@rip-lang/server 1.3.111 → 1.3.113

package/acme/client.rip

@@ -0,0 +1,138 @@
+# ==============================================================================
+# acme/client.rip — RFC 8555 ACME protocol client (zero dependencies)
+# ==============================================================================
+
+import { signJws, thumbprint } from './crypto.rip'
+
+LETS_ENCRYPT = 'https://acme-v02.api.letsencrypt.org/directory'
+LETS_ENCRYPT_STAGING = 'https://acme-staging-v02.api.letsencrypt.org/directory'
+
+export { LETS_ENCRYPT, LETS_ENCRYPT_STAGING }
+
+# --- Nonce management ---
+
+getNonce = (client) ->
+  if client.nonces.length > 0
+    return client.nonces.pop()
+  res = fetch!(client.directory.newNonce, { method: 'HEAD' })
+  res.headers.get('replay-nonce')
+
+saveNonce = (client, res) ->
+  nonce = res.headers.get('replay-nonce')
+  client.nonces.push(nonce) if nonce
+
+# --- Signed request ---
+
+acmeRequest = (client, url, payload, retryCount = 0) ->
+  nonce = getNonce!(client)
+  body = signJws(payload, url, nonce, client.accountKey, client.publicJwk, client.kid)
+  res = fetch! url,
+    method: 'POST'
+    headers: { 'content-type': 'application/jose+json' }
+    body: body
+  saveNonce(client, res)
+
+  if res.status >= 400
+    errBody = try res.json!
+    # Retry once on badNonce (RFC 8555 Section 6.5)
+    if errBody?.type is 'urn:ietf:params:acme:error:badNonce' and retryCount < 1
+      return acmeRequest!(client, url, payload, retryCount + 1)
+    throw new Error("ACME error #{res.status}: #{errBody?.detail or res.statusText}")
+
+  location = res.headers.get('location')
+  contentType = res.headers.get('content-type') or ''
+
+  data = if contentType.includes('json')
+    res.json!
+  else
+    res.text!
+
+  { data, location, status: res.status, headers: res.headers }
+
+# --- Client lifecycle ---
+
+export createClient = (directoryUrl) ->
+  directoryUrl = directoryUrl or LETS_ENCRYPT
+  res = fetch!(directoryUrl)
+  directory = res.json!
+  {
+    directoryUrl
+    directory
+    accountKey: null
+    publicJwk: null
+    kid: null
+    nonces: []
+  }
+
+export setAccountKey = (client, privateKey, publicJwk) ->
+  client.accountKey = privateKey
+  client.publicJwk = publicJwk
+  client
+
+# --- Account ---
+
+export newAccount = (client) ->
+  { data, location } = acmeRequest! client, client.directory.newAccount,
+    termsOfServiceAgreed: true
+  client.kid = location
+  { accountUrl: location, account: data }
+
+# --- Order ---
+
+export newOrder = (client, domains) ->
+  identifiers = domains.map((d) -> { type: 'dns', value: d })
+  { data, location } = acmeRequest! client, client.directory.newOrder, { identifiers }
+  { orderUrl: location, order: data }
+
+export getAuthorization = (client, authUrl) ->
+  { data } = acmeRequest! client, authUrl, ''
+  data
+
+export getHttp01Challenge = (auth) ->
+  auth.challenges.find((c) -> c.type is 'http-01')
+
+export keyAuthorization = (token, publicJwk) ->
+  "#{token}.#{thumbprint(publicJwk)}"
+
+export respondToChallenge = (client, challengeUrl) ->
+  { data } = acmeRequest! client, challengeUrl, {}
+  data
+
+# --- Polling ---
+
+export pollOrderStatus = (client, orderUrl, maxAttempts = 30, intervalMs = 2000) ->
+  for i in [0...maxAttempts]
+    { data } = acmeRequest! client, orderUrl, ''
+    return data if data.status is 'valid'
+    return data if data.status is 'invalid'
+    throw new Error("ACME order failed: #{data.status}") if data.status in ['expired', 'revoked', 'deactivated']
+    await new Promise (r) -> setTimeout(r, intervalMs)
