@rip-lang/server 1.4.15 → 1.4.17

package/control/cli.rip

@@ -254,6 +254,7 @@ export parseFlags = (argv, defaultEntryPath = null) ->
     reloadConfig: has('--reload') or has('-r')
     listApps: has('--list') or has('-l')
     stopServer: has('--stop') or has('-s')
+    restartServer: has('--restart')
     envOverride: envOverride
     debug: has('--debug')
   }
@@ -322,6 +323,7 @@ export runHelpOutput = (argv) ->
       -i, --info              Show running server status
       -l, --list              List registered hosts
       -r, --reload            Reload config on running server
+      --restart               Hot restart (rebuild everything, keep listeners)
       -s, --stop              Stop running server
       --watch=<glob>          Watch glob pattern (default: *.rip)
       --static                Disable hot reload and file watching
@@ -400,6 +402,21 @@ export reloadConfig = (prefix, getControlSocketPathFn, fetchFn, exitFn) ->
     warn "rip-server: reload failed: #{e?.message or e}"
     exitFn(1)
 
+export restartServer = (prefix, getControlSocketPathFn, fetchFn, exitFn) ->
+  controlUnix = getControlSocketPathFn(prefix)
+  try
+    res = fetchFn!('http://localhost/restart', { unix: controlUnix, method: 'POST' })
+    j = res.json!
+    if j?.ok
+      p "rip-server: hot restart complete"
+    else
+      reason = j?.error or 'unknown'
+      warn "rip-server: restart failed: #{reason}"
+      exitFn(1)
+  catch e
+    warn "rip-server: restart failed: #{e?.message or e}"
+    exitFn(1)
+
 export listApps = (prefix, getControlSocketPathFn, fetchFn, exitFn) ->
   controlUnix = getControlSocketPathFn(prefix)
   try

package/control/manager.rip

@@ -244,6 +244,17 @@ export class Manager
           workers[idx] = @spawnWorker(app.appId, @currentVersion) if idx >= 0
         @deferredDeaths.clear()
 
+  teardown: ->
+    @shuttingDown = true
+    @stop!
+    @shuttingDown = false
+    @currentMtimes.clear()
+    @rollingApps.clear()
+    @lastRollAt.clear()
+    @retiringIds.clear()
+    @restartBudgets.clear()
+    @deferredDeaths.clear()
+
   getEntryMtime: (appId = null) ->
     app = @getAppState(appId or @defaultAppId)
     entry = app?.config?.entry or @flags.appEntry

package/control/worker.rip

@@ -63,6 +63,10 @@ export runWorkerMode = ->
       workerState.handler or (-> new Response('not ready', { status: 503 }))
     catch e
       warn "[worker #{workerId}] import failed:", e
+      if typeof e.formatHTML is 'function'
+        html = "<!DOCTYPE html><html><head><meta charset=utf-8><title>Rip Compile Error</title><style>body{margin:40px auto;max-width:900px;background:#1e1e2e;color:#cdd6f4;font-family:system-ui,sans-serif}</style></head><body>#{e.formatHTML()}</body></html>"
+        workerState.handler = -> new Response(html, { status: 500, headers: { 'content-type': 'text/html; charset=UTF-8' } })
+        return workerState.handler
       workerState.handler or (-> new Response('not ready', { status: 503 }))
 
   selfJoin = ->

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rip-lang/server",
-  "version": "1.4.15",
+  "version": "1.4.17",
   "description": "Bun-native content server: static sites, apps, HTTP proxy, and TCP/TLS passthrough",
   "type": "module",
   "main": "api.rip",
@@ -47,7 +47,7 @@
   "author": "Steve Shreeve <steve.shreeve@gmail.com>",
   "license": "MIT",
   "dependencies": {
-    "rip-lang": ">=3.13.134"
+    "rip-lang": ">=3.13.136"
   },
   "files": [
     "api.rip",

