@rip-lang/server 1.3.9 → 1.3.11

package/README.md

@@ -16,7 +16,7 @@ dependencies.
 - **Multi-worker architecture** — Automatic worker spawning based on CPU cores
 - **Hot module reloading** — Watches `*.rip` files by default, rolling restarts on change
 - **Rolling restarts** — Zero-downtime deployments
-- **Automatic HTTPS** — TLS with mkcert or self-signed certificates
+- **Automatic HTTPS** — Shipped `*.ripdev.io` wildcard cert (green lock, zero setup)
 - **mDNS discovery** — `.local` hostname advertisement
 - **Request queue** — Built-in request buffering and load balancing
 - **Built-in dashboard** — Server status UI at `rip.local`
@@ -846,9 +846,8 @@ rip serve [flags] [app-path]@<alias1>,<alias2>,...
 | `https:<port>` | Set HTTPS port | 443, fallback 3443 |
 | `w:<n>` | Worker count (`auto`, `half`, `2x`, `3x`, or number) | `half` of cores |
 | `r:<reqs>,<secs>s` | Restart policy: requests, seconds (e.g., `5000,3600s`) | `10000,3600s` |
-| `--cert=<path>` | TLS certificate path | Auto-generated |
-| `--key=<path>` | TLS private key path | Auto-generated |
-| `--auto-tls` | Try mkcert first, then self-signed | Self-signed only |
+| `--cert=<path>` | TLS certificate path | Shipped `*.ripdev.io` cert |
+| `--key=<path>` | TLS private key path | Shipped `*.ripdev.io` key |
 | `--hsts` | Enable HSTS headers | Disabled |
 | `--no-redirect-http` | Don't redirect HTTP to HTTPS | Redirects enabled |
 | `--json-logging` | Output JSON access logs | Human-readable |
@@ -870,9 +869,6 @@ rip serve
 # HTTP only
 rip serve http
 
-# HTTPS with mkcert
-rip serve --auto-tls
-
 # Production: 8 workers, no hot reload
 rip serve --static w:8
 
@@ -966,17 +962,22 @@ The server provides these endpoints automatically:
 
 ## TLS Certificates
 
-### Automatic Certificate Generation
+### Shipped Wildcard Cert (`*.ripdev.io`)
 
-When HTTPS is enabled without explicit certificates, the server will:
+The server ships with a GlobalSign wildcard certificate for `*.ripdev.io`. Combined with DNS (`*.ripdev.io → 127.0.0.1`), every app gets trusted HTTPS automatically:
 
-1. Try **mkcert** (if installed and `--auto-tls` flag used)
-2. Fall back to **self-signed** certificate via OpenSSL
+```bash
+rip serve streamline    # → https://streamline.ripdev.io (green lock)
+rip serve analytics     # → https://analytics.ripdev.io (green lock)
+rip serve myapp         # → https://myapp.ripdev.io (green lock)
+```
 
-Certificates are stored in `~/.rip/certs/`.
+No setup, no flags, no certificate generation. The app name becomes the subdomain.
 
 ### Custom Certificates
 
+For production domains or custom setups, provide your own cert/key:
+
 ```bash
 rip serve --cert=/path/to/cert.pem --key=/path/to/key.pem
 ```

package/api.rip

@@ -186,6 +186,7 @@ createContext = (req, params = {}) ->
         else parseInt(duration) or 0
       else 0
       out.set 'Cache-Control', "public, max-age=#{seconds}, immutable"
+      out.set 'Expires', new Date(Date.now() + seconds * 1000).toUTCString()
       return
 