+  throw new Error('ACME order timed out waiting for validation')
+
+export pollAuthorizationStatus = (client, authUrl, maxAttempts = 30, intervalMs = 2000) ->
+  for i in [0...maxAttempts]
+    { data } = acmeRequest! client, authUrl, ''
+    return data if data.status is 'valid'
+    throw new Error("ACME authorization failed: #{data.status}") if data.status is 'invalid'
+    await new Promise (r) -> setTimeout(r, intervalMs)
+  throw new Error('ACME authorization timed out')
+
+# --- Finalize and download ---
+
+export finalizeOrder = (client, finalizeUrl, csrB64url) ->
+  { data } = acmeRequest! client, finalizeUrl, { csr: csrB64url }
+  data
+
+export downloadCert = (client, certUrl) ->
+  nonce = getNonce!(client)
+  body = signJws('', certUrl, nonce, client.accountKey, client.publicJwk, client.kid)
+  res = fetch! certUrl,
+    method: 'POST'
+    headers:
+      'content-type': 'application/jose+json'
+      'accept': 'application/pem-certificate-chain'
+    body: body
+  saveNonce(client, res)
+  if res.status >= 400
+    throw new Error("ACME cert download failed: #{res.status}")
+  res.text!

package/acme/crypto.rip

@@ -0,0 +1,130 @@
+# ==============================================================================
+# acme/crypto.rip — ACME protocol crypto helpers (zero dependencies)
+# ==============================================================================
+
+import { generateKeyPairSync, createSign, createHash, createPrivateKey } from 'node:crypto'
+import { existsSync, readFileSync, writeFileSync, mkdirSync, mkdtempSync, rmSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join, dirname } from 'node:path'
+
+# --- Base64url ---
+
+export b64url = (buf) ->
+  s = if typeof buf is 'string' then Buffer.from(buf).toString('base64') else Buffer.from(buf).toString('base64')
+  s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+
+b64urlBuf = (buf) -> b64url(buf)
+
+# --- Key generation ---
+
+export generateAccountKeyPair = ->
+  generateKeyPairSync('ec', { namedCurve: 'P-256' })
+
+export generateCertKeyPair = ->
+  generateKeyPairSync('ec', { namedCurve: 'P-256' })
+
+export exportPrivateKeyPem = (keyPair) ->
+  keyPair.privateKey.export({ format: 'pem', type: 'pkcs8' })
+
+export exportPublicJwk = (keyPair) ->
+  jwk = keyPair.publicKey.export({ format: 'jwk' })
+  { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }
+
+# --- Account key persistence ---
+
+export loadOrCreateAccountKey = (storePath) ->
+  accountFile = join(storePath, 'account.json')
+  if existsSync(accountFile)
+    data = JSON.parse(readFileSync(accountFile, 'utf8'))
+    privKey = createPrivateKey({ key: Buffer.from(data.privateKeyPem), format: 'pem' })
+    pubJwk = data.publicJwk
+    return { privateKey: privKey, publicJwk: pubJwk }
+
+  pair = generateAccountKeyPair()
+  pubJwk = exportPublicJwk(pair)
+  privPem = exportPrivateKeyPem(pair)
+  mkdirSync(dirname(accountFile), { recursive: true, mode: 0o700 }) unless existsSync(dirname(accountFile))
+  writeFileSync(accountFile, JSON.stringify({ publicJwk: pubJwk, privateKeyPem: privPem }), { encoding: 'utf8', mode: 0o600 })
+  { privateKey: pair.privateKey, publicJwk: pubJwk }
+
+# --- JWK Thumbprint (RFC 7638) ---
+
+export thumbprint = (jwk) ->
+  canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y })
+  hash = createHash('sha256').update(canonical).digest()
+  b64url(hash)
+
+# --- JWS Signing (ES256 / ACME) ---
+
+derToRaw = (derSig) ->
+  # Convert DER-encoded ECDSA signature to raw r||s (64 bytes for P-256)
+  offset = 2
+  rLen = derSig[offset + 1]
+  r = derSig.slice(offset + 2, offset + 2 + rLen)
