@rip-lang/server 1.3.115 → 1.3.117

package/server.rip

@@ -14,19 +14,19 @@
 
 import { existsSync, statSync, readFileSync, writeFileSync, unlinkSync, watch, utimesSync } from 'node:fs'
 import { basename, dirname, isAbsolute, join, resolve } from 'node:path'
-import { cpus, networkInterfaces } from 'node:os'
+import { networkInterfaces } from 'node:os'
 import { isCurrentVersion as schedulerIsCurrentVersion, getNextAvailableSocket as schedulerGetNextAvailableSocket, releaseWorker as schedulerReleaseWorker, shouldRetryBodylessBusy } from './edge/queue.rip'
 import { formatPort, maybeAddSecurityHeaders as edgeMaybeAddSecurityHeaders, buildStatusBody as edgeBuildStatusBody, buildRipdevUrl as edgeBuildRipdevUrl, generateRequestId } from './edge/forwarding.rip'
 import { loadTlsMaterial as edgeLoadTlsMaterial, printCertSummary as edgePrintCertSummary } from './edge/tls.rip'
-import { createAppRegistry, registerApp, resolveHost, getAppState } from './edge/registry.rip'
-import { watchUnavailableResponse, serverBusyResponse, serviceUnavailableResponse, gatewayTimeoutResponse, queueTimeoutResponse, buildUpstreamResponse, forwardOnceWithTimeout } from './edge/forwarding.rip'
+import { createAppRegistry, registerApp, resolveHost, getAppState, removeApp } from './edge/registry.rip'
+import { watchUnavailableResponse, serverBusyResponse, serviceUnavailableResponse, gatewayTimeoutResponse, queueTimeoutResponse, buildUpstreamResponse, forwardOnceWithTimeout, createWsPassthrough } from './edge/forwarding.rip'
 import { processQueuedJob, drainQueueOnce } from './edge/queue.rip'
 import { getControlSocketPath, getPidFilePath } from './control/control.rip'
-import { handleWorkerControl, handleWatchControl, handleRegistryControl } from './control/control.rip'
+import { handleWorkerControl, handleWatchControl, handleRegistryControl, handleReloadControl } from './control/control.rip'
 import { getLanIP as controlGetLanIP, startMdnsAdvertisement as controlStartMdnsAdvertisement, stopMdnsAdvertisements as controlStopMdnsAdvertisements } from './control/mdns.rip'
-import { registerWatchGroup, handleWatchGroup, broadcastWatchChange, registerAppWatchDirs } from './control/watchers.rip'
+import { registerWatchGroup, handleWatchGroup, broadcastWatchChange, registerAppWatchDirs, shouldTriggerCodeReload } from './control/watchers.rip'
 import { computeHideUrls, logStartupSummary, createCleanup, installShutdownHandlers } from './control/lifecycle.rip'
-import { computeSocketPrefix as cliComputeSocketPrefix, runVersionOutput, runHelpOutput, runStopSubcommand, runListSubcommand } from './control/cli.rip'
+import { computeSocketPrefix as cliComputeSocketPrefix, runVersionOutput, runHelpOutput, runStopSubcommand, runListSubcommand, resolveAppEntry, parseFlags, coerceInt } from './control/cli.rip'
 import { runSetupMode, runWorkerMode } from './control/worker.rip'
 import { spawnTrackedWorker, postWorkerQuit, waitForWorkerReady } from './control/workers.rip'
 import { createChallengeStore, handleChallengeRequest } from './acme/store.rip'
@@ -35,9 +35,17 @@ import { loadCert as acmeLoadCert, defaultCertDir } from './acme/store.rip'
 import { createMetrics } from './edge/metrics.rip'
 import { setEventJsonMode, logEvent } from './control/lifecycle.rip'
 import { createHub, generateClientId, addClient, removeClient, processResponse, handlePublish, getRealtimeStats } from './edge/realtime.rip'
-import { findConfigFile, loadConfig, applyConfig } from './edge/config.rip'
+import { findConfigFile, findEdgeFile, resolveConfigSource, applyConfig, applyEdgeConfig, formatConfigErrors } from './edge/config.rip'
+import { createEdgeRuntime, createReloadHistoryEntry, restoreRegistrySnapshot, configNote, toUpstreamWsUrl, loadRuntimeConfig, runCheckConfig } from './edge/runtime.rip'
 import { createRateLimiter, rateLimitResponse } from './edge/ratelimit.rip'
 import { validateRequest } from './edge/security.rip'
+import { createUpstreamPool, addUpstream, getUpstream, listUpstreams, selectTarget, markTargetBusy, releaseTarget, shouldRetry as shouldRetryUpstream, computeRetryDelayMs, startHealthChecks, stopHealthChecks, checkTargetHealth } from './edge/upstream.rip'
+import { compileRouteTable, matchRoute, describeRoute } from './edge/router.rip'
+import { buildVerificationResult, verifyRouteRuntime } from './edge/verify.rip'
+import { serveStaticRoute, buildRedirectResponse } from './edge/static.rip'
+import { buildTlsArray } from './edge/tls.rip'
+import { buildStreamRuntime, startStreamListeners, stopStreamListeners, streamDiagnostics } from './streams/index.rip'
+import { createStreamRuntime, streamUsesListenPort } from './streams/runtime.rip'
 
 # Match capture holder for Rip's =~
 _ = null
@@ -56,12 +64,6 @@ STABILITY_THRESHOLD_MS = 60000 # Worker uptime before restart count resets
 
 nowMs = -> Date.now()
 
-coerceInt = (value, fallback) ->
-  return fallback unless value? and value isnt ''
-  n = parseInt(String(value))
-  if Number.isFinite(n) then n else fallback
-
-# Environment detection (can be overridden by --env flag)
 _envOverride = null
 _debugMode = false
 
@@ -71,6 +73,10 @@ isDev = ->
 
 isDebug = -> _debugMode or process.env.RIP_DEBUG?
 
+applyFlagSideEffects = (flags) ->
+  _envOverride = flags.envOverride if flags.envOverride
+  _debugMode = flags.debug is true
+
 formatTimestamp = ->
   now = new Date()
   pad = (n, w = 2) -> String(n).padStart(w, '0')
@@ -153,225 +159,9 @@ stripInternalHeaders = (h) ->
     out.append(k, v)
   out
 
-# ==============================================================================
-# Flag Parsing
-# ==============================================================================
-
-parseWorkersToken = (token, fallback) ->
-  return fallback unless token
-  cores = cpus().length
-  return Math.max(1, cores) if token is 'auto'
-  return Math.max(1, Math.floor(cores / 2)) if token is 'half'
-  return Math.max(1, cores * 2) if token is '2x'
-  return Math.max(1, cores * 3) if token is '3x'
-  n = parseInt(token)
-  if Number.isFinite(n) and n > 0 then n else fallback
-
-parseRestartPolicy = (token, defReqs, defSecs) ->
-  return { maxRequests: defReqs, maxSeconds: defSecs } unless token
-  maxRequests = defReqs
-  maxSeconds = defSecs
-
-  for part in token.split(',').map((s) -> s.trim()).filter(Boolean)
-    if part.endsWith('s')
-      secs = parseInt(part.slice(0, -1))
-      maxSeconds = secs if Number.isFinite(secs) and secs >= 0
-    else
-      n = parseInt(part)
-      maxRequests = n if Number.isFinite(n) and n > 0
-
-  { maxRequests, maxSeconds }
-
 defaultEntry = join(import.meta.dir, 'default.rip')
 
