf48359c44787923e

@@ -1,24 +0,0 @@
-# GreenCoast — Privacy-First, Shardable Social (Dockerized)
-
-**Goal:** A BlueSky-like experience with **shards**, **zero-trust**, **no data collection**, **E2EE**, and easy self-hosting — from x86_64 down to **Raspberry Pi Zero**.  
-License: **The Unlicense** (public-domain equivalent).
-
-This repo contains a minimal, working **shard**: an append-only object API with zero-data-collection defaults. It’s structured to evolve into full federation, E2EE, and client apps, while keeping Pi Zero as a supported host.
-
----
-
-## Quick Start (Laptop / Dev)
-
-**Requirements:** Docker + Compose v2
-
-```bash
-git clone <your repo> greencoast
-cd greencoast
-cp .env.example .env
-docker compose -f docker-compose.dev.yml up --build
-# Health:
-curl -s http://localhost:8080/healthz
-# Put an object (dev mode allows unauthenticated PUT/GET):
-curl -s -X PUT --data-binary @README.md http://localhost:8080/v1/object
-# -> {"ok":true,"hash":"<sha256>",...}
-curl -s http://localhost:8080/v1/object/<sha256> | head

docker-compose.dev.yml

@@ -6,13 +6,15 @@ services:
       context: .
     container_name: greencoast-shard-dev
     restart: unless-stopped
-    user: "0:0"                      # <-- run as root in dev
+    user: "0:0"
     ports:
-      - "8080:8080"
+      - "8080:8080"   # API
-      - "8081:8081"
+      - "8081:8081"   # reserved
+      - "8082:8082"   # FRONTEND
     environment:
       - GC_DEV_ALLOW_UNAUTH=true
       - GC_DEV_BEARER=dev-local-token
     volumes:
-      - ./data:/var/lib/greencoast   # <-- bind-mount a host folder
+      - ./data:/var/lib/greencoast
       - ./configs/shard.sample.yaml:/app/shard.yaml:ro
+      - ./client:/app/client:ro

docker-compose.yml

@@ -10,9 +10,11 @@ services:
       - "8080:8080"
       - "8081:8081"
     environment:
-      - GC_DEV_ALLOW_UNAUTH=false        # enforce auth path
+      - GC_DEV_ALLOW_UNAUTH=false
     volumes:
       - gc_data:/var/lib/greencoast
       - ./configs/shard.sample.yaml:/app/shard.yaml:ro
+      - ./client:/app/client:ro
+    user: "65532:65532"  # distroless nonroot
 volumes:
   gc_data:

internal/api/http.go

@@ -13,8 +13,10 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -57,8 +59,17 @@ func newHub() *hub { return &hub{subs: make(map[chan []byte]struct{})} }
 
 func (h *hub) subscribe() (ch chan []byte, cancel func()) {
 	ch = make(chan []byte, 16)
-	h.mu.Lock(); h.subs[ch] = struct{}{}; h.mu.Unlock()
+	h.mu.Lock()
-	cancel = func() { h.mu.Lock(); if _, ok := h.subs[ch]; ok { delete(h.subs, ch); close(ch) }; h.mu.Unlock() }
+	h.subs[ch] = struct{}{}
+	h.mu.Unlock()
+	cancel = func() {
+		h.mu.Lock()
+		if _, ok := h.subs[ch]; ok {
+			delete(h.subs, ch)
+			close(ch)
+		}
+		h.mu.Unlock()
+	}
 	return ch, cancel
 }
 func (h *hub) broadcast(ev sseEvent) {
@@ -67,7 +78,10 @@ func (h *hub) broadcast(ev sseEvent) {
 	line = append(line, '\n', '\n')
 	h.mu.Lock()
 	for ch := range h.subs {
-		select { case ch <- line: default: }
+		select {
+		case ch <- line:
+		default:
+		}
 	}
 	h.mu.Unlock()
 }
@@ -93,11 +107,15 @@ type Server struct {
 func New(store *storage.FSStore, idx *index.Index, coarseTimestamps bool, zeroTrust bool, auth AuthProviders) *Server {
 	devAllow := strings.ToLower(os.Getenv("GC_DEV_ALLOW_UNAUTH")) == "true"
 	devToken := os.Getenv("GC_DEV_BEARER")
-	if devToken == "" { devToken = "dev-local-token" }
+	if devToken == "" {
+		devToken = "dev-local-token"
+	}
 
