zttp 0.0.2__tar.gz

zttp-0.0.2/.gitignore

@@ -0,0 +1,17 @@
+.venv/
+.zig-cache/
+zig-out/
+zttp/_zttp*.so
+zttp/_zttp*.pyd
+__pycache__/
+*.pyc
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+.coverage.*
+dist/
+build/
+*.egg-info/
+site/
+.cache/

zttp-0.0.2/LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2026, Marcelo Trylesinski
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

zttp-0.0.2/PKG-INFO

@@ -0,0 +1,117 @@
+Metadata-Version: 2.4
+Name: zttp
+Version: 0.0.2
+Summary: A sans-IO HTTP parser for Python with a Zig core.
+Project-URL: Homepage, https://github.com/Kludex/zttp
+Project-URL: Source, https://github.com/Kludex/zttp
+Project-URL: Issues, https://github.com/Kludex/zttp/issues
+Author-email: Marcelo Trylesinski <marcelotryle@gmail.com>
+License-Expression: BSD-3-Clause
+License-File: LICENSE
+Keywords: asgi,http,parser,sans-io,zig
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Programming Language :: Zig
+Classifier: Topic :: Internet :: WWW/HTTP
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+
+# zttp
+
+A [sans-IO](https://sans-io.readthedocs.io/) HTTP parser for Python, with a core
+written in [Zig](https://ziglang.org). It is to [h11](https://github.com/python-hyper/h11)
+what [zloop](https://github.com/Kludex/zloop) is to asyncio: the same clean,
+event-based API, with a hand-written Zig engine underneath - fast enough to be
+usable as the HTTP/1.1 parser in [uvicorn](https://github.com/encode/uvicorn).
+
+## Sans-IO
+
+zttp does no I/O. You feed it bytes and pull out events; you ask it for bytes to
+send. It never touches a socket. This is the h11 model:
+
+```python
+import zttp
+
+conn = zttp.Connection(zttp.SERVER)
+conn.receive_data(b"GET /path?q=1 HTTP/1.1\r\nHost: example.com\r\n\r\n")
+
+conn.next_event()   # Request(method=b'GET', target=b'/path?q=1', http_version=b'1.1', headers=[(b'Host', b'example.com')])
+conn.next_event()   # EndOfMessage(trailers=[])
+conn.next_event()   # NEED_DATA
+
+# Build a response:
+conn.send_response(b"1.1", 200, b"OK", [(b"Content-Length", b"5")])
+conn.send_data(b"hello")
+conn.end_message()
+conn.data_to_send()  # b'HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello'
+```
+
+The read side yields `Request` / `Response` / `Data` / `EndOfMessage`, or the
+`NEED_DATA` sentinel when more bytes are required. The write side serializes a
+head, body data, and the end of the message, framing the body (Content-Length or
+chunked) for you.
+
+## Performance
+
+Against httptools and h11 on the same requests (macOS arm64, CPython 3.14,
+`ReleaseFast`), all three verified to extract identical data:
+
+| Workload          | zttp        | httptools    | h11        | zttp vs httptools |
+| ----------------- | -----------: | -----------: | ---------: | -----------------: |
+| Simple GET        | ~1.25M req/s | ~880k req/s  | ~57k req/s | **1.41x**          |
+| POST + JSON body  | ~6.7M req/s  | ~1.84M req/s | ~616k req/s| **3.62x**          |
+
+Run it yourself: `uv run --group bench python bench.py`.
+
+## Why it is fast
+
+- A SWAR newline scanner and comptime-built character-class tables in the Zig
+  core, so the hot loops are branch-light array lookups.
+- The body is emitted as a single `Data` event slicing the parse buffer, rather
+  than copied per callback the way httptools does.
+- The header list is built directly in Zig as `list[tuple[bytes, bytes]]`, with
+  no per-header Python callback.
+
+## Correctness & security
+
+The core enforces the framing rules of RFC 9112 §6 against request smuggling:
+the Content-Length / Transfer-Encoding conflict, duplicate-Content-Length checks,
+and combining multiple `Transfer-Encoding` field-lines into one ordered list so
+`chunked` must be the sole, final coding. Line endings are strict CRLF by default
+(bare LF is rejected), chunk-size is strictly `1*HEXDIG`, and obsolete line
+folding is rejected. Header blocks, trailers, and the receive buffer are all
+bounded (`Limits`) so a malicious peer cannot exhaust memory, and the outbound
+serializer rejects CR/LF/control bytes to prevent response splitting. The build
+defaults to Zig's safety-checked `ReleaseSafe` mode. Malformed input raises
+`RemoteProtocolError`; misusing the send API raises `LocalProtocolError`.
+
+The parser has been through an adversarial security audit (see the `tests/` and
+the in-tree `test "fuzz: ..."` property test); `zig build fuzz` runs the
+adversarial-input net over the core.
+
+## Roadmap
+
+- **HTTP/1.1** - request and response parsing, chunked transfer-coding,
+  trailers, keep-alive, the bidirectional connection state machine. *(done)*
+- **Connection state policy** - h11-parity state machine guards on the read side
+  (reject body bytes after a `close`, enforce request/response pairing).
+- **uvicorn integration** - an `HttpToolsProtocol`-style adapter so uvicorn can
+  use zttp unchanged.
+- **HTTP/2** - HPACK + frame layer in the Zig core, same event API.
+- **HTTP/3** - QPACK + the QUIC-side framing, same event API.
+
+## Status
+
+Alpha. The HTTP/1.1 parser and serializer are implemented and tested; the API
+may still change.
+
+## License
+
+BSD-3-Clause.

