npm - @rip-lang/server - Versions diffs - 1.3.115 → 1.3.116 - Mend

@rip-lang/server 1.3.115 → 1.3.116

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/README.md +435 -622
package/api.rip +4 -4
package/control/cli.rip +221 -1
package/control/control.rip +9 -0
package/control/lifecycle.rip +6 -1
package/control/watchers.rip +10 -0
package/control/workers.rip +9 -5
package/default.rip +3 -1
package/docs/READ_VALIDATORS.md +656 -0
package/docs/edge/CONFIG_LIFECYCLE.md +70 -32
package/docs/edge/CONTRACTS.md +60 -69
package/docs/edge/EDGEFILE_CONTRACT.md +258 -29
package/docs/edge/M0B_REVIEW_NOTES.md +5 -5
package/edge/config.rip +584 -52
package/edge/forwarding.rip +6 -2
package/edge/metrics.rip +19 -1
package/edge/registry.rip +29 -3
package/edge/router.rip +138 -0
package/edge/runtime.rip +98 -0
package/edge/static.rip +69 -0
package/edge/tls.rip +23 -0
package/edge/upstream.rip +272 -0
package/edge/verify.rip +73 -0
package/middleware.rip +3 -3
package/package.json +2 -2
package/server.rip +775 -393
package/tests/control.rip +18 -0
package/tests/edgefile.rip +165 -0
package/tests/metrics.rip +16 -0
package/tests/proxy.rip +22 -1
package/tests/registry.rip +27 -0
package/tests/router.rip +101 -0
package/tests/runtime_entrypoints.rip +16 -0
package/tests/servers.rip +262 -0
package/tests/static.rip +64 -0
package/tests/streams_clienthello.rip +108 -0
package/tests/streams_index.rip +53 -0
package/tests/streams_pipe.rip +70 -0
package/tests/streams_router.rip +39 -0
package/tests/streams_runtime.rip +38 -0
package/tests/streams_upstream.rip +34 -0
package/tests/upstream.rip +191 -0
package/tests/verify.rip +148 -0
package/tests/watchers.rip +15 -0

package/tests/static.rip ADDED Viewed

@@ -0,0 +1,64 @@
+import { test, eq, ok } from '../test.rip'
+import { serveStaticRoute, buildRedirectResponse } from '../edge/static.rip'
+# --- helpers ---
+mockReq = (method = 'GET', accept = 'text/html') ->
+  headers: new Headers({ accept })
+  method: method
+mockUrl = (pathname) ->
+  new URL("https://example.com#{pathname}")
+# --- static route tests ---
+test "serveStaticRoute returns 405 for POST", ->
+  req = mockReq('POST')
+  route = { static: '/tmp', root: '/tmp', path: '/*' }
+  res = serveStaticRoute(req, mockUrl('/foo'), route)
+  eq res.status, 405
+test "serveStaticRoute returns 404 for missing file", ->
+  req = mockReq()
+  route = { static: '/tmp/nonexistent-dir-rip-test', root: '/tmp/nonexistent-dir-rip-test', path: '/*' }
+  res = serveStaticRoute(req, mockUrl('/missing.txt'), route)
+  eq res.status, 404
+test "serveStaticRoute rejects percent-encoded traversal", ->
+  req = mockReq()
+  route = { static: '/tmp/rip-static-test', root: '/tmp/rip-static-test', path: '/*' }
+  url = { pathname: '/%2e%2e/%2e%2e/etc/passwd' }
+  res = serveStaticRoute(req, url, route)
+  ok res.status is 403 or res.status is 404
+test "URL-normalized traversal stays safe", ->
+  req = mockReq()
+  route = { static: '/tmp/rip-static-test', root: '/tmp/rip-static-test', path: '/*' }
+  res = serveStaticRoute(req, mockUrl('/../../etc/passwd'), route)
+  ok res.status >= 400
+test "serveStaticRoute SPA fallback requires Accept text/html", ->
+  req = mockReq('GET', 'application/json')
+  route = { static: '/tmp', root: '/tmp', path: '/*', spa: true }
+  res = serveStaticRoute(req, mockUrl('/missing-page'), route)
+  eq res.status, 404
+test "serveStaticRoute HEAD returns 405-safe", ->
+  req = mockReq('HEAD')
+  route = { static: '/tmp/nonexistent-dir-rip-test', root: '/tmp/nonexistent-dir-rip-test', path: '/*' }
+  res = serveStaticRoute(req, mockUrl('/missing.txt'), route)
+  eq res.status, 404
+# --- redirect tests ---
+test "buildRedirectResponse returns 302 by default", ->
+  req = mockReq()
+  route = { redirect: { to: 'https://example.com' } }
+  res = buildRedirectResponse(req, mockUrl('/old'), route)
+  eq res.status, 302
+test "buildRedirectResponse uses custom status", ->
+  req = mockReq()
+  route = { redirect: { to: 'https://example.com', status: 301 } }
+  res = buildRedirectResponse(req, mockUrl('/old'), route)
+  eq res.status, 301

