zigttp

The JavaScript runtime that proves your code

Compile-time verification - Automatic sandboxing - Deterministic replay

3ms cold start

1.2MB binary size

4MB memory baseline

The Problem

FaaS handlers are black boxes

You write a handler. You ship it. You pray.

⚠

Runtime surprises Truthy/falsy bugs, missing env vars, unreachable code paths - all discovered at 3am in production.

⚠

Config drift IAM policies, env vars, egress rules drift from what the code actually needs. Manual YAML ≠ intent.

⚠

Invisible blast radius Change a handler - what breaks? No way to know without shipping and watching dashboards.

⚠

Async spaghetti Promises, await chains, error swallowing. Concurrency model bleeds into business logic.

The Insight

What if your compiler could see everything?

Virtual modules are the only I/O boundary.

The handler's IR tree IS the control flow graph - no back-edges, no exceptions. The compiler can prove what every handler does, what it accesses, what it returns.

Handler Code

→

Compiler Analysis

→

Proven Contract

→

Auto Sandbox

Language Design

TypeScript, minus the footguns

REMOVED

✕ classes / this

✕ var

✕ while loops

✕ async / await / Promises

✕ truthy/falsy coercion

✕ exceptions (throw/catch)

KEPT

✓ arrow functions

✓ const / let

✓ destructuring

✓ for...of

✓ match expressions

✓ pipe operator (|>)

✓ JSX (first-class)

Unsupported features fail at parse time with a suggested alternative - not at runtime.

Verification

Your handler is proven correct at build time

✓

Every code path returns a Response No forgotten early returns. No implicit undefined.

✓

Result values checked before access jwtVerify(...).ok must be tested - the BoolChecker enforces it.

✓

No unreachable code Dead branches are a build error, not a linter warning.

✓

Boolean enforcement Truthy/falsy coercion rejected everywhere. Progressive type inference for env(), cacheGet(), match arms.

✓

Full type checking Variable types, function signatures, property access, nominal interfaces - all validated.

$ zigttp build handler.ts -Dverify → all code paths verified ✓

Security

Automatic least-privilege sandboxing

The compiler extracts a contract of what the handler does - then restricts runtime access to exactly those proven values.

contract.json

{
  "env": ["API_KEY", "DB_URL"],
  "egress": ["api.stripe.com"],
  "cache": ["sessions"],
  "sql": ["getUserById"],
  "properties": {
    "read_only": true,
    "retry_safe": true
  },
  "proof": "complete"
}

🛡 Zero configuration required

🛡 Env vars scoped to declared set

🛡 Egress locked to proven hosts

🛡 Effect classification per handler

🛡 OpenAPI spec from -Dopenapi

Concurrency & Durability

Linear code. Parallel I/O. Crash recovery.

⚡ Structured Concurrent I/O

parallel() and race() from zigttp:io

Handler code stays synchronous and linear. Concurrency happens in the I/O layer using OS threads.

3 API calls × 50ms each = ~50ms total

🔄 Durable Execution

--durable <dir> enables crash recovery

Write-ahead oplog. Each I/O call persisted before returning. On crash, replay without touching the network.

sleep() - sleepUntil() - waitSignal()

Evolution

Ship with confidence - prove before deploy

Deterministic Replay

Record every I/O boundary with --trace. Replay against new versions. Handlers = pure functions of (Request, VirtualModuleResponses).

--trace / --replay

Proven Evolution

Diff contracts + replay traces between handler versions. Result: equivalent, additive, or breaking - with a proof certificate.

-Dprove=contract:traces

Proven Deploys

Generate platform-specific deployment configs from proven contracts. Env vars → params, routes → API events, egress → tags.

-Ddeploy=aws

Composition

Zero-overhead composition. Native speed.

📦 Guard Composition

guard(auth) |> guard(log) |> handler |> guard(cors)

Desugared to a single flat function with sequential if-checks at compile time. Zero runtime overhead.

⚙️ Native Virtual Modules

zigttp:auth JWT + webhooks

zigttp:validate JSON Schema

zigttp:cache KV store

zigttp:crypto SHA/HMAC/B64

zigttp:sql SQLite

zigttp:io Parallel I/O

zigttp:compose Guards + pipe

zigttp:durable Crash recovery

Implemented in Zig - zero interpretation overhead.

zigttp

Write handlers. Prove them. Ship them.

Opinionated subset Parse-time rejection of footguns

Compile-time verification Every path, every type, every boolean

Automatic sandboxing Least-privilege derived from analysis

Structured I/O Linear code, parallel execution

Durable execution Crash recovery via write-ahead oplog

Deterministic replay Record I/O boundaries, replay anywhere

Proven evolution Diff contracts, classify changes

Effect classification Handler properties proven at build time

OpenAPI generation Response schemas from type inference

Native performance 3ms init - 1.2MB - 4MB baseline