aird 0.4.23.dev2__tar.gz → 0.4.23.dev3__tar.gz

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aird
-Version: 0.4.23.dev2
+Version: 0.4.23.dev3
 Summary: Aird - A lightweight web-based file browser, editor, and streamer with real-time capabilities
 Home-page: https://github.com/blinkerbit/aird
 Author: Viswantha Srinivas P
@@ -36,6 +36,10 @@ Dynamic: summary
 
 # Aird - Modern Web-Based File Management Platform
 
+<p align="center">
+  <img src="aird/static/img/logo.png" alt="Aird" width="280">
+</p>
+
 ![Aird Demo Video](./demo.webp)
 
 🚀 **A lightweight, fast, and secure web-based file browser, editor, and sharing platform built with Python and Tornado.**

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/README.md

@@ -1,5 +1,9 @@
 # Aird - Modern Web-Based File Management Platform
 
+<p align="center">
+  <img src="aird/static/img/logo.png" alt="Aird" width="280">
+</p>
+
 ![Aird Demo Video](./demo.webp)
 
 🚀 **A lightweight, fast, and secure web-based file browser, editor, and sharing platform built with Python and Tornado.**

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/config.py

@@ -42,6 +42,7 @@ FEATURE_FLAGS = {}
 CLOUD_MANAGER = CloudManager()
 WEBSOCKET_CONFIG = {}
 MULTI_USER = False
+WORKERS = None  # None = auto (1.25 * threads_per_core * physical_cores)
 DB_CONN = None
 MAX_FILE_SIZE = _MAX_FILE_SIZE
 MAX_READABLE_FILE_SIZE = _MAX_READABLE_FILE_SIZE
@@ -170,7 +171,7 @@ def init_config():
     global CONFIG_FILE, ROOT_DIR, PORT, ACCESS_TOKEN, ADMIN_TOKEN, LDAP_ENABLED, LDAP_SERVER
     global LDAP_BASE_DN, LDAP_USER_TEMPLATE, LDAP_FILTER_TEMPLATE, LDAP_ATTRIBUTES
     global LDAP_ATTRIBUTE_MAP, HOSTNAME, SSL_CERT, SSL_KEY, ADMIN_USERS, FEATURE_FLAGS, CLOUD_MANAGER
-    global MULTI_USER
+    global MULTI_USER, WORKERS
 
     parser = argparse.ArgumentParser(description="Run Aird")
     parser.add_argument("--config", help="Path to JSON config file")
@@ -202,6 +203,12 @@ def init_config():
         action="store_true",
         help="Enable multi-user mode (each user gets a private home directory)",
     )
+    parser.add_argument(
+        "--workers",
+        type=int,
+        default=None,
+        help="HTTP worker processes (default: ceil(1.25 * threads_per_core * physical_cores); 1 on Windows)",
+    )
     args = parser.parse_args()
 
     config = {}
@@ -247,6 +254,9 @@ def init_config():
 
     MULTI_USER = args.multi_user or config.get("multi_user", False)
 
+    workers_arg = args.workers if args.workers is not None else config.get("workers")
+    WORKERS = int(workers_arg) if workers_arg is not None else None
+
     SSL_CERT = args.ssl_cert or config.get("ssl_cert")
     SSL_KEY = args.ssl_key or config.get("ssl_key")
 

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/constants/__init__.py

@@ -59,10 +59,10 @@ UPLOAD_CONFIG = {
     "allow_all_file_types": 0,  # 0 = use whitelist below, 1 = allow any extension
 }
 
-# Per-request body limit (Cloudflare-compatible chunked uploads; admin sets total file cap separately)
-UPLOAD_CHUNK_SIZE_BYTES = 90 * 1024 * 1024  # 90 MiB per HTTP request
+# Per-request body limit (Cloudflare: keep each POST under ~100 MB and ~100s proxy timeout)
+UPLOAD_CHUNK_SIZE_BYTES = 50 * 1024 * 1024  # 50 MiB per HTTP request
 UPLOAD_REQUEST_MAX_BODY_SIZE = UPLOAD_CHUNK_SIZE_BYTES + (1024 * 1024)  # chunk + slack
-UPLOAD_MAX_PARALLEL_CHUNKS = 5  # max concurrent chunk requests from the browser
+UPLOAD_MAX_PARALLEL_CHUNKS = 3  # fewer concurrent POSTs through reverse proxies
 