 	sec := make([]byte, 0)
 	if auth.SigningSecretHex != "" {
-		if b, err := hex.DecodeString(auth.SigningSecretHex); err == nil { sec = b }
+		if b, err := hex.DecodeString(auth.SigningSecretHex); err == nil {
+			sec = b
+		}
 	}
 
 	s := &Server{
@@ -116,29 +134,25 @@ func New(store *storage.FSStore, idx *index.Index, coarseTimestamps bool, zeroTr
 	return s
 }
 
-// ---------- middleware helpers (privacy, CORS, auth) ----------
+// ---------- helpers (privacy headers, CORS, util) ----------
 
 func (s *Server) secureHeaders(w http.ResponseWriter) {
-	// Anti-fingerprinting posture: do not echo request details; set strict policies.
+	// Anti-fingerprinting posture
 	w.Header().Set("Referrer-Policy", "no-referrer")
 	w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("X-Frame-Options", "DENY")
 	w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 	w.Header().Set("Cross-Origin-Resource-Policy", "same-site")
-	// CORS: allow simple cross-origin usage without credentials (we do not use cookies).
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 	w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-GC-Private, X-GC-3P-Assent")
 	w.Header().Set("Access-Control-Allow-Methods", "GET, PUT, DELETE, OPTIONS")
-	// No-store by default (content blobs may be large but not user-identifying)
 	w.Header().Set("Cache-Control", "no-store")
-	// HSTS is meaningful over HTTPS; harmless otherwise.
 	w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload")
 }
 
 func (s *Server) with(w http.ResponseWriter, r *http.Request, handler func(http.ResponseWriter, *http.Request)) {
 	s.secureHeaders(w)
-	// Handle CORS preflight
 	if r.Method == http.MethodOptions {
 		w.WriteHeader(http.StatusNoContent)
 		return
@@ -146,30 +160,57 @@ func (s *Server) with(w http.ResponseWriter, r *http.Request, handler func(http.
 	handler(w, r)
 }
 
+func urlq(v string) string { return url.QueryEscape(v) }
+
+// Generic helper must be package-level (methods cannot have type parameters).
+func ternary[T any](cond bool, a, b T) T {
+	if cond {
+		return a
+	}
+	return b
+}
+
+func randHex(n int) string {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		ts := time.Now().UnixNano()
+		for i := 0; i < n; i++ {
+			b[i] = byte(ts >> (8 * (i % 8)))
+		}
+	}
+	return hex.EncodeToString(b)
+}
+
+// ---------- auth middleware ----------
+
 func (s *Server) auth(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		s.secureHeaders(w)
 		if !s.zeroTrust {
-			next.ServeHTTP(w, r); return
+			next.ServeHTTP(w, r)
+			return
 		}
 		authz := r.Header.Get("Authorization")
 
