zigttp is a pure-Zig JavaScript and TypeScript runtime for HTTP handlers. It ships as one binary, runs without npm or Node, and uses a restricted language profile so the compiler can prove useful handler properties before the server starts.
The daily workflow is small:
zigttp init my-app && cd my-app
zigttp dev
zigttp test
zigttp deployzigttp dev watches the handler, recompiles it, and prints a proof card on
every save. zigttp deploy builds a self-contained local binary, writes a
proof ledger entry, and signs a proof receipt by default.
Pre-built binaries are published for macOS and Linux on x86_64 and aarch64:
curl -fsSL https://raw.githubusercontent.com/srdjan/zigttp/main/install.sh | shOr build from source with Zig 0.16.0:
git clone https://github.com/srdjan/zigttp.git
cd zigttp
zig build -Doptimize=ReleaseFastimport type { Spec } from "zigttp:types";
type Guardrails = Spec<
| "deterministic"
| "no_secret_leakage"
| "injection_safe"
>;
function HomePage(): JSX.Element {
return (
<html>
<head><title>Hello</title></head>
<body><h1>Hello from zigttp</h1></body>
</html>
);
}
function handler(req: Request): Response & Guardrails {
if (req.path === "/") {
return Response.html(renderToString(<HomePage />));
}
if (req.path === "/api/echo") {
return Response.json({ method: req.method, path: req.path });
}
return Response.text("Not Found", { status: 404 });
}See examples/ for routing, JSX/TSX, SQL, fetch, durable workflows, WebSocket, and proof examples.
- Five core commands:
init,dev,test,expert,deploy. Advanced commands are listed byzigttp help --all. - Handler API:
function handler(req): Response, plusResponse.text,Response.json, andResponse.html, andresource(data, affordances)for content-negotiated HAL-JSON and HTMX from one declaration. - Language profile: a restricted JS/TS/TSX subset with no
var,while,class, ortry/catch; unsupported constructs fail at compile time. - Proofs: response-path verification, Result/optional checks, state-isolation
checks, active
Spec<...>obligations, flow checks, proof traces, witnesses, and proof receipts. - Virtual modules: 23 native modules under
zigttp:*for env, crypto, auth, validation, cache, SQL, fetch, service calls, WebSocket, routing, durable and multi-handler workflows, structured I/O, logging, IDs, time, text, and more. - Local deploy: self-contained binary output under
.zigttp/deploy/<project-name>with default-on attestation.
Read the Threat Model before running untrusted code or exposing a binary publicly. Two boundaries are easy to miss:
devandservefrom source are not a sandbox. They run handler code with your user's permissions for fast iteration. The enforced surfaces are the precompiled (-Dhandler=) anddeploybinaries, which carry and enforce the contract-derived capability allowlist (egress, env, cache, SQL).- No TLS. The runtime serves plain HTTP and binds
127.0.0.1by default. Terminate TLS at a reverse proxy and set the host explicitly before exposing a deployed binary to public traffic. expertsends your handler source to the configured model provider (Anthropic or OpenAI). Attestation is on by default and publishes a stable per-user public-key fingerprint at/.well-known/zigttp-attest.
Benchmark claims are kept in Performance. The measured
baseline is roughly a 3.5 ms cold-start floor, 7-15 ms typical cold start
depending on host load, about 13 MB RSS after first response, and about 112k
req/s on the documented HTTP benchmark. Cold-start and RSS are reproducible with
zig build bench; the throughput figure comes from the separate zigttp-bench
harness and varies with hardware.
Start at the Documentation Index.
- User Guide - setup, handlers, routing, testing, deployment, proof receipts, and troubleshooting.
- CLI Reference - core commands and advanced machine tools.
- Virtual Modules - complete current module list and runtime requirements.
- Contracts and Sandboxing - contract
extraction, runtime policy, replay, OpenAPI, SDK emit, and
Spec<...>. - Verification, TypeScript, Sound Mode, and Restrictions to Proofs.
- Performance, Reliability, Roadmap, and Architecture.
See CONTRIBUTING.md. Security reports go through SECURITY.md.
MIT.