 # File operation constants (derived from UPLOAD_CONFIG at startup)
 MAX_FILE_SIZE = UPLOAD_CONFIG["max_file_size_mb"] * 1024 * 1024
@@ -118,3 +118,28 @@ CORPORATE_IP_CIDRS: list[str] = [
     for c in os.environ.get("AIRD_CORPORATE_IP_CIDRS", "").split(",")
     if c.strip()
 ]
+
+
+def _read_app_version() -> str:
+    """Package version for cache-busting static assets in templates (?v=…)."""
+    try:
+        from importlib.metadata import version
+
+        return version("aird")
+    except Exception:
+        pass
+    try:
+        import re
+        from pathlib import Path
+
+        setup_py = Path(__file__).resolve().parents[2] / "setup.py"
+        text = setup_py.read_text(encoding="utf-8")
+        match = re.search(r'version\s*=\s*["\']([^"\']+)["\']', text)
+        if match:
+            return match.group(1)
+    except Exception:
+        pass
+    return "dev"
+
+
+APP_VERSION = _read_app_version()

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/db/shares.py

@@ -316,9 +316,14 @@ def list_shares_accessible_to_user(conn: sqlite3.Connection, username: str) -> l
         result = []
         for row in cursor:
             share = _row_to_share_dict(row, col_names)
+            if login_matches_share_creator_field(share.get("created_by"), username):
+                continue
             allowed = share.get("allowed_users")
-            is_creator = login_matches_share_creator_field(share.get("created_by"), username)
-            if allowed is None or username in allowed or is_creator:
+            modify_users = share.get("modify_users") or []
+            if username in modify_users:
+                result.append(share)
+                continue
+            if allowed is None or username in allowed:
                 result.append(share)
         return result
     except Exception as e:
@@ -375,9 +380,16 @@ def _share_covers_dynamic_path(share: dict, rel_path: str, root_dir: str) -> boo
         try:
             full_folder_path = os.path.abspath(os.path.join(root_dir, folder_path))
             full_file_path = os.path.abspath(os.path.join(root_dir, rel_path))
-            if (
-                os.path.isdir(full_folder_path)
-                and is_within_root(full_file_path, full_folder_path)
+            if not is_within_root(full_file_path, root_dir):
+                continue
+            if os.path.isdir(full_folder_path) and is_within_root(
+                full_file_path, full_folder_path
+            ):
+                if filter_files_by_patterns([rel_path], allow_list, avoid_list):
+                    return True
+            elif (
+                os.path.isfile(full_folder_path)
+                and folder_path.replace("\\", "/") == rel_path.replace("\\", "/")
                 and filter_files_by_patterns([rel_path], allow_list, avoid_list)
             ):
                 return True

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/handlers/api_handlers.py

@@ -927,12 +927,14 @@ class ShareDetailsByIdAPIHandler(BaseHandler):
                 self.write_json_error(404, "Share not found")
                 return None
 
-            if not self.can_manage_share_secrets(share):
+            if not self.can_edit_share_paths(share):
                 self.write_json_error(403, "Access denied")
                 return None
 