 		// Dev bypass if explicitly enabled
 		if s.devAllow {
 			if authz == "" || authz == "Bearer "+s.devToken {
-				next.ServeHTTP(w, r); return
+				next.ServeHTTP(w, r)
+				return
 			}
 		}
 		if !strings.HasPrefix(authz, "Bearer ") {
-			http.Error(w, "unauthorized", http.StatusUnauthorized); return
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
 		}
 		if len(s.signingSecret) == 0 {
-			// If no signing secret configured, accept presence only (dev posture).
+			next.ServeHTTP(w, r)
-			next.ServeHTTP(w, r); return
+			return
 		}
 		token := strings.TrimPrefix(authz, "Bearer ")
 		if ok := s.verifyShardToken(token); !ok {
-			http.Error(w, "unauthorized", http.StatusUnauthorized); return
+			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			return
 		}
 		next.ServeHTTP(w, r)
 	}
@@ -188,24 +229,26 @@ func (s *Server) signShardToken(provider, subject string, exp time.Time) (string
 	sig := hex.EncodeToString(mac.Sum(nil))
 	return "gc|" + msg + "|" + sig, nil
 }
+
 func (s *Server) verifyShardToken(tok string) bool {
 	parts := strings.Split(tok, "|")
-	if len(parts) != 5 || parts[0] != "gc" { return false }
+	if len(parts) != 5 || parts[0] != "gc" {
+		return false
+	}
 	prov, sub, expStr, sig := parts[1], parts[2], parts[3], parts[4]
+	_ = prov
+	_ = sub
 	msg := prov + "|" + sub + "|" + expStr
 	mac := hmac.New(sha256.New, s.signingSecret)
 	_, _ = mac.Write([]byte(msg))
 	want := hex.EncodeToString(mac.Sum(nil))
-	if !hmac.Equal([]byte(want), []byte(sig)) { return false }
+	if !hmac.Equal([]byte(want), []byte(sig)) {
-	// expiry
+		return false
-	secs, err := time.ParseDuration(expStr + "s")
+	}
-	if err != nil {
+	expUnix, err := strconv.ParseInt(expStr, 10, 64)
-		// expStr is epoch; parse manually
+	if err != nil {
-		epoch, e2 := time.ParseDuration("0s"); _ = epoch; _ = e2
+		return false
 	}
-	// treat expStr as epoch seconds
-	var expUnix int64
-	fmt.Sscan(expStr, &expUnix)
 	return time.Now().UTC().Unix() < expUnix
 }
 
@@ -223,11 +266,15 @@ func (s *Server) routes() {
 	s.mux.HandleFunc("/v1/object", s.auth(func(w http.ResponseWriter, r *http.Request) {
 		s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
 			if r.Method != http.MethodPut {
-				http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return
+				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+				return
 			}
 			isPrivate := strings.TrimSpace(r.Header.Get("X-GC-Private")) == "1"
 			hash, n, err := s.store.Put(r.Body)
-			if err != nil { http.Error(w, err.Error(), http.StatusBadRequest); return }
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusBadRequest)
+				return
+			}
 			ts := s.nowCoarse()
 			_ = s.idx.AppendPut(index.Entry{
 				Hash: hash, Bytes: n, StoredAt: s.parseRFC3339(ts), Private: isPrivate,
@@ -247,15 +294,24 @@ func (s *Server) routes() {
 			case http.MethodGet:
 				hash := strings.TrimPrefix(r.URL.Path, "/v1/object/")
 				p, err := s.store.Get(hash)
-				if err != nil { http.NotFound(w, r); return }
+				if err != nil {
+					http.NotFound(w, r)
+					return
+				}
 				f, err := os.Open(p)
-				if err != nil { http.Error(w, "open error", http.StatusInternalServerError); return }
+				if err != nil {
+					http.Error(w, "open error", http.StatusInternalServerError)
+					return
+				}
 				defer f.Close()
 				w.Header().Set("Content-Type", "application/octet-stream")
 				_, _ = io.Copy(w, f)
 			case http.MethodDelete:
 				hash := strings.TrimPrefix(r.URL.Path, "/v1/object/")
-				if err := s.store.Delete(hash); err != nil { http.NotFound(w, r); return }
+				if err := s.store.Delete(hash); err != nil {
+					http.NotFound(w, r)
+					return
+				}
 				_ = s.idx.AppendDelete(hash)
 				s.live.broadcast(sseEvent{Event: "delete", Data: map[string]any{"hash": hash}})
 				w.Header().Set("Content-Type", "application/json")
@@ -269,9 +325,15 @@ func (s *Server) routes() {
 	// Index snapshot
 	s.mux.HandleFunc("/v1/index", s.auth(func(w http.ResponseWriter, r *http.Request) {
 		s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
-			if r.Method != http.MethodGet { http.Error(w, "method not allowed", http.StatusMethodNotAllowed); return }
+			if r.Method != http.MethodGet {
+				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+				return
+			}
 			entries, err := s.idx.Snapshot()
-			if err != nil { http.Error(w, err.Error(), 500); return }
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+				return
+			}
 			sort.Slice(entries, func(i, j int) bool { return entries[i].StoredAt.After(entries[j].StoredAt) })
 			w.Header().Set("Content-Type", "application/json")
 			_ = json.NewEncoder(w).Encode(entries)
@@ -282,7 +344,10 @@ func (s *Server) routes() {
 	s.mux.HandleFunc("/v1/index/stream", s.auth(func(w http.ResponseWriter, r *http.Request) {
 		s.secureHeaders(w)
 		flusher, ok := w.(http.Flusher)
-		if !ok { http.Error(w, "stream unsupported", http.StatusInternalServerError); return }
+		if !ok {
+			http.Error(w, "stream unsupported", http.StatusInternalServerError)
+			return
+		}
 		w.Header().Set("Content-Type", "text/event-stream")
 		w.Header().Set("Cache-Control", "no-store")
 		w.Header().Set("Connection", "keep-alive")
@@ -290,17 +355,24 @@ func (s *Server) routes() {
 		ch, cancel := s.live.subscribe()
 		defer cancel()
 