package/server.rip

@@ -40,7 +40,7 @@ import { getControlSocketPath, getPidFilePath, handleWorkerControl, handleWatchC
 import { getLanIP as controlGetLanIP, startMdnsAdvertisement as controlStartMdnsAdvertisement, stopMdnsAdvertisements as controlStopMdnsAdvertisements } from './control/mdns.rip'
 import { registerWatchGroup, handleWatchGroup, broadcastWatchChange } from './control/watchers.rip'
 import { computeHideUrls, logStartupSummary, createCleanup, installShutdownHandlers, setEventJsonMode, logEvent } from './control/lifecycle.rip'
-import { runVersionOutput, runHelpOutput, stopServer, reloadConfig, listApps, showInfo, parseFlags } from './control/cli.rip'
+import { runVersionOutput, runHelpOutput, stopServer, restartServer, reloadConfig, listApps, showInfo, parseFlags } from './control/cli.rip'
 import { runSetupMode, runWorkerMode } from './control/worker.rip'
 import { Manager } from './control/manager.rip'
 
@@ -581,6 +581,47 @@ class Server
 
     controlStopMdnsAdvertisements(@mdnsProcesses)
 
+  restart: ->
+    logEvent('server_restart', { uptime: Math.floor((nowMs() - @startedAt) / 1000) })
+
+    # --- Teardown (listeners stay open) ---
+    @manager?.teardown!
+    stopHealthChecks(@servingRuntime.upstreamPool)
+    stopHealthChecks(runtime.upstreamPool) for runtime in @retiredServingRuntimes
+    stopStreamListeners(@streamRuntime, true)
+    stopStreamListeners(runtime, true) for runtime in @retiredStreamRuntimes
+    clearInterval(@queueSweepTimer) if @queueSweepTimer
+    try @control?.stop()
+    controlStopMdnsAdvertisements(@mdnsProcesses)
+
+    # Drain queues
+    for [appId, app] as @appRegistry.apps
+      while app.queue.length > 0
+        job = app.queue.shift()
+        try job.resolve(new Response('Server restarting', { status: 503, headers: { 'Retry-After': '1' } }))
+
+    # --- Reload ---
+    @tlsMaterial = @loadTlsMaterial()
+    @reloadRuntimeConfig!(@flags, 'restart', false)
+
+    # --- Rebuild ---
+    @queueSweepTimer = setInterval =>
+      for [appId, app] as @appRegistry.apps
+        now = Date.now()
+        while app.queue.length > 0 and now - app.queue[0].enqueuedAt > app.queueTimeoutMs
+          job = app.queue.shift()
+          try job.resolve(new Response('Queue timeout', { status: 504 }))
+          @metrics.queueTimeouts++
+    , 1000
+
+    @startControl!
+    @startActiveStreamListeners() if @streamListenersDeferred or @streamRuntime.listeners.size is 0
+
+    # --- Restart workers ---
+    @manager?.start!
+
+    logEvent('server_restart_complete', {})
+
   proxyRouteToUpstream: (req, route, requestId, clientIp, runtime) ->
     proxyRouteToUpstreamFn!(req, route, requestId, clientIp, runtime, @metrics, @flags, @maybeAddSecurityHeaders.bind(@), @logAccess.bind(@))
 
@@ -913,6 +954,13 @@ class Server
       res = handleReloadControl(req, result)
       return res.response if res.handled
 
+    if req.method is 'POST' and url.pathname is '/restart'
+      try
+        @restart!
+        return new Response(JSON.stringify({ ok: true, restarted: true }), { headers: { 'content-type': 'application/json' } })
+      catch e
+        return new Response(JSON.stringify({ ok: false, error: e?.message or 'restart failed' }), { status: 500, headers: { 'content-type': 'application/json' } })
+
     if url.pathname is '/registry' and req.method is 'GET'
       res = handleRegistryControl(req, @appRegistry.hostIndex)
       return res.response if res.handled
@@ -991,6 +1039,9 @@ main = ->
   if flags.listApps
     listApps!(flags.socketPrefix, getControlSocketPath, fetch, exit)
     return
+  if flags.restartServer
+    restartServer!(flags.socketPrefix, getControlSocketPath, fetch, exit)
+    return
   if flags.stopServer
     stopServer(flags.socketPrefix, getPidFilePath, existsSync, readFileSync, process.kill.bind(process), Bun.spawnSync, import.meta.path)
     return