zttp-0.0.2/README.md

@@ -0,0 +1,92 @@
+# zttp
+
+A [sans-IO](https://sans-io.readthedocs.io/) HTTP parser for Python, with a core
+written in [Zig](https://ziglang.org). It is to [h11](https://github.com/python-hyper/h11)
+what [zloop](https://github.com/Kludex/zloop) is to asyncio: the same clean,
+event-based API, with a hand-written Zig engine underneath - fast enough to be
+usable as the HTTP/1.1 parser in [uvicorn](https://github.com/encode/uvicorn).
+
+## Sans-IO
+
+zttp does no I/O. You feed it bytes and pull out events; you ask it for bytes to
+send. It never touches a socket. This is the h11 model:
+
+```python
+import zttp
+
+conn = zttp.Connection(zttp.SERVER)
+conn.receive_data(b"GET /path?q=1 HTTP/1.1\r\nHost: example.com\r\n\r\n")
+
+conn.next_event()   # Request(method=b'GET', target=b'/path?q=1', http_version=b'1.1', headers=[(b'Host', b'example.com')])
+conn.next_event()   # EndOfMessage(trailers=[])
+conn.next_event()   # NEED_DATA
+
+# Build a response:
+conn.send_response(b"1.1", 200, b"OK", [(b"Content-Length", b"5")])
+conn.send_data(b"hello")
+conn.end_message()
+conn.data_to_send()  # b'HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello'
+```
+
+The read side yields `Request` / `Response` / `Data` / `EndOfMessage`, or the
+`NEED_DATA` sentinel when more bytes are required. The write side serializes a
+head, body data, and the end of the message, framing the body (Content-Length or
+chunked) for you.
+
+## Performance
+
+Against httptools and h11 on the same requests (macOS arm64, CPython 3.14,
+`ReleaseFast`), all three verified to extract identical data:
+
+| Workload          | zttp        | httptools    | h11        | zttp vs httptools |
+| ----------------- | -----------: | -----------: | ---------: | -----------------: |
+| Simple GET        | ~1.25M req/s | ~880k req/s  | ~57k req/s | **1.41x**          |
+| POST + JSON body  | ~6.7M req/s  | ~1.84M req/s | ~616k req/s| **3.62x**          |
+
+Run it yourself: `uv run --group bench python bench.py`.
+
+## Why it is fast
+
+- A SWAR newline scanner and comptime-built character-class tables in the Zig
+  core, so the hot loops are branch-light array lookups.
+- The body is emitted as a single `Data` event slicing the parse buffer, rather
+  than copied per callback the way httptools does.
+- The header list is built directly in Zig as `list[tuple[bytes, bytes]]`, with
+  no per-header Python callback.
+
+## Correctness & security
+
+The core enforces the framing rules of RFC 9112 §6 against request smuggling:
+the Content-Length / Transfer-Encoding conflict, duplicate-Content-Length checks,
+and combining multiple `Transfer-Encoding` field-lines into one ordered list so
+`chunked` must be the sole, final coding. Line endings are strict CRLF by default
+(bare LF is rejected), chunk-size is strictly `1*HEXDIG`, and obsolete line
+folding is rejected. Header blocks, trailers, and the receive buffer are all
+bounded (`Limits`) so a malicious peer cannot exhaust memory, and the outbound
+serializer rejects CR/LF/control bytes to prevent response splitting. The build
+defaults to Zig's safety-checked `ReleaseSafe` mode. Malformed input raises
+`RemoteProtocolError`; misusing the send API raises `LocalProtocolError`.
+
+The parser has been through an adversarial security audit (see the `tests/` and
+the in-tree `test "fuzz: ..."` property test); `zig build fuzz` runs the
+adversarial-input net over the core.
+
+## Roadmap
+
+- **HTTP/1.1** - request and response parsing, chunked transfer-coding,
+  trailers, keep-alive, the bidirectional connection state machine. *(done)*
+- **Connection state policy** - h11-parity state machine guards on the read side
+  (reject body bytes after a `close`, enforce request/response pairing).
+- **uvicorn integration** - an `HttpToolsProtocol`-style adapter so uvicorn can
+  use zttp unchanged.
+- **HTTP/2** - HPACK + frame layer in the Zig core, same event API.
+- **HTTP/3** - QPACK + the QUIC-side framing, same event API.
+
+## Status
+
+Alpha. The HTTP/1.1 parser and serializer are implemented and tested; the API
+may still change.
+
+## License
+
+BSD-3-Clause.