-		_, _ = w.Write([]byte(": ok\n\n")); flusher.Flush()
+		_, _ = w.Write([]byte(": ok\n\n"))
-		ticker := time.NewTicker(25 * time.Second); defer ticker.Stop()
+		flusher.Flush()
+		ticker := time.NewTicker(25 * time.Second)
+		defer ticker.Stop()
 		notify := r.Context().Done()
 		for {
 			select {
-			case <-notify: return
+			case <-notify:
+				return
 			case <-ticker.C:
-				_, _ = w.Write([]byte(": ping\n\n")); flusher.Flush()
+				_, _ = w.Write([]byte(": ping\n\n"))
+				flusher.Flush()
 			case msg, ok := <-ch:
-				if !ok { return }
+				if !ok {
-				_, _ = w.Write(msg); flusher.Flush()
+					return
+				}
+				_, _ = w.Write(msg)
+				flusher.Flush()
 			}
 		}
 	}))
@@ -312,7 +384,7 @@ func (s *Server) routes() {
 			_ = json.NewEncoder(w).Encode(map[string]any{
 				"collect_ip":        false,
 				"collect_useragent": false,
-				"timestamp_policy":  s.ternary(s.coarseTS, "coarse-hour", "exact"),
+				"timestamp_policy":  ternary(s.coarseTS, "coarse-hour", "exact"),
 				"stores_pii":        false,
 				"erasure":           "DELETE /v1/object/{hash}",
 				"portability":       "GET /v1/object/{hash}",
@@ -328,10 +400,12 @@ func (s *Server) routes() {
 		s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Set("Content-Type", "application/json")
 			if !s.discord.Enabled {
-				http.Error(w, "discord SSO disabled", http.StatusNotImplemented); return
+				http.Error(w, "discord SSO disabled", http.StatusNotImplemented)
+				return
 			}
 			if !assented(r) {
-				http.Error(w, "third-party assent required (set header X-GC-3P-Assent: 1)", http.StatusPreconditionFailed); return
+				http.Error(w, "third-party assent required (set header X-GC-3P-Assent: 1)", http.StatusPreconditionFailed)
+				return
 			}
 			state := randHex(24)
 			url := "https://discord.com/api/oauth2/authorize" +
@@ -341,7 +415,6 @@ func (s *Server) routes() {
 				"&redirect_uri=" + urlq(s.discord.RedirectURI) +
 				"&prompt=consent" +
 				"&state=" + urlq(state)
-			_ = state // stateless; client returns same state to callback; you can verify in client
 			_ = json.NewEncoder(w).Encode(map[string]any{"url": url, "note": "We cannot vouch for external IdP security."})
 		})
 	})
@@ -352,15 +425,19 @@ func (s *Server) routes() {
 		s.with(w, r, func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Set("Content-Type", "application/json")
 			if !s.discord.Enabled {
-				http.Error(w, "discord SSO disabled", http.StatusNotImplemented); return
+				http.Error(w, "discord SSO disabled", http.StatusNotImplemented)
+				return
 			}
 			if !assented(r) {
-				http.Error(w, "third-party assent required (set header X-GC-3P-Assent: 1)", http.StatusPreconditionFailed); return
+				http.Error(w, "third-party assent required (set header X-GC-3P-Assent: 1)", http.StatusPreconditionFailed)
+				return
 			}
 			code := r.URL.Query().Get("code")
-			if code == "" { http.Error(w, "missing code", 400); return }
+			if code == "" {
+				http.Error(w, "missing code", 400)
+				return
+			}
 
