
[Audit] zerg: /upload returns Content-Length header value instead of reading body #127

@jerrythetruckdriver

Description


Violation

File: frameworks/zerg/Program.cs
Endpoint: /upload

What it does

The upload handler returns req.ContentLength — the parsed Content-Length header value — instead of the actual body bytes received:

static void HandleUpload(Connection conn, in HttpRequest req)
{
    HttpResponse.WriteText(conn, Encoding.UTF8.GetBytes(req.ContentLength.ToString()));
}

Looking at the HttpRequest struct, ContentLength is parsed from the HTTP header:

readonly struct HttpRequest
{
    // ...
    public readonly int ContentLength;
    // ...
    public readonly ReadOnlyMemory<byte> Body;
    // ...
}
The handler should return the actual body length (req.Body.Length), not the header-declared length.

What the spec requires

POST /upload with 20MB binary body → read entire body, return byte count as text/plain
Must ACTUALLY READ the body, not just return Content-Length header value

Why this matters

The benchmark measures actual I/O throughput — reading 20MB of binary data from the socket. Returning the Content-Length header skips all body reading, which is exactly what the spec prohibits.

Suggested fix

static void HandleUpload(Connection conn, in HttpRequest req)
{
    HttpResponse.WriteText(conn, Encoding.UTF8.GetBytes(req.Body.Length.ToString()));
}

Note: This fix only works if the HTTP parser actually buffers the full body into req.Body. Verify that HttpParser.TryParse reads the complete 20MB body into the Body field — if Body is empty for large uploads, the parser may need adjustment too.
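An added example, not the zerg project's code and written in Python rather than C# because the point is language-independent: a minimal upload handler that reads headers from a socket-like stream, then keeps reading until it holds exactly the declared number of body bytes, and reports both the header value and the byte count actually received. The ChunkyStream class is a constructed stand-in for a socket that returns short reads, so the two numbers visibly diverge when the body is shorter than the header claims.

```python
import io

CRLF2 = b"\r\n\r\n"


class ChunkyStream:
    """Constructed stand-in for a socket: like recv(), each read returns at most
    max_chunk bytes, so headers and body arrive in pieces (assumption, not a real socket)."""

    def __init__(self, data: bytes, max_chunk: int = 7):
        self._buf = io.BytesIO(data)
        self._max = max_chunk

    def recv(self, n: int) -> bytes:
        return self._buf.read(min(n, self._max))


def declared_content_length(header_block: bytes) -> int:
    """Parse the Content-Length header; 0 if absent (request line is skipped)."""
    for line in header_block.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0


def handle_upload(sock):
    """Return (header_declared_length, bytes_actually_read) for one request."""
    data = b""
    while CRLF2 not in data:
        chunk = sock.recv(4096)
        if not chunk:
            raise ValueError("peer closed before end of headers")
        data += chunk
    head, _, body = data.partition(CRLF2)
    declared = declared_content_length(head)
    # Keep reading until the full declared body is in hand; a short read just loops.
    while len(body) < declared:
        chunk = sock.recv(declared - len(body))
        if not chunk:
            break  # peer closed early: actual bytes < declared bytes
        body += chunk
    return declared, len(body)


def build_request(declared: int, body: bytes) -> bytes:
    """Constructed POST /upload request whose header may disagree with the body."""
    return (b"POST /upload HTTP/1.1\r\nHost: example\r\nContent-Length: "
            + str(declared).encode() + CRLF2 + body)
```

Only the second value is what the spec asks the handler to return; the first is what the audited code returns today.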
