use cli verbosity flag for cert debug + add tests

Author: ashfame

packages/playground/cli/src/run-cli.ts

@@ -1036,6 +1036,7 @@ export async function runCLI(args: RunCLIArgs): Promise<RunCLIServer | void> {
 		? resolveTlsCertificate({
 				sslCert: args['ssl-cert'] as string | undefined,
 				sslKey: args['ssl-key'] as string | undefined,
+				debug: args.verbosity === 'debug',
 			})
 		: undefined;
 
@@ -1933,7 +1934,7 @@ function openInBrowser(url: string): void {
 	});
 }
 
-const ESTIMATED_WORKER_MEMORY_BYTES = 100 * 1024 * 1024; // ~100MB per worker
+export const ESTIMATED_WORKER_MEMORY_BYTES = 100 * 1024 * 1024; // ~100MB per worker
 
 /**
  * Determines the number of PHP worker threads to spawn based on
@@ -1942,7 +1943,10 @@ const ESTIMATED_WORKER_MEMORY_BYTES = 100 * 1024 * 1024; // ~100MB per worker
  * Uses 50% of free memory as the budget for workers so the system
  * has headroom for the OS, browser, and other processes.
  */
-function computeWorkerCount(minWorkers: number, maxWorkers: number): number {
+export function computeWorkerCount(
+	minWorkers: number,
+	maxWorkers: number
+): number {
 	const freeMemory = os.freemem();
 	const memoryBased = Math.floor(
 		(freeMemory * 0.5) / ESTIMATED_WORKER_MEMORY_BYTES

packages/playground/cli/src/tls.ts

@@ -4,11 +4,9 @@ import { join } from 'path';
 import { tmpdir } from 'os';
 import { logger } from '@php-wasm/logger';
 
-// Flip to true to surface openssl/mkcert output for debugging
-const DEBUG_CERT_GENERATION = false;
-const CERT_STDIO: ('pipe' | 'inherit')[] = DEBUG_CERT_GENERATION
-	? ['inherit', 'inherit', 'inherit']
-	: ['pipe', 'pipe', 'pipe'];
+function certStdio(debug: boolean): ('pipe' | 'inherit')[] {
+	return debug ? ['inherit', 'inherit', 'inherit'] : ['pipe', 'pipe', 'pipe'];
+}
 
 export interface TlsCertificate {
 	key: string;
@@ -22,7 +20,7 @@ export interface TlsCertificate {
  * The certificate is valid for localhost and 127.0.0.1, expires in
  * 30 days, and is intended for local development only.
  */
-export function generateSelfSignedCert(): TlsCertificate {
+export function generateSelfSignedCert(debug = false): TlsCertificate {
 	const tempDir = mkdtempSync(join(tmpdir(), 'playground-tls-'));
 	const keyPath = join(tempDir, 'key.pem');
 	const certPath = join(tempDir, 'cert.pem');
@@ -42,21 +40,25 @@ subjectAltName = DNS:localhost,IP:127.0.0.1
 
 	try {
 		writeFileSync(confPath, opensslConf);
-		execFileSync('openssl', [
-			'req',
-			'-x509',
-			'-newkey',
-			'rsa:2048',
-			'-nodes',
-			'-keyout',
-			keyPath,
-			'-out',
-			certPath,
-			'-days',
-			'30',
-			'-config',
-			confPath,
-		], { stdio: CERT_STDIO });
+		execFileSync(
+			'openssl',
+			[
+				'req',
+				'-x509',
+				'-newkey',
+				'rsa:2048',
+				'-nodes',
+				'-keyout',
+				keyPath,
+				'-out',
+				certPath,
+				'-days',
+				'30',
+				'-config',
+				confPath,
+			],
+			{ stdio: certStdio(debug) }
+		);
 		return {
 			key: readFileSync(keyPath, 'utf8'),
 			cert: readFileSync(certPath, 'utf8'),
@@ -110,20 +112,24 @@ export function getMkcertCaRoot(): string | null {
  * Generates a locally-trusted TLS certificate using mkcert.
  * Requires mkcert to be installed with its CA root set up.
  */
-export function generateMkcertCert(): TlsCertificate {
+export function generateMkcertCert(debug = false): TlsCertificate {
 	const tempDir = mkdtempSync(join(tmpdir(), 'playground-tls-'));
 	const keyPath = join(tempDir, 'key.pem');
 	const certPath = join(tempDir, 'cert.pem');
 