-			// Exchange code -> access_token
 			form := "client_id=" + urlq(s.discord.ClientID) +
 				"&client_secret=" + urlq(s.discord.ClientSecret) +
 				"&grant_type=authorization_code" +
@@ -369,32 +446,46 @@ func (s *Server) routes() {
 			req, _ := http.NewRequest(http.MethodPost, "https://discord.com/api/oauth2/token", strings.NewReader(form))
 			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 			resp, err := http.DefaultClient.Do(req)
-			if err != nil { http.Error(w, "token exchange failed", 502); return }
+			if err != nil {
+				http.Error(w, "token exchange failed", 502)
+				return
+			}
 			defer resp.Body.Close()
-			var tok struct{ AccessToken, TokenType string `json:"access_token","token_type"` }
+			var tok struct {
+				AccessToken string `json:"access_token"`
+				TokenType   string `json:"token_type"`
+			}
 			if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
-				http.Error(w, "invalid token response", 502); return
+				http.Error(w, "invalid token response", 502)
+				return
 			}
 
-			// Fetch user id (PII seen in transit only; not stored)
 			uReq, _ := http.NewRequest(http.MethodGet, "https://discord.com/api/users/@me", nil)
 			uReq.Header.Set("Authorization", tok.TokenType+" "+tok.AccessToken)
 			uResp, err := http.DefaultClient.Do(uReq)
-			if err != nil { http.Error(w, "userinfo failed", 502); return }
+			if err != nil {
+				http.Error(w, "userinfo failed", 502)
+				return
+			}
 			defer uResp.Body.Close()
-			var me struct{ ID string `json:"id"` }
+			var me struct {
+				ID string `json:"id"`
+			}
 			if err := json.NewDecoder(uResp.Body).Decode(&me); err != nil || me.ID == "" {
-				http.Error(w, "userinfo parse failed", 502); return
+				http.Error(w, "userinfo parse failed", 502)
+				return
 			}
 
-			// Issue shard token
 			exp := time.Now().UTC().Add(30 * time.Minute)
 			gcTok, err := s.signShardToken("discord", me.ID, exp)
-			if err != nil { http.Error(w, err.Error(), 500); return }
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+				return
+			}
 
 			_ = json.NewEncoder(w).Encode(map[string]any{
-				"ok": true,
+				"ok":         true,
-				"token": gcTok,
+				"token":      gcTok,
 				"expires_at": exp.Format(time.RFC3339),
 				"disclaimer": "This token is issued after authenticating with a third-party provider (Discord). We cannot vouch for third-party security.",
 			})
@@ -402,57 +493,68 @@ func (s *Server) routes() {
 	})
 }
 
-// ---------- helpers ----------
+// ---------- misc helpers ----------
-
-func (s *Server) nowCoarse() string {
-	ts := time.Now().UTC()
-	if s.coarseTS { ts = ts.Truncate(time.Hour) }
-	return ts.Format(time.RFC3339)
-}
-func (s *Server) parseRFC3339(v string) time.Time { t, _ := time.Parse(time.RFC3339, v); return t }
-
-func (s *Server) ternary[T any](cond bool, a, b T) T { if cond { return a }; return b }
 
 func assented(r *http.Request) bool {
-	if r.Header.Get("X-GC-3P-Assent") == "1" { return true }
+	if r.Header.Get("X-GC-3P-Assent") == "1" {
-	if r.URL.Query().Get("assent") == "1" { return true }
+		return true
+	}
+	if r.URL.Query().Get("assent") == "1" {
+		return true
+	}
 	return false
 }
 
