sx/current/CHECKPOINT-HTTPZ.md
2026-06-27 12:47:30 +03:00

CHECKPOINT-HTTPZ — Stream HTTPZ (production HTTP-server readiness)

Tracker for the HTTP-server production-readiness stream. Plan: PLAN-HTTPZ.md. Update after every step.

Last completed step

Stream established (planning only). Audited the existing HTTP/socket/thread/event stack against the user's production-readiness checklist and wrote PLAN-HTTPZ.md + this checkpoint. No code changed. Prior HTTP work (socket S2, thread S6, http S7a, pool S7b) shipped without a tracked plan; this brings the stream under checkpoint discipline.

Current state

  • Done & Linux-validated (do NOT rebuild): event.sx (epoll+kqueue, 6/6 green on real aarch64 Linux in Apple container), net/epoll.sx, net/kqueue.sx, sched.sx M:1 runtime, json.sx.
  • BROKEN on Linux (Phase C3 keystone):
    • socket.sx — Darwin-only SockAddr (sin_len), O_NONBLOCK=4, macOS errno values, __error binding. Corrupts addresses and breaks WouldBlock detection on Linux.
    • thread.sx — MutexBuf=64B (Darwin) vs glibc 40B → 24-byte heap overflow on pthread_mutex_init. Pool unsafe on Linux.
  • Works, unhardened — http.sx: single-worker loop + inline/pool handlers, keep-alive, delivery timeouts, conn/request caps, 400/413/431/503. Gaps: parser limits, Server.close() leaks (conns/PoolState/done), no graceful stop, no handler-exec timeout, zero observability, no streaming.
  • Absent entirely: CI (no Linux CI), fuzz, sanitizers/leak-check (tests/stress-http.sh broken — references deleted 32-http-server.sx), releases/tags, SECURITY.md, deploy docs, routing/form helpers. TLS: none yet — to be added natively via mbedTLS FFI (Phase T).

Full grounded audit (file:line) lives in PLAN-HTTPZ.md "Audit of record".

Next step

Phase C3a — socket.sx per-OS selection. Branch SockAddr, O_NONBLOCK, the errno constants, and errno_slot on OS/ARCH (mirror the inline `if OS ==` pattern already used in event.sx/sched.sx). Lock a Linux-vs-Darwin layout/const assertion red (cadence rule), then flip it green; validate under the Apple container Linux VM. No silent fallback defaults.
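As an added illustration (C, not the project's sx code) of the layout/const assertion this step calls for: a per-OS table of the FFI facts socket.sx and thread.sx hard-code, checked against the headers of the host it is compiled on. The `ffi_abi` struct, the `MIS_*` flags, the two table rows and both function names are assumptions of this example; the row values are taken from the macOS and x86_64 glibc headers.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stddef.h>
#include <sys/socket.h>

/* Bitmask of host-vs-table disagreements reported by abi_mismatch(). */
enum { MIS_FAMILY_OFF = 1, MIS_NONBLOCK = 2, MIS_EAGAIN = 4,
       MIS_EINPROGRESS = 8, MIS_MUTEX_TOO_SMALL = 16 };

/* One row of hard-coded FFI facts, as socket.sx/thread.sx would carry per OS. */
struct ffi_abi {
    const char *name;
    size_t sin_family_offset; /* 1 on Darwin (after sin_len), 0 on Linux */
    int o_nonblock;           /* fcntl flag for non-blocking sockets */
    int eagain;               /* WouldBlock detection hinges on this */
    int einprogress;          /* non-blocking connect() in flight */
    size_t mutex_buf;         /* bytes reserved for one pthread_mutex_t */
};
/* Hypothetical tables (constructed from the macOS and x86_64 glibc headers). */
static const struct ffi_abi ABI_DARWIN       = { "darwin",       1, 0x4,   35,  36, 64 };
static const struct ffi_abi ABI_LINUX_X86_64 = { "linux-x86_64", 0, 0x800, 11, 115, 40 };

/* Compare a table against the headers of the host this file is compiled on.
 * 0 means the table matches; any set bit is a silently-wrong FFI constant. */
unsigned abi_mismatch(const struct ffi_abi *t) {
    unsigned m = 0;
    if (t->sin_family_offset != offsetof(struct sockaddr_in, sin_family)) m |= MIS_FAMILY_OFF;
    if (t->o_nonblock != O_NONBLOCK) m |= MIS_NONBLOCK;
    if (t->eagain != EAGAIN) m |= MIS_EAGAIN;
    if (t->einprogress != EINPROGRESS) m |= MIS_EINPROGRESS;
    /* A buffer smaller than the host's mutex means pthread_mutex_init writes
     * past its end: the heap-overflow class the checkpoint flags in thread.sx. */
    if (t->mutex_buf < sizeof(pthread_mutex_t)) m |= MIS_MUTEX_TOO_SMALL;
    return m;
}

/* How an address written with Darwin's layout reads on the host: sin_len=16
 * at byte 0 and AF_INET at byte 1 land in Linux's 16-bit sin_family, which
 * then reads as 0x0210 (little-endian), not AF_INET, so bind()/connect() fail. */
int sin_family_seen_when_built_darwin_style(void) {
    struct sockaddr_in sa = {0};
    unsigned char *raw = (unsigned char *)&sa;
    raw[0] = (unsigned char)sizeof sa; /* Darwin sin_len */
    raw[1] = AF_INET;                  /* Darwin sin_family */
    return sa.sin_family;
}
```

Compiled on Linux, the Darwin row trips the sin_family, O_NONBLOCK and EAGAIN bits, which is the red assertion this step wants before the per-OS branch turns it green.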

NOT STARTED — user requested plan-only this session. Execution begins next session.

Known issues / capability gaps

  • socket.sx / thread.sx Linux-broken (above) — blocks all Linux P0 acceptance.
  • No CI of any kind in the repo → "tested on Linux" cannot be claimed until C4.
  • Corpus runner (10s/example timeout, no net sandbox) cannot host stress/fuzz/load — those go in separate CI-wired scripts (PLAN decision).
  • http.sx Server.close() leaks on shutdown (H2).
  • No handler-execution timeout in either handler mode (H5).

Decisions (HTTPZ specifics — full list in PLAN-HTTPZ.md)

  • Native TLS via an mbedTLS FFI binding (Phase T) — supersedes the original proxy-only posture; proxy deployment stays supported/documented. No pure-sx TLS stack.
  • Transfer-Encoding: chunked rejected (501) in H1, implemented in S1/S2.
  • Stress/fuzz/load harnesses live outside the corpus, wired into CI.
  • C3 branching bails loudly on unhandled OS/arch arms — no Darwin-default fallback.

Log

  • 2026-06-26 — Stream established. Parallel audit of http.sx, socket.sx, thread.sx, event.sx, net/epoll.sx, net/kqueue.sx, sched.sx, the test/CI/bench infra, and the docs/release/security posture against the production-readiness checklist. Wrote PLAN-HTTPZ.md (phases C/H/S/D mapping checklist P0/P1/P2) + this checkpoint. No code changes. Next: Phase C3a.
  • 2026-06-26 — Added Phase T (native TLS via mbedTLS FFI) to PLAN-HTTPZ.md, slotted after Phase H; flipped the proxy-only decision to native-TLS-plus-proxy; updated D1. Backend chosen: mbedTLS (static-link-friendly, clean non-blocking API). Still plan-only.