package/serving/config.rip

@@ -5,6 +5,7 @@
 import { existsSync, statSync } from 'node:fs'
 import { join, dirname, resolve, basename } from 'node:path'
 import { normalizeStreams, parseHostPort } from '../streams/config.rip'
+import { scanSslDirectory, matchCertForHost } from './tls.rip'
 
 CONFIG_FILE = 'serve.rip'
 VALID_REDIRECT_STATUSES = new Set([301, 302, 307, 308])
@@ -687,8 +688,225 @@ export normalizeAppConfig = (appId, appConfig, baseDir) ->
   throw validationError("app #{appId}", errors) if errors.length > 0
   normalized
 
+# ==============================================================================
+# serve.rip normalizer: ssl + sites + apps
+# ==============================================================================
+
+SERVE_KEYS = new Set(%w[ssl sites apps version server])
+
+parseAppSpec = (appName, spec, knownSites, errors, path) ->
+  tokens = String(spec or '').trim().split(/\s+/).filter(Boolean)
+  unless tokens.length > 0
+    pushError(errors, 'E_APP_EMPTY', path, "app #{appName}: empty spec")
+    return null
+
+  targetTokens = tokens.filter (t) -> /^(https?:\/\/|tcp:\/\/|\.\/|\.\.\/|\/)/.test(t)
+
+  if targetTokens.length > 1
+    pushError(errors, 'E_APP_MULTI_TARGET', path, "app #{appName}: multiple targets: #{targetTokens.join(', ')}", 'Only one path or URL prefix is allowed.')
+    return null
+
+  if targetTokens.length is 1
+    target = targetTokens[0]
+    siteNames = tokens.filter (t) -> t isnt target
+  else
+    target = '.'
+    siteNames = tokens
+
+  unknown = siteNames.filter (s) -> not knownSites.has(s)
+  if unknown.length > 0
+    pushError(errors, 'E_APP_UNKNOWN_SITE', path, "app #{appName}: unknown site(s): #{unknown.join(', ')}", "Define these in the sites section.")
+    return null
+
+  kind = if /^https?:\/\//.test(target) then 'http-proxy'
+  else if /^tcp:\/\//.test(target) then 'tcp-proxy'
+  else 'local'
+
+  { kind, target, siteNames }
+
+normalizeServeRip = (config, baseDir) ->
+  errors = []
+
+  for key of config
+    unless SERVE_KEYS.has(key)
+      pushError(errors, 'E_UNKNOWN_KEY', key, "unknown top-level key: #{key}", 'Allowed keys: ssl, sites, apps, version, server.')
+
+  # SSL directory
+  sslPath = if typeof config.ssl is 'string' then config.ssl else null
+  certMap = new Map()
+  if sslPath
+    certMap = scanSslDirectory(sslPath)
+
+  # Sites: siteName -> hostname
+  siteToHost = new Map()
+  hostToSite = new Map()
+  if config.sites?
+    unless isPlainObject(config.sites)
+      pushError(errors, 'E_SITES_TYPE', 'sites', 'sites must be an object')
+    else
+      for siteName, hostname of config.sites
+        host = String(hostname).toLowerCase().trim()
+        unless host
+          pushError(errors, 'E_SITE_EMPTY', "sites.#{siteName}", "site #{siteName}: hostname is empty")
+          continue
+        if hostToSite.has(host)
+          pushError(errors, 'E_SITE_DUPLICATE_HOST', "sites.#{siteName}", "hostname #{host} is already assigned to site #{hostToSite.get(host)}")
+          continue
+        siteToHost.set(String(siteName), host)
+        hostToSite.set(host, String(siteName))
+
+  knownSites = new Set(siteToHost.keys())
+
+  # Server settings (optional, defaults)
+  serverSettings = normalizeServerSettings(config.server or {}, errors)
+
+  # Apps
+  apps = {}
+  proxies = {}
+  httpProxies = {}
+  tcpProxies = {}
+  sites = {}
+  resolvedCerts = {}
+  streamUpstreams = {}
+  streams = []
+
+  if config.apps?
+    unless isPlainObject(config.apps)
+      pushError(errors, 'E_APPS_TYPE', 'apps', 'apps must be an object')
+    else
+      for appName, appSpec of config.apps
+        unless typeof appSpec is 'string'
+          if isPlainObject(appSpec)
+            pushError(errors, 'E_APP_OBJECT', "apps.#{appName}", "object app specs are not supported; use a string like 'siteName1 siteName2'")
+          else
+            pushError(errors, 'E_APP_INVALID', "apps.#{appName}", "app value must be a string")