-func randHex(n int) string {
+func (s *Server) nowCoarse() string {
-	b := make([]byte, n)
+	ts := time.Now().UTC()
-	if _, err := rand.Read(b); err != nil {
+	if s.coarseTS {
-		// very unlikely; fall back to timestamp bytes
+		ts = ts.Truncate(time.Hour)
-		ts := time.Now().UnixNano()
-		for i := 0; i < n; i++ { b[i] = byte(ts >> (8 * (i % 8))) }
 	}
-	return hex.EncodeToString(b)
+	return ts.Format(time.RFC3339)
 }
 
-// randReader uses crypto/rand without importing directly to keep imports tidy here.
+func (s *Server) parseRFC3339(v string) time.Time {
-type randReader struct{}
+	t, _ := time.Parse(time.RFC3339, v)
-func (randReader) Read(p []byte) (int, error) { return io.ReadFull(os.OpenFile("/dev/urandom", os.O_RDONLY, 0), p) } // fallback if needed (linux-only)
+	return t
+}
 
 // ----- listeners -----
 
 func (s *Server) ListenHTTP(addr string) error {
 	log.Printf("http listening on %s", addr)
-	server := &http.Server{ Addr: addr, Handler: s.mux, ReadHeaderTimeout: 5 * time.Second }
+	server := &http.Server{
+		Addr:              addr,
+		Handler:           s.mux,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
 	ln, err := net.Listen("tcp", addr)
-	if err != nil { return err }
+	if err != nil {
+		return err
+	}
 	return server.Serve(ln)
 }
 
 func (s *Server) ListenHTTPS(addr, certFile, keyFile string) error {
 	log.Printf("https listening on %s", addr)
-	server := &http.Server{ Addr: addr, Handler: s.mux, ReadHeaderTimeout: 5 * time.Second }
+	server := &http.Server{
+		Addr:              addr,
+		Handler:           s.mux,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
 	return server.ListenAndServeTLS(certFile, keyFile)
 }
 
 func (s *Server) ListenMTLS(addr string, tlsCfg *tls.Config) error {
 	log.Printf("federation mTLS listening on %s", addr)
-	server := &http.Server{ Addr: addr, Handler: s.mux, ReadHeaderTimeout: 5 * time.Second, TLSConfig: tlsCfg }
+	server := &http.Server{
+		Addr:              addr,
+		Handler:           s.mux,
+		ReadHeaderTimeout: 5 * time.Second,
+		TLSConfig:         tlsCfg,
+	}
 	ln, err := tls.Listen("tcp", addr, tlsCfg)
-	if err != nil { return err }
+	if err != nil {
+		return err
+	}
 	return server.Serve(ln)
 }

internal/api/static.go

@@ -1,14 +1,15 @@
 package api
 
 import (
+	"log"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 )
 