+  offset = offset + 2 + rLen
+  sLen = derSig[offset + 1]
+  s = derSig.slice(offset + 2, offset + 2 + sLen)
+  # Pad or trim to 32 bytes each
+  pad = (buf, len) ->
+    return buf.slice(buf.length - len) if buf.length > len
+    return buf if buf.length is len
+    out = Buffer.alloc(len)
+    buf.copy(out, len - buf.length)
+    out
+  Buffer.concat([pad(r, 32), pad(s, 32)])
+
+export signJws = (payload, url, nonce, privateKey, publicJwk, kid) ->
+  protectedHeader = if kid
+    { alg: 'ES256', kid, nonce, url }
+  else
+    { alg: 'ES256', jwk: publicJwk, nonce, url }
+
+  protectedB64 = b64url(JSON.stringify(protectedHeader))
+  payloadB64 = if payload is '' then '' else b64url(JSON.stringify(payload))
+
+  sigInput = "#{protectedB64}.#{payloadB64}"
+  signer = createSign('SHA256')
+  signer.update(sigInput)
+  derSig = signer.sign(privateKey)
+  rawSig = derToRaw(derSig)
+
+  JSON.stringify
+    protected: protectedB64
+    payload: payloadB64
+    signature: b64url(rawSig)
+
+# --- CSR generation via openssl ---
+
+export generateCsr = (domain, keyPem) ->
+  # Write key to temp file, generate CSR, read it back
+  tmpDir = mkdtempSync(join(tmpdir(), 'rip-acme-'))
+  keyPath = join(tmpDir, 'key.pem')
+  csrPath = join(tmpDir, 'csr.der')
+  extPath = join(tmpDir, 'san.cnf')
+  writeFileSync(keyPath, keyPem, { encoding: 'utf8', mode: 0o600 })
+
+  # OpenSSL config with SAN extension (required by modern CAs)
+  sanConfig = "[req]\ndistinguished_name=dn\nreq_extensions=san\n[dn]\nCN=#{domain}\n[san]\nsubjectAltName=DNS:#{domain}\n"
+  writeFileSync(extPath, sanConfig, { encoding: 'utf8', mode: 0o600 })
+
+  result = Bun.spawnSync [
+    'openssl', 'req', '-new'
+    '-key', keyPath
+    '-subj', "/CN=#{domain}"
+    '-config', extPath
+    '-outform', 'DER'
+    '-out', csrPath
+  ],
+    stdout: 'pipe'
+    stderr: 'pipe'
+
+  if result.exitCode isnt 0
+    stderr = Buffer.from(result.stderr or []).toString('utf8')
+    throw new Error("CSR generation failed: #{stderr}")
+
+  csrDer = readFileSync(csrPath)
+
+  # Cleanup
+  try rmSync(tmpDir, { recursive: true, force: true })
+
+  b64url(csrDer)

package/acme/manager.rip

@@ -0,0 +1,107 @@
+# ==============================================================================
+# acme/manager.rip — ACME certificate lifecycle orchestrator
+# ==============================================================================
+
+import { loadOrCreateAccountKey, generateCertKeyPair, exportPrivateKeyPem, generateCsr } from './crypto.rip'
+import { createClient, setAccountKey, newAccount, newOrder, getAuthorization, getHttp01Challenge, keyAuthorization, respondToChallenge, pollAuthorizationStatus, pollOrderStatus, finalizeOrder, downloadCert, LETS_ENCRYPT, LETS_ENCRYPT_STAGING } from './client.rip'
+import { defaultCertDir, saveCert, loadCert, needsRenewal } from './store.rip'
+
+export createAcmeManager = (options = {}) ->
+  certDir = options.certDir or defaultCertDir()
+  staging = options.staging or false
+  directoryUrl = if staging then LETS_ENCRYPT_STAGING else LETS_ENCRYPT
+  challengeStore = options.challengeStore or null
+  onCertRenewed = options.onCertRenewed or (->)
+  renewalTimer = null
+
+  manager =
+    certDir: certDir
+    staging: staging
+    directoryUrl: directoryUrl
+    challengeStore: challengeStore
+    onCertRenewed: onCertRenewed
+
+    obtainCert: (domain) ->
+      p "rip-acme: obtaining cert for #{domain}#{if staging then ' (staging)' else ''}"
+
+      # Load or create account key
+      account = loadOrCreateAccountKey(certDir)
+
+      # Create ACME client and register account