+          continue
+
+        parsed = parseAppSpec(appName, appSpec, knownSites, errors, "apps.#{appName}")
+        continue unless parsed
+
+        hostnames = parsed.siteNames.map (s) -> siteToHost.get(s)
+
+        if parsed.kind is 'local'
+          entryPath = if parsed.target is '.' then baseDir else resolve(baseDir, parsed.target)
+          indexFile = join(entryPath, 'index.rip')
+          entry = if existsSync(indexFile) then indexFile else null
+
+          apps[appName] =
+            id: appName
+            entry: entry
+            hosts: hostnames
+            workers: null
+            maxQueue: 512
+            queueTimeoutMs: 30000
+            readTimeoutMs: 30000
+            env: {}
+
+          for hostname in hostnames
+            sites[hostname] =
+              host: hostname
+              timeouts: {}
+              routes: [
+                id: "#{appName}-default"
+                host: hostname
+                path: '/'
+                methods: '*'
+                priority: 0
+                proxy: null
+                app: appName
+                static: null
+                root: null
+                spa: false
+                browse: false
+                redirect: null
+                headers: null
+                websocket: false
+                timeouts: {}
+              ]
+
+            cert = matchCertForHost(certMap, hostname) if certMap.size > 0
+            resolvedCerts[hostname] = cert if cert
+
+        else if parsed.kind is 'http-proxy'
+          proxyId = "proxy-#{appName}"
+          url = new URL(parsed.target)
+          proxies[proxyId] =
+            id: proxyId
+            kind: 'http'
+            hosts: ["#{url.protocol}//#{url.host}"]
+            targets: [{ url: parsed.target, weight: 1 }]
+            healthCheck: null
+            retry: { count: 1, delayMs: 0 }
+            timeouts: { connectMs: 10000, readMs: 30000 }
+          httpProxies[proxyId] = proxies[proxyId]
+
+          for hostname in hostnames
+            sites[hostname] =
+              host: hostname
+              timeouts: {}
+              routes: [
+                id: "#{appName}-proxy"
+                host: hostname
+                path: '/'
+                methods: '*'
+                priority: 0
+                proxy: proxyId
+                app: null
+                static: null
+                root: null
+                spa: false
+                browse: false
+                redirect: null
+                headers: null
+                websocket: true
+                timeouts: {}
+              ]
+
+            cert = matchCertForHost(certMap, hostname) if certMap.size > 0
+            resolvedCerts[hostname] = cert if cert
+
+        else if parsed.kind is 'tcp-proxy'
+          proxyId = "tcp-#{appName}"
+          url = new URL(parsed.target.replace('tcp://', 'http://'))
+          tcpProxies[proxyId] =
+            id: proxyId
+            targets: [{ host: url.hostname, port: parseInt(url.port) }]
+            connectTimeoutMs: 10000
+          streamUpstreams[proxyId] = tcpProxies[proxyId]
+
+          for hostname in hostnames
+            streams.push
+              id: proxyId
+              order: streams.length
+              listen: 443
+              sni: [hostname]
+              proxy: proxyId
+              timeouts: {}
+
+            cert = matchCertForHost(certMap, hostname) if certMap.size > 0
+            resolvedCerts[hostname] = cert if cert
+
+  throw validationError(CONFIG_FILE, errors) if errors.length > 0
+
+  {
+    kind: 'serve'
+    version: config.version or 2
+    server: serverSettings
+    proxies
+    upstreams: httpProxies
+    apps
+    certs: {}
+    rules: {}
+    groups: {}
+    routes: []
+    sites
+    resolvedCerts
+    streamUpstreams
+    streams
+  }
+
 export normalizeConfig = (config, baseDir) ->
-  normalizeServeConfig(config, baseDir)
+  normalizeServeRip(config, baseDir)
 