zttp-0.0.2/build.zig

@@ -0,0 +1,117 @@
+const std = @import("std");
+
+pub fn build(b: *std.Build) void {
+    const target = b.standardTargetOptions(.{});
+    const optimize = b.standardOptimizeOption(.{});
+
+    // Pure-Zig unit tests for the parser core. Defined first so `zig build test`
+    // works without any Python configuration.
+    const core_tests = b.addTest(.{
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("src/core/root.zig"),
+            .target = target,
+            .optimize = optimize,
+        }),
+    });
+    const run_core_tests = b.addRunArtifact(core_tests);
+    const test_step = b.step("test", "Run pure-Zig core unit tests");
+    test_step.dependOn(&run_core_tests.step);
+
+    // The parser-core property test ("fuzz: reader never panics ...") runs as
+    // part of `zig build test`; `zig build fuzz` is an alias that runs the same
+    // suite, kept as an explicit entry point for the adversarial-input net.
+    const fuzz_step = b.step("fuzz", "Run the parser-core adversarial-input property test");
+    fuzz_step.dependOn(&run_core_tests.step);
+
+    // Python build configuration is discovered by build_ext.sh and passed in as
+    // -D options or environment variables. Resolved lazily so the test step
+    // above never requires a Python toolchain.
+    const py_include = b.option([]const u8, "python-include", "Path to the CPython include dir") orelse
+        (b.graph.environ_map.get("ZTTP_PYTHON_INCLUDE") orelse return);
+    const ext_suffix = b.option([]const u8, "ext-suffix", "Extension module suffix") orelse
+        (b.graph.environ_map.get("ZTTP_EXT_SUFFIX") orelse return);
+    // Windows only: the directory holding pythonXY.lib (the import library the
+    // .pyd must link against). On POSIX, interpreter symbols resolve at load.
+    const py_libdir = b.option([]const u8, "python-libdir", "Path to the CPython libs dir (Windows)") orelse
+        b.graph.environ_map.get("ZTTP_PYTHON_LIBDIR");
+    // Windows only: the import library to link, e.g. "python314" (no extension).
+    const py_lib = b.option([]const u8, "python-lib", "CPython import library name (Windows)") orelse
+        b.graph.environ_map.get("ZTTP_PYTHON_LIB");
+
+    const core_mod = b.createModule(.{
+        .root_source_file = b.path("src/core/root.zig"),
+        .target = target,
+        .optimize = optimize,
+        .link_libc = true,
+    });
+
+    // Translate the CPython C-API to Zig from a real header, then patch the
+    // result. Zig 0.16's translate-c emits the MSVC secure-CRT `_s` forwarders
+    // (wcscat_s/wcscpy_s) as unused local constants and rejects them; @cImport
+    // output can't be patched, but a translate-c file artifact can. `fix_cimport`
+    // strips those unused blocks; on glibc/macOS there are none and it's a no-op.
+    const translate = b.addTranslateC(.{
+        .root_source_file = b.path("src/python/cimport.h"),
+        .target = target,
+        .optimize = optimize,
+    });
+    translate.addIncludePath(.{ .cwd_relative = py_include });
+
+    const fixer = b.addExecutable(.{
+        .name = "fix_cimport",
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("tools/fix_cimport.zig"),
+            .target = b.graph.host,
+            .optimize = .Debug,
+        }),
+    });
+    const fix = b.addRunArtifact(fixer);
+    fix.addFileArg(translate.getOutput());
+    // The patched copy fix_cimport writes out, used as the `pyc` module source.
+    const pyc_file = fix.addOutputFileArg("cimport.zig");
+
+    const pyc_mod = b.createModule(.{
+        .root_source_file = pyc_file,
+        .target = target,
+        .optimize = optimize,
+        .link_libc = true,
+    });
+    pyc_mod.addIncludePath(.{ .cwd_relative = py_include });
+
+    const mod = b.createModule(.{
+        .root_source_file = b.path("src/python/module.zig"),
+        .target = target,
+        .optimize = optimize,
+        .link_libc = true,
+    });
+    mod.addIncludePath(.{ .cwd_relative = py_include });
+    mod.addImport("core", core_mod);
+    mod.addImport("pyc", pyc_mod);
+
+    const lib = b.addLibrary(.{
+        .name = "_zttp",
+        .root_module = mod,
+        .linkage = .dynamic,
+    });
+
+    switch (target.result.os.tag) {
+        // macOS: interpreter symbols resolve at load time; allow them undefined.
+        .macos => lib.linker_allow_shlib_undefined = true,
+        // Windows: a .pyd must resolve Py* symbols at link time against the
+        // interpreter's import library (pythonXY.lib in the `libs` dir).
+        .windows => {
+            const libdir = py_libdir orelse @panic("python-libdir / ZTTP_PYTHON_LIBDIR is required on Windows");
+            const libname = py_lib orelse @panic("python-lib / ZTTP_PYTHON_LIB is required on Windows");
+            mod.addLibraryPath(.{ .cwd_relative = libdir });
+            mod.linkSystemLibrary(libname, .{});
+        },
+        // Linux/BSD: interpreter symbols are global at load; nothing extra.
+        else => {},
+    }
+
+    // Install the shared object into the python package directory under the name
+    // CPython expects so it imports as `zttp._zttp`.
+    const out_name = b.fmt("_zttp{s}", .{ext_suffix});
+    const install = b.addInstallFileWithDir(lib.getEmittedBin(), .{ .custom = "../zttp" }, out_name);
+    b.getInstallStep().dependOn(&install.step);
+}

