Status: typed initial gate.

darkhttpd is small, but it has the exact security surfaces we need to practice before nginx:

• HTTP request parsing
• path traversal prevention
• overly long requests
• idle timeout / slow client behavior
• optional chroot / privilege dropping
• static-file filesystem boundary

bash harness/security/run.sh

This runs the reference oracle, checks that the traversal corpus gets a rejection-like response, and writes reference-target security evidence to the ledger. It proves the pinned C reference and corpus are wired correctly. It does not prove Rust-target robustness until the Rust server loop exists.

Typed case:

harness/security/traversal/spec.toml

Target:

• darkhttpd_core::http::parse_request_head

Corpus seeds:

• harness/corpus/fixtures/*/request.http
• upstream devel/fuzz_parse_request.c cases

Target:

• darkhttpd_core::path::normalize_url_path
• URL encode/decode helpers

Corpus seeds:

• devel/fuzz_make_safe_uri_testcases
• encoded ..
• mixed slash/backslash
• malformed percent escapes
• NUL bytes
• very long path segments

Target:

• server loop timeout behavior

Cases:

• open socket and send request byte-by-byte
• partial headers never completed
• keepalive idle timeout

Cases:

• ../
• %2e%2e
• symlink handling once policy is known
• single-file mode
• no-listing mode

Initial budget is zero for all crates.

Features that may eventually require a budget:

• sendfile
• chroot
• uid/gid changes
• signal handling

Each needs an architect decision and a test proving the safe fallback still works.