-resolveAppEntry = (appPathInput) ->
-  abs = if isAbsolute(appPathInput) then appPathInput else resolve(process.cwd(), appPathInput)
-
-  if existsSync(abs) and statSync(abs).isDirectory()
-    baseDir = abs
-    one = join(abs, 'index.rip')
-    two = join(abs, 'index.ts')
-    if existsSync(one)
-      entryPath = one
-    else if existsSync(two)
-      entryPath = two
-    else
-      p "rip-server: no index.rip found, serving static files from #{abs}\n             Create an index.rip to customize, or run 'rip server --help' for options."
-      entryPath = defaultEntry
-  else
-    unless existsSync(abs)
-      console.error "App path not found: #{abs}"
-      exit 2
-    baseDir = dirname(abs)
-    entryPath = abs
-
-  appName = basename(baseDir)
-  { baseDir, entryPath, appName }
-
-parseFlags = (argv) ->
-  rawFlags = new Set()
-  appPathInput = null
-  appAliases = []
-
-  # Check if token looks like a flag
-  isFlag = (tok) ->
-    tok.startsWith('-') or tok.startsWith('--') or /^\d+$/.test(tok) or tok in ['http', 'https']
-
-  # Try to resolve a token as an app path
-  tryResolveApp = (tok) ->
-    looksLikePath = tok.includes('/') or tok.startsWith('.') or isAbsolute(tok) or tok.endsWith('.rip') or tok.endsWith('.ts')
-    return undefined unless looksLikePath
-    try
-      abs = if isAbsolute(tok) then tok else resolve(process.cwd(), tok)
-      if existsSync(abs) then tok else undefined
-    catch
-      undefined
-
-  for i in [2...argv.length]
-    tok = argv[i]
-    unless appPathInput
-      # Handle path@alias syntax
-      if tok.includes('@') and not tok.startsWith('-')
-        [pathPart, aliasesPart] = tok.split('@')
-        maybe = tryResolveApp(pathPart)
-        if maybe
-          appPathInput = maybe
-          appAliases = aliasesPart.split(',').map((a) -> a.trim()).filter((a) -> a)
-          continue
-        # pathPart might be an alias, not a path - check if entry exists in cwd
-        else if not pathPart.includes('/') and not pathPart.startsWith('.')
-          appAliases = [pathPart].concat(aliasesPart.split(',').map((a) -> a.trim()).filter((a) -> a))
-          continue
-
-      # Try as path first
-      maybe = tryResolveApp(tok)
-      if maybe
-        appPathInput = maybe
-        continue
-
-      # If not a flag and not a path, treat as app name/alias
-      unless isFlag(tok)
-        appAliases.push(tok)
-        continue
-
-    rawFlags.add(tok)
-
-  # Default to current directory if no path specified
-  unless appPathInput
-    cwd = process.cwd()
-    indexRip = join(cwd, 'index.rip')
-    indexTs = join(cwd, 'index.ts')
-    if existsSync(indexRip)
-      appPathInput = indexRip
-    else if existsSync(indexTs)
-      appPathInput = indexTs
-    else
-      appPathInput = cwd
-
-  getKV = (prefix) ->
-    for f as rawFlags
-      return f.slice(prefix.length) if f.startsWith(prefix)
-    undefined
-
-  has = (name) -> rawFlags.has(name)
-
-  { baseDir, entryPath, appName } = resolveAppEntry(appPathInput)
-  appAliases = [appName] if appAliases.length is 0
-
-  # Parse listener tokens
-  tokens = Array.from(rawFlags)
-  bareIntPort = null
-  hasHttpsKeyword = false
-  httpsPortToken = null
-  hasHttpKeyword = false
-  httpPortToken = null
-
-  for t in tokens
-    if /^\d+$/.test(t)
-      bareIntPort = parseInt(t)
-    else if t is 'https'
-      hasHttpsKeyword = true
-    else if t.startsWith('https:')
-      httpsPortToken = coerceInt(t.slice(6), 0)
-    else if t is 'http'
-      hasHttpKeyword = true
-    else if t.startsWith('http:')
-      httpPortToken = coerceInt(t.slice(5), 0)
-
-  httpsIntent = bareIntPort? or hasHttpsKeyword or httpsPortToken?
-  httpIntent = hasHttpKeyword or httpPortToken?
-  httpsIntent = true unless httpsIntent or httpIntent
-
-  httpPort = if httpIntent then (httpPortToken ?? bareIntPort ?? 0) else 0
-  httpsPortDerived = if not httpIntent then (bareIntPort or httpsPortToken or 0) else null
-
-  socketPrefixOverride = getKV('--socket-prefix=')
-  socketPrefix = socketPrefixOverride or "rip_#{appName}"
-
-  cores = cpus().length
-  workers = parseWorkersToken(getKV('w:'), Math.max(1, Math.floor(cores / 2)))
-
-  policy = parseRestartPolicy(
-    getKV('r:'),
-    coerceInt(process.env.RIP_MAX_REQUESTS, 10000),
-    coerceInt(process.env.RIP_MAX_SECONDS, 3600)
-  )
-
-  reload = not (has('--static') or process.env.RIP_STATIC is '1')
-
-  # Environment mode (--env=production, --env=dev, etc.)
-  envValue = getKV('--env=')
-  if envValue
-    normalized = envValue.toLowerCase()
-    _envOverride = switch normalized
-      when 'prod', 'production' then 'production'
-      when 'dev', 'development' then 'development'
-      else normalized
-
-  # Debug mode
-  _debugMode = has('--debug')
-
-  # Watch mode: on by default, --static disables everything
-  watch = getKV('--watch=') or '*.rip'
-
-  httpsPort = do ->
-    kv = getKV('--https-port=')
-    return coerceInt(kv, 443) if kv?
-    httpsPortDerived
-
-  {
-    appPath: resolve(appPathInput)
-    appBaseDir: baseDir
-    appEntry: entryPath
-    appName
-    appAliases
-    workers
-    maxRequestsPerWorker: policy.maxRequests
-    maxSecondsPerWorker: policy.maxSeconds
-    httpPort
-    httpsPort
-    certPath: getKV('--cert=')
-    keyPath: getKV('--key=')
-    hsts: has('--hsts')
-    redirectHttp: not has('--no-redirect-http')
-    reload
-    quiet: has('--quiet')
-    socketPrefix
-    maxQueue: coerceInt(getKV('--max-queue='), coerceInt(process.env.RIP_MAX_QUEUE, 512))
-    queueTimeoutMs: coerceInt(getKV('--queue-timeout-ms='), coerceInt(process.env.RIP_QUEUE_TIMEOUT_MS, 30000))
-    connectTimeoutMs: coerceInt(getKV('--connect-timeout-ms='), coerceInt(process.env.RIP_CONNECT_TIMEOUT_MS, 2000))
-    readTimeoutMs: coerceInt(getKV('--read-timeout-ms='), coerceInt(process.env.RIP_READ_TIMEOUT_MS, 30000))
-    jsonLogging: has('--json-logging')
-    accessLog: not has('--no-access-log')
-    acme: has('--acme')
-    acmeStaging: has('--acme-staging')
-    acmeDomain: getKV('--acme-domain=')
-    realtimePath: getKV('--realtime-path=') or '/realtime'
-    publishSecret: getKV('--publish-secret=') or process.env.RIP_PUBLISH_SECRET or null
-    rateLimit: coerceInt(getKV('--rate-limit='), 0)
-    rateLimitWindow: coerceInt(getKV('--rate-limit-window='), 60000)
-    watch: watch
-  }
+# Edge runtime lifecycle helpers are in edge/runtime.rip
 
 # ==============================================================================
 # Worker Mode
@@ -386,9 +176,9 @@ class Manager
     @appWorkers = new Map()
     @shuttingDown = false
     @lastCheck = 0
-    @currentMtime = 0
-    @isRolling = false
-    @lastRollAt = 0
+    @currentMtimes = new Map()
+    @rollingApps = new Set()
+    @lastRollAt = new Map()
     @nextWorkerId = -1
     @retiringIds = new Set()
     @restartBudgets = new Map()  # slotIndex -> { count, backoffMs }
@@ -397,6 +187,7 @@ class Manager
     @server = null
     @dbUrl = null
     @appWatchers = new Map()
+    @codeWatchers = new Map()
     @defaultAppId = @flags.appName
 
   getWorkers: (appId) ->
@@ -405,79 +196,96 @@ class Manager
       @appWorkers.set(appId, [])
     @appWorkers.get(appId)
 