package/tests/streams_clienthello.rip ADDED Viewed

@@ -0,0 +1,108 @@
+import { test, eq, ok } from '../test.rip'
+import { parseSNI } from '../streams/tls_clienthello.rip'
+buildClientHello = (hostname = 'incus.example.com', opts = {}) ->
+  hostBytes = new TextEncoder().encode(hostname)
+  sniEntryLen = 1 + 2 + hostBytes.length
+  serverNameListLen = sniEntryLen
+  sniExtLen = 2 + serverNameListLen
+  extensionsLen = if opts.noExtensions then 0 else 4 + sniExtLen
+  sessionId = new Uint8Array(0)
+  cipherSuites = new Uint8Array([0x00, 0x2f])
+  compression = new Uint8Array([0x00])
+  bodyLen = 2 + 32 + 1 + sessionId.length + 2 + cipherSuites.length + 1 + compression.length + 2 + extensionsLen
+  recordLen = 4 + bodyLen
+  totalLen = 5 + recordLen
+  out = new Uint8Array(totalLen)
+  i = 0
+  out[i++] = opts.contentType or 0x16
+  out[i++] = 0x03
+  out[i++] = opts.tlsMinor or 0x03
+  out[i++] = (recordLen >> 8) & 0xff
+  out[i++] = recordLen & 0xff
+  out[i++] = opts.handshakeType or 0x01
+  out[i++] = (bodyLen >> 16) & 0xff
+  out[i++] = (bodyLen >> 8) & 0xff
+  out[i++] = bodyLen & 0xff
+  out[i++] = 0x03
+  out[i++] = opts.clientMinor or 0x03
+  for n in [0...32]
+    out[i++] = n
+  out[i++] = sessionId.length
+  out.set(sessionId, i)
+  i += sessionId.length
+  out[i++] = 0x00
+  out[i++] = cipherSuites.length
+  out.set(cipherSuites, i)
+  i += cipherSuites.length
+  out[i++] = compression.length
+  out.set(compression, i)
+  i += compression.length
+  out[i++] = (extensionsLen >> 8) & 0xff
+  out[i++] = extensionsLen & 0xff
+  unless opts.noExtensions
+    out[i++] = 0x00
+    out[i++] = 0x00
+    out[i++] = (sniExtLen >> 8) & 0xff
+    out[i++] = sniExtLen & 0xff
+    out[i++] = (serverNameListLen >> 8) & 0xff
+    out[i++] = serverNameListLen & 0xff
+    out[i++] = 0x00
+    out[i++] = (hostBytes.length >> 8) & 0xff
+    out[i++] = hostBytes.length & 0xff
+    out.set(hostBytes, i)
+    i += hostBytes.length
+  out
+test "parseSNI extracts hostname from TLS 1.2 ClientHello", ->
+  hello = buildClientHello('incus.example.com', tlsMinor: 0x03, clientMinor: 0x03)
+  parsed = parseSNI(hello)
+  eq parsed.ok, true
+  eq parsed.sni, 'incus.example.com'
+test "parseSNI extracts hostname from TLS 1.3-style ClientHello", ->
+  hello = buildClientHello('api.example.com', tlsMinor: 0x03, clientMinor: 0x03)
+  parsed = parseSNI(hello)
+  eq parsed.ok, true
+  eq parsed.sni, 'api.example.com'
+test "parseSNI lowercases hostname", ->
+  hello = buildClientHello('InCus.Example.Com')
+  parsed = parseSNI(hello)
+  eq parsed.sni, 'incus.example.com'
+test "parseSNI returns need_more_bytes for short buffer", ->
+  parsed = parseSNI(new Uint8Array([0x16, 0x03, 0x03]))
+  eq parsed.ok, false
+  eq parsed.code, 'need_more_bytes'
+test "parseSNI rejects wrong record type", ->
+  hello = buildClientHello('incus.example.com', contentType: 0x17)
+  parsed = parseSNI(hello)
+  eq parsed.ok, false
+  eq parsed.code, 'bad_record_type'
+test "parseSNI rejects no-extensions hello as no_sni", ->
+  hello = buildClientHello('incus.example.com', noExtensions: true)
+  parsed = parseSNI(hello)
+  eq parsed.ok, false
+  eq parsed.code, 'no_sni'
+test "parseSNI rejects oversized ClientHello", ->
+  huge = new Uint8Array(5)
+  huge[0] = 0x16
+  huge[1] = 0x03
+  huge[2] = 0x03
+  huge[3] = 0x40
+  huge[4] = 0x01
+  parsed = parseSNI(huge)
+  eq parsed.ok, false
+  eq parsed.code, 'client_hello_too_large'
+test "parseSNI rejects malformed extension bounds", ->
+  hello = buildClientHello('incus.example.com')
+  hello[54] = 0xff
+  hello[55] = 0xff
+  parsed = parseSNI(hello)
+  ok parsed.ok is false