-// MountStatic serves files from dir under baseURL. If baseURL == "/", it serves root.
+// Mount static on the API mux (kept for compatibility; still serves under API port if you want)
-// Directory listings are disabled. Unknown paths fall back to index.html (SPA).
 func (s *Server) MountStatic(dir string, baseURL string) {
 	if dir == "" {
 		return
@@ -16,20 +17,46 @@ func (s *Server) MountStatic(dir string, baseURL string) {
 	if baseURL == "" {
 		baseURL = "/"
 	}
-	fs := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	s.mux.Handle(baseURL, s.staticHandler(dir, baseURL))
+	if !strings.HasSuffix(baseURL, "/") {
+		s.mux.Handle(baseURL+"/", s.staticHandler(dir, baseURL))
+	}
+}
+
+// NEW: serve the same static handler on its own port (frontend).
+func (s *Server) ListenFrontendHTTP(addr, dir, baseURL string) error {
+	if dir == "" || addr == "" {
+		return nil
+	}
+	log.Printf("frontend listening on %s (dir=%s base=%s)", addr, dir, baseURL)
+	mx := http.NewServeMux()
+	mx.Handle(baseURL, s.staticHandler(dir, baseURL))
+	if !strings.HasSuffix(baseURL, "/") {
+		mx.Handle(baseURL+"/", s.staticHandler(dir, baseURL))
+	}
+	server := &http.Server{
+		Addr:              addr,
+		Handler:           mx,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
+	return server.ListenAndServe()
+}
+
+func (s *Server) staticHandler(dir, baseURL string) http.Handler {
+	if baseURL == "" {
+		baseURL = "/"
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		s.secureHeaders(w)
-		// normalize path inside dir
 		up := strings.TrimPrefix(r.URL.Path, baseURL)
 		if up == "" || strings.HasSuffix(r.URL.Path, "/") {
 			up = "index.html"
 		}
 		full := filepath.Join(dir, filepath.FromSlash(up))
-		// prevent path escape
 		if !strings.HasPrefix(filepath.Clean(full), filepath.Clean(dir)) {
 			http.NotFound(w, r)
 			return
 		}
-		// serve if exists, else SPA fallback
 		if st, err := os.Stat(full); err == nil && !st.IsDir() {
 			http.ServeFile(w, r, full)
 			return
@@ -41,14 +68,4 @@ func (s *Server) MountStatic(dir string, baseURL string) {
 		}
 		http.NotFound(w, r)
 	})
-	// Root or subpath
-	if baseURL == "/" {
-		s.mux.Handle("/", fs)
-	} else {
-		if !strings.HasSuffix(baseURL, "/") {
-			baseURL += "/"
-		}
-		s.mux.Handle(baseURL, fs)
-		s.mux.Handle(baseURL+"", fs) // ensure exact mount works
-	}
 }

internal/config/config.go

@@ -26,9 +26,10 @@ type Config struct {
 		ClientCAFile string `yaml:"client_ca_file"`
 	} `yaml:"federation"`
 	UI struct {
-		Enable  bool   `yaml:"enable"`
+		Enable       bool   `yaml:"enable"`
-		Path    string `yaml:"path"`
+		Path         string `yaml:"path"`
-		BaseURL string `yaml:"base_url"`
+		BaseURL      string `yaml:"base_url"`
+		FrontendHTTP string `yaml:"frontend_http"` // NEW
 	} `yaml:"ui"`
 	Storage struct {
 		Backend     string `yaml:"backend"`

internal/storage/fsstore.go

@@ -1,83 +1,95 @@
-package config
+package storage
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"io"
 	"os"
-
+	"path/filepath"
-	"gopkg.in/yaml.v3"
 )
 
-type Config struct {
+type FSStore struct {
-	ShardID string `yaml:"shard_id"`
+	root       string
-	Listen  struct {
+	maxObjectB int64
-		HTTP  string `yaml:"http"`
-		HTTPS string `yaml:"https"`
-		WS    string `yaml:"ws"`
-	} `yaml:"listen"`
-	TLS struct {
-		Enable   bool   `yaml:"enable"`
-		CertFile string `yaml:"cert_file"`
-		KeyFile  string `yaml:"key_file"`
-	} `yaml:"tls"`
-	Federation struct {
-		MTLSEnable   bool   `yaml:"mtls_enable"`
-		Listen       string `yaml:"listen"`
-		CertFile     string `yaml:"cert_file"`
-		KeyFile      string `yaml:"key_file"`
-		ClientCAFile string `yaml:"client_ca_file"`
-	} `yaml:"federation"`
-	Storage struct {
-		Backend     string `yaml:"backend"`
-		Path        string `yaml:"path"`
-		MaxObjectKB int    `yaml:"max_object_kb"`
-	} `yaml:"storage"`
-	Security struct {
-		ZeroTrust                bool   `yaml:"zero_trust"`
-		RequireMTLSForFederation bool   `yaml:"require_mtls_for_federation"`
-		AcceptClientSignedTokens bool   `yaml:"accept_client_signed_tokens"`
-		LogLevel                 string `yaml:"log_level"`
-	} `yaml:"security"`
-	Privacy struct {
-		RetainIP         string `yaml:"retain_ip"`
-		RetainUserAgent  string `yaml:"retain_user_agent"`
-		RetainTimestamps string `yaml:"retain_timestamps"`
-	} `yaml:"privacy"`
-	Auth struct {
-		SigningSecret string `yaml:"signing_secret"`
-		SSO           struct {
-			Discord struct {
-				Enabled      bool   `yaml:"enabled"`
-				ClientID     string `yaml:"client_id"`
-				ClientSecret string `yaml:"client_secret"`
-				RedirectURI  string `yaml:"redirect_uri"`
-			} `yaml:"discord"`
-			Google struct {
-				Enabled      bool   `yaml:"enabled"`
-				ClientID     string `yaml:"client_id"`
-				ClientSecret string `yaml:"client_secret"`
-				RedirectURI  string `yaml:"redirect_uri"`
-			} `yaml:"google"`
-			Facebook struct {
-				Enabled      bool   `yaml:"enabled"`
-				ClientID     string `yaml:"client_id"`
-				ClientSecret string `yaml:"client_secret"`
-				RedirectURI  string `yaml:"redirect_uri"`
-			} `yaml:"facebook"`
-		} `yaml:"sso"`
-		TwoFactor struct {
-			WebAuthnEnabled bool `yaml:"webauthn_enabled"`
-			TOTPEnabled     bool `yaml:"totp_enabled"`
-		} `yaml:"two_factor"`
-	} `yaml:"auth"`
 }
 