+  getAppState: (appId) ->
+    @server?.appRegistry?.apps?.get(appId) or null
+
+  allAppStates: ->
+    return [] unless @server?.appRegistry?.apps
+    Array.from(@server.appRegistry.apps.values())
+
+  runSetupForApp: (app) ->
+    setupFile = join(app.config.appBaseDir or dirname(app.config.entry or @flags.appEntry), 'setup.rip')
+    return unless existsSync(setupFile)
+
+    dbUrl = process.env.DB_URL or 'http://localhost:4213'
+    dbAlreadyRunning = try
+      fetch! dbUrl + '/health'
+      true
+    catch
+      false
+    @dbUrl = dbUrl unless dbAlreadyRunning
+
+    setupEnv = Object.assign {}, process.env, app.config.env or {},
+      RIP_SETUP_MODE: '1'
+      RIP_SETUP_FILE: setupFile
+      APP_ID: String(app.appId)
+      APP_ENTRY: app.config.entry or @flags.appEntry
+      APP_BASE_DIR: app.config.appBaseDir or @flags.appBaseDir
+    proc = Bun.spawn ['rip', import.meta.path],
+      stdout: 'inherit'
+      stderr: 'inherit'
+      stdin: 'ignore'
+      cwd: process.cwd()
+      env: setupEnv
+
+    code = await proc.exited
+    if code isnt 0
+      console.error "rip-server: setup exited with code #{code} for app #{app.appId}"
+      exit 1
+
   start: ->
     @stop!
 
-    # Run one-time setup if setup.rip exists next to the entry file
-    setupFile = join(dirname(@flags.appEntry), 'setup.rip')
-    if existsSync(setupFile)
-      # Check reachability before setup — determines if WE will start the DB
-      dbUrl = process.env.DB_URL or 'http://localhost:4213'
-      dbAlreadyRunning = try
-        fetch! dbUrl + '/health'
-        true
-      catch
-        false
-      @dbUrl = dbUrl unless dbAlreadyRunning
-
-      setupEnv = Object.assign {}, process.env,
-        RIP_SETUP_MODE: '1'
-        RIP_SETUP_FILE: setupFile
-      proc = Bun.spawn ['rip', import.meta.path],
-        stdout: 'inherit'
-        stderr: 'inherit'
-        stdin: 'ignore'
-        cwd: process.cwd()
-        env: setupEnv
-
-      code = await proc.exited
-      if code isnt 0
-        console.error "rip-server: setup exited with code #{code}"
-        exit 1
-
-    workers = @getWorkers()
-    workers.length = 0
-    for i in [0...@flags.workers]
-      w = @spawnWorker!(@currentVersion)
-      workers.push(w)
+    for app in @allAppStates()
+      @runSetupForApp!(app) if app.config.entry
+
+    for app in @allAppStates()
+      workers = @getWorkers(app.appId)
+      workers.length = 0
+      desiredWorkers = app.config.workers or @flags.workers
+      for i in [0...desiredWorkers]
+        w = @spawnWorker!(app.appId, @currentVersion)
+        workers.push(w)
 
     if @flags.reload
-      @currentMtime = @getEntryMtime()
+      for app in @allAppStates()
+        @currentMtimes.set(app.appId, @getEntryMtime(app.appId))
+
       interval = setInterval =>
         return clearInterval(interval) if @shuttingDown
         now = Date.now()
         return if now - @lastCheck < 100
         @lastCheck = now
-        mt = @getEntryMtime()
-        if mt > @currentMtime
-          return if @isRolling or (now - @lastRollAt) < 200
-          @currentMtime = mt
-          @isRolling = true
-          @lastRollAt = now
-          @rollingRestart().finally => @isRolling = false
+        for app in @allAppStates()
+          appId = app.appId
+          mt = @getEntryMtime(appId)
+          previous = @currentMtimes.get(appId) or 0
+          if mt > previous
+            continue if @rollingApps.has(appId)
+            continue if now - (@lastRollAt.get(appId) or 0) < 200
+            @currentMtimes.set(appId, mt)
+            @rollingApps.add(appId)
+            @lastRollAt.set(appId, now)
+            @rollingRestart(appId).finally => @rollingApps.delete(appId)
       , 50
 
-      # Watch files in app directory (on by default, --static disables)
+      # Watch files in each app directory (on by default, --static disables)
       if @flags.watch
-        entryFile = @flags.appEntry
-        entryBase = basename(entryFile)
-        watchExt = if @flags.watch.startsWith('*.') then @flags.watch.slice(1) else null
-        try
-          watch @flags.appBaseDir, { recursive: true }, (event, filename) =>
-            return unless filename
-            if watchExt
-              return unless filename.endsWith(watchExt)
-            else
-              return unless filename is @flags.watch or filename.endsWith("/#{@flags.watch}")
-            return if filename is entryBase
-            # Touch entry file to trigger rolling restart
-            try
-              now = new Date()
-              utimesSync(entryFile, now, now)
-            catch
-              null
-        catch e
-          warn "rip-server: directory watch failed: #{e.message}"
+        for app in @allAppStates()
+          continue unless app.config.entry and app.config.appBaseDir
+          entryFile = app.config.entry
+          entryBase = basename(entryFile)
+          try
+            watcher = watch app.config.appBaseDir, { recursive: true }, (event, filename) =>
+              return unless shouldTriggerCodeReload(filename, @flags.watch, entryBase)
+              try
+                now = new Date()
+                utimesSync(entryFile, now, now)
+              catch
+                null
+            @codeWatchers.set(app.appId, watcher)
+          catch e
+            warn "rip-server: directory watch failed for #{app.appId}: #{e.message}"
 
   stop: ->
     for [appId, workers] as @appWorkers
@@ -492,13 +300,17 @@ class Manager
       for watcher in (entry.watchers or [])
         try watcher.close()
     @appWatchers.clear()
+    for [appId, watcher] as @codeWatchers
+      try watcher.close()
+    @codeWatchers.clear()
 
   watchDirs: (prefix, dirs) ->
     registerAppWatchDirs(@appWatchers, prefix, dirs, @server, (-> process.cwd()))
 
-  spawnWorker: (version) ->
+  spawnWorker: (appId, version) ->
     workerId = ++@nextWorkerId
-    tracked = spawnTrackedWorker(@flags, workerId, (version or @currentVersion), nowMs, import.meta.path, @defaultAppId)
+    app = @getAppState(appId) or { appId: appId, config: {} }
+    tracked = spawnTrackedWorker(@flags, workerId, (version or @currentVersion), nowMs, import.meta.path, appId, app.config)
     @monitor(tracked)
     tracked
 
@@ -507,7 +319,7 @@ class Manager
     w.process.exited.then =>
       return if @shuttingDown
       return if @retiringIds.has(w.id)
-      if @isRolling
+      if @rollingApps.has(w.appId)
         @deferredDeaths.add(w.id)
         return
 
@@ -515,7 +327,7 @@ class Manager
       postWorkerQuit(@flags.socketPrefix, w.id)
 
       # Track restart budget by slot (survives worker replacement)
-      workers = @getWorkers()
+      workers = @getWorkers(w.appId)
       slotIdx = workers.findIndex((x) -> x.id is w.id)
       return if slotIdx < 0
 
@@ -536,73 +348,69 @@ class Manager
       @server?.metrics and @server.metrics.workerRestarts++
       logEvent('worker_restart', { workerId: w.id, slot: slotIdx, attempt: budget.count, backoffMs: budget.backoffMs })
       setTimeout =>
-        workers[slotIdx] = @spawnWorker(@currentVersion) if slotIdx < workers.length
+        workers[slotIdx] = @spawnWorker(w.appId, @currentVersion) if slotIdx < workers.length
       , budget.backoffMs
 
   waitWorkerReady: (socketPath, timeoutMs = 5000) ->
     waitForWorkerReady(socketPath, timeoutMs)
 