package/tests/streams_index.rip ADDED Viewed

@@ -0,0 +1,53 @@
+import { test, eq } from '../test.rip'
+import { buildStreamRuntime, resolveHandshakeTarget } from '../streams/index.rip'
+test "resolveHandshakeTarget falls through to http fallback when no route matches", ->
+  runtime = buildStreamRuntime(
+    streamUpstreams:
+      incus:
+        targets: [{ host: '127.0.0.1', port: 8443 }]
+    streams: [
+      { id: 'incus', order: 0, listen: 443, sni: ['incus.example.com'], upstream: 'incus' }
+    ]
+  )
+  result = resolveHandshakeTarget(runtime, 443, 'app.example.com',
+    443:
+      hostname: '127.0.0.1'
+      port: 9443
+  )
+  eq result.kind, 'fallback'
+  eq result.target.port, 9443
+test "resolveHandshakeTarget prefers configured stream routes over fallback", ->
+  runtime = buildStreamRuntime(
+    streamUpstreams:
+      incus:
+        targets: [{ host: '127.0.0.1', port: 8443 }]
+    streams: [
+      { id: 'incus', order: 0, listen: 443, sni: ['incus.example.com'], upstream: 'incus' }
+    ]
+  )
+  result = resolveHandshakeTarget(runtime, 443, 'incus.example.com',
+    443:
+      hostname: '127.0.0.1'
+      port: 9443
+  )
+  eq result.kind, 'stream'
+  eq result.target.port, 8443
+test "resolveHandshakeTarget rejects when stream route matches but upstream is unavailable", ->
+  runtime = buildStreamRuntime(
+    streamUpstreams:
+      incus:
+        targets: []
+    streams: [
+      { id: 'incus', order: 0, listen: 443, sni: ['incus.example.com'], upstream: 'incus' }
+    ]
+  )
+  result = resolveHandshakeTarget(runtime, 443, 'incus.example.com',
+    443:
+      hostname: '127.0.0.1'
+      port: 9443
+  )
+  eq result.kind, 'reject'
+  eq result.code, 'no_available_target'

package/tests/streams_pipe.rip ADDED Viewed

@@ -0,0 +1,70 @@
+import { test, eq, ok } from '../test.rip'
+import { createPipeState, writeChunk, flushPending } from '../streams/pipe.rip'
+fakeSocket = (returns = []) ->
+  writes = []
+  idx = 0
+  paused = 0
+  resumed = 0
+  {
+    writes
+    write: (data) ->
+      writes.push(new Uint8Array(data))
+      ret = returns[idx]
+      idx++
+      if ret? then ret else data.byteLength
+    pause: -> paused++
+    resume: -> resumed++
+    pausedCount: -> paused
+    resumedCount: -> resumed
+  }
+test "writeChunk succeeds when full write completes", ->
+  sock = fakeSocket()
+  state = createPipeState()
+  res = writeChunk(sock, state, new Uint8Array([1, 2, 3]))
+  eq res.needDrain, false
+  eq state.pending.byteLength, 0
+test "writeChunk buffers remainder on partial write", ->
+  sock = fakeSocket([1])
+  state = createPipeState()
+  res = writeChunk(sock, state, new Uint8Array([1, 2, 3]))
+  eq res.needDrain, true
+  eq state.pending.byteLength, 2
+  eq Array.from(state.pending), [2, 3]
+test "flushPending clears buffer when write completes", ->
+  sock = fakeSocket()
+  state = createPipeState()
+  state.pending = new Uint8Array([4, 5])
+  state.waitingForDrain = true
+  res = flushPending(sock, state)
+  eq res.needDrain, false
+  eq state.pending.byteLength, 0
+test "flushPending keeps remainder on partial write", ->
+  sock = fakeSocket([1])
+  state = createPipeState()
+  state.pending = new Uint8Array([4, 5, 6])
+  state.waitingForDrain = true
+  res = flushPending(sock, state)
+  eq res.needDrain, true
+  eq Array.from(state.pending), [5, 6]
+test "writeChunk appends new data behind existing pending buffer", ->
+  sock = fakeSocket()
+  state = createPipeState()
+  state.pending = new Uint8Array([9, 9])
+  state.waitingForDrain = true
+  res = writeChunk(sock, state, new Uint8Array([1, 2]))
+  eq res.needDrain, true
+  eq res.wrote, 0
+  eq Array.from(state.pending), [9, 9, 1, 2]
+test "writeChunk reports closed socket on -1", ->
+  sock = fakeSocket([-1])
+  state = createPipeState()
+  res = writeChunk(sock, state, new Uint8Array([1]))
+  eq res.closed, true
+  eq res.ok, false

