zigttp

v0.1.0-beta: proof-first TypeScript handlers

zigts subset - proven live reload - contract-aware local deploy

~7ms cold start
4.8MB binary size
~13MB memory baseline

The Product

v0.1.0-beta turns the subset into a live proof loop

Install once. Edit your handler. Run zigttp dev --watch --prove and watch the proof chips flip on every save. Ship only what the verifier and contract diff both keep green.

📦 Single-binary install

Linux and macOS builds keep the first run short and start from a binary, not a toolchain.

🔗 Proven live reload

zigttp dev --watch --prove re-verifies on every save and hot-swaps only on safe / safe_with_additions, blocking breaking diffs in place.

⚙️ Compiler-native coding loop

zigttp expert writes only inside zigts, reruns the verifier, satisfies every guarantee enforced by default, and persists every counterexample to the witness corpus.

The Insight

The subset is what makes proof tractable

Your handler code is the spec.

No back-edges, no exceptions, no hidden I/O. The compiler walks every path in finite time, enforces every guarantee by default (narrow with Spec<...> when you need only a few), and emits a behavioral contract small enough to diff between versions.

Handler Code → Compiler Analysis → Proven Contract → Auto Sandbox

Language Design

TypeScript, narrowed until it can be proved

REMOVED (zigts)
✕ classes / this / new
✕ var / null / == / !=
✕ while / do...while
✕ async / await / Promises
✕ try / catch / throw
✕ regex / delete / any / as
KEPT + ADDED (zigts)
✓ arrow functions + destructuring
✓ const / let / for...of
✓ match expressions (exhaustive)
✓ pipe operator (|>)
✓ guard() composition
✓ comptime() evaluation
✓ JSX / TSX (first-class SSR)

Unsupported features fail at parse time with a suggested alternative, not after deploy.

Verification

Stacked proofs: paths, sound mode, contract, guarantees by default

Every code path returns a Response: No forgotten early returns. No implicit undefined.
Result values checked before access: jwtVerify(...).ok must be tested - the BoolChecker enforces it.
No unreachable code: Dead branches are a build error, not a linter warning.
Boolean enforcement: Truthy/falsy coercion rejected everywhere. Progressive type inference for env(), cacheGet(), and match arms.
Full type checking: Variable types, function signatures, property access, nominal interfaces - all validated.

$ zigts check handler.ts --json --contract → PROVEN 7/7 paths + Spec<idempotent, deterministic> ✓

Security

Automatic least-privilege sandboxing

The compiler extracts a contract of what the handler does - then restricts runtime access to exactly those proven values.

contract.json
{
  "env": ["API_KEY", "DB_URL"],
  "egress": ["api.stripe.com"],
  "cache": ["sessions"],
  "sql": ["getUserById"],
  "properties": {
    "read_only": true,
    "retry_safe": true
  },
  "proof": "complete"
}
🛡 Zero configuration required
🛡 Env vars scoped to declared set
🛡 Egress locked to proven hosts
🛡 Effect classification per handler
🛡 OpenAPI spec from -Dopenapi
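
What "scoped to the declared set" and "locked to proven hosts" mean at the enforcement point, as an added example in plain TypeScript (not zigts, and not zigttp's own code). The contract fields come from the contract.json above; scopeEnv, parseHost and egressAllowed are hypothetical names, and the sample URLs are constructed.

```typescript
// Added example: models contract-derived least privilege. Not zigttp's code.
type Contract = { env: string[]; egress: string[] };

// Constructed sample using the env/egress fields of the contract.json above.
const contract: Contract = {
  env: ["API_KEY", "DB_URL"],
  egress: ["api.stripe.com"],
};

// Env: hand the handler a copy holding only the declared names, so an
// undeclared secret in the process environment is simply absent.
const scopeEnv = (c: Contract, all: Record<string, string>): Record<string, string> => {
  const scoped: Record<string, string> = {};
  for (const name of c.env) {
    if (Object.prototype.hasOwnProperty.call(all, name)) scoped[name] = all[name];
  }
  return scoped;
};

// Parse before comparing: substring or suffix checks on the raw URL string
// accept look-alike hosts and userinfo tricks.
const parseHost = (rawUrl: string): string | undefined => {
  try {
    // hostname is already lowercased; drop the trailing dot of an FQDN.
    return new URL(rawUrl).hostname.replace(/\.$/, "");
  } catch {
    return undefined;
  }
};

// Egress: allow only an exact match between the parsed host and the contract.
const egressAllowed = (c: Contract, rawUrl: string): boolean => {
  const host = parseHost(rawUrl);
  return host !== undefined && host !== "" && c.egress.includes(host);
};
```

Exact matching on the parsed hostname is what rejects api.stripe.com.evil.test and api.stripe.com@evil.test while still accepting API.Stripe.com:443.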
Concurrency & Durability

Linear code. Parallel I/O. Crash recovery.

Structured Concurrent I/O

parallel() and race() from zigttp:io

Handler code stays synchronous and linear. Concurrency happens in the I/O layer using OS threads.

3 API calls × 50ms each = ~50ms total

🔄 Durable Execution

--durable <dir> enables crash recovery

Write-ahead oplog. Each I/O call persisted before returning. On crash, replay without touching the network.

sleep() - sleepUntil() - waitSignal()

Evolution

Ship with confidence - prove before deploy

Deterministic Replay

Record every I/O boundary with --trace. Replay against new versions. Handlers = pure functions of (Request, VirtualModuleResponses).

--trace / --replay
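
The write-ahead oplog under Durable Execution and the trace replay described here rest on the same mechanism: a recorded I/O result is returned in place of a real call. An added example in plain TypeScript (not zigttp's code) that crashes a handler after two calls and recovers without repeating them; durableIo, makeNetwork and the in-memory array standing in for the on-disk log are assumptions.

```typescript
// Added example: a model of a write-ahead oplog, not zigttp's code.
type OpEntry = { seq: number; op: string; result: string };

// Hypothetical stand-in for the network that counts real calls.
const makeNetwork = () => {
  const state = { calls: 0 };
  const fetchText = (url: string): string => {
    state.calls += 1;
    return `body-of:${url}`;
  };
  return { state, fetchText };
};

// Replay logged results; append new results before returning them.
const durableIo = (oplog: OpEntry[], io: (arg: string) => string) => {
  let seq = 0;
  return (arg: string): string => {
    const entry = oplog[seq];
    if (entry !== undefined) {
      // Replay must see the same operation at the same position.
      if (entry.op !== arg) throw new Error(`oplog divergence at seq ${seq}`);
      seq += 1;
      return entry.result;
    }
    const result = io(arg);
    oplog.push({ seq, op: arg, result });
    seq += 1;
    return result;
  };
};

// Linear handler; crashAfter simulates a crash after that many I/O calls.
const handler = (io: (u: string) => string, crashAfter: number): string => {
  const bodies: string[] = [];
  for (const u of ["https://a.test/1", "https://a.test/2", "https://a.test/3"]) {
    if (bodies.length === crashAfter) throw new Error("simulated crash");
    bodies.push(io(u));
  }
  return bodies.join("|");
};

const runWithRecovery = () => {
  const net = makeNetwork();
  const oplog: OpEntry[] = []; // an array stands in for the on-disk log
  try { handler(durableIo(oplog, net.fetchText), 2); } catch { /* crashed */ }
  const callsBeforeRestart = net.state.calls;
  const output = handler(durableIo(oplog, net.fetchText), -1);
  return { output, callsBeforeRestart, totalCalls: net.state.calls };
};
```

The divergence check matters for integrity: replaying a log against a handler that now issues different operations fails loudly instead of feeding it results recorded for another call.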
Proven Evolution

Diff behavioral contracts and replay traces between handler versions. Verdicts are safe, safe_with_additions, breaking, or needs_review - with a proof certificate.

zigts prove old.json new.json

Proof Ledger

Every successful deploy and proven hot-swap appends one row to .zigttp/proofs.jsonl with verdicts, proven facts, and contract sha. Export as markdown, HTML, or an SVG verdict badge for the PR description.

zigttp proofs list | show | diff | export

Developer Experience

Three binaries. Proof loop in the terminal. Expert in the loop.

zigttp CLI v0.1.0-beta
init → dev → test → expert → deploy

$ zigttp init my-app
  Scaffold a project with a handler, zigttp.json, and zigts-ready defaults
$ zigttp test
  Run handler tests as golden request/response cases against the proven handler
$ zigttp dev --watch --prove
  Proven live reload - hot-swap only on safe / safe_with_additions verdicts
$ zigttp deploy
  Self-contained binary + one proof-ledger row; verify with zigttp verify against the embedded Ed25519 key
$ zigttp expert
  Interactive coding agent with token accounting, session fork/compact, skills, and Route Forge
$ zigttp proofs / witnesses
  Browse the proof ledger; manage the per-handler witness corpus that defends against regressions

curl -fsSL https://raw.githubusercontent.com/srdjan/zigttp/main/install.sh | sh
Pre-built binaries for macOS and Linux (x86_64, aarch64) - v0.1.0-beta

Composition

Zero-overhead composition. Native speed.

📦 Guard Composition
guard(auth) |> guard(log) |> handler |> guard(cors)

Desugared to a single flat function with sequential if-checks at compile time. Zero runtime overhead.

⚙️ Native Virtual Modules
zigttp:auth JWT + webhooks
zigttp:crypto SHA/HMAC/B64
zigttp:validate JSON Schema
zigttp:decode Parse + validate
zigttp:cache KV store + TTL
zigttp:sql SQLite
zigttp:io Parallel I/O
zigttp:durable Crash recovery
zigttp:compose Guards + pipe
zigttp:router Route matching
zigttp:env Environment
zigttp:http Cookies + CORS
zigttp:url URL parsing
zigttp:id UUID/ULID/nano
zigttp:log Structured logs
zigttp:text Escape + slug
zigttp:time ISO/HTTP dates
zigttp:ratelimit Token bucket
zigttp:service Service calls
zigttp:scope Resource scopes

20 modules implemented in Zig - zero interpretation overhead.

Comparison

zigttp vs the general-purpose runtimes

| | zigttp | Node.js | Deno | Bun |
|---|---|---|---|---|
| Performance | | | | |
| Cold start | ~7ms | ~200-300ms | ~150-200ms | ~100-130ms |
| Binary | 4.8MB | ~80MB | ~130MB | ~90MB |
| Memory | ~13MB | ~30MB | ~25MB | ~20MB |
| Verification | | | | |
| Compile-time proofs | ✓ | - | - | - |
| Auto sandboxing | ✓ | - | Perms | - |
| Injection prevention | Proof | Manual | Manual | Manual |
| OWASP compliance | Auto | Audit | Audit | Audit |
| DX & Trade-offs | | | | |
| Deploy manifest | Compiler | Template | Template | Template |
| AI agents | Built-in | Generic | Generic | Generic |
| Language | zigts subset | Yes | Yes | Yes |
| npm ecosystem | Virtual | Full | Full | Full |

zigttp trades generality for verification, security, and deployment automation.

zigttp

Write handlers. Prove them. Ship them.

Opinionated subset: Parse-time rejection of footguns
Compile-time verification: Every path, every type, every boolean
Automatic sandboxing: Least-privilege derived from analysis
Structured I/O: Linear code, parallel execution
Durable execution: Crash recovery via write-ahead oplog
Deterministic replay: Record I/O boundaries, replay anywhere
Proven evolution: Diff contracts, classify changes into four verdicts
Guarantees by default: All enforced by default; Spec<...> narrows to a chosen few
Proof ledger: A persistent verdict timeline for every deploy
Witness corpus: Counterexamples persist; regressions are caught, not rediscovered
Native performance: ~7ms cold start - 4.8MB - ~13MB baseline