     session: {}

package/certs/ripdev.io.crt

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIGWzCCBUOgAwIBAgIMFMf54+s6EwpqpLa+MA0GCSqGSIb3DQEBCwUAMFUxCzAJ
+BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSswKQYDVQQDEyJH
+bG9iYWxTaWduIEdDQyBSNiBBbHBoYVNTTCBDQSAyMDI1MB4XDTI2MDIyNTEwMjQz
+MloXDTI3MDMyOTEwMjQzMVowFjEUMBIGA1UEAwwLKi5yaXBkZXYuaW8wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBzo9MgygbFQH4mw5nj3wdt5HllRdk
+mfbzxi02tJOMSZLgmeYiJ0VUZ9bcIbcif0gFv4na7+oYaKf0vLYsBArTzq6WYa7i
+8Bzr/UYXlynzlZ3GS9qn5AGo1Y+jfHi239XE5xE4qCoybJU/NaFd0n5y/inMjUWx
+G9yRC8foX0zW5tn3dYE8BR3o409sfvaf7gylvPDJGc8p86rCqEInsCbLQguiE5DV
+L2eYia8q0yemuXUEKvdZ0KngyshuWdQkg9F6I68G7QXD/Pvm8sP6MiAx87aykQQb
+1Fm9MQHhxOXyiSVKCR+lKJwcdBJF0hIBIwTeBA/9yQ8HfQl9FD6mXz8dAgMBAAGj
+ggNoMIIDZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADCBmQYIKwYBBQUH
+AQEEgYwwgYkwSQYIKwYBBQUHMAKGPWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5j
+b20vY2FjZXJ0L2dzZ2NjcjZhbHBoYXNzbGNhMjAyNS5jcnQwPAYIKwYBBQUHMAGG
+MGh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjZhbHBoYXNzbGNhMjAy
+NTBXBgNVHSAEUDBOMAgGBmeBDAECATBCBgorBgEEAaAyCgEDMDQwMgYIKwYBBQUH
+AgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMEQGA1Ud
+HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNmFs
+cGhhc3NsY2EyMDI1LmNybDAhBgNVHREEGjAYggsqLnJpcGRldi5pb4IJcmlwZGV2
+LmlvMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBTF
+tJOPbyvcHki/txAwhc7RsrtILTAdBgNVHQ4EFgQUOitYLYlCmzpOvCSqT8lWnyEk
+CvMwggGFBgorBgEEAdZ5AgQCBIIBdQSCAXEBbwB9AI7KRwus3mrzogawpHqEt0b+
+H8a/lT4l5ptO5AJI88boAAABnJRUaM0ACAAABQAC9hXVBAMARjBEAiBnEvFsYS+k
+HcN7jHzpg6LHsrSb7aFHnrmsliLKxky4ygIgOJzdjwD9GcO79nbeajca4pxhrLyG
+tjbuhmkQ3gD9COEAdwAcn2gs6frwRWlQ+BuWiofd2zIQ2EzmyLLjglJKxM9ZnwAA
+AZyUVGgbAAAEAwBIMEYCIQC2o2qGrBvv5lPQl+CHYTFdjkiaobqUIC4nvmO9Hj0z
+dgIhAP+96D5I8ryQ3HVslgWXAp1v8JAO8pdVQ+pX1e/j+dEfAHUATGPcmOWcHauI
+9h6KPd6uj6tEozd7X5uUw/uhnPzBviYAAAGclFRm7gAABAMARjBEAiB0vpn6eh9X
+fLVscIMPf+/iigYxxDO/9NkwG497CxM/bwIgWye6IgzH0RPlccR6C2idFtow2nUr
+b7lWSNtHl04+9zAwDQYJKoZIhvcNAQELBQADggEBACSzZXZI5+1PH40ih224gjT3
+8yElNS5rYREiAeJIgmZ8fQnxq0111AS+UWVAwQUFnnaM18E4Vz476J3vPpb+c4NB
+91jHoM+axcvkd9bAlZswu1l1sZTqIbA3q9yCy2VD+tOtDHxZ1+b25ScLRn+IXpRl
+h2h+NUPMllg5jyIhj7hYNd/SoyqyplA7NQ3/gWx1VFD90TfxzWO5/gbMh9QcC8aj
+6ODQvfJovl6EOu6dnycRlm/MnChuM5+Iy+xXnaLiUTBGjnBOqAkuJ/ycOEGGNVyq
+m3DYlp+Pky/a9COQA9Ig/TWFhWDfaOz+vFkvmVflQg9eFv1KsX0w47BbJhb0oos=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRAIN9TriekS/nLK07x2kt3CAwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjYxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMjUwNTIxMDIzNjUyWhcNMjcwNTIxMDAwMDAwWjBVMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTErMCkGA1UEAxMiR2xvYmFsU2lnbiBHQ0MgUjYgQWxwaGFTU0wgQ0EgMjAyNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ/oiu0Bviq52UUEADbFWmgu3rC7KDSMoorLN1Wd03McG3Z1aP71DlPCE33838r72Dfuj5M9LXfiQLJpAu6MwNExmKOzothw4x0zGf5oBYyrCMGm3fBpLPafwYQ3MchBOWMTbf83rKUPLH48KCJ0MnU8GUl8oA/J81wIvbbKPuNrFf6hvJDccjzc4NyxLz3A89zjV2g5whCg5O0u9YX4Zxk9JHuc/LvllOJO4waAYLjbWBJkz3rV3ts1SmSYnJqmyRTIjXwQgRvhEYqtDbRskt0W7M6cPwCze3GTBN2UHNpHkMs3YmVxku68I0aOQn5+uz//fDROP3z1Z/7I
+APteRtECAwEAAaOCAV8wggFbMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUxbSTj28r3B5Iv7cQMIXO0bK7SC0wHwYDVR0jBBgwFoAUrmwFo5MT4qLn4tcc1sfwf8hnU6AwewYIKwYBBQUHAQEEbzBtMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vcm9vdHI2MDsGCCsGAQUFBzAChi9odHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9yb290LXI2LmNydDA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL3Jvb3QtcjYuY3JsMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQBoDIKAQMwDQYJKoZIhvcNAQELBQADggIBAB/uvBuZf4CiuSahwiXn4geF52roAH+6jxsEPTXTfb7bbeMDXsYgRRsOTNA70ruZ
+Tnz5DfFMuBhNoFhIFb0qR1izdy6VkdKOqFPNF2dOFI1EcnY9l2ory9mrzHqVbrL4vzUd17FLUVyjTVU7PAv4nxyhnO1GTeT83YlrdRF31NyR6bvZVTEERHmpbWSgeveJLRtaMzlGWiLZ8IwkH7o6GH3jp/KPtDW4Npu8w64HrRZdN2pqQhi7+YKwfHM7H+2U
+dM1BGN0sjOWMVbMSB9MtCsleS2Mb7TRZEbOHxECJLLIluQypZr7Pol3+hAqrhyKIk+6y+Da0NeDuWxW59Ku4NvClqW1UFX1SpfNGhzVfp/CH+vPM1tySomx2jE0EnYZuGwVucXPBsp5nUWqUV9+143glVuS7GTg9hFPjNBInn17HbCoIIQIOzj5Vd9bK3A9U
+GxXNpwenDHEalCsD/4eQYDHPhFE7sNe0D/OXu+FAM02VZkARx37Jp4bDdujvgL9PvZPR3wThvDN1CTU8Bc3xea3yKFAraKcPZLkhReQUAm2VpR+HSJRPlUpYizlF9WkLh3KcAVCBJWvnOkVwxyU5QJMcnwW95JlOtx+9100GL99jHE5rs3gXp7F4bg8H01QT9jVOhBBmQ7nQoXuwI0tqal2QUqZz3eeu62CU7xBwtfYR
+-----END CERTIFICATE-----