-  rollingRestart: ->
-    workers = @getWorkers()
-    olds = [...workers]
-    pairs = []
+  rollingRestart: (appId = null) ->
+    apps = if appId then [@getAppState(appId)].filter(Boolean) else @allAppStates()
     nextVersion = @currentVersion + 1
 
-    for oldWorker in olds
-      replacement = @spawnWorker!(nextVersion)
-      workers.push(replacement)
-      pairs.push({ old: oldWorker, replacement })
-
-    # Wait for all replacements and check readiness
-    readyResults = Promise.all!(pairs.map((p) => @waitWorkerReady(p.replacement.socketPath, 3000)))
-
-    # Check if all replacements are ready
-    allReady = readyResults.every((ready) -> ready)
-    unless allReady
-      console.error "[manager] Rolling restart aborted: not all new workers ready"
-      # Kill failed replacements and keep old workers
-      for pair, i in pairs
-        unless readyResults[i]
-          try pair.replacement.process.kill()
-          idx = workers.indexOf(pair.replacement)
-          workers.splice(idx, 1) if idx >= 0
-      # Reconcile deferred deaths on rollback too
-      if @deferredDeaths.size > 0
-        for deadId as @deferredDeaths
-          idx = workers.findIndex((x) -> x.id is deadId)
-          workers[idx] = @spawnWorker(@currentVersion) if idx >= 0
-        @deferredDeaths.clear()
-      return
+    for app in apps
+      workers = @getWorkers(app.appId)
+      olds = [...workers]
+      pairs = []
+
+      for oldWorker in olds
+        replacement = @spawnWorker!(app.appId, nextVersion)
+        workers.push(replacement)
+        pairs.push({ old: oldWorker, replacement })
+
+      readyResults = Promise.all!(pairs.map((p) => @waitWorkerReady(p.replacement.socketPath, 3000)))
+      allReady = readyResults.every((ready) -> ready)
+      unless allReady
+        console.error "[manager] Rolling restart aborted: not all new workers ready for app #{app.appId}"
+        for pair, i in pairs
+          unless readyResults[i]
+            try pair.replacement.process.kill()
+            idx = workers.indexOf(pair.replacement)
+            workers.splice(idx, 1) if idx >= 0
+        if @deferredDeaths.size > 0
+          for deadId as @deferredDeaths
+            idx = workers.findIndex((x) -> x.id is deadId)
+            workers[idx] = @spawnWorker(app.appId, @currentVersion) if idx >= 0
+          @deferredDeaths.clear()
+        return
 
-    # All verified — now atomically promote the version
-    @currentVersion = nextVersion
+      @currentVersion = nextVersion
 
-    # All ready - retire old workers
-    for { old } in pairs
-      @retiringIds.add(old.id)
-      try old.process.kill()
+      for { old } in pairs
+        @retiringIds.add(old.id)
+        try old.process.kill()
 
-    Promise.all!(pairs.map(({ old }) -> old.process.exited.catch(-> null)))
+      Promise.all!(pairs.map(({ old }) -> old.process.exited.catch(-> null)))
 
-    # Notify server to remove old workers' socket entries
-    for { old } in pairs
-      postWorkerQuit(@flags.socketPrefix, old.id)
+      for { old } in pairs
+        postWorkerQuit(@flags.socketPrefix, old.id)
 
-    retiring = new Set(pairs.map((p) -> p.old.id))
-    filtered = workers.filter((w) -> not retiring.has(w.id))
-    workers.length = 0
-    workers.push(...filtered)
-    @retiringIds.delete(id) for id as retiring
+      retiring = new Set(pairs.map((p) -> p.old.id))
+      filtered = workers.filter((w) -> not retiring.has(w.id))
+      workers.length = 0
+      workers.push(...filtered)
+      @retiringIds.delete(id) for id as retiring
 
-    # Reconcile any workers that died during the roll
-    if @deferredDeaths.size > 0
-      for deadId as @deferredDeaths
-        idx = workers.findIndex((x) -> x.id is deadId)
-        workers[idx] = @spawnWorker(@currentVersion) if idx >= 0
-      @deferredDeaths.clear()
+      if @deferredDeaths.size > 0
+        for deadId as @deferredDeaths
+          idx = workers.findIndex((x) -> x.id is deadId)
+          workers[idx] = @spawnWorker(app.appId, @currentVersion) if idx >= 0
+        @deferredDeaths.clear()
 
-  getEntryMtime: ->
-    try statSync(@flags.appEntry).mtimeMs catch then 0
+  getEntryMtime: (appId = null) ->
+    app = @getAppState(appId or @defaultAppId)
+    entry = app?.config?.entry or @flags.appEntry
+    try statSync(entry).mtimeMs catch then 0
 
 # ==============================================================================
 # Server Class
@@ -612,10 +420,16 @@ class Server
   constructor: (@flags) ->
     @server = null
     @httpsServer = null
+    @internalHttpsServer = null
     @control = null
     @urls = []
     @startedAt = nowMs()
     @httpsActive = false
+    @streamListenersDeferred = false
+    @tlsMaterial = null
+    @multiplexerPorts =
+      publicHttpsPort: null
+      internalHttpsPort: null
     @appRegistry = createAppRegistry()
     @defaultAppId = @flags.appName
     @challengeStore = createChallengeStore()
@@ -626,6 +440,15 @@ class Server
     @mdnsProcesses = new Map()
     @watchGroups = new Map()
     @manager = null
+    @configuredAppIds = new Set()
+    @edgeRuntime = createEdgeRuntime()
+    @retiredEdgeRuntimes = []
+    @streamRuntime = createStreamRuntime()
+    @retiredStreamRuntimes = []
+    @reloadAttemptSeq = 0
+    @configInfo = @edgeRuntime.configInfo
+    @configInfo.reloadHistory = []
+    @configInfo.lastReload = null
     try
       pkg = JSON.parse(readFileSync(import.meta.dir + '/package.json', 'utf8'))
       @serverVersion = pkg.version
@@ -644,44 +467,426 @@ class Server
       appHosts.push(host)
     appHosts.push("#{@flags.appName}.ripdev.io")
     registerApp(@appRegistry, @defaultAppId,
+      entry: @flags.appEntry
+      appBaseDir: @flags.appBaseDir
       hosts: appHosts
+      workers: @flags.workers
       maxQueue: @flags.maxQueue
       queueTimeoutMs: @flags.queueTimeoutMs
       readTimeoutMs: @flags.readTimeoutMs
+      env: {}
     )
 