+      client = createClient!(directoryUrl)
+      setAccountKey(client, account.privateKey, account.publicJwk)
+      newAccount!(client)
+
+      # Create order
+      { orderUrl, order } = newOrder!(client, [domain])
+
+      # Process authorizations
+      for authUrl in order.authorizations
+        auth = getAuthorization!(client, authUrl)
+        continue if auth.status is 'valid'
+
+        challenge = getHttp01Challenge(auth)
+        unless challenge
+          throw new Error("No HTTP-01 challenge available for #{domain}")
+
+        # Set challenge token for the HTTP server to serve
+        keyAuth = keyAuthorization(challenge.token, client.publicJwk)
+        if challengeStore
+          challengeStore.set(challenge.token, keyAuth)
+
+        try
+          # Tell CA we're ready
+          respondToChallenge!(client, challenge.url)
+
+          # Wait for authorization to be validated
+          pollAuthorizationStatus!(client, authUrl)
+        finally
+          # Always clean up challenge token, even on failure
+          challengeStore.remove(challenge.token) if challengeStore
+
+      # Generate cert key and CSR
+      certKey = generateCertKeyPair()
+      certKeyPem = exportPrivateKeyPem(certKey)
+      csrB64 = generateCsr(domain, certKeyPem)
+
+      # Finalize order with CSR
+      finalizeOrder!(client, order.finalize, csrB64)
+
+      # Poll until cert is ready
+      completedOrder = pollOrderStatus!(client, orderUrl)
+      unless completedOrder.certificate
+        throw new Error('ACME order completed but no certificate URL returned')
+
+      # Download cert chain
+      certPem = downloadCert!(client, completedOrder.certificate)
+
+      # Store cert and key
+      saveCert(certDir, domain, certPem, certKeyPem)
+      p "rip-acme: cert obtained and stored for #{domain}"
+
+      { cert: certPem, key: certKeyPem }
+
+    renewIfNeeded: (domain) ->
+      if needsRenewal(certDir, domain)
+        p "rip-acme: cert for #{domain} needs renewal"
+        result = manager.obtainCert!(domain)
+        manager.onCertRenewed(domain, result)
+        return true
+      false
+
+    startRenewalLoop: (domains, intervalMs = 12 * 60 * 60 * 1000) ->
+      manager.stopRenewalLoop()
+      check = ->
+        for domain in domains
+          try manager.renewIfNeeded!(domain)
+          catch e
+            console.error "rip-acme: renewal failed for #{domain}:", e.message
+      renewalTimer = setInterval(check, intervalMs)
+      # Run first check after a short delay
+      setTimeout(check, 5000)
+
+    stopRenewalLoop: ->
+      clearInterval(renewalTimer) if renewalTimer
+      renewalTimer = null
+
+  manager

package/acme/store.rip

@@ -0,0 +1,67 @@
+# ==============================================================================
+# acme/store.rip — certificate storage, lookup, and HTTP-01 challenge store
+# ==============================================================================
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync } from 'node:fs'
+import { join } from 'node:path'
+import { homedir } from 'node:os'
+import { X509Certificate } from 'node:crypto'
+
+export defaultCertDir = -> join(homedir(), '.rip', 'certs')
+
+export ensureDir = (dir) ->
+  mkdirSync(dir, { recursive: true }) unless existsSync(dir)
+  dir
+
+export domainDir = (baseDir, domain) ->
+  ensureDir(join(ensureDir(baseDir), domain))
+
+export saveCert = (baseDir, domain, certPem, keyPem) ->
+  dir = domainDir(baseDir, domain)
+  writeFileSync(join(dir, 'cert.pem'), certPem, { encoding: 'utf8', mode: 0o644 })