             allowed_users = share.get("allowed_users")
             modify_users = share.get("modify_users")
+            show_secret = self.can_manage_share_secrets(share)
+            token = share.get("secret_token")
             share_info = {
                 "id": share["id"],
                 "created": share.get("created", ""),
@@ -940,8 +942,8 @@ class ShareDetailsByIdAPIHandler(BaseHandler):
                 "modify_users": modify_users if modify_users is not None else [],
                 "url": f"/shared/{share['id']}",
                 "paths": share.get("paths", []),
-                "has_token": share.get("secret_token") is not None,
-                "secret_token": share.get("secret_token"),
+                "has_token": token is not None,
+                "secret_token": token if show_secret else None,
                 "share_type": share.get("share_type", "static"),
                 "tag_name": share.get("tag_name"),
                 "allow_list": share.get("allow_list", []),
@@ -950,6 +952,10 @@ class ShareDetailsByIdAPIHandler(BaseHandler):
                 "download_count": share_service.get_download_count(
                     db_conn, share_id
                 ),
+                "is_owner": self.is_share_owner(share),
+                "can_revoke": self.is_share_owner(share),
+                "can_manage": self.is_share_owner(share),
+                "can_edit_paths": self.can_edit_share_paths(share),
             }
 
             return {"share": share_info}
@@ -970,12 +976,14 @@ def _classify_share_for_user(
     allowed_list = allowed_raw if isinstance(allowed_raw, list) else []
     mod_list = share.get("modify_users") or []
 
-    if current_user and current_user in mod_list:
-        return True, False
-    if creator and login_matches_share_creator_field(creator, current_user):
+    if creator and current_user and login_matches_share_creator_field(
+        creator, current_user
+    ):
         return True, False
     if not creator and is_admin:
         return True, False
+    if current_user and current_user in mod_list:
+        return False, True
     if not creator and current_user and (
         allowed_raw is None
         or (isinstance(allowed_raw, list) and current_user in allowed_list)
@@ -986,6 +994,16 @@ def _classify_share_for_user(
     return False, False
 
 
+def _attach_share_capabilities(handler: BaseHandler, share: dict) -> dict:
+    """Add ownership / editor flags for the share management UI."""
+    out = dict(share)
+    out["is_owner"] = handler.is_share_owner(share)
+    out["can_revoke"] = handler.is_share_owner(share)
+    out["can_manage"] = handler.is_share_owner(share)
+    out["can_edit_paths"] = handler.can_edit_share_paths(share)
+    return out
+
+
 class ShareListAPIHandler(BaseHandler):
     @tornado.web.authenticated
     def get(self):
@@ -1010,9 +1028,10 @@ class ShareListAPIHandler(BaseHandler):
         for sid, share in all_shares.items():
             is_mine, is_shared = _classify_share_for_user(share, current_user, is_admin)
             if is_mine:
-                my_shares[sid] = share
+                my_shares[sid] = _attach_share_capabilities(self, share)
             elif is_shared:
-                shared_with_me.append(_redact_share_secret_token(share))
+                redacted = _redact_share_secret_token(share)
+                shared_with_me.append(_attach_share_capabilities(self, redacted))
 
         self.write({"shares": my_shares, "shared_with_me": shared_with_me})
 

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/handlers/base_handler.py

@@ -895,6 +895,7 @@ class BaseHandler(tornado.web.RequestHandler):
         namespace.setdefault("nav_title", "")
         namespace.setdefault("show_admin_link", False)
         namespace.setdefault("ldap_enabled", self.settings.get("ldap_server") is not None)
+        namespace.setdefault("static_version", constants_module.APP_VERSION)
         return namespace
 
     def get_current_user(self):
@@ -954,15 +955,27 @@ class BaseHandler(tornado.web.RequestHandler):
             return _display_username_from_dict(user)
         return _display_username_from_legacy(user, self)
 
-    def can_manage_share_secrets(self, share: dict) -> bool:
-        """True if current user may view raw secret tokens and full management details."""
+    def is_share_owner(self, share: dict) -> bool:
+        """True if the current user created the share (or is admin for legacy rows)."""
         if self.is_admin_user():
             return True
         u = get_username_string_for_db(self)
         if not u:
             return False
         creator = (share.get("created_by") or "").strip()
-        if creator and login_matches_share_creator_field(creator, u):
+        if not creator:
+            return False
+        return login_matches_share_creator_field(creator, u)
+
+    def can_edit_share_paths(self, share: dict) -> bool:
+        """True if the user may add/remove files on an existing share."""
+        if self.is_share_owner(share):
             return True
-        modify_users = share.get("modify_users") or []
-        return u in modify_users
+        u = get_username_string_for_db(self)
+        if not u:
+            return False
+        return u in (share.get("modify_users") or [])
+
+    def can_manage_share_secrets(self, share: dict) -> bool:
+        """True for share owners: tokens, ACL, revoke, and full settings."""
+        return self.is_share_owner(share)