 	try {
-		execFileSync('mkcert', [
-			'-key-file',
-			keyPath,
-			'-cert-file',
-			certPath,
-			'localhost',
-			'127.0.0.1',
-		], { stdio: CERT_STDIO });
+		execFileSync(
+			'mkcert',
+			[
+				'-key-file',
+				keyPath,
+				'-cert-file',
+				certPath,
+				'localhost',
+				'127.0.0.1',
+			],
+			{ stdio: certStdio(debug) }
+		);
 		return {
 			key: readFileSync(keyPath, 'utf8'),
 			cert: readFileSync(certPath, 'utf8'),
@@ -151,6 +157,7 @@ export function generateMkcertCert(): TlsCertificate {
 export function resolveTlsCertificate(options: {
 	sslCert?: string;
 	sslKey?: string;
+	debug?: boolean;
 }): TlsCertificate {
 	if (options.sslCert && options.sslKey) {
 		logger.log('TLS: using provided certificates');
@@ -160,15 +167,16 @@ export function resolveTlsCertificate(options: {
 		};
 	}
 
+	const debug = !!options.debug;
 	const caRoot = getMkcertCaRoot();
 	if (caRoot) {
 		logger.log('TLS: using mkcert (locally-trusted)');
-		return generateMkcertCert();
+		return generateMkcertCert(debug);
 	}
 
 	logger.log(
 		'TLS: using self-signed certificate' +
 			' (install mkcert for warning-free HTTPS)'
 	);
-	return generateSelfSignedCert();
+	return generateSelfSignedCert(debug);
 }

packages/playground/cli/tests/compute-worker-count.spec.ts

@@ -0,0 +1,58 @@
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import os from 'os';
+import {
+	computeWorkerCount,
+	ESTIMATED_WORKER_MEMORY_BYTES,
+} from '../src/run-cli';
+
+vi.mock('@php-wasm/logger', async (importOriginal) => {
+	const actual = await importOriginal<typeof import('@php-wasm/logger')>();
+	return {
+		...actual,
+		logger: { log: vi.fn(), error: vi.fn(), debug: vi.fn() },
+	};
+});
+
+describe('computeWorkerCount', () => {
+	afterEach(() => {
+		vi.restoreAllMocks();
+	});
+
+	it('returns minWorkers when free memory is very low', () => {
+		vi.spyOn(os, 'freemem').mockReturnValue(50 * 1024 * 1024); // 50MB
+		expect(computeWorkerCount(2, 12)).toBe(2);
+	});
+
+	it('returns maxWorkers when free memory is very high', () => {
+		vi.spyOn(os, 'freemem').mockReturnValue(100 * 1024 * 1024 * 1024); // 100GB
+		expect(computeWorkerCount(2, 12)).toBe(12);
+	});
+
+	it('returns memory-based count when between min and max', () => {
+		// 800MB free -> 400MB budget -> 4 workers
+		vi.spyOn(os, 'freemem').mockReturnValue(800 * 1024 * 1024);
+		expect(computeWorkerCount(2, 12)).toBe(4);
+	});
+
+	it('clamps to minWorkers even when memory suggests fewer', () => {
+		// 300MB free -> 150MB budget -> 1 worker, but min is 4
+		vi.spyOn(os, 'freemem').mockReturnValue(300 * 1024 * 1024);
+		expect(computeWorkerCount(4, 8)).toBe(4);
+	});
+
+	it('clamps to maxWorkers even when memory suggests more', () => {
+		// 4GB free -> 2GB budget -> 20 workers, but max is 8
+		vi.spyOn(os, 'freemem').mockReturnValue(4 * 1024 * 1024 * 1024);
+		expect(computeWorkerCount(2, 8)).toBe(8);
+	});
+
+	it('uses 50% of free memory divided by estimated worker size', () => {
+		const freeMem = 1200 * 1024 * 1024; // 1200MB
+		vi.spyOn(os, 'freemem').mockReturnValue(freeMem);
+		const expected = Math.floor(
+			(freeMem * 0.5) / ESTIMATED_WORKER_MEMORY_BYTES
+		);
+		expect(computeWorkerCount(1, 100)).toBe(expected);
+		expect(expected).toBe(6);
+	});
+});