+  writeFileSync(join(dir, 'key.pem'), keyPem, { encoding: 'utf8', mode: 0o600 })
+  { certPath: join(dir, 'cert.pem'), keyPath: join(dir, 'key.pem') }
+
+export loadCert = (baseDir, domain) ->
+  dir = join(baseDir, domain)
+  certPath = join(dir, 'cert.pem')
+  keyPath = join(dir, 'key.pem')
+  return null unless existsSync(certPath) and existsSync(keyPath)
+  cert = readFileSync(certPath, 'utf8')
+  key = readFileSync(keyPath, 'utf8')
+  notAfter = null
+  try
+    x = new X509Certificate(cert)
+    notAfter = new Date(x.validTo).getTime()
+  { cert, key, certPath, keyPath, notAfter }
+
+export needsRenewal = (baseDir, domain, thresholdDays = 30) ->
+  rec = loadCert(baseDir, domain)
+  return true unless rec?.notAfter
+  msLeft = rec.notAfter - Date.now()
+  daysLeft = msLeft / (1000 * 60 * 60 * 24)
+  daysLeft < thresholdDays
+
+export listCerts = (baseDir) ->
+  return [] unless existsSync(baseDir)
+  entries = readdirSync(baseDir, { withFileTypes: true })
+  entries.filter((e) -> e.isDirectory()).map((e) -> e.name)
+
+# --- HTTP-01 challenge token store ---
+
+export createChallengeStore = ->
+  tokens = new Map()
+
+  set: (token, keyAuthorization) -> tokens.set(token, keyAuthorization)
+  get: (token) -> tokens.get(token) ?? null
+  has: (token) -> tokens.has(token)
+  remove: (token) -> tokens.delete(token)
+  clear: -> tokens.clear()
+
+export handleChallengeRequest = (url, challengeStore) ->
+  prefix = '/.well-known/acme-challenge/'
+  return null unless url.pathname.startsWith(prefix)
+  token = url.pathname.slice(prefix.length)
+  return null unless token and challengeStore.has(token)
+  keyAuth = challengeStore.get(token)
+  new Response(keyAuth, { headers: { 'content-type': 'application/octet-stream' } })

package/control/cli.rip

@@ -0,0 +1,123 @@
+# ==============================================================================
+# control/cli.rip — CLI parsing, subcommands, and output
+# ==============================================================================
+
+# --- Argv helpers ---
+
+export getKV = (argv, prefix) ->
+  for tok in argv
+    return tok.slice(prefix.length) if tok.startsWith(prefix)
+  undefined
+
+export findAppPathToken = (argv, existsSyncFn, isAbsoluteFn, resolveFn, cwdFn) ->
+  for i in [2...argv.length]
+    tok = argv[i]
+    pathPart = if tok.includes('@') then tok.split('@')[0] else tok
+    looksLikePath = pathPart.includes('/') or pathPart.startsWith('.') or pathPart.endsWith('.rip') or pathPart.endsWith('.ts')
+    try
+      return pathPart if looksLikePath and existsSyncFn(if isAbsoluteFn(pathPart) then pathPart else resolveFn(cwdFn(), pathPart))
+  undefined
+
+export computeSocketPrefix = (argv, resolveAppEntryFn, existsSyncFn, isAbsoluteFn, resolveFn, cwdFn) ->
+  override = getKV(argv, '--socket-prefix=')
+  return override if override
+  appTok = findAppPathToken(argv, existsSyncFn, isAbsoluteFn, resolveFn, cwdFn)
+  if appTok
+    try
+      { appName } = resolveAppEntryFn(appTok)
+      return "rip_#{appName}"
+  'rip_server'
+
+# --- Output ---
+
+export runVersionOutput = (argv, readFileSyncFn, packageJsonPath) ->
+  return false unless '--version' in argv or '-v' in argv
+  try
+    pkg = JSON.parse(readFileSyncFn(packageJsonPath, 'utf8'))
+    p "rip-server v#{pkg.version}"
+  catch
+    p 'rip-server (version unknown)'
+  true
+
+export runHelpOutput = (argv) ->
+  return false unless '--help' in argv or '-h' in argv
+  p """
+    rip-server - Pure Rip application server
+
+    Usage:
+      rip serve [options] [app-path] [app-name]
+      rip serve [options] [app-path]@<alias1>,<alias2>,...
