Changes:
- [+] RFC 9114 HTTP/3 hardening: reject illegal frames on control stream (H3_FRAME_UNEXPECTED), reject control-only frames on request stream, reject forbidden connection-specific headers per RFC 9114 4.2, enforce SETTINGS-first (H3_MISSING_SETTINGS), detect duplicate/closed critical streams, emit H3_MESSAGE_ERROR for malformed messages @dreamwind1985 @Yanmei-Liu
- [+] RFC 9000/9001 transport security: validate transport-parameter CIDs, validate all RFC 9000 7.4.1 transport parameters for 0-RTT, header protection boundary check, reject 0-RTT CRYPTO frames, enforce active_connection_id_limit, abandon connection on Version Negotiation @dreamwind1985 @Yanmei-Liu
- [~] RFC 9002 congestion control & recovery: cap initial window per §7.2 for NewReno/CUBIC, honor init_cwnd override, reset RTT estimator after persistent congestion, use peer max_ack_delay in PTO, fully reset 0-RTT streams on reject @Yanmei-Liu
- [~] misc fixes: ACK_ECN parsing, initial_salt length, propagate simulate_ecn in server settings, replace fixed TRA_CRYPTO_ERROR with TRA_INTERNAL_ERROR, macOS linker detection, FEC memory leak, MSVC enum overflow @Yanmei-Liu @dreamwind1985 @yukke @mp0rta
Compatibility Notes:
- Peers sending illegal frames on the control stream or a request stream will now receive a connection error instead of having those frames silently ignored.
- Forbidden connection-specific headers in HTTP/3 are now rejected per RFC 9114 4.2.
- max_idle_timeout now uses min(local, remote); connections with a lower remote value may time out sooner.
- Initial congestion window capped per RFC 9002 §7.2 — may reduce initial burst on high-MTU paths.
- All 0-RTT streams are now fully reset on reject — applications relying on partial 0-RTT state survival may see behavior changes.
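
The RFC 9114 4.2 header rule from the compatibility notes, sketched as an added example; this is not XQUIC's own code. `h3_check_field` and its result type are hypothetical names, and field values are assumed to arrive already trimmed of surrounding whitespace.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: a malformed message maps to H3_MESSAGE_ERROR. */
typedef enum { H3_FIELD_OK = 0, H3_FIELD_MALFORMED = 1 } h3_field_check_t;

/* Connection-specific fields that must not appear in an HTTP/3 message. */
static const char *const forbidden_fields[] = {
    "connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade",
};

/* Case-insensitive match of a length-delimited value against a lowercase literal. */
static int value_is(const char *v, size_t len, const char *lit)
{
    if (len != strlen(lit)) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)v[i]) != lit[i]) return 0;
    return 1;
}

/* Validate one decoded field line (after QPACK decoding). */
h3_field_check_t
h3_check_field(const char *name, size_t nlen, const char *value, size_t vlen)
{
    /* Field names must be lowercase; an uppercase character is malformed. */
    for (size_t i = 0; i < nlen; i++)
        if (name[i] >= 'A' && name[i] <= 'Z') return H3_FIELD_MALFORMED;
    for (size_t i = 0; i < sizeof(forbidden_fields) / sizeof(forbidden_fields[0]); i++) {
        const char *f = forbidden_fields[i];
        if (nlen == strlen(f) && memcmp(name, f, nlen) == 0) return H3_FIELD_MALFORMED;
    }
    /* TE is the single exception, and only with the value "trailers". */
    if (nlen == 2 && memcmp(name, "te", 2) == 0 && !value_is(value, vlen, "trailers"))
        return H3_FIELD_MALFORMED;
    return H3_FIELD_OK;
}

int main(void)
{
    /* Constructed sample field lines, not taken from real traffic. */
    const char *h[][2] = { {"accept", "*/*"}, {"te", "trailers"}, {"te", "gzip"},
                           {"keep-alive", "timeout=5"}, {"Host", "example.com"} };
    for (size_t i = 0; i < sizeof(h) / sizeof(h[0]); i++)
        printf("%-12s %s\n", h[i][0],
               h3_check_field(h[i][0], strlen(h[i][0]), h[i][1], strlen(h[i][1]))
                   == H3_FIELD_OK ? "ok" : "malformed");
    return 0;
}
```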