-  start: ->
-    httpOnly = @flags.httpsPort is null
+  clearConfiguredApps: ->
+    for appId in @configuredAppIds
+      removeApp(@appRegistry, appId)
+    @configuredAppIds.clear()
+
+  retainEdgeRuntime: (runtime) ->
+    runtime.inflight++
+    runtime
+
+  releaseEdgeRuntime: (runtime) ->
+    runtime.inflight = Math.max(0, runtime.inflight - 1)
+    @cleanupRetiredEdgeRuntimes()
+
+  retainEdgeRuntimeWs: (runtime) ->
+    runtime.wsConnections++
+    runtime
+
+  releaseEdgeRuntimeWs: (runtime) ->
+    runtime.wsConnections = Math.max(0, runtime.wsConnections - 1)
+    @cleanupRetiredEdgeRuntimes()
+
+  retainStreamRuntime: (runtime) ->
+    runtime.inflight++
+    runtime
+
+  releaseStreamRuntime: (runtime) ->
+    runtime.inflight = Math.max(0, runtime.inflight - 1)
+    @cleanupRetiredStreamRuntimes()
+
+  cleanupRetiredEdgeRuntimes: ->
+    keep = []
+    for runtime in @retiredEdgeRuntimes
+      if runtime.inflight > 0 or runtime.wsConnections > 0
+        keep.push(runtime)
+      else
+        stopHealthChecks(runtime.upstreamPool)
+    @retiredEdgeRuntimes = keep
+
+  cleanupRetiredStreamRuntimes: ->
+    keep = []
+    for runtime in @retiredStreamRuntimes
+      if runtime.inflight > 0
+        keep.push(runtime)
+      else
+        stopStreamListeners(runtime, true)
+    @retiredStreamRuntimes = keep
+
+  appendReloadHistory: (entry) ->
+    history = [entry].concat(@configInfo.reloadHistory or [])
+    history.length = Math.min(history.length, 10)
+    @configInfo = Object.assign({}, @configInfo,
+      lastReload: entry
+      reloadHistory: history
+    )
+    @edgeRuntime.configInfo = @configInfo if @edgeRuntime?.configInfo
+
+  nextReloadAttemptId: ->
+    @reloadAttemptSeq++
+    "reload-#{@reloadAttemptSeq}"
+
+  verifyEdgeRuntime: (runtime, loaded) ->
+    return buildVerificationResult(true) unless runtime?.configInfo?.kind is 'edge'
+    verifyRouteRuntime(runtime, @appRegistry, @defaultAppId, getUpstream, checkTargetHealth, getAppState, runtime.verifyPolicy or runtime.configInfo.verifyPolicy or {})
+
+  buildEdgeRuntime: (loaded) ->
+    return createEdgeRuntime() unless loaded?.source?.kind is 'edge'
+    upstreamPool = createUpstreamPool()
+    for upstreamId, upstreamConfig of (loaded.normalized.upstreams or {})
+      addUpstream(upstreamPool, upstreamId, upstreamConfig)
+    routeTable = compileRouteTable(loaded.normalized.routes or [], loaded.normalized.sites or {})
+    configInfo =
+      kind: loaded.source.kind
+      path: loaded.summary.path
+      version: loaded.summary.version
+      counts: loaded.summary.counts
+      lastResult: 'loaded'
+      loadedAt: new Date().toISOString()
+      note: configNote(loaded)
+      lastError: null
+      lastErrorCode: null
+      lastErrorDetails: null
+      rolledBackFrom: null
+      verifyPolicy: loaded.normalized.edge?.verify or null
+      certs: loaded.normalized.certs or null
+      activeRouteDescriptions: (routeTable.routes or []).map(describeRoute).filter(Boolean)
+      lastReload: @configInfo?.lastReload or null
+      reloadHistory: @configInfo?.reloadHistory or []
+    runtime = createEdgeRuntime(configInfo, upstreamPool, routeTable)
+    startHealthChecks(runtime.upstreamPool)
+    runtime
+
+  buildStreamRuntimeForConfig: (loaded) ->
+    return createStreamRuntime() unless loaded?.source?.kind is 'edge'
+    buildStreamRuntime(loaded.normalized)
+
+  startAppServerOnPort: (p, opts = {}) ->
     fetchFn = @fetch.bind(@)
     wsOpts = @buildWebSocketHandlers()
+    port = p
+    while port < p + 100
+      try
+        return Bun.serve(Object.assign({ port, idleTimeout: 0, fetch: fetchFn }, wsOpts, opts))
+      catch e
+        if e?.code is 'EACCES' and port < 1024
+          port = if opts.tls then 3443 else 3000
+          p = port
+          continue
+        throw e unless e?.code is 'EADDRINUSE'
+        port++
+    throw new Error "No available port found (tried #{p}–#{p + 99})"
+
+  captureHttpsMode: ->
+    {
+      useInternal: Boolean(@internalHttpsServer)
+      publicHttpsPort: @flags.httpsPort or null
+    }
+
+  shouldUseInternalHttps: (runtime, publicHttpsPort = @flags.httpsPort or null) ->
+    return false unless @tlsMaterial and publicHttpsPort?
+    streamUsesListenPort(runtime, publicHttpsPort)
+
+  applyHttpsMode: (useInternal, publicHttpsPort = @flags.httpsPort or null) ->
+    return unless @tlsMaterial and publicHttpsPort?
+    if useInternal
+      try @httpsServer?.stop()
+      @httpsServer = null
+      unless @internalHttpsServer
+        fetchFn = @fetch.bind(@)
+        wsOpts = @buildWebSocketHandlers()
+        @internalHttpsServer = Bun.serve(Object.assign(
+          { hostname: '127.0.0.1', port: 0, idleTimeout: 0, fetch: fetchFn }
+          wsOpts
+          { tls: @tlsMaterial }
+        ))
+      @httpsActive = true
+      @flags.httpsPort = publicHttpsPort
+      @multiplexerPorts =
+        publicHttpsPort: publicHttpsPort
+        internalHttpsPort: @internalHttpsServer.port
+      return
 