zttp-0.0.2/build_ext.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Build the zttp Zig extension against the interpreter that will import it.
+# Usage: ./build_ext.sh [path-to-python]   (defaults to the project venv python)
+set -euo pipefail
+
+PY="${1:-$(pwd)/.venv/bin/python}"
+cd "$(dirname "$0")"
+
+read -r INCLUDE SUFFIX < <("$PY" -c \
+  'import sysconfig as s; print(s.get_path("platinclude"), s.get_config_var("EXT_SUFFIX"))')
+
+export ZTTP_PYTHON_INCLUDE="$INCLUDE"
+export ZTTP_EXT_SUFFIX="$SUFFIX"
+
+# ReleaseSafe by default: this parser ingests untrusted bytes, so keeping
+# bounds/overflow checks on turns a would-be UB/crash into a trapped panic.
+MODE="${ZTTP_BUILD_MODE:-ReleaseSafe}"
+zig build "-Doptimize=$MODE" "$@" 2>/dev/null || zig build "-Doptimize=$MODE"
+echo "built zttp/_zttp$SUFFIX against $("$PY" --version) ($INCLUDE)"

zttp-0.0.2/hatch_build.py

@@ -0,0 +1,113 @@
+from __future__ import annotations
+
+import os
+import shutil
+import subprocess
+import sys
+import sysconfig
+from pathlib import Path
+from typing import Any
+
+from hatchling.builders.hooks.plugin.interface import BuildHookInterface
+
+ROOT = Path(__file__).parent
+
+# cibuildwheel builds every macOS wheel on the arm64 runner and asks for a
+# specific arch through ARCHFLAGS; translate it into a Zig cross-compile target
+# so the produced `.so` matches the wheel tag delocate enforces.
+_MACOS_ZIG_TARGET = {"arm64": "aarch64-macos", "x86_64": "x86_64-macos"}
+
+
+def _zig_target_args() -> list[str]:
+    archflags = os.environ.get("ARCHFLAGS", "")
+    arches = archflags.split()[1::2]  # "-arch x86_64 -arch arm64" -> ["x86_64", "arm64"]
+    if len(arches) != 1 or sys.platform != "darwin":
+        return []
+    target = _MACOS_ZIG_TARGET.get(arches[0])
+    if not target:
+        return []
+    # Pin the binary's minimum macOS version to the deployment target so it
+    # matches the wheel's platform tag; otherwise delocate rejects the wheel
+    # (e.g. a 13.0 binary in a macosx_10_13 wheel). Zig encodes it in the triple.
+    dep_target = os.environ.get("MACOSX_DEPLOYMENT_TARGET")
+    if dep_target:
+        target = f"{target}.{dep_target}"
+    return [f"-Dtarget={target}"]
+
+
+def _windows_python_link() -> dict[str, str]:
+    """On Windows, the .pyd must link the interpreter's import library
+    (pythonXY.lib), which lives in `<base>/libs`. Return the env vars build.zig
+    needs: the libs dir and the bare lib name (e.g. python314)."""
+    if sys.platform != "win32":
+        return {}
+    libdir = os.path.join(sys.base_prefix, "libs")
+    # e.g. (3, 14) -> "python314"; free-threaded builds use "python314t".
+    abiflags = sysconfig.get_config_var("abiflags") or ""
+    libname = f"python{sys.version_info.major}{sys.version_info.minor}{abiflags}"