 export normalizeEdgeConfig = (config, baseDir) -> normalizeConfig(config, baseDir)
 

package/serving/tls.rip

@@ -2,8 +2,8 @@
 # serving/tls.rip — TLS material loading helpers
 # ==============================================================================
 
-import { readFileSync } from 'node:fs'
-import { join } from 'node:path'
+import { readFileSync, readdirSync, existsSync } from 'node:fs'
+import { join, basename, extname } from 'node:path'
 import { X509Certificate } from 'node:crypto'
 
 hostSpecificity = (serverName) ->
@@ -66,3 +66,69 @@ export loadTlsMaterial = (flags, serverDir, acmeLoadCertFn) ->
     warn "rip-server: failed to load TLS certs from #{certsDir}: #{e.message}"
     warn 'Use --cert/--key to provide your own, or use http to disable TLS.'
     exit 2
+
+# ==============================================================================
+# SSL directory scanning — scan for cert/key pairs, extract SANs
+# ==============================================================================
+
+normalizeHostname = (host) ->
+  return null unless typeof host is 'string'
+  host = host.trim().toLowerCase().replace(/\.$/, '')
+  return null unless host.length > 0
+  host
+
+parseCertSans = (certPath) ->
+  pem = readFileSync(certPath, 'utf8')
+  x = new X509Certificate(pem)
+  san = x.subjectAltName or ''
+  san.split(',')
+    .map (entry) -> entry.trim()
+    .filter (entry) -> entry.startsWith('DNS:')
+    .map (entry) -> normalizeHostname(entry.slice(4))
+    .filter Boolean
+
+export scanSslDirectory = (sslPath) ->
+  certMap = new Map()
+  return certMap unless sslPath
+
+  files = try
+    readdirSync(sslPath).sort()
+  catch err
+    throw new Error "cannot read ssl directory #{sslPath}: #{err.message}"
+
+  fileSet = new Set(files)
+
+  for crtFile in files
+    continue unless extname(crtFile) is '.crt'
+    stem = basename(crtFile, '.crt')
+    keyFile = "#{stem}.key"
+    continue unless fileSet.has(keyFile)
+
+    certPath = join(sslPath, crtFile)
+    keyPath  = join(sslPath, keyFile)
+
+    sans = null
+    try
+      sans = parseCertSans(certPath)
+    catch err
+      warn "rip-server: failed to parse certificate #{certPath}: #{err.message}"
+    continue unless sans
+
+    for san in sans
+      certMap.set(san, { certPath, keyPath }) unless certMap.has(san)
+
+  certMap
+
+export matchCertForHost = (certMap, hostname) ->
+  host = normalizeHostname(hostname)
+  return null unless host
+
+  return certMap.get(host) if certMap.has(host)
+
+  hostLabels = host.split('.')
+  return null unless hostLabels.length >= 2
+
+  wildcard = "*.#{hostLabels.slice(1).join('.')}"
+  return certMap.get(wildcard) if certMap.has(wildcard)
+
+  null