-func Load(path string) (*Config, error) {
+func NewFSStore(root string, maxKB int) (*FSStore, error) {
-	b, err := os.ReadFile(path)
+	if root == "" {
-	if err != nil {
+		root = "./data/objects"
+	}
+	if err := os.MkdirAll(root, 0o755); err != nil {
 		return nil, err
 	}
-	var c Config
+	return &FSStore{root: root, maxObjectB: int64(maxKB) * 1024}, nil
-	if err := yaml.Unmarshal(b, &c); err != nil {
+}
-		return nil, err
+
-	}
+func (s *FSStore) Put(r io.Reader) (string, int64, error) {
-	return &c, nil
+	h := sha256.New()
+	tmp := filepath.Join(s.root, ".tmp")
+	_ = os.MkdirAll(tmp, 0o755)
+	f, err := os.CreateTemp(tmp, "obj-*")
+	if err != nil {
+		return "", 0, err
+	}
+	defer f.Close()
+
+	var n int64
+	buf := make([]byte, 32*1024)
+	for {
+		m, er := r.Read(buf)
+		if m > 0 {
+			n += int64(m)
+			if s.maxObjectB > 0 && n > s.maxObjectB {
+				return "", 0, errors.New("object too large")
+			}
+			_, _ = h.Write(buf[:m])
+			if _, werr := f.Write(buf[:m]); werr != nil {
+				return "", 0, werr
+			}
+		}
+		if er == io.EOF {
+			break
+		}
+		if er != nil {
+			return "", 0, er
+		}
+	}
+	sum := hex.EncodeToString(h.Sum(nil))
+	dst := filepath.Join(s.root, sum[:2], sum[2:4], sum)
+	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
+		return "", 0, err
+	}
+	if err := os.Rename(f.Name(), dst); err != nil {
+		return "", 0, err
+	}
+	return sum, n, nil
+}
+
+func (s *FSStore) pathFor(hash string) string {
+	return filepath.Join(s.root, hash[:2], hash[2:4], hash)
+}
+
+func (s *FSStore) Get(hash string) (string, error) {
+	if len(hash) < 4 {
+		return "", os.ErrNotExist
+	}
+	p := s.pathFor(hash)
+	if _, err := os.Stat(p); err != nil {
+		return "", err
+	}
+	return p, nil
+}
+
+func (s *FSStore) Delete(hash string) error {
+	if len(hash) < 4 {
+		return os.ErrNotExist
+	}
+	p := s.pathFor(hash)
+	if err := os.Remove(p); err != nil {
+		return err
+	}
+	_ = os.Remove(filepath.Dir(p))
+	_ = os.Remove(filepath.Dir(filepath.Dir(p)))
+	return nil
 }