package/certs/ripdev.io.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBzo9MgygbFQH4
+mw5nj3wdt5HllRdkmfbzxi02tJOMSZLgmeYiJ0VUZ9bcIbcif0gFv4na7+oYaKf0
+vLYsBArTzq6WYa7i8Bzr/UYXlynzlZ3GS9qn5AGo1Y+jfHi239XE5xE4qCoybJU/
+NaFd0n5y/inMjUWxG9yRC8foX0zW5tn3dYE8BR3o409sfvaf7gylvPDJGc8p86rC
+qEInsCbLQguiE5DVL2eYia8q0yemuXUEKvdZ0KngyshuWdQkg9F6I68G7QXD/Pvm
+8sP6MiAx87aykQQb1Fm9MQHhxOXyiSVKCR+lKJwcdBJF0hIBIwTeBA/9yQ8HfQl9
+FD6mXz8dAgMBAAECggEAGv6CmqFdDXKeYOp19eo4GyqFrYDX7oj8auVkSE2cDIr1
+5IdDFOg74Z8KAATJLYqldTmBwccvZ8Fx/WZoiFZyzKAp1KPb+FuB58PSBrilHPqu
+rF9F4CMjsQi39klAxhYEwCWAElBn+jiCDDkT1g3a03j/yPA3cA0FqoVFzaGyge8M
+7vITBEyA0ZwJeFs0tQe+7t1r6hbf9+3w2Z3v+hQfAglIStjS5hXqXY+qlHKVg/cH
+qt2dnQFjwUCs2JpPkT7aZJdAaOfDv2A6B1tXlEjvIXbjRHNy+gnuUAxN8KB8XxGF
+iBgTkowuLSo5VzmV8E24UC916rI/2ZsS3ShztLmuGQKBgQDsDqS5yqm/zbioWX1O
+kx95CNi9x9YOCLrV/fui8NIsKWueVEHXlgcaDO6HNyNEVHvuIrqtUWYh62C7Eyad
+YtBRyITZvtyS1T4JPCd0eblu2XDFTccKyLccPW8VaeNMzV8GNYHx0MmPH1wLw7nu
+FCQ47FUAA9Qr6bWLZaImmzl+5QKBgQDSLiRf60DKtqar6js815YTCdCCzl6HUFqV
+DIDFcF7Hher5fxAKD3OQAVLBIu5S4dJLOajew94W5FukMcfN9Wk332ZH4AxWCuHv
+vbws14d3vNAvlKCYiQ3R2052rM3KqCE4rMJc6AQ/2GEE1XzS2CWEKLbOkk4qoKxs
+U2HxpS4D2QKBgA9pmVnEILc0QGVFiofx1TE64aPqg1BhQ4mrTp3B6YcWoT8yMyZX
+VlleFMjhUb0pYvoWbGfak7eNPcCZLIFELWPZmsr4ykAQCj/iHJVfSTsymUlYnbFX
+j5UZccJNKpkeI6EtJzHZtv9QRdtCyUYBLKhGzfn1Rgoj9UWHukGZCvT9AoGAVsx5
+dydXbZ/6uvqTli/OKXSfKLYDMcyMbAtqzp72dV2nyXug6xaweeMiAuLjG1VpHGnm
+hIDNIhUSh3+LbVIRLuLSgZJUZeA+qFxp7vbfWiKes1ek7vmCvIzeHYKFxlCiz54A
+8o9a2ecJQg7MauKas7aAsFSZdV8/dckFpN67XxkCgYEApSsiCH3/FSKpmriCEBcI
+aqz132RvkQ9622kkMnLo3TOIbjGmW3tnTGpCeCP5iCsknkJMoyA6CF/8lJcvBBVp
+S/sFuOblz6i1+11yfir3znkWfotA0c4ClHtp0ebcjjbf2Y2f+T9XVHsVYoIevirk
+5IxlgMVXTb4IG5lOEdl8TRA=
+-----END PRIVATE KEY-----