package/tests/streams_router.rip ADDED Viewed

@@ -0,0 +1,39 @@
+import { test, eq } from '../test.rip'
+import { compileStreamTable, matchStreamRoute, describeStreamRoute } from '../streams/router.rip'
+test "compileStreamTable expands sni patterns", ->
+  table = compileStreamTable([
+    { id: 'incus', order: 0, listen: 8443, sni: ['incus.example.com', '*.example.com'], upstream: 'incus' }
+  ])
+  eq table.routes.length, 2
+test "matchStreamRoute prefers exact sni", ->
+  table = compileStreamTable([
+    { id: 'wild', order: 0, listen: 8443, sni: ['*.example.com'], upstream: 'wild' }
+    { id: 'exact', order: 1, listen: 8443, sni: ['incus.example.com'], upstream: 'exact' }
+  ])
+  eq matchStreamRoute(table, 8443, 'incus.example.com').upstream, 'exact'
+test "matchStreamRoute matches wildcard sni", ->
+  table = compileStreamTable([
+    { id: 'wild', order: 0, listen: 8443, sni: ['*.example.com'], upstream: 'wild' }
+  ])
+  eq matchStreamRoute(table, 8443, 'api.example.com').upstream, 'wild'
+test "matchStreamRoute wildcard is single-label only", ->
+  table = compileStreamTable([
+    { id: 'wild', order: 0, listen: 8443, sni: ['*.example.com'], upstream: 'wild' }
+  ])
+  eq matchStreamRoute(table, 8443, 'a.b.example.com'), null
+test "matchStreamRoute filters by listen port", ->
+  table = compileStreamTable([
+    { id: 'incus', order: 0, listen: 8443, sni: ['incus.example.com'], upstream: 'incus' }
+  ])
+  eq matchStreamRoute(table, 443, 'incus.example.com'), null
+test "describeStreamRoute summarizes route", ->
+  table = compileStreamTable([
+    { id: 'incus', order: 0, listen: 8443, sni: ['incus.example.com'], upstream: 'incus' }
+  ])
+  eq describeStreamRoute(table.routes[0]), '8443 incus.example.com -> incus'

package/tests/streams_runtime.rip ADDED Viewed

@@ -0,0 +1,38 @@
+import { test, eq } from '../test.rip'
+import { createStreamRuntime, describeStreamRuntime, buildStreamConfigInfo, streamUsesListenPort } from '../streams/runtime.rip'
+test "createStreamRuntime starts empty", ->
+  runtime = createStreamRuntime()
+  eq runtime.inflight, 0
+  eq runtime.listeners.size, 0
+test "describeStreamRuntime returns summary", ->
+  runtime = createStreamRuntime()
+  runtime.inflight = 2
+  runtime.retiredAt = '2026-01-01T00:00:00.000Z'
+  runtime.listeners.set(8443, {})
+  summary = describeStreamRuntime(runtime)
+  eq summary.inflight, 2
+  eq summary.listeners[0], 8443
+test "buildStreamConfigInfo reports counts and descriptions", ->
+  info = buildStreamConfigInfo(
+    streamUpstreams:
+      incus: {}
+    streams: [
+      { id: 'incus', order: 0, listen: 8443, sni: ['incus.example.com'], upstream: 'incus' }
+    ]
+  )
+  eq info.streamCounts.streamUpstreams, 1
+  eq info.streamCounts.streams, 1
+  eq info.activeStreamRouteDescriptions[0], '8443 incus.example.com -> incus'
+test "streamUsesListenPort detects shared listener ports", ->
+  runtime = createStreamRuntime(null, null,
+    routes: [
+      { listen: 443, sni: 'incus.example.com', upstream: 'incus' }
+      { listen: 8443, sni: 'db.example.com', upstream: 'db' }
+    ]
+  )
+  eq streamUsesListenPort(runtime, 443), true
+  eq streamUsesListenPort(runtime, 80), false

