...

current/CHECKPOINT-HTTPZ.md

@@ -0,0 +1,62 @@
+# CHECKPOINT-HTTPZ — Stream HTTPZ (production HTTP-server readiness)
+
+Tracker for the HTTP-server production-readiness stream. Plan:
+[PLAN-HTTPZ.md](PLAN-HTTPZ.md). Update after every step.
+
+## Last completed step
+**Stream established (planning only).** Audited the existing HTTP/socket/thread/event
+stack against the user's production-readiness checklist and wrote
+[PLAN-HTTPZ.md](PLAN-HTTPZ.md) + this checkpoint. **No code changed.** Prior HTTP work
+(socket `S2`, thread `S6`, http `S7a`, pool `S7b`) shipped without a tracked plan; this
+brings the stream under checkpoint discipline.
+
+## Current state
+- **Done & Linux-validated (do NOT rebuild):** `event.sx` (epoll+kqueue, 6/6 green on real
+  aarch64 Linux in Apple `container`), `net/epoll.sx`, `net/kqueue.sx`, `sched.sx` M:1
+  runtime, `json.sx`.
+- **BROKEN on Linux (Phase C3 keystone):**
+  - `socket.sx` — Darwin-only `SockAddr` (`sin_len`), `O_NONBLOCK=4`, macOS errno values,
+    `__error` binding. Corrupts addresses + breaks WouldBlock detection on Linux.
+  - `thread.sx` — `MutexBuf=64B` (Darwin) vs glibc 40B → 24-byte heap overflow on
+    `pthread_mutex_init`. Pool unsafe on Linux.
+- **Works, unhardened — `http.sx`:** single-worker loop + inline/pool handlers, keep-alive,
+  delivery timeouts, conn/request caps, 400/413/431/503. Gaps: parser limits, `Server.close()`
+  leaks (`conns`/`PoolState`/`done`), no graceful stop, no handler-exec timeout, zero
+  observability, no streaming.
+- **Absent entirely:** CI (no Linux CI), fuzz, sanitizers/leak-check (`tests/stress-http.sh`
+  broken — references deleted `32-http-server.sx`), releases/tags, SECURITY.md, deploy docs,
+  routing/form helpers. **TLS:** none yet — to be added natively via mbedTLS FFI (Phase T).
+
+Full grounded audit (file:line) lives in PLAN-HTTPZ.md "Audit of record".
+
+## Next step
+**Phase C3a — `socket.sx` per-OS selection.** Branch `SockAddr`, `O_NONBLOCK`, errno
+constants, and `errno_slot` on `OS`/`ARCH` (mirror the `inline if OS ==` pattern in
+`event.sx`/`sched.sx`). Lock a Linux-vs-Darwin layout/const assertion red (cadence rule),
+then flip green; validate under the Apple `container` Linux VM. No silent fallback defaults.
+> **NOT STARTED** — user requested plan-only this session. Execution begins next session.
+
+## Known issues / capability gaps
+- `socket.sx` / `thread.sx` Linux-broken (above) — blocks all Linux P0 acceptance.
+- No CI of any kind in the repo → "tested on Linux" cannot be claimed until C4.
+- Corpus runner (10s/example timeout, no net sandbox) cannot host stress/fuzz/load — those
+  go in separate CI-wired scripts (PLAN decision).
+- `http.sx` `Server.close()` leaks on shutdown (H2).
+- No handler-execution timeout in either handler mode (H5).
+
+## Decisions (HTTPZ specifics — full list in PLAN-HTTPZ.md)
+- Native TLS via an mbedTLS FFI binding (Phase T) — supersedes the original proxy-only
+  posture; proxy deployment stays supported/documented. No pure-sx TLS stack.
+- `Transfer-Encoding: chunked` rejected (501) in H1, implemented in S1/S2.
+- Stress/fuzz/load harnesses live outside the corpus, wired into CI.
+- C3 branching bails loudly on unhandled OS/arch arms — no Darwin-default fallback.
+
+## Log
+- **2026-06-26** — Stream established. Parallel audit of `http.sx`, `socket.sx`,
+  `thread.sx`, `event.sx`, `net/epoll.sx`, `net/kqueue.sx`, `sched.sx`, the test/CI/bench
+  infra, and the docs/release/security posture against the production-readiness checklist.
+  Wrote PLAN-HTTPZ.md (phases C/H/S/D mapping checklist P0/P1/P2) + this checkpoint.
+  No code changes. Next: Phase C3a.
+- **2026-06-26** — Added **Phase T (native TLS via mbedTLS FFI)** to PLAN-HTTPZ.md, slotted
+  after Phase H; flipped the proxy-only decision to native-TLS-plus-proxy; updated D1.
+  Backend chosen: mbedTLS (static-link-friendly, clean non-blocking API). Still plan-only.