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/handlers/file_op_handlers.py

@@ -540,8 +540,19 @@ class UploadHandler(BaseHandler):
             username = self.get_display_username()
             self._session_dir = _upload_session_dir(username, chunk_info["upload_id"])
             offset = chunk_info["offset"]
+            # Only reset session on first chunk when no other parts exist (avoid wiping
+            # in-flight parallel chunks if chunk 0 is retried by the browser or proxy).
             if offset == 0 and os.path.isdir(self._session_dir):
-                _remove_upload_session(self._session_dir)
+                try:
+                    other_parts = [
+                        n
+                        for n in os.listdir(self._session_dir)
+                        if n.endswith(".part") and n != "0.part"
+                    ]
+                except OSError:
+                    other_parts = []
+                if not other_parts:
+                    _remove_upload_session(self._session_dir)
             os.makedirs(self._session_dir, exist_ok=True)
             self._temp_path = _chunk_file_path(self._session_dir, offset)
             self._aiofile = await aiofiles.open(self._temp_path, "wb")

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/handlers/share_handlers.py

@@ -283,6 +283,32 @@ def _is_user_allowed_for_modify(share, get_secure_cookie):
     return (True, None)
 
 
+def _collect_files_for_share_paths(root: str, paths: list, *, include_missing_files: bool) -> list[str]:
+    """Resolve share path entries to relative file paths under *root*."""
+    collected: list[str] = []
+    for rel_path in paths or []:
+        try:
+            full_path = os.path.abspath(os.path.join(root, rel_path))
+            if not is_within_root(full_path, root):
+                continue
+            if os.path.isdir(full_path):
+                for sub in get_all_files_recursive(full_path, rel_path):
+                    collected.append(str(sub).replace("\\", "/"))
+            elif os.path.isfile(full_path):
+                collected.append(str(rel_path).replace("\\", "/"))
+            elif include_missing_files:
+                collected.append(str(rel_path).replace("\\", "/"))
+        except Exception:
+            logging.debug("Skipping share path %r", rel_path, exc_info=True)
+    seen: set[str] = set()
+    unique: list[str] = []
+    for path in collected:
+        if path not in seen:
+            seen.add(path)
+            unique.append(path)
+    return unique
+
+
 def _get_share_file_list(share, db_conn=None):
     """Return list of file paths for the share (dynamic, static, or tag-based)."""
     share_type = share.get("share_type", "static")
@@ -295,32 +321,13 @@ def _get_share_file_list(share, db_conn=None):
             db_conn, share.get("tag_name"), root, allow_list, avoid_list
         )
 
+    paths = share.get("paths") or []
     if share_type == "dynamic":
-        dynamic_files = []
-        for folder_path in share.get("paths") or []:
-            try:
-                full_path = os.path.abspath(os.path.join(root, folder_path))
-                if os.path.isdir(full_path) and is_within_root(full_path, root):
-                    all_files = get_all_files_recursive(full_path, folder_path)
-                    dynamic_files.extend(all_files)
-            except Exception:
-                logging.debug(
-                    "Skipping dynamic share folder %r", folder_path, exc_info=True
-                )
-        return filter_files_by_patterns(dynamic_files, allow_list, avoid_list)
+        resolved = _collect_files_for_share_paths(root, paths, include_missing_files=False)
+        return filter_files_by_patterns(resolved, allow_list, avoid_list)
 