package/tests/streams_upstream.rip ADDED Viewed

@@ -0,0 +1,34 @@
+import { test, eq } from '../test.rip'
+import { createStreamUpstreamPool, addStreamUpstream, getStreamUpstream, selectStreamTarget, openStreamConnection, releaseStreamConnection } from '../streams/upstream.rip'
+test "addStreamUpstream registers targets", ->
+  pool = createStreamUpstreamPool()
+  upstream = addStreamUpstream(pool, 'incus',
+    targets: [{ targetId: '127.0.0.1:8443', host: '127.0.0.1', port: 8443 }]
+  )
+  eq getStreamUpstream(pool, 'incus').targets.length, 1
+  eq upstream.connectTimeoutMs, 5000
+test "selectStreamTarget prefers least connections", ->
+  pool = createStreamUpstreamPool()
+  upstream = addStreamUpstream(pool, 'incus',
+    targets: [
+      { targetId: 'a:1', host: 'a', port: 1 }
+      { targetId: 'b:1', host: 'b', port: 1 }
+    ]
+  )
+  upstream.targets[0].activeConnections = 3
+  upstream.targets[1].activeConnections = 1
+  eq selectStreamTarget(upstream).targetId, 'b:1'
+test "open and release stream connection update counters", ->
+  pool = createStreamUpstreamPool()
+  upstream = addStreamUpstream(pool, 'incus',
+    targets: [{ targetId: 'a:1', host: 'a', port: 1 }]
+  )
+  target = upstream.targets[0]
+  openStreamConnection(target)
+  eq target.activeConnections, 1
+  eq target.totalConnections, 1
+  releaseStreamConnection(target)
+  eq target.activeConnections, 0