-    # Helper to start server, trying the given port first, then incrementing.
-    # Falls back to unprivileged range (3000 for HTTP, 3443 for HTTPS) if
-    # the initial port fails due to permission denied (EACCES).
-    startOnPort = (p, opts = {}) =>
-      port = p
-      while port < p + 100
-        try
-          return Bun.serve(Object.assign({ port, idleTimeout: 0, fetch: fetchFn }, wsOpts, opts))
-        catch e
-          if e?.code is 'EACCES' and port < 1024
-            port = if opts.tls then 3443 else 3000
-            p = port
-            continue
-          throw e unless e?.code is 'EADDRINUSE'
-          port++
-      throw new Error "No available port found (tried #{p}–#{p + 99})"
+    try @internalHttpsServer?.stop()
+    @internalHttpsServer = null
+    unless @httpsServer?.port is publicHttpsPort
+      try @httpsServer?.stop()
+      @httpsServer = @startAppServerOnPort(publicHttpsPort, { tls: @tlsMaterial })
+    @httpsActive = true
+    @flags.httpsPort = @httpsServer.port
+    @multiplexerPorts =
+      publicHttpsPort: @httpsServer.port
+      internalHttpsPort: null
+
+  restoreHttpsMode: (snapshot) ->
+    return unless snapshot?.publicHttpsPort?
+    @applyHttpsMode(snapshot.useInternal is true, snapshot.publicHttpsPort)
+
+  buildStreamListenerOptions: ->
+    options =
+      hostname: '0.0.0.0'
+      onConnectionOpen: @retainStreamRuntime.bind(@)
+      onConnectionClose: @releaseStreamRuntime.bind(@)
+    if @internalHttpsServer and @flags.httpsPort?
+      fallback = {}
+      fallback[@flags.httpsPort] =
+        hostname: '127.0.0.1'
+        port: @internalHttpsServer.port
+      options.httpFallback = fallback
+    options
+
+  startActiveStreamListeners: ->
+    startStreamListeners(@streamRuntime, @buildStreamListenerOptions())
+    @streamListenersDeferred = false
+
+  activateEdgeRuntime: (runtime) ->
+    return unless runtime
+    oldRuntime = @edgeRuntime
+    @edgeRuntime = runtime
+    @configInfo = runtime.configInfo
+    if oldRuntime and oldRuntime isnt runtime
+      oldRuntime.retiredAt = new Date().toISOString()
+      @retiredEdgeRuntimes.push(oldRuntime)
+      @cleanupRetiredEdgeRuntimes()
+    oldRuntime
+
+  activateStreamRuntime: (runtime, options = {}) ->
+    return unless runtime
+    oldRuntime = @streamRuntime
+    httpsSnapshot = @captureHttpsMode()
+    if oldRuntime and oldRuntime isnt runtime
+      stopStreamListeners(oldRuntime, false)
+      oldRuntime.retiredAt = new Date().toISOString()
+    try
+      unless options.deferListeners is true
+        @applyHttpsMode(@shouldUseInternalHttps(runtime, httpsSnapshot.publicHttpsPort), httpsSnapshot.publicHttpsPort) if @tlsMaterial and httpsSnapshot.publicHttpsPort?
+        startStreamListeners(runtime, @buildStreamListenerOptions())
+        @streamListenersDeferred = false
+      else
+        @streamListenersDeferred = true
+    catch err
+      @restoreHttpsMode(httpsSnapshot) if @tlsMaterial and httpsSnapshot.publicHttpsPort?
+      if oldRuntime and oldRuntime isnt runtime
+        startStreamListeners(oldRuntime, @buildStreamListenerOptions()) unless oldRuntime.listeners.size > 0
+        oldRuntime.retiredAt = null
+      throw err
+    @streamRuntime = runtime
+    if oldRuntime and oldRuntime isnt runtime
+      @retiredStreamRuntimes.push(oldRuntime)
+      @cleanupRetiredStreamRuntimes()
+    oldRuntime
+
+  rollbackEdgeRuntime: (oldRuntime, failedRuntime, snapshot, verification) ->
+    restoreRegistrySnapshot(@appRegistry, snapshot)
+    @configuredAppIds = new Set(snapshot.configured)
+
+    stopHealthChecks(failedRuntime.upstreamPool)
+    @retiredEdgeRuntimes = @retiredEdgeRuntimes.filter((runtime) -> runtime isnt oldRuntime and runtime isnt failedRuntime)
+    if oldRuntime
+      oldRuntime.retiredAt = null
+      @edgeRuntime = oldRuntime
+      @configInfo = Object.assign({}, oldRuntime.configInfo,
+        lastResult: 'rolled_back'
+        lastError: verification.message
+        lastErrorCode: verification.code
+        lastErrorDetails: verification.details or null
+        rolledBackFrom: failedRuntime?.configInfo?.path or null
+        loadedAt: new Date().toISOString()
+      )
+    failedRuntime.retiredAt = new Date().toISOString()
+    failedRuntime.configInfo = Object.assign({}, failedRuntime.configInfo,
+      lastResult: 'rolled_back'
+      lastError: verification.message
+      lastErrorCode: verification.code
+      lastErrorDetails: verification.details or null
+    )
+    @retiredEdgeRuntimes.push(failedRuntime)
+    @cleanupRetiredEdgeRuntimes()
+
+  rollbackStreamRuntime: (oldRuntime, failedRuntime) ->
+    stopStreamListeners(failedRuntime, true)
+    @retiredStreamRuntimes = @retiredStreamRuntimes.filter((runtime) -> runtime isnt oldRuntime and runtime isnt failedRuntime)
+    if oldRuntime
+      oldRuntime.retiredAt = null
+      @applyHttpsMode(@shouldUseInternalHttps(oldRuntime), @flags.httpsPort) if @tlsMaterial and @flags.httpsPort?
+      startStreamListeners(oldRuntime, @buildStreamListenerOptions()) unless oldRuntime.listeners.size > 0
+      @streamRuntime = oldRuntime
+    @cleanupRetiredStreamRuntimes()
+
+  reloadRuntimeConfig: (flags, source = 'startup', verifyAfterActivate = false) ->
+    attemptId = @nextReloadAttemptId()
+    oldVersion = @configInfo?.version or null
+    try
+      loaded = loadRuntimeConfig!(flags)
+      applied = @applyRuntimeConfig(loaded,
+        source: source
+        verifyAfterActivate: verifyAfterActivate
+      )
+      newVersion = @configInfo?.version or null
+      result = if applied then (@configInfo?.lastResult or 'loaded') else 'rejected'
+      reason = if applied then null else (@configInfo?.lastError or 'rejected')
+      code = if applied then null else (@configInfo?.lastErrorCode or null)
+      details = if applied then null else (@configInfo?.lastErrorDetails or null)
+      entry = createReloadHistoryEntry(attemptId, source, oldVersion, newVersion, result, reason, code, details)
+      @appendReloadHistory(entry)
+      if loaded and not flags.quiet
+        label = if loaded.source.kind is 'edge' then 'Edgefile.rip' else 'config.rip'
+        p "rip-server: loaded #{label} with #{loaded.summary.counts.apps} app(s), #{loaded.summary.counts.upstreams} upstream(s), #{loaded.summary.counts.routes} route(s)"
+        p "rip-server: note: #{@configInfo.note}" if @configInfo.note
+      logEvent('config_loaded',
+        id: attemptId
+        source: source
+        kind: @configInfo.kind
+        path: @configInfo.path
+        oldVersion: oldVersion
+        newVersion: newVersion
+        result: result
+        reason: reason
+        code: code
+        apps: @configInfo.counts.apps
+        upstreams: @configInfo.counts.upstreams
+        routes: @configInfo.counts.routes
+        sites: @configInfo.counts.sites
+      ) if loaded or source isnt 'startup'
+      {
+        ok: applied
+        id: attemptId
+        source: source
+        result: result
+        reason: reason
+        code: code
+        details: details
+        oldVersion: oldVersion
+        newVersion: newVersion
+      }
+    catch e
+      @configInfo = Object.assign({}, @configInfo,
+        lastResult: 'rejected'
+        loadedAt: new Date().toISOString()
+        lastError: e.message or String(e)
+        lastErrorCode: 'reload_exception'
+        lastErrorDetails: null
+      )
+      entry = createReloadHistoryEntry(attemptId, source, oldVersion, @configInfo?.version or null, 'rejected', e.message or String(e), 'reload_exception', null)
+      @appendReloadHistory(entry)
+      if e.validationErrors
+        label = if flags.edgefilePath or findEdgeFile(flags.appEntry) then 'Edgefile.rip' else 'config.rip'
+        console.error formatConfigErrors(label, e.validationErrors)
+      else
+        console.error "rip-server: failed to load active config: #{e.message or e}"
+      logEvent('config_loaded',
+        id: attemptId
+        source: source
+        kind: @configInfo.kind
+        path: @configInfo.path
+        oldVersion: oldVersion
+        newVersion: @configInfo?.version or null
+        result: 'rejected'
+        reason: e.message or String(e)
+        code: 'reload_exception'
+      )
+      {
+        ok: false
+        id: attemptId
+        source: source
+        result: 'rejected'
+        reason: e.message or String(e)
+        code: 'reload_exception'
+        details: null
+        oldVersion: oldVersion
+        newVersion: @configInfo?.version or null
+      }
+
+  applyRuntimeConfig: (loaded, options = {}) ->
+    source = options.source or 'startup'
+    verifyAfterActivate = options.verifyAfterActivate is true
+    snapshot =
+      apps: new Map(@appRegistry.apps)
+      hostIndex: new Map(@appRegistry.hostIndex)
+      wildcardIndex: new Map(@appRegistry.wildcardIndex)
+      configured: new Set(@configuredAppIds)
+    oldRuntime = @edgeRuntime
+    oldStreamRuntime = @streamRuntime
+    stagedRuntime = @buildEdgeRuntime(loaded)
+    stagedStreamRuntime = @buildStreamRuntimeForConfig(loaded)
+
+    @clearConfiguredApps()
+    unless loaded
+      @activateEdgeRuntime(stagedRuntime)
+      @activateStreamRuntime(stagedStreamRuntime, deferListeners: source is 'startup')
+      return
+
+    baseDir = dirname(loaded.source.path)
+    try
+      registered = if loaded.source.kind is 'edge'
+        applyEdgeConfig(loaded.normalized, @appRegistry, registerApp, baseDir)
+      else
+        applyConfig(loaded.normalized, @appRegistry, registerApp, baseDir)
+      for app in registered
+        @configuredAppIds.add(app.id) unless app.id is @defaultAppId
+      oldRuntime = @activateEdgeRuntime(stagedRuntime)
+      oldStreamRuntime = @activateStreamRuntime(stagedStreamRuntime, deferListeners: source is 'startup')
+      if verifyAfterActivate
+        result = @verifyEdgeRuntime!(stagedRuntime, loaded)
+        unless result.ok
+          @rollbackEdgeRuntime(oldRuntime, stagedRuntime, snapshot, result)
+          @rollbackStreamRuntime(oldStreamRuntime, stagedStreamRuntime)
+          logEvent('config_rollback',
+            source: source
+            oldVersion: oldRuntime?.configInfo?.version
+            newVersion: stagedRuntime?.configInfo?.version
+            reason: result.message
+            code: result.code
+          )
+          return false
+        @configInfo = Object.assign({}, @configInfo,
+          lastResult: 'applied'
+          lastError: null
+          lastErrorCode: null
+          lastErrorDetails: null
+          rolledBackFrom: null
+          loadedAt: new Date().toISOString()
+        )
+        @edgeRuntime.configInfo = @configInfo
+        logEvent('config_activated',
+          source: source
+          oldVersion: oldRuntime?.configInfo?.version
+          newVersion: stagedRuntime?.configInfo?.version
+          result: 'applied'
+        )
+      true
+    catch err
+      stopHealthChecks(stagedRuntime.upstreamPool)
+      stopStreamListeners(stagedStreamRuntime, true)
+      restoreRegistrySnapshot(@appRegistry, snapshot)
+      @configuredAppIds = new Set(snapshot.configured)
+      throw err
+
+  start: ->
+    httpOnly = @flags.httpsPort is null
 