-    static_paths = []
-    for rel_path in share.get("paths") or []:
-        try:
-            full_path = os.path.abspath(os.path.join(root, rel_path))
-            if os.path.isdir(full_path):
-                continue
-        except Exception:
-            logging.debug(
-                "Skipping static share path check for %r", rel_path, exc_info=True
-            )
-        static_paths.append(rel_path)
-    return filter_files_by_patterns(static_paths, allow_list, avoid_list)
+    resolved = _collect_files_for_share_paths(root, paths, include_missing_files=True)
+    return filter_files_by_patterns(resolved, allow_list, avoid_list)
 
 
 def _is_path_in_share(share, path, db_conn=None):
@@ -557,6 +564,21 @@ def _execute_share_update(handler, db_conn, share_id, share_data, data):
     )
 
 
+_EDITOR_SHARE_UPDATE_KEYS = frozenset({"share_id", "paths", "remove_files"})
+
+
+def _share_update_payload_for_user(handler, share_data: dict, data: dict) -> dict | None:
+    """Return update body allowed for this user, or None if forbidden."""
+    if handler.can_manage_share_secrets(share_data):
+        return data
+    if not handler.can_edit_share_paths(share_data):
+        return None
+    filtered = {k: v for k, v in data.items() if k in _EDITOR_SHARE_UPDATE_KEYS}
+    if not any(k in filtered for k in ("paths", "remove_files")):
+        return None
+    return filtered
+
+
 def _apply_metadata_updates(data, share_data, update_fields):
     """Apply users/token/filters/expiry metadata to update_fields."""
     if "allowed_users" in data:
@@ -718,9 +740,9 @@ class ShareRevokeHandler(XSRFTokenMixin, BaseHandler):
                 self.set_status(404)
                 self.write({"error": "Share not found"})
                 return
-            if not self.can_manage_share_secrets(share):
+            if not self.is_share_owner(share):
                 self.set_status(403)
-                self.write({"error": "Access denied"})
+                self.write({"error": "Only the share owner can revoke this share"})
                 return
             self.get_service("share_service").delete_share(self.db_conn, sid)
             self.get_service("audit_service").log(
@@ -759,7 +781,8 @@ class ShareUpdateHandler(XSRFTokenMixin, BaseHandler):
             self.set_status(err_status)
             self.write(err_body)
             return None, None, []
-        if not self.can_manage_share_secrets(share_data):
+        data = _share_update_payload_for_user(self, share_data, data)
+        if data is None:
             self.set_status(403)
             self.write({"error": "Access denied"})
             return None, None, []

{aird-0.4.23.dev2 → aird-0.4.23.dev3}/aird/main.py

@@ -5,10 +5,15 @@ import socket
 import sqlite3
 import ssl
 
+import tornado.httpserver
 import tornado.ioloop
+import tornado.netutil
+import tornado.process
 import tornado.web
 import logging.handlers
 
+from aird.server_runtime import describe_worker_layout, resolve_worker_count
+
 
 import aird.constants as constants
 import aird.config as config
@@ -486,42 +491,87 @@ def _build_app_context() -> AppContext:
     )
 