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rip-lang/server",
-  "version": "1.3.9",
+  "version": "1.3.11",
   "description": "Pure Rip web framework and application server",
   "type": "module",
   "main": "api.rip",
@@ -45,13 +45,14 @@
   "author": "Steve Shreeve <steve.shreeve@gmail.com>",
   "license": "MIT",
   "dependencies": {
-    "rip-lang": ">=3.13.15"
+    "rip-lang": ">=3.13.18"
   },
   "files": [
     "api.rip",
     "middleware.rip",
     "server.rip",
     "server.html",
+    "certs/",
     "bin/",
     "tests/",
     "docs/",

package/server.rip

@@ -12,9 +12,9 @@
 #   bun server.rip list                    # List registered hosts
 # ==============================================================================
 
-import { existsSync, statSync, readFileSync, writeFileSync, unlinkSync, mkdirSync, watch, utimesSync } from 'node:fs'
+import { existsSync, statSync, readFileSync, writeFileSync, unlinkSync, watch, utimesSync } from 'node:fs'
 import { basename, dirname, isAbsolute, join, resolve } from 'node:path'
-import { homedir, cpus, networkInterfaces } from 'node:os'
+import { cpus, networkInterfaces } from 'node:os'
 import { X509Certificate } from 'node:crypto'
 
 # Match capture holder for Rip's =~
@@ -33,6 +33,7 @@ SHUTDOWN_TIMEOUT_MS = 30000   # Max time to wait for in-flight requests on shutd
 # ==============================================================================
 
 nowMs = -> Date.now()
+formatPort = (protocol, port) -> if (protocol is 'https' and port is 443) or (protocol is 'http' and port is 80) then '' else ":#{port}"
 
 getWorkerSocketPath = (prefix, id) -> "/tmp/#{prefix}.#{id}.sock"
 getControlSocketPath = (prefix) -> "/tmp/#{prefix}.ctl.sock"
@@ -330,7 +331,6 @@ parseFlags = (argv) ->
     httpsPort
     certPath: getKV('--cert=')
     keyPath: getKV('--key=')
-    autoTls: has('--auto-tls')
     hsts: has('--hsts')
     redirectHttp: not has('--no-redirect-http')
     reload
@@ -739,6 +739,7 @@ class Server
     for alias in @flags.appAliases
       host = if alias.includes('.') then alias else "#{alias}.local"
       @hostRegistry.add(host)
+    @hostRegistry.add("#{@flags.appName}.ripdev.io")
 
   start: ->
     httpOnly = @flags.httpsPort is null
@@ -1009,6 +1010,10 @@ class Server
       host = if alias.includes('.') then alias else "#{alias}.local"
       @startMdnsAdvertisement(host)
 