     if httpOnly
-      @server = startOnPort(@flags.httpPort or 80)
+      @server = @startAppServerOnPort(@flags.httpPort or 80)
       @flags.httpPort = @server.port
     else
-      tls = @loadTlsMaterial!
-      @httpsServer = startOnPort(@flags.httpsPort or 443, { tls })
-
-      httpsPort = @httpsServer.port
-      @flags.httpsPort = httpsPort
-      @httpsActive = true
+      @tlsMaterial = @loadTlsMaterial!
+      if @edgeRuntime?.configInfo?.certs and Object.keys(@edgeRuntime.configInfo.certs).length > 0
+        @tlsMaterial = buildTlsArray(@tlsMaterial, @edgeRuntime.configInfo.certs)
+      publicHttpsPort = @flags.httpsPort or 443
+      @applyHttpsMode(@shouldUseInternalHttps(@streamRuntime, publicHttpsPort), publicHttpsPort)
+      httpsPort = @flags.httpsPort
+      @streamListenersDeferred = true if @internalHttpsServer and @streamRuntime.listeners.size is 0
 
       if @flags.redirectHttp or @flags.acme or @flags.acmeStaging
         challengeStore = @challengeStore
@@ -701,6 +906,8 @@ class Server
 
       @flags.httpPort = if @server then @server.port else 0
 
+    @startActiveStreamListeners() if @streamListenersDeferred or @streamRuntime.listeners.size is 0
+
     @startControl!
 
     # Periodic queue timeout sweep — expire queued requests even when no workers are available
@@ -714,6 +921,10 @@ class Server
     , 1000
 
   stop: ->
+    stopHealthChecks(@edgeRuntime.upstreamPool)
+    stopHealthChecks(runtime.upstreamPool) for runtime in @retiredEdgeRuntimes
+    stopStreamListeners(@streamRuntime, true)
+    stopStreamListeners(runtime, true) for runtime in @retiredStreamRuntimes
     clearInterval(@queueSweepTimer) if @queueSweepTimer
     logEvent('server_stop', { uptime: Math.floor((nowMs() - @startedAt) / 1000) })
     # Drain all per-app queues — resolve pending requests with 503
@@ -725,10 +936,97 @@ class Server
     # Stop listeners with graceful drain
     try @server?.stop()
     try @httpsServer?.stop()
+    try @internalHttpsServer?.stop()
     try @control?.stop()
 
     controlStopMdnsAdvertisements(@mdnsProcesses)
 
+  proxyRouteToUpstream: (req, route, requestId, clientIp, runtime) ->
+    upstream = getUpstream(runtime.upstreamPool, route.upstream)
+    return serviceUnavailableResponse() unless upstream
+
+    attempt = 1
+    start = performance.now()
+
+    while attempt <= upstream.retry.attempts
+      target = selectTarget(upstream, runtime.upstreamPool.nowFn)
+      return serviceUnavailableResponse() unless target
+
+      markTargetBusy(target)
+      workerSeconds = 0
+      res = null
+      success = false
+
+      try
+        t0 = performance.now()
+        timeoutMs = route.timeouts?.readMs or upstream.timeouts?.readMs or @flags.readTimeoutMs
+        res = proxyToUpstream!(req, target.url,
+          timeoutMs: timeoutMs
+          clientIp: clientIp
+        )
+        workerSeconds = (performance.now() - t0) / 1000
+        success = res.status < 500
+      catch err
+        console.error "[server] proxyRouteToUpstream error:", err.message or err if isDebug()
+        res = serviceUnavailableResponse()
+      finally
+        releaseTarget(target, workerSeconds * 1000, success, runtime.upstreamPool)
+
+      if res and shouldRetryUpstream(upstream.retry, req.method, res.status, false) and attempt < upstream.retry.attempts
+        delayMs = computeRetryDelayMs(upstream.retry, attempt, runtime.upstreamPool.randomFn)
+        await new Promise (r) -> setTimeout(r, delayMs)
+        attempt++
+        continue
+
+      totalSeconds = (performance.now() - start) / 1000
+      @metrics.forwarded++
+      @metrics.recordLatency(totalSeconds)
+      @metrics.recordStatus(res.status)
+      response = buildUpstreamResponse(
+        res,
+        req,
+        totalSeconds,
+        workerSeconds,
+        @maybeAddSecurityHeaders.bind(@),
+        @logAccess.bind(@),
+        stripInternalHeaders
+      )
+      response.headers.set('X-Request-Id', requestId) if requestId
+      response.headers.set('X-Rip-Route', route.id) if route.id
+      return response
+
+    serviceUnavailableResponse()
+
+  upgradeProxyWebSocket: (req, bunServer, route, requestId, runtime) ->
+    upstream = getUpstream(runtime.upstreamPool, route.upstream)
+    return new Response('Service unavailable', { status: 503 }) unless upstream
+    target = selectTarget(upstream, runtime.upstreamPool.nowFn)
+    return new Response('Service unavailable', { status: 503 }) unless target
+
+    inUrl = new URL(req.url)
+    protocols = (req.headers.get('sec-websocket-protocol') or '')
+      .split(',')
+      .map((p) -> p.trim())
+      .filter(Boolean)
+
+    markTargetBusy(target)
+    data =
+      kind: 'edge-proxy'
+      runtime: runtime
+      requestId: requestId
+      routeId: route.id
+      upstreamTarget: target
+      upstreamUrl: toUpstreamWsUrl(target.url, inUrl.pathname, inUrl.search)
+      protocols: protocols
+      passthrough: null
+      released: false
+
+    if bunServer.upgrade(req, { data })
+      return
+
+    releaseTarget(target, 0, false, runtime.upstreamPool)
+    new Response('WebSocket upgrade failed', { status: 400 })
+
   fetch: (req, bunServer) ->
     url = new URL(req.url)
     host = url.hostname.toLowerCase()
@@ -741,19 +1039,13 @@ class Server
     if host is 'rip.local' and url.pathname in ['/', '']
       return new Response Bun.file(import.meta.dir + '/server.html')
 
-    # Resolve host to app — all routes below require a valid host
-    appId = resolveHost(@appRegistry, host)
-    return new Response('Host not found', { status: 404 }) unless appId
-    app = getAppState(@appRegistry, appId)
-    return new Response('Host not found', { status: 404 }) unless app
-
     # Rate limiting — applied early, covers all endpoints
+    clientIp = bunServer?.requestIP?(req)?.address or '127.0.0.1'
     if @rateLimiter.maxRequests > 0
-      clientIp = bunServer?.requestIP?(req)?.address or '127.0.0.1'
       { allowed, retryAfter } = @rateLimiter.check(clientIp)
       return rateLimitResponse(retryAfter) unless allowed
 
-    # Built-in endpoints (require valid host)
+    # Built-in endpoints
     return @status() if url.pathname is '/status'
     return @diagnostics() if url.pathname is '/diagnostics'
 
@@ -793,6 +1085,30 @@ class Server
     # Assign request ID for tracing
     requestId = req.headers.get('x-request-id') or generateRequestId()
 