+    return {"ZTTP_PYTHON_LIBDIR": libdir, "ZTTP_PYTHON_LIB": libname}
+
+
+def _zig_command() -> list[str]:
+    """Resolve how to invoke Zig: a `zig` on PATH, else the `ziglang` pip package.
+
+    The pip fallback (`python -m ziglang`) works identically on the host and inside
+    cibuildwheel's manylinux containers, where a host-installed `zig` isn't visible.
+    """
+    if shutil.which("zig"):
+        return ["zig"]
+    try:
+        import ziglang  # noqa: F401
+    except ImportError:
+        raise RuntimeError(
+            "Zig toolchain not found: install Zig and put it on PATH, or `pip install ziglang`."
+        ) from None
+    return [sys.executable, "-m", "ziglang"]
+
+
+class ZigBuildHook(BuildHookInterface):
+    """Compile the Zig extension against the building interpreter during the wheel build.
+
+    This makes `uv build` / `pip wheel` / cibuildwheel produce a correct, platform-tagged
+    wheel with no out-of-band step: the `.so` is built here, against `sys.executable`, and
+    `build.zig` installs it into the `zttp/` package as `_zttp<EXT_SUFFIX>`.
+    """
+
+    PLUGIN_NAME = "custom"
+
+    def initialize(self, version: str, build_data: dict[str, Any]) -> None:
+        if self.target_name != "wheel":
+            return
+
+        include = sysconfig.get_path("platinclude")
+        ext_suffix = sysconfig.get_config_var("EXT_SUFFIX")
+        if not include or not ext_suffix:
+            raise RuntimeError("could not resolve platinclude / EXT_SUFFIX from the building interpreter")
+
+        # ReleaseSafe by default: the parser ingests untrusted bytes, so keeping
+        # Zig's bounds/overflow checks on trades a little speed for turning any
+        # reachable UB into a trapped panic instead of memory corruption.
+        mode = os.environ.get("ZTTP_BUILD_MODE", "ReleaseSafe")
+        env = {**os.environ, "ZTTP_PYTHON_INCLUDE": include, "ZTTP_EXT_SUFFIX": ext_suffix, **_windows_python_link()}
+        subprocess.run(
+            [*_zig_command(), "build", f"-Doptimize={mode}", *_zig_target_args()],
+            cwd=ROOT,
+            env=env,
+            check=True,
+        )
+
+        artifact = f"zttp/_zttp{ext_suffix}"
+        if not (ROOT / artifact).exists():
+            raise RuntimeError(f"zig build did not produce {artifact}")
+
+        # Tag the wheel for this interpreter + platform rather than py3-none-any.
+        build_data["pure_python"] = False
+        build_data["infer_tag"] = True
+        build_data["artifacts"].append(artifact)
+
+    def clean(self, versions: list[str]) -> None:
+        for path in ROOT.glob("zttp/_zttp*.so"):
+            path.unlink()
+        for path in ROOT.glob("zttp/_zttp*.pyd"):
+            path.unlink()
+        print(f"removed compiled extensions; building Zig core via {sys.executable}", file=sys.stderr)

