# CHECKPOINT-HTTPZ — Stream HTTPZ (production HTTP-server readiness)

Tracker for the HTTP-server production-readiness stream. Plan: [PLAN-HTTPZ.md](PLAN-HTTPZ.md). Update after every step.

## Last completed step

**Stream established (planning only).** Audited the existing HTTP/socket/thread/event stack against the user's production-readiness checklist and wrote [PLAN-HTTPZ.md](PLAN-HTTPZ.md) + this checkpoint. **No code changed.**

Prior HTTP work (socket `S2`, thread `S6`, http `S7a`, pool `S7b`) shipped without a tracked plan; this brings the stream under checkpoint discipline.

## Current state

- **Done & Linux-validated (do NOT rebuild):** `event.sx` (epoll+kqueue, 6/6 green on real aarch64 Linux in Apple `container`), `net/epoll.sx`, `net/kqueue.sx`, `sched.sx` M:1 runtime, `json.sx`.
- **BROKEN on Linux (Phase C3 keystone):**
  - `socket.sx` — Darwin-only `SockAddr` (`sin_len`), `O_NONBLOCK=4`, macOS errno values, `__error` binding. Corrupts addresses and breaks WouldBlock detection on Linux.
  - `thread.sx` — `MutexBuf=64B` (Darwin) vs glibc 40B → 24-byte heap overflow on `pthread_mutex_init`. Pool unsafe on Linux.
- **Works, unhardened — `http.sx`:** single-worker loop + inline/pool handlers, keep-alive, delivery timeouts, conn/request caps, 400/413/431/503. Gaps: parser limits, `Server.close()` leaks (`conns`/`PoolState`/`done`), no graceful stop, no handler-exec timeout, zero observability, no streaming.
- **Absent entirely:** CI (no Linux CI), fuzz, sanitizers/leak-check (`tests/stress-http.sh` broken — references deleted `32-http-server.sx`), releases/tags, SECURITY.md, deploy docs, routing/form helpers.

**TLS:** none yet — to be added natively via mbedTLS FFI (Phase T).

Full grounded audit (file:line) lives in PLAN-HTTPZ.md "Audit of record".

## Next step

**Phase C3a — `socket.sx` per-OS selection.** Branch `SockAddr`, `O_NONBLOCK`, errno constants, and `errno_slot` on `OS`/`ARCH` (mirror the `inline if OS ==` pattern in `event.sx`/`sched.sx`). Lock a Linux-vs-Darwin layout/const assertion red (cadence rule), then flip green; validate under the Apple `container` Linux VM. No silent fallback defaults.

> **NOT STARTED** — user requested plan-only this session. Execution begins next session.

## Known issues / capability gaps

- `socket.sx` / `thread.sx` Linux-broken (above) — blocks all Linux P0 acceptance.
- No CI of any kind in the repo → "tested on Linux" cannot be claimed until C4.
- Corpus runner (10s/example timeout, no net sandbox) cannot host stress/fuzz/load — those go in separate CI-wired scripts (PLAN decision).
- `http.sx` `Server.close()` leaks on shutdown (H2).
- No handler-execution timeout in either handler mode (H5).

## Decisions (HTTPZ specifics — full list in PLAN-HTTPZ.md)

- Native TLS via an mbedTLS FFI binding (Phase T) — supersedes the original proxy-only posture; proxy deployment stays supported/documented. No pure-sx TLS stack.
- `Transfer-Encoding: chunked` rejected (501) in H1, implemented in S1/S2.
- Stress/fuzz/load harnesses live outside the corpus, wired into CI.
- C3 branching bails loudly on unhandled OS/arch arms — no Darwin-default fallback.

## Log

- **2026-06-26** — Stream established. Parallel audit of `http.sx`, `socket.sx`, `thread.sx`, `event.sx`, `net/epoll.sx`, `net/kqueue.sx`, `sched.sx`, the test/CI/bench infra, and the docs/release/security posture against the production-readiness checklist. Wrote PLAN-HTTPZ.md (phases C/H/S/D mapping checklist P0/P1/P2) + this checkpoint. No code changes. Next: Phase C3a.
- **2026-06-26** — Added **Phase T (native TLS via mbedTLS FFI)** to PLAN-HTTPZ.md, slotted after Phase H; flipped the proxy-only decision to native-TLS-plus-proxy; updated D1. Backend chosen: mbedTLS (static-link-friendly, clean non-blocking API). Still plan-only.
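The C3a layout/constant assertion from "Next step", as an added C illustration (not the project's `.sx` code): a per-OS expectation table mirroring the `inline if OS ==` branching, checked against the host's real headers so a wrong arm goes red instead of silently inheriting Darwin values. The Linux numbers assume a 64-bit glibc/musl target; the field names are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Per-OS ABI facts socket.sx / thread.sx must encode (64-bit Linux glibc/musl
 * vs Darwin). Added illustration, not the project's own definitions. */
struct abi_expect {
    int    o_nonblock;        /* fcntl(F_SETFL) flag value */
    int    eagain;            /* errno meaning "would block" */
    size_t mutex_bytes;       /* sizeof(pthread_mutex_t): the MutexBuf size */
    size_t sin_family_off;    /* 1 on Darwin (sin_len comes first), 0 on Linux */
    size_t sockaddr_in_bytes;
};

static struct abi_expect abi_expect_darwin(void) { return (struct abi_expect){ 4, 35, 64, 1, 16 }; }
static struct abi_expect abi_expect_linux(void)  { return (struct abi_expect){ 04000, 11, 40, 0, 16 }; }

/* Select the arm for the compile target; an unhandled target fails the build
 * instead of silently inheriting the Darwin values. */
static struct abi_expect abi_expect_host(void) {
#if defined(__APPLE__)
    return abi_expect_darwin();
#elif defined(__linux__)
    return abi_expect_linux();
#else
#error "unhandled OS: add an explicit abi_expect arm"
#endif
}

/* Check a table against the host's real headers.
 * Returns the number of mismatching fields; 0 means this arm is green. */
int abi_mismatch_count_for(struct abi_expect e) {
    int bad = 0;
    bad += (e.o_nonblock != O_NONBLOCK);
    bad += (e.eagain != EAGAIN);
    bad += (e.mutex_bytes != sizeof(pthread_mutex_t));
    bad += (e.sin_family_off != offsetof(struct sockaddr_in, sin_family));
    bad += (e.sockaddr_in_bytes != sizeof(struct sockaddr_in));
    return bad;
}

int main(void) {
    printf("host table mismatches: %d\n", abi_mismatch_count_for(abi_expect_host()));
    return 0;
}
```

On a Linux host the Darwin arm shows four mismatches (flag value, errno, mutex size, `sin_family` offset), which is exactly the breakage the C3 audit attributes to the current Darwin-only bindings.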