 
-def _start_server(app, ssl_options, port: int, hostname: str) -> None:
+def _build_application():
+    """Create the Tornado app (call after _init_database in each process)."""
+    cookie_secret = os.environ.get("AIRD_COOKIE_SECRET") or secrets.token_urlsafe(64)
+    settings = {
+        "cookie_secret": cookie_secret,
+        "xsrf_cookies": True,
+        "login_url": "/login",
+        "admin_login_url": "/admin/login",
+        "cloud_manager": constants.CLOUD_MANAGER,
+    }
+    settings["app_context"] = _build_app_context()
+    return make_app(
+        settings,
+        config.LDAP_ENABLED,
+        config.LDAP_SERVER,
+        config.LDAP_BASE_DN,
+        config.LDAP_USER_TEMPLATE,
+        config.LDAP_FILTER_TEMPLATE,
+        config.LDAP_ATTRIBUTES,
+        config.LDAP_ATTRIBUTE_MAP,
+        config.ADMIN_USERS,
+    )
+
+
+def _run_http_server(app, ssl_options, sockets) -> None:
+    server = tornado.httpserver.HTTPServer(
+        app,
+        ssl_options=ssl_options,
+        max_body_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
+        max_buffer_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
+    )
+    server.add_sockets(sockets)
+    if tornado.process.task_id() in (0, None):
+        tornado.ioloop.IOLoop.current().call_later(
+            3600, _run_cleanup_expired_shares
+        )
+    tornado.ioloop.IOLoop.current().start()
+
+
+def _start_server(ssl_options, port: int, hostname: str, worker_count: int) -> None:
     _MAX_PORT_RETRIES = 3
+    proto = "https" if ssl_options else "http"
     for attempt in range(_MAX_PORT_RETRIES):
         try:
-            if ssl_options:
-                proto = "https"
-                app.listen(
-                    port,
-                    ssl_options=ssl_options,
-                    max_body_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
-                    max_buffer_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
-                )
+            sockets = tornado.netutil.bind_sockets(port, address="")
+            if worker_count <= 1:
                 logger.info(
-                    f"Serving HTTPS on 0.0.0.0 port {port} ({proto}://0.0.0.0:{port}/) ..."
-                )
-            else:
-                proto = "http"
-                app.listen(
+                    "Serving %s on 0.0.0.0 port %d (single process) ...",
+                    proto.upper(),
                     port,
-                    max_body_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
-                    max_buffer_size=constants.UPLOAD_REQUEST_MAX_BODY_SIZE,
-                )
-                logger.info(
-                    f"Serving HTTP on 0.0.0.0 port {port} ({proto}://0.0.0.0:{port}/) ..."
                 )
-            _print_server_urls(port, hostname, proto)
-            tornado.ioloop.IOLoop.current().call_later(
-                3600, _run_cleanup_expired_shares
+                _init_database()
+                app = _build_application()
+                _print_server_urls(port, hostname, proto)
+                _run_http_server(app, ssl_options, sockets)
+                return
+
+            logger.info(
+                "Serving %s on 0.0.0.0 port %d (%s) ...",
+                proto.upper(),
+                port,
+                describe_worker_layout(worker_count),
             )
-            tornado.ioloop.IOLoop.current().start()
+            logger.warning(
+                "Multiple workers: in-memory WebSocket/P2P state is per process; "
+                "use sticky sessions at the load balancer if needed."
+            )
+            tornado.process.fork_processes(worker_count)
+            _init_database()
+            app = _build_application()
+            if tornado.process.task_id() == 0:
+                _print_server_urls(port, hostname, proto)
+            _run_http_server(app, ssl_options, sockets)
             return
         except OSError:
             logger.exception("Failed to bind on port %d", port)
             if attempt < _MAX_PORT_RETRIES - 1:
                 port += 1
-                logger.warning("Retrying on port %d (%d/%d)", port, attempt + 2, _MAX_PORT_RETRIES)
+                logger.warning(
+                    "Retrying on port %d (%d/%d)", port, attempt + 2, _MAX_PORT_RETRIES
+                )
             else:
                 logger.error(
                     "Could not bind after %d attempts. Set a different --port and retry.",
@@ -570,34 +620,12 @@ def main():
     else:
         logger.info("Single-user mode — all users share root: %s", constants.ROOT_DIR)
 
-    cookie_secret = os.environ.get("AIRD_COOKIE_SECRET") or secrets.token_urlsafe(64)
     if not os.environ.get("AIRD_COOKIE_SECRET"):
+        os.environ["AIRD_COOKIE_SECRET"] = secrets.token_urlsafe(64)
         logger.warning(
             "cookie_secret is randomly generated; sessions will be invalidated on restart. "
             "Set the AIRD_COOKIE_SECRET environment variable for persistent sessions."
         )
-    settings = {
-        "cookie_secret": cookie_secret,
-        "xsrf_cookies": True,
-        "login_url": "/login",
-        "admin_login_url": "/admin/login",
-        "cloud_manager": constants.CLOUD_MANAGER,
-    }
-
-    _init_database()
-    settings["app_context"] = _build_app_context()
-
-    app = make_app(
-        settings,
-        config.LDAP_ENABLED,
-        config.LDAP_SERVER,
-        config.LDAP_BASE_DN,
-        config.LDAP_USER_TEMPLATE,
-        config.LDAP_FILTER_TEMPLATE,
-        config.LDAP_ATTRIBUTES,
-        config.LDAP_ATTRIBUTE_MAP,
-        config.ADMIN_USERS,
-    )
 
