fix: security hardening, body pump redesign, perf optimizations, and lifecycle reliability #42

Merged
st0o0 merged 127 commits into release-next from fix/bugs on Jun 19, 2026

st0o0 commented Jun 14, 2026

Summary

Major stabilization and performance pass covering security fixes, a complete body drain redesign, server/client
performance optimizations, and actor lifecycle reliability improvements. 127 commits, 290 files changed (+10.8k /
-4.8k lines).

Security Hardening

  • Bound cleartext protocol-sniffing window (DoS mitigation)
  • Tighten Content-Length parsing, block duplicate CL on H1.0, plug redirect credential leak
  • Enforce body-size limit on Content-Length framed bodies
  • RFC 9113 frame compliance: settings overflow, padded DATA flow control, half-closed(remote)
  • Enforce advertised HEADER_TABLE_SIZE in the server HPACK decoder
  • Size HPACK encode buffer to actual header block (prevent over-allocation)
  • Suppress response body for HEAD requests (H1.1 + H2)
  • Fix chunked decoder duplicating stashed partial control lines
  • H3: surface malformed frame bodies, process inbound QPACK encoder-stream, guard response body-drain UAF

Body Pump Redesign

  • Replace push-based body drain across all protocols with pull-based pumps:
    • SerialBodyPump for H1.x (capacity model + starvation guard)
    • BodyDrainScheduler with AIMD for H2 (limbo zero-copy, slot pooling)
    • MultiplexedBodyPump with fixed cap for H3 (slot pooling, starvation guard)
    • FlowControlledBodyPump shared refactoring for H2/H3
  • Generic IBodyDrainTarget, BodyDrainSlot, BodyPumpHelper, ChunkedFramingHelper
  • Delete 15 legacy body files (BufferedBodyWriter, StreamingBodyWriter, ConnectionBodyPool, etc.)
  • Retain HttpContent reference in drain slots to prevent GC disposal race

Performance (Server)

  • Pre-bake H1.x status lines as static byte tables
  • Intern common request targets to avoid per-request string alloc
  • Replace LINQ hot-path allocations in H1.1 state machine
  • Pool feature collection, HttpContext, CancellationTokenSource, and request features per connection
  • Cache send delegate and pool PassthroughFramingEncoder
  • H2 HPACK header block cache for repeated response patterns
  • Defer H2 per-stream WINDOW_UPDATE until app consumes body
  • Eliminate per-response pipe lock on buffered write path
  • Remove TryCoalesceOutbound memcpy (writev handles scatter natively)
  • Replace per-encode MemoryPool.Rent with scratch buffer in H2 encoder
  • Short-circuit body classification for no-body requests
  • Replace QPACK per-decode MemoryPool.Rent with per-decoder scratch buffer

Performance (Client)

  • Avoid CreateLinkedTokenSource when only caller token is cancelable
  • Replace ConcurrentStack pools with ObjectPool in client path
  • Sync fast-path for body drain reads, remove .AsTask() allocations
  • Per-connection HeaderNameCache for HPACK/QPACK decoding
  • H3: pre-compute QPACK static table sizes, reuse encode buffers and instruction decoders
  • Build H1.1 request headers once and rent exact-size buffer
  • Drop per-response decode allocations (reason phrase + header value)
  • Rent body chunks from cross-thread ArrayPool

Performance (Shared)

  • Per-connection ConnectionPoolContext with ObjectPool and IResettable pattern
  • Pool QueuedBodyReader per-connection for H2/H3 request bodies
  • Replace per-byte branching with lookup tables + H3 sawDate flag
  • H2/H3 pseudo-header typed fields instead of Dictionary
  • Lock-free pending list, span-based parsing, pre-baked content headers

Lifecycle & Reliability

  • ServerSupervisorActor: failure responses, drain timeout, Watch+Terminated cleanup
  • ListenerActor: fix PipeTo throw bug, BindFailed message, supervisor logging
  • ConnectionActor: failure handler and PostStop cleanup
  • StreamOwner: stops after retry exhaustion, actor-scoped materializer
  • Consumer: stops on sink error instead of continuing
  • ClientStreamManager: differentiated supervisor, Watch+Terminated cleanup
  • Handle ListenersFailed and DrainComplete.TimedOut in TurboServer
  • Consistent full exception logging in CleanupForRetry
  • Fix ApplicationBridgeStage double-emitting on handler timeout
  • Bound server routing pending queue by propagating backpressure

Client Fixes

  • Fix multi-connection pipeline deadlock in GroupByRequestEndpointStage
  • Decouple substream source creation from upstream pull gating
  • Route responses by compacting consumer index (fix same-name misroute)
  • Don't retry non-rewindable bodies; stop parked retries blocking intake
  • Correct request cancellation logic
  • Prevent GC pressure from body buffering under high concurrency
  • Pass request cancellation to H2 body drain
  • H1.0: use streaming CloseDelimitedFramingDecoder for connection-close bodies

Server Fixes

  • H1.x SerialBodyPump backpressure stall on streaming responses
  • Empty-body responses, outbound queue drain, body-message ShouldComplete
  • Await ActorSystem WhenTerminated in StopAsync
  • Recycle FeatureCollection on body-suppressed (204/304/HEAD) responses
  • Wire MaxConcurrentStreams to QUIC and MaxRequestBufferSize to TCP input buffer
  • H3: replay DATA received while response HEADERS are QPACK-blocked

Benchmarks

  • Add client-side benchmarks (--protocol client-h1|h2|h3)
  • Add in-memory state-machine benchmarks (--protocol mem-h1|mem-h2)
  • Add H2/H3 loadtest support, Kestrel comparison benchmarks
  • Per-type allocation profiling via BDN custom exporter
  • Open-loop load driver + out-of-process allocation profiler
  • Remove TurboHTTP.StressBenchmarks project (replaced by BDN suite)

Other

  • Bump servus.akka submodule (vectored writev, IOQueue scheduler, QUIC-aware loops, array-based transport pool)
  • Fix stale docs and integration-test commands
  • Add ReceiveBufferHint server option

Test plan

  • All ~5660 unit + stage tests pass
  • Run client integration tests
  • Run server integration tests
  • Run end-to-end integration tests
  • Verify benchmark suite runs cleanly

st0o0 added 30 commits June 14, 2026 11:30
st0o0 added 26 commits June 19, 2026 12:45
@st0o0 st0o0 changed the title fix: bugs fix: security hardening, body pump redesign, perf optimizations, and lifecycle reliability Jun 19, 2026
@st0o0 st0o0 merged commit c0f216e into release-next Jun 19, 2026
10 checks passed
@st0o0 st0o0 deleted the fix/bugs branch June 19, 2026 19:45
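
The two Content-Length items under Security Hardening (strict parsing with duplicate blocking, and the body-size limit on Content-Length framed bodies), sketched as an added C# example. It is not code from this pull request; the type names, result values and the reject-every-duplicate policy are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Added illustration: all names here are hypothetical, not TurboHTTP's API.
public enum ClResult { Absent, Ok, Malformed, Duplicate, TooLarge }
public static class ContentLengthCheck
{
    // headers: raw field lines in arrival order; maxBody: body limit in bytes.
    public static ClResult Validate(
        IEnumerable<KeyValuePair<string, string>> headers, long maxBody, out long length)
    {
        length = 0;
        bool seen = false;
        foreach (var h in headers)
        {
            if (!h.Key.Equals("Content-Length", StringComparison.OrdinalIgnoreCase))
                continue;
            // Assumed policy: a second field line is rejected, never merged, so
            // two parsers cannot frame the same bytes with different lengths.
            if (seen) return ClResult.Duplicate;
            seen = true;
            string v = h.Value.Trim(' ', '\t'); // optional whitespace only
            if (v.Length == 0) return ClResult.Malformed;
            long n = 0;
            foreach (char c in v)
            {
                // 1*DIGIT only: no sign, hex prefix, comma list or inner space.
                if (c < '0' || c > '9') return ClResult.Malformed;
                int d = c - '0';
                if (n > (long.MaxValue - d) / 10) return ClResult.Malformed; // overflow
                n = n * 10 + d;
            }
            length = n;
        }
        if (!seen) return ClResult.Absent;
        // Apply the limit before any body byte is read or buffered.
        return length > maxBody ? ClResult.TooLarge : ClResult.Ok;
    }

    public static void Main()
    {
        // Constructed sample header sets, checked against a 1 KiB limit.
        var cases = new[] { new[] { "5" }, new[] { "5", "50" }, new[] { "+5" }, new[] { "99999" } };
        foreach (var values in cases)
        {
            var hs = new List<KeyValuePair<string, string>>();
            foreach (var v in values) hs.Add(new KeyValuePair<string, string>("Content-Length", v));
            Console.WriteLine(string.Join(",", values) + " -> " + Validate(hs, 1024, out _));
        }
    }
}
```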