zttp-0.0.2/pyproject.toml

@@ -0,0 +1,131 @@
+[build-system]
+requires = ["hatchling", "uv-dynamic-versioning>=0.8.0", "ziglang==0.16.0"]
+build-backend = "hatchling.build"
+
+[project]
+name = "zttp"
+description = "A sans-IO HTTP parser for Python with a Zig core."
+readme = "README.md"
+license = "BSD-3-Clause"
+license-files = ["LICENSE"]
+requires-python = ">=3.12"
+authors = [{ name = "Marcelo Trylesinski", email = "marcelotryle@gmail.com" }]
+keywords = ["http", "parser", "sans-io", "zig", "asgi"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: BSD License",
+    "Operating System :: POSIX :: Linux",
+    "Operating System :: MacOS",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Zig",
+    "Topic :: Internet :: WWW/HTTP",
+]
+dynamic = ["version"]
+
+[project.urls]
+Homepage = "https://github.com/Kludex/zttp"
+Source = "https://github.com/Kludex/zttp"
+Issues = "https://github.com/Kludex/zttp/issues"
+
+[dependency-groups]
+dev = [
+    "pytest>=8.0",
+    "coverage>=7.0",
+    "ruff",
+    "mypy",
+]
+bench = [
+    "httptools",
+    "h11",
+]
+docs = [
+    "zensical",
+]
+
+[tool.hatch.version]
+source = "uv-dynamic-versioning"
+
+[tool.uv-dynamic-versioning]
+vcs = "git"
+style = "pep440"
+bump = true
+metadata = false  # drop the +<hash> local segment; PyPI rejects it on uploads
+fallback-version = "0.0.0"
+
+[tool.hatch.build.targets.wheel]
+packages = ["zttp"]
+artifacts = ["zttp/*.so"]
+
+[tool.hatch.build.targets.wheel.hooks.custom]
+path = "hatch_build.py"
+
+[tool.hatch.build.targets.sdist]
+# Ship the sources needed to compile the extension from an sdist.
+include = ["zttp", "src", "tools", "build.zig", "build_ext.sh", "hatch_build.py"]
+
+[tool.cibuildwheel]
+# Zig comes from the `ziglang` build requirement (build isolation), so no system
+# toolchain install is needed. The sans-IO core has no OS dependencies, so it
+# builds for glibc, musl, macOS, and Windows alike. Skip only 32-bit and PyPy.
+build = "cp312-* cp313-* cp314-*"
+skip = "*_i686 *-pp*"
+build-frontend = "build[uv]"
+test-command = 'python -c "import zttp; c = zttp.Connection(zttp.SERVER); c.receive_data(b\"GET / HTTP/1.1\r\n\r\n\"); assert type(c.next_event()).__name__ == \"Request\""'
+
+[tool.cibuildwheel.linux]
+# Both glibc (manylinux) and musl (musllinux) on each native arch.
+archs = ["auto"]
+
+[tool.cibuildwheel.macos]
+archs = ["arm64", "x86_64"]
+# Pin the deployment target so the wheel's platform tag matches the min-OS
+# version Zig stamps into the binary (hatch_build.py reads this and encodes it
+# in the Zig target triple). Without it the tag and binary disagree and
+# delocate rejects the wheel.
+environment = { MACOSX_DEPLOYMENT_TARGET = "11.0" }
+
+[tool.cibuildwheel.windows]
+archs = ["AMD64"]
+
+[tool.pytest.ini_options]
+addopts = "-rxXs --strict-config --strict-markers"
+xfail_strict = true
+testpaths = ["tests"]
+filterwarnings = ["error"]
+
+[tool.coverage.run]
+source_pkgs = ["zttp", "tests"]
+branch = true
+parallel = true
+omit = ["zttp/_zttp*"]
+
+[tool.coverage.report]
+precision = 2
+fail_under = 100
+show_missing = true
+skip_covered = true
+exclude_lines = [
+    "pragma: no cover",
+    "if TYPE_CHECKING:",
+    "raise NotImplementedError",
+    "@overload",
+]
+
+[tool.ruff]
+line-length = 120
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "FA", "UP", "RUF100"]
+
+[tool.ruff.lint.isort]
+combine-as-imports = true
+
+[tool.mypy]
+strict = true
+warn_unused_ignores = true
+show_error_codes = true
+files = ["zttp"]