packages/playground/cli/tests/run-cli.spec.ts

@@ -1,6 +1,8 @@
 import path from 'node:path';
 import os from 'node:os';
 import http from 'node:http';
+import http2 from 'node:http2';
+import https from 'node:https';
 import {
 	runCLI,
 	parseOptionsAndRunCLI,
@@ -1723,3 +1725,106 @@ describe('other run-cli behaviors', () => {
 		});
 	});
 });
+
+describe(
+	'HTTP/2 integration',
+	() => {
+		function h2Get(url: string): Promise<{ status: number; body: string }> {
+			const parsed = new URL(url);
+			return new Promise((resolve, reject) => {
+				const client = http2.connect(parsed.origin, {
+					rejectUnauthorized: false,
+				});
+				client.on('error', reject);
+				const req = client.request({ ':path': parsed.pathname });
+				let body = '';
+				let status = 0;
+				req.on('response', (headers) => {
+					status = headers[':status'] as number;
+				});
+				req.on('data', (chunk: Buffer) => {
+					body += chunk.toString();
+				});
+				req.on('end', () => {
+					client.close();
+					resolve({ status, body });
+				});
+				req.on('error', reject);
+				req.end();
+			});
+		}
+
+		test('serves over HTTPS, reports correct SERVER_PROTOCOL for h2 and h1, and filters pseudo-headers', async () => {
+			await using cliServer = await runCLI({
+				command: 'server',
+				http2: true,
+				'min-workers': 2,
+				'max-workers': 4,
+				wordpressInstallMode: 'do-not-attempt-installing',
+				skipSqliteSetup: true,
+				blueprint: undefined,
+			});
+
+			// serverUrl uses https:// scheme with --http2
+			expect(cliServer.serverUrl).toMatch(/^https:\/\//);
+
+			// Consume the auto-login 302 redirect on the first request
+			await h2Get(new URL('/', cliServer.serverUrl).href);
+
+			// Write test PHP files
+			await cliServer.playground.writeFile(
+				'/wordpress/protocol.php',
+				'<?php echo $_SERVER["SERVER_PROTOCOL"]; ?>'
+			);
+			await cliServer.playground.writeFile(
+				'/wordpress/headers.php',
+				`<?php
+			header('Content-Type: application/json');
+			$pseudo = array_filter(
+				$_SERVER,
+				fn($k) => str_starts_with($k, 'HTTP_:'),
+				ARRAY_FILTER_USE_KEY
+			);
+			echo json_encode($pseudo);
+			?>`
+			);
+
+			// $_SERVER['SERVER_PROTOCOL'] reports HTTP/2.0 for h2 requests
+			const h2Result = await h2Get(
+				new URL('/protocol.php', cliServer.serverUrl).href
+			);
+			expect(h2Result.status).toBe(200);
+			expect(h2Result.body).toBe('HTTP/2.0');
+
+			// $_SERVER['SERVER_PROTOCOL'] reports HTTP/1.1 for h1 fallback
+			const h1Body = await new Promise<string>((resolve, reject) => {
+				const req = https.get(
+					new URL('/protocol.php', cliServer.serverUrl).href,
+					{ rejectUnauthorized: false },
+					(res) => {
+						let data = '';
+						res.on('data', (chunk: Buffer) => {
+							data += chunk.toString();
+						});
+						res.on('end', () => resolve(data));
+					}
+				);
+				req.on('error', reject);
+			});
+			expect(h1Body).toBe('HTTP/1.1');
+
+			// No HTTP/2 pseudo-headers leak into $_SERVER
+			const headersResult = await h2Get(
+				new URL('/headers.php', cliServer.serverUrl).href
+			);
+			expect(headersResult.status).toBe(200);
+			const pseudoHeaders = JSON.parse(headersResult.body);
+			expect(
+				Array.isArray(pseudoHeaders)
+					? pseudoHeaders.length
+					: Object.keys(pseudoHeaders).length
+			).toBe(0);
+		});
+	},
+	60_000 * 5
+);