+
+    Options:
+      -h, --help              Show this help
+      -v, --version           Show version
+      --watch=<glob>          Watch glob pattern (default: *.rip)
+      --static                Disable hot reload and file watching
+      --env=<mode>            Set environment (dev, production)
+      --debug                 Enable debug logging
+      --quiet                 Suppress URL lines (app prints its own)
+
+    Network:
+      http                    HTTP only (no TLS)
+      https                   HTTPS with trusted *.ripdev.io cert (default)
+      <port>                  Listen on specific port
+      --cert=<path>           TLS certificate file (overrides shipped cert)
+      --key=<path>            TLS key file (overrides shipped cert)
+      --hsts                  Enable HSTS header
+      --no-redirect-http      Don't redirect HTTP to HTTPS
+
+    ACME (auto TLS):
+      --acme                  Enable auto TLS via Let's Encrypt
+      --acme-staging          Use Let's Encrypt staging CA (for testing)
+      --acme-domain=<domain>  Domain for ACME cert (required with --acme)
+
+    Realtime (WebSocket):
+      --realtime-path=<path>  WebSocket endpoint path (default: /realtime)
+
+    Workers:
+      w:<n>                   Number of workers (default: cores/2)
+      w:auto                  One worker per core
+      r:<n>,<s>s              Restart policy: max requests, max seconds
+
+    Examples:
+      rip serve               Start with ./index.rip (watches *.rip)
+      rip serve myapp         Start with app name "myapp"
+      rip serve http          HTTP only (no TLS)
+      rip serve --static w:8  Production: no reload, 8 workers
+
+    If no index.rip or index.ts is found, a built-in static file server
+    activates with directory indexes, auto-detected MIME types, and
+    hot-reload. Create an index.rip to customize server behavior.
+  """
+  true
+
+# --- Subcommands ---
+
+export runStopSubcommand = (argv, prefix, getPidFilePathFn, existsSyncFn, readFileSyncFn, killFn, spawnSyncFn, importMetaPath) ->
+  return false unless 'stop' in argv
+  pidFile = getPidFilePathFn(prefix)
+  try
+    if existsSyncFn(pidFile)
+      pid = parseInt(readFileSyncFn(pidFile, 'utf8').trim())
+      killFn(pid, 'SIGTERM')
+      p "rip-server: sent SIGTERM to process #{pid}"
+    else
+      p "rip-server: no PID file found at #{pidFile}, trying pkill..."
+      spawnSyncFn(['pkill', '-f', importMetaPath])
+  catch e
+    console.error "rip-server: stop failed: #{e.message}"
+  true
+
+export runListSubcommand = (argv, prefix, getControlSocketPathFn, fetchFn, exitFn) ->
+  return false unless 'list' in argv
+  controlUnix = getControlSocketPathFn(prefix)
+  try
+    res = fetchFn!('http://localhost/registry', { unix: controlUnix, method: 'GET' })
+    throw new Error("list failed: #{res.status}") unless res.ok
+    j = res.json!