+    # Edge route table — upstream proxy routes can handle hosts outside the managed app registry
+    runtime = @edgeRuntime
+    matchedRoute = matchRoute(runtime.routeTable, host, url.pathname, req.method)
+    if matchedRoute?.upstream and matchedRoute.websocket and bunServer
+      return @upgradeProxyWebSocket(req, bunServer, matchedRoute, requestId, runtime)
+    if matchedRoute?.upstream
+      @retainEdgeRuntime(runtime)
+      try
+        return @proxyRouteToUpstream!(req, matchedRoute, requestId, clientIp, runtime)
+      finally
+        @releaseEdgeRuntime(runtime)
+    if matchedRoute?.static
+      return serveStaticRoute(req, url, matchedRoute)
+    if matchedRoute?.redirect
+      return buildRedirectResponse(req, url, matchedRoute)
+
+    # Resolve host to app — app traffic falls back to the managed worker registry
+    appId = matchedRoute?.app or resolveHost(@appRegistry, host)
+    return new Response('Host not found', { status: 404 }) unless appId
+    app = getAppState(@appRegistry, appId)
+    return new Response('Host not found', { status: 404 }) unless app
+
+    @retainEdgeRuntime(runtime) if matchedRoute?.app
+
     # Fast path: try available worker
     if app.inflightTotal < Math.max(1, app.sockets.length)
       sock = @getNextAvailableSocket(app)
@@ -802,15 +1118,26 @@ class Server
         try
           return @forwardToWorker!(req, sock, app, requestId)
         finally
+          @releaseEdgeRuntime(runtime) if matchedRoute?.app
           app.inflightTotal--
           setImmediate => @drainQueue(app)
 
     if app.queue.length >= app.maxQueue
       @metrics.queueShed++
+      @releaseEdgeRuntime(runtime) if matchedRoute?.app
       return serverBusyResponse()
 
     @metrics.queued++
     new Promise (resolve, reject) =>
+      if matchedRoute?.app
+        originalResolve = resolve
+        originalReject = reject
+        resolve = (value) =>
+          @releaseEdgeRuntime(runtime)
+          originalResolve(value)
+        reject = (err) =>
+          @releaseEdgeRuntime(runtime)
+          originalReject(err)
       app.queue.push({ req, resolve, reject, enqueuedAt: nowMs() })
 
   status: ->
@@ -822,12 +1149,13 @@ class Server
     new Response(body, { headers })
 
   diagnostics: ->
-    snap = @metrics.snapshot(@startedAt, @appRegistry)
+    snap = @metrics.snapshot(@startedAt, @appRegistry, @edgeRuntime.upstreamPool)
     body = JSON.stringify
       status: if snap.gauges.workersActive > 0 then 'healthy' else 'degraded'
       version: { server: @serverVersion, rip: @ripVersion }
       uptime: snap.uptime
       apps: snap.apps
+      upstreams: snap.upstreams
       metrics:
         requests: snap.counters.requests
         responses: snap.counters.responses
@@ -839,6 +1167,33 @@ class Server
       gauges: snap.gauges
       realtime: getRealtimeStats(@realtimeHub)
       hosts: Array.from(@appRegistry.hostIndex.keys())
+      streams: streamDiagnostics(@streamRuntime)
+      config: Object.assign({}, @configInfo,
+        multiplexer:
+          enabled: Boolean(@internalHttpsServer)
+          publicHttpsPort: @multiplexerPorts.publicHttpsPort
+          internalHttpsPort: @multiplexerPorts.internalHttpsPort
+        activeRuntime:
+          id: @edgeRuntime.id
+          inflight: @edgeRuntime.inflight
+          wsConnections: @edgeRuntime.wsConnections
+        retiredRuntimes: @retiredEdgeRuntimes.map((runtime) ->
+          id: runtime.id
+          inflight: runtime.inflight
+          wsConnections: runtime.wsConnections
+          retiredAt: runtime.retiredAt
+        )
+        activeStreamRuntime:
+          id: @streamRuntime.id
+          inflight: @streamRuntime.inflight
+          listeners: Array.from(@streamRuntime.listeners.keys())
+        retiredStreamRuntimes: @retiredStreamRuntimes.map((runtime) ->
+          id: runtime.id
+          inflight: runtime.inflight
+          listeners: Array.from(runtime.listeners.keys())
+          retiredAt: runtime.retiredAt
+        )
+      )
     headers = new Headers({ 'content-type': 'application/json', 'cache-control': 'no-cache' })
     @maybeAddSecurityHeaders(headers)
     new Response(body, { headers })
@@ -999,6 +1354,11 @@ class Server
       res = handleWatchControl!(req, @registerWatch.bind(@), (prefix, dirs) => @manager?.watchDirs(prefix, dirs))
       return res.response if res.handled
 
+    if req.method is 'POST' and url.pathname is '/reload'
+      result = @reloadRuntimeConfig!(@flags, 'control_api', true)
+      res = handleReloadControl(req, result)
+      return res.response if res.handled
+
     if url.pathname is '/registry' and req.method is 'GET'
       res = handleRegistryControl(req, @appRegistry.hostIndex)
       return res.response if res.handled
@@ -1065,6 +1425,11 @@ class Server
       sendPings: true    # Bun auto-sends pings to detect dead connections
 
       open: (ws) ->
+        if ws.data?.kind is 'edge-proxy'
+          server.retainEdgeRuntimeWs(ws.data.runtime)
+          ws.data.passthrough = createWsPassthrough(ws, ws.data.upstreamUrl, ws.data.protocols or [])
+          return
+
         { clientId, headers } = ws.data
         addClient(hub, clientId, ws)
         server.metrics.wsConnections++
@@ -1073,6 +1438,10 @@ class Server
         processResponse(hub, response, clientId) if response
 
       message: (ws, message) ->
+        if ws.data?.kind is 'edge-proxy'
+          ws.data.passthrough?.sendToUpstream(message)
+          return
+
         { clientId, headers } = ws.data
         server.metrics.wsMessages++
         isBinary = typeof message isnt 'string'
@@ -1082,6 +1451,14 @@ class Server
         processResponse(hub, response, clientId) if response
 
       close: (ws) ->
+        if ws.data?.kind is 'edge-proxy'
+          ws.data.passthrough?.close()
+          unless ws.data.released
+            releaseTarget(ws.data.upstreamTarget, 0, true, ws.data.runtime.upstreamPool)
+            server.releaseEdgeRuntimeWs(ws.data.runtime)
+            ws.data.released = true
+          return
+
         { clientId, headers } = ws.data
         logEvent 'ws_close', { clientId }
         removeClient(hub, clientId)
@@ -1109,7 +1486,11 @@ main = ->
       return
 
   # Normal startup
-  flags = parseFlags(process.argv)
+  flags = parseFlags(process.argv, defaultEntry)
+  applyFlagSideEffects(flags)
+  if flags.checkConfig
+    runCheckConfig!(flags)
+    return
   setEventJsonMode(flags.jsonLogging)
   pidFile = getPidFilePath(flags.socketPrefix)
   writeFileSync(pidFile, String(process.pid))
@@ -1119,16 +1500,17 @@ main = ->
   svr.manager = mgr
   mgr.server = svr
 
-  # Load config.rip if present — register additional apps
-  configPath = findConfigFile(flags.appEntry)
-  if configPath
-    config = loadConfig!(configPath)
-    if config
-      registered = applyConfig(config, svr.appRegistry, registerApp, dirname(flags.appEntry))
-      p "rip-server: loaded config.rip with #{registered.length} app(s)" unless flags.quiet
+  startupReload = svr.reloadRuntimeConfig!(flags, 'startup', false)
+  exit 1 unless startupReload.ok
 
   cleanup = createCleanup(pidFile, svr, mgr, unlinkSync, fetch, process)
-  installShutdownHandlers(cleanup, process)
+  installShutdownHandlers(cleanup, process, ->
+    p 'rip-server: received SIGHUP, reloading config...'
+    if svr.reloadRuntimeConfig!(flags, 'sighup', true).ok
+      p 'rip-server: config reload applied'
+    else
+      p 'rip-server: config reload rejected, keeping previous config'
+  )
 
   # Suppress top URL lines if setup.rip will print them at the bottom
   flags.hideUrls = computeHideUrls(flags.appEntry, join, dirname, existsSync)