     ssl_options = None
     if config.SSL_CERT and config.SSL_KEY:
@@ -606,7 +634,8 @@ def main():
         ssl_context.load_cert_chain(config.SSL_CERT, config.SSL_KEY)
         ssl_options = ssl_context
 
-    _start_server(app, ssl_options, config.PORT, config.HOSTNAME)
+    worker_count = resolve_worker_count(config.WORKERS)
+    _start_server(ssl_options, config.PORT, config.HOSTNAME, worker_count)
 
 
 if __name__ == "__main__":

aird-0.4.23.dev3/aird/server_runtime.py

@@ -0,0 +1,87 @@
+"""HTTP server process count and Tornado prefork helpers."""
+
+from __future__ import annotations
+
+import logging
+import math
+import os
+import sys
+
+logger = logging.getLogger(__name__)
+
+
+def detect_threads_per_core() -> float:
+    """Logical CPUs per physical core (hyperthreading); default 2."""
+    raw = os.environ.get("AIRD_THREADS_PER_CORE", "").strip()
+    if raw:
+        try:
+            value = float(raw)
+            if value > 0:
+                return value
+        except ValueError:
+            logger.warning("Invalid AIRD_THREADS_PER_CORE=%r; using 2", raw)
+    return 2.0
+
+
+def detect_physical_cpu_count() -> int:
+    """Best-effort physical core count; falls back to logical / threads_per_core."""
+    logical = os.cpu_count() or 1
+    threads_per_core = detect_threads_per_core()
+    if sys.platform == "linux":
+        try:
+            ids: set[int] = set()
+            with open("/proc/cpuinfo", encoding="utf-8", errors="replace") as cpuinfo:
+                for line in cpuinfo:
+                    if line.lower().startswith("core id") or line.lower().startswith(
+                        "cpu cores"
+                    ):
+                        _, _, val = line.partition(":")
+                        ids.add(int(val.strip()))
+            if ids:
+                return max(1, len(ids))
+        except OSError:
+            pass
+    return max(1, round(logical / threads_per_core))
+
+
+def compute_default_worker_count() -> int:
+    """
+    Process count = ceil(1.25 * threads_per_core * physical_cores).
+
+    Example: 4 physical cores, 2 threads/core -> ceil(1.25 * 2 * 4) = 10 workers.
+    """
+    threads_per_core = detect_threads_per_core()
+    physical = detect_physical_cpu_count()
+    return max(1, math.ceil(1.25 * threads_per_core * physical))
+
+
+def resolve_worker_count(configured: int | None = None) -> int:
+    """CLI/config > env AIRD_WORKERS > computed default; 1 on Windows."""
+    if sys.platform == "win32":
+        if configured and configured > 1:
+            logger.warning(
+                "Multiprocess serving is not supported on Windows; using 1 worker"
+            )
+        return 1
+    if configured is not None and configured > 0:
+        return configured
+    env_workers = os.environ.get("AIRD_WORKERS", "").strip()
+    if env_workers:
+        try:
+            parsed = int(env_workers)
+            if parsed > 0:
+                return parsed
+        except ValueError:
+            logger.warning("Invalid AIRD_WORKERS=%r; using default formula", env_workers)
+    return compute_default_worker_count()
+
+
+def describe_worker_layout(worker_count: int) -> str:
+    logical = os.cpu_count() or 1
+    tpc = detect_threads_per_core()
+    physical = detect_physical_cpu_count()
+    return (
+        f"workers={worker_count} "
+        f"(logical_cpus={logical}, physical_cpus={physical}, "
+        f"threads_per_core={tpc:g}, formula=ceil(1.25*tpc*physical))"
+    )