+    hosts = if Array.isArray(j?.hosts) then j.hosts else []
+    p if hosts.length then hosts.join('\n') else '(no hosts)'
+  catch e
+    console.error "list command failed: #{e?.message or e}"
+    exitFn(1)
+  true

package/control/control.rip

@@ -0,0 +1,75 @@
+# ==============================================================================
+# control/control.rip — paths, worker registry, and control socket handlers
+# ==============================================================================
+
+# --- Socket and PID paths ---
+
+export getWorkerSocketPath = (prefix, id) -> "/tmp/#{prefix}.#{id}.sock"
+export getControlSocketPath = (prefix) -> "/tmp/#{prefix}.ctl.sock"
+export getPidFilePath = (prefix) -> "/tmp/#{prefix}.pid"
+
+# --- Worker registry ---
+
+registerWorker = (sockets, availableWorkers, payload) ->
+  version = if typeof payload.version is 'number' then payload.version else null
+  exists = sockets.find((x) -> x.socket is payload.socket)
+  unless exists
+    worker = { socket: payload.socket, inflight: 0, version, workerId: payload.workerId }
+    sockets.push(worker)
+    availableWorkers.push(worker)
+  { version }
+
+removeWorkerById = (sockets, availableWorkers, workerId) ->
+  # Mutate in-place to avoid race conditions with concurrent join/quit
+  i = sockets.length
+  while i-- > 0
+    sockets.splice(i, 1) if sockets[i].workerId is workerId
+  i = availableWorkers.length
+  while i-- > 0
+    availableWorkers.splice(i, 1) if availableWorkers[i].workerId is workerId
+  return
+
+# --- Control socket handlers ---
+
+jsonOk = -> new Response(JSON.stringify({ ok: true }), { headers: { 'content-type': 'application/json' } })
+jsonBad = -> new Response(JSON.stringify({ ok: false }), { status: 400, headers: { 'content-type': 'application/json' } })
+
+export handleWorkerControl = (req, state) ->
+  return { handled: false } unless req.method is 'POST'
+  try
+    j = req.json!
+    if j?.op is 'join' and typeof j.socket is 'string' and typeof j.workerId is 'number'
+      { version } = registerWorker(state.sockets, state.availableWorkers, j)
+      newestVersion = state.newestVersion
+      newestVersion = if newestVersion is null then version else Math.max(newestVersion, version) if version?
+      return
+        handled: true
+        response: jsonOk()
+        sockets: state.sockets
+        availableWorkers: state.availableWorkers
+        newestVersion: newestVersion
+
+    if j?.op is 'quit' and typeof j.workerId is 'number'
+      removeWorkerById(state.sockets, state.availableWorkers, j.workerId)
+      return
+        handled: true
+        response: jsonOk()
+  { handled: true, response: jsonBad(), sockets: state.sockets, availableWorkers: state.availableWorkers, newestVersion: state.newestVersion }
+
+export handleWatchControl = (req, registerWatch, watchDirs) ->
+  return { handled: false } unless req.method is 'POST'
+  try
+    j = req.json!
+    if j?.op is 'watch' and typeof j.prefix is 'string' and Array.isArray(j.dirs)
+      registerWatch(j.prefix)
+      watchDirs(j.prefix, j.dirs) if j.dirs.length > 0
+      return { handled: true, response: jsonOk() }
+  { handled: true, response: jsonBad() }
+
+export handleRegistryControl = (req, hostIndex) ->
+  return { handled: false } unless req.method is 'GET'
+  hostMap = {}
+  for [host, appId] as hostIndex
+    (hostMap[appId] = hostMap[appId] or []).push(host)
+  response = new Response(JSON.stringify({ ok: true, hosts: Array.from(hostIndex.keys()), apps: hostMap }), { headers: { 'content-type': 'application/json' } })
+  { handled: true, response }