+    port = @flags.httpsPort or @flags.httpPort or 80
+    protocol = if @flags.httpsPort then 'https' else 'http'
+    console.log "rip-server: #{protocol}://#{@flags.appName}.ripdev.io#{formatPort(protocol, port)}"
+
   controlFetch: (req) ->
     url = new URL(req.url)
 
@@ -1065,42 +1070,18 @@ class Server
         console.error 'Failed to read TLS cert/key from provided paths. Use http or fix paths.'
         process.exit(2)
 
-    # Ensure certs directory exists
-    certsDir = join(homedir(), '.rip', 'certs')
-    try mkdirSync(certsDir, { recursive: true }) catch then null
-
-    # Try mkcert first (trusted local CA)
-    if @flags.autoTls
-      certPath = join(certsDir, 'localhost.pem')
-      keyPath = join(certsDir, 'localhost-key.pem')
-      unless existsSync(certPath) and existsSync(keyPath)
-        try
-          Bun.spawnSync(['mkcert', '-install'])
-          Bun.spawnSync(['mkcert', '-key-file', keyPath, '-cert-file', certPath, 'localhost', '127.0.0.1', '::1'])
-        catch
-          null  # fall through to self-signed
-      if existsSync(certPath) and existsSync(keyPath)
-        cert = readFileSync(certPath, 'utf8')
-        key = readFileSync(keyPath, 'utf8')
-        @printCertSummary(cert)
-        return { cert, key }
-
-    # Self-signed via openssl
-    certPath = join(certsDir, 'selfsigned-localhost.pem')
-    keyPath = join(certsDir, 'selfsigned-localhost-key.pem')
-    unless existsSync(certPath) and existsSync(keyPath)
-      try
-        Bun.spawnSync(['openssl', 'req', '-x509', '-nodes', '-newkey', 'rsa:2048', '-keyout', keyPath, '-out', certPath, '-subj', '/CN=localhost', '-days', '3650'])
-      catch
-        console.error 'TLS required but could not provision a certificate (mkcert/openssl missing). Use http or provide --cert/--key.'
-        process.exit(2)
+    # Shipped wildcard cert for *.ripdev.io (GlobalSign, valid for all subdomains)
+    certsDir = join(import.meta.dir, 'certs')
+    certPath = join(certsDir, 'ripdev.io.crt')
+    keyPath = join(certsDir, 'ripdev.io.key')
     try
       cert = readFileSync(certPath, 'utf8')
       key = readFileSync(keyPath, 'utf8')
       @printCertSummary(cert)
       return { cert, key }
-    catch
-      console.error 'Failed to read generated self-signed cert/key from ~/.rip/certs'
+    catch e
+      console.error "rip-server: failed to load TLS certs from #{certsDir}: #{e.message}"
+      console.error 'Use --cert/--key to provide your own, or use http to disable TLS.'
       process.exit(2)
 
   printCertSummary: (certPem) ->
@@ -1153,7 +1134,7 @@ class Server
         stderr: 'ignore'
 
       @mdnsProcesses.set(host, proc)
-      console.log "rip-server: #{protocol}://#{host}:#{port}"
+      console.log "rip-server: #{protocol}://#{host}#{formatPort(protocol, port)}"
     catch e
       console.error "rip-server: failed to advertise #{host} via mDNS:", e.message
 
@@ -1191,11 +1172,10 @@ main = ->
 
       Network:
         http                    HTTP only (no TLS)
-        https                   HTTPS with auto TLS (default)
+        https                   HTTPS with trusted *.ripdev.io cert (default)
         <port>                  Listen on specific port
-        --cert=<path>           TLS certificate file
-        --key=<path>            TLS key file
-        --auto-tls              Generate TLS cert via mkcert
+        --cert=<path>           TLS certificate file (overrides shipped cert)
+        --key=<path>            TLS key file (overrides shipped cert)
         --hsts                  Enable HSTS header
         --no-redirect-http      Don't redirect HTTP to HTTPS
 
@@ -1301,8 +1281,9 @@ main = ->
   mgr.start!
 
   httpOnly = flags.httpsPort is null
-  url = if httpOnly then "http://localhost:#{flags.httpPort}/server" else "https://localhost:#{flags.httpsPort}/server"
-  console.log "rip-server: app=#{flags.appName} workers=#{flags.workers} url=#{url}"
+  protocol = if httpOnly then 'http' else 'https'
+  port = flags.httpsPort or flags.httpPort or 80
+  console.log "rip-server: app=#{flags.appName} workers=#{flags.workers} url=#{protocol}://#{flags.appName}.ripdev.io#{formatPort(protocol, port)}/server"
 
 # ==============================================================================
 # Entry Point