storage.write() returns a boolean success flag, but the result is ignored here. If the write fails (permissions, full disk, read-only DATA_ROOT), seededHtml is still set to true and the code continues, which can leave the server with a public root ACL but no index page. Check the return value and fail/abort seeding (and avoid creating /.acl) when the index write fails.

The seeded root ACL is built inline as JSON-LD. Since the codebase already has ACL generators (e.g., generatePublicReadAcl / serializeAcl in src/wac/parser.js), consider using those here to avoid duplicating ACL JSON structure and to keep future ACL schema changes centralized.

storage.write() success is ignored when writing /.acl (and later index.html.acl). If either write fails, the server can end up in a partially-seeded state that’s hard to debug. Capture the return value(s) and log/throw on failure so startup clearly reports that the landing page/ACLs could not be installed.

The onReady seeding hook logs only err.message, which drops stack/context that would be useful for diagnosing startup seeding failures (e.g., missing package.json, permission issues). Log the full error object (or include err.stack) so operators can troubleshoot why seeding didn’t run.

The “Create a pod” button points at /.account/new, but there doesn’t appear to be any route registered for /.account/* (IdP registration is exposed as /idp/register). This link will 404 in multi-user+IdP mode; update it to the actual registration / pod-creation entry point (and consider linking “Sign in” to /idp rather than the OIDC /idp/auth endpoint).

JSDoc says seedServerRoot returns Promise<{seeded: boolean}>, but the function actually returns { seededHtml, seededAcl }. Update the return type (and/or property names) so the doc matches the real API.

seedServerRoot() runs even when the server is configured in read-only mode (options.readOnly). In that mode, startup should not mutate DATA_ROOT; otherwise a read-only deployment can still create/modify /index.html and ACL files. Consider skipping this hook entirely when options.readOnly is true (or passing a flag into seedServerRoot and returning early).

This file duplicates ACL generation logic (publicReadAcl) and includes a misleading comment that “existing WAC generators all require an owner WebID”. The codebase already has generatePublicReadAcl(resourceUrl) in src/wac/parser.js, which produces the same public-read rule without an owner. Reusing it would reduce duplication and keep ACL formatting consistent with the rest of the server.

This test suite mutates the global process.env.DATA_ROOT via createServer({ root: DATA_DIR }) (server.js sets the env var). It is never restored, so subsequent test files that rely on the default ./data directory (e.g. via startTestServer() emptying ./data) can start using a removed directory instead, causing cross-test interference/flakiness. Capture the previous value before starting this dedicated server and restore it in after() (and consider resetting to undefined if it was unset).

The landing page feature list omits the terminal feature flag even though the server supports options.terminal (and other features are listed). This means the UI can incorrectly report enabled features. Add a terminal entry (and any other intended flags) in listFeatures() so the landing page accurately reflects the configured server capabilities.

Mode-specific rendering is implemented in renderActions() (e.g. “Create a pod”/“Sign in” buttons), but the added tests only assert generic text and don’t verify these mode-dependent outputs. Adding a few unit tests for renderServerRoot() with different ctx combinations (multi-user+IdP, single-user+IdP, etc.) would lock in the behavior described in the PR.

Seeding is skipped entirely if reading/parsing package.json fails, because seedServerRoot(...) is inside the try block. In deployments where package.json isn’t present/readable (e.g. some production bundles), this prevents the root landing page/ACL from being created. Consider calling seedServerRoot even when version lookup fails (default version to "unknown" on read/parse errors) and only log a warning about the version read failure.

String.prototype.replace treats $&, $1, etc. in the replacement string as special substitution patterns. Since subtitle (and potentially other interpolated values) can include user-configurable data like singleUserName, values containing $ (e.g. $&) will be mangled during the template replacement. Use a replacer function (e.g. replace(/{{subtitle}}/g, () => subtitle)) or escape $ in replacement values before calling replace to ensure literal output.