package/tests/upstream.rip ADDED Viewed

@@ -0,0 +1,191 @@
+import { test, eq, ok } from '../test.rip'
+import {
+  createUpstreamPool
+  addUpstream
+  getUpstream
+  listUpstreams
+  removeUpstream
+  selectTarget
+  markTargetBusy
+  releaseTarget
+  shouldRetry
+  computeRetryDelayMs
+  updateTargetHealth
+} from '../edge/upstream.rip'
+test "createUpstreamPool starts empty", ->
+  pool = createUpstreamPool()
+  eq pool.upstreams.size, 0
+test "addUpstream normalizes targets and defaults", ->
+  pool = createUpstreamPool()
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://127.0.0.1:3000']
+  )
+  eq pool.upstreams.size, 1
+  eq upstream.targets.length, 1
+  eq upstream.targets[0].healthy, true
+  eq upstream.targets[0].circuitState, 'closed'
+test "listUpstreams returns added upstreams", ->
+  pool = createUpstreamPool()
+  addUpstream(pool, 'app', targets: ['http://127.0.0.1:3000'])
+  eq listUpstreams(pool).length, 1
+test "removeUpstream deletes entry", ->
+  pool = createUpstreamPool()
+  addUpstream(pool, 'app', targets: ['http://127.0.0.1:3000'])
+  removeUpstream(pool, 'app')
+  eq getUpstream(pool, 'app'), null
+test "selectTarget picks least inflight target", ->
+  pool = createUpstreamPool()
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a', 'http://b']
+  )
+  upstream.targets[0].inflight = 2
+  upstream.targets[1].inflight = 0
+  eq selectTarget(upstream).url, 'http://b'
+test "selectTarget falls back to latency tie-break", ->
+  pool = createUpstreamPool()
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a', 'http://b']
+  )
+  upstream.targets[0].latencyEwma = 50
+  upstream.targets[1].latencyEwma = 10
+  eq selectTarget(upstream).url, 'http://b'
+test "selectTarget returns null when all targets unhealthy", ->
+  pool = createUpstreamPool()
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a', 'http://b']
+  )
+  upstream.targets[0].healthy = false
+  upstream.targets[1].healthy = false
+  eq selectTarget(upstream), null
+test "markTargetBusy increments inflight", ->
+  pool = createUpstreamPool()
+  upstream = addUpstream(pool, 'app', targets: ['http://a'])
+  target = upstream.targets[0]
+  markTargetBusy(target)
+  eq target.inflight, 1
+test "releaseTarget decrements inflight and updates ewma", ->
+  pool = createUpstreamPool()
+  upstream = addUpstream(pool, 'app', targets: ['http://a'])
+  target = upstream.targets[0]
+  markTargetBusy(target)
+  releaseTarget(target, 100, true, pool)
+  eq target.inflight, 0
+  ok target.latencyEwma > 0
+test "updateTargetHealth marks target unhealthy after threshold", ->
+  pool = createUpstreamPool(nowFn: -> 1000, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a']
+    healthCheck:
+      unhealthyThreshold: 2
+  )
+  target = upstream.targets[0]
+  updateTargetHealth(target, false, pool)
+  eq target.healthy, true
+  updateTargetHealth(target, false, pool)
+  eq target.healthy, false
+test "updateTargetHealth restores healthy after success threshold", ->
+  pool = createUpstreamPool(nowFn: -> 1000, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a']
+    healthCheck:
+      unhealthyThreshold: 1
+      healthyThreshold: 2
+  )
+  target = upstream.targets[0]
+  updateTargetHealth(target, false, pool)
+  eq target.healthy, false
+  updateTargetHealth(target, true, pool)
+  eq target.healthy, false
+  updateTargetHealth(target, true, pool)
+  eq target.healthy, true
+test "releaseTarget opens circuit after enough failures", ->
+  pool = createUpstreamPool(nowFn: -> 1234, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a']
+    circuit:
+      minRequests: 3
+      errorThreshold: 0.5
+      cooldownMs: 1000
+  )
+  target = upstream.targets[0]
+  for _ in [1..3]
+    markTargetBusy(target)
+    releaseTarget(target, 10, false, pool)
+  eq target.circuitState, 'open'
+  eq target.circuitOpenedAt, 1234
+test "selectTarget reopens half-open target after cooldown", ->
+  now = 0
+  pool = createUpstreamPool(nowFn: -> now, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a']
+    circuit:
+      minRequests: 1
+      cooldownMs: 100
+      jitterRatio: 0
+  )
+  target = upstream.targets[0]
+  markTargetBusy(target)
+  releaseTarget(target, 10, false, pool)
+  eq selectTarget(upstream, pool.nowFn), null
+  now = 150
+  selected = selectTarget(upstream, pool.nowFn)
+  eq selected.url, 'http://a'
+  eq target.circuitState, 'half-open'
+test "half-open success closes circuit", ->
+  pool = createUpstreamPool(nowFn: -> 500, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app',
+    targets: ['http://a']
+    circuit:
+      minRequests: 1
+      cooldownMs: 100
+      jitterRatio: 0
+  )
+  target = upstream.targets[0]
+  markTargetBusy(target)
+  releaseTarget(target, 10, false, pool)
+  target.circuitOpenedAt = 0
+  selected = selectTarget(upstream, pool.nowFn)
+  markTargetBusy(selected)
+  releaseTarget(selected, 5, true, pool)
+  eq target.circuitState, 'closed'
+test "shouldRetry honors method status and body state", ->
+  retry = attempts: 2, retryOn: [502, 503], retryMethods: ['GET']
+  ok shouldRetry(retry, 'GET', 502, false)
+  eq shouldRetry(retry, 'POST', 502, false), false
+  eq shouldRetry(retry, 'GET', 500, false), false
+  eq shouldRetry(retry, 'GET', 502, true), false
+test "computeRetryDelayMs adds bounded jitter", ->
+  delay = computeRetryDelayMs({ backoffMs: 100 }, 2, -> 0)
+  eq delay, 200
+test "updateTargetHealth records last check timestamp", ->
+  pool = createUpstreamPool(nowFn: -> 42, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app', targets: ['http://a'])
+  target = upstream.targets[0]
+  updateTargetHealth(target, true, pool)
+  eq target.lastCheckAt, 42
+test "updateTargetHealth can trip half-open target back to open", ->
+  pool = createUpstreamPool(nowFn: -> 99, randomFn: -> 0)
+  upstream = addUpstream(pool, 'app', targets: ['http://a'])
+  target = upstream.targets[0]
+  target.circuitState = 'half-open'
+  updateTargetHealth(target, false, pool)
+  eq target.circuitState, 'open'
+  eq target.circuitOpenedAt, 99