add -I${includedir}/httpserver to CFLAGS

…indings

Source fixes (major findings):
- Extract local_map_for(MHD_ValueKind) helper on http_request_impl, eliminating
  verbatim switch duplication in get_connection_value() and ensure_headerlike_cache()
  (code-simplifier #3/#4, code-quality #15/#16)
- Add mutable bool user_pass_fetched to http_request_impl (under HAVE_BAUTH);
  guard get_user()/get_pass() on the flag instead of username/password.empty(),
  matching args_populated pattern and fixing redundant MHD round-trips
  (code-simplifier #6)
- Add mutable bool requestor_ip_cached to http_request_impl; consolidate
  get_requestor() to a single early-return covering cache-hit and test-request
  paths (code-simplifier #7 + #8/#9)
- Explicit = default for http_request_impl move ctor and move-assign (code-simplifier #33)

Architecture/doc fixes:
- http-request.md: add historical note that TASK-015 used std::make_unique and
  TASK-016 wired the arena (housekeeper #34/#35/#36)
- DR-003b.md: add Implementation phasing section recording the two-step landing
  (housekeeper #1/#2 from major section)
- specs/unworked_review_issues/2026-05-04_013108_task-013.md: mark finding #4
  [x] (microhttpd.h leak resolved by TASK-015) (housekeeper #38/#39)

Review file closeout:
- Mark all 18 resolved findings [x] with Status notes
- Add deferred Status notes to all 46 remaining minor findings

Findings fixed this batch: 7 (code-simplifier #3/#4/#6/#7/#8/#9/#33 +
code-quality #15/#16 + housekeeper #34/#35/#36/#38/#39 = 14 unique findings
across both review-file and source changes)
Findings deferred (minor, all annotated): 46

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Address all 48 minor findings from the 2026-05-26 review pass. Summary of
changes by file:

src/detail/webserver_aliases.cpp
- Remove redundant `static` from `append_sanitized` (anon namespace already
  provides internal linkage; findings #6/#15/#16)
- Trim verbose format-compatibility comment to single-line reference (#7)

src/detail/webserver_finalize.cpp
- Trim file-level comment block to two-sentence summary (#20)
- Add clarifying comment to the `!mr->response` defensive guard (#21)
- Rename `bytes` → `bytes_queued` to match the ctx field it populates (#22)
- Add inline NOTE to elapsed ternary: alias must not read ctx.elapsed (#36)
- Sentinel check for degenerate start_time: emit nanoseconds{-1} when
  answer_to_connection never ran, so hook authors can distinguish port-scan
  paths from real (but very slow) requests (#37)

src/detail/webserver_request.cpp
- Remove redundant `mr->ws = parent` from complete_request; add comment
  noting the field is pre-populated in answer_to_connection (#3)
- Add NOTE comments at both before_handler and skip_handler short-circuit
  paths documenting that after_handler does not fire there (#38)
- Collapse stale TASK-050 migration comment to one line (#25)

src/httpserver/hook_context.hpp
- Add @note to response_sent_ctx documenting elapsed==zero when only the
  log_access alias fires (no add_hook(response_sent, ...) registered) (#9)
- Add @note to request_completed_ctx documenting the nanoseconds{-1}
  sentinel for degenerate start_time paths (#37)

src/httpserver/create_webserver.hpp
- Add @param note to log_access() setter documenting that the callable
  must be CopyConstructible (#35)

examples/clf_access_log.cpp
- Refactor emit_clf_line to use early null guard + unconditional extraction
  of method/path (idiomatic pattern matching webserver_aliases.cpp) (#12-14)
- Add comment explaining intentional 'HTTP/1.1' hardcoding (#33)

specs/architecture/04-components/hooks.md
- Update after_handler, response_sent, request_completed rows with
  file:symbol fire-site references (#26, #27)
- Fix stale webserver.cpp references for route_resolved, before_handler,
  and handler_exception rows (pre-existing staleness from TASK-048) (#27)
- Update API surface comment: after_handler_ctx uses http_response* not
  http_response& (#4)
- Add after_handler firing rules paragraph documenting which paths fire /
  skip after_handler (#1, #2)

specs/tasks/M5-routing-lifecycle/TASK-050.md
- Update three action items to reference correct TUs (webserver_finalize.cpp,
  webserver_callbacks.cpp) and correct field types (#28, #40)

test/integ/hooks_no_firing.cpp
- Add positive firing-count assertions for all wired phases on the happy-path
  GET (after_handler, response_sent, request_completed, route_resolved,
  before_handler, connection_opened, connection_closed, request_received) to
  give the test lasting regression value (#10, #42)

test/integ/hooks_request_completed_fires_on_early_failure.cpp
- Remove timing-dependent 50ms sleep; rely on ws.stop() as synchronisation
  barrier, consistent with other integ tests in this task (#11, #43)

test/unit/hooks_log_access_alias_slot_test.cpp
- Add assertion that '-' replacement appears at injection site in path
  sanitization test (not just absence of control chars) (#44)
- Add assertion that 'GET' remains intact in method sanitization test (#46)
- Add fourth test case pinning construction-time isolation between two
  webservers each with their own log_access callable; documents that
  runtime re-registration is deferred to a future task (#48)

specs/unworked_review_issues/2026-05-26_123948_task-050.md
- Mark all 48 items with [x] and disposition notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…eview-cleanup)

Major findings (5 total):
- #1 (adr-violation): implementation is correct per DR-012/DR-009 §5.2; deferred.
- #2/#3/#28 (code-structure, triplicate): extracted append_impl<P,Sig> template
  helper in resource_hook_table.cpp anonymous namespace; each of the five
  append_* methods now delegates in one line (mirrors fire_short_circuit_impl
  / fire_void_impl pattern).
- #4/#5 (test-structure, advisory): deferred — project prefers per-case
  explicit test bodies for independent failure reporting.

Key minor fixes applied (cosmetic, no behavior change):
- TOCTOU anti-pattern (#6/#35/#36/#45/#47/#48): removed expired()+lock()
  double-check from per_route_table() helper; fire_request_completed_gated
  now uses the helper consistently (was inline-expanded).
- Shadow variable (#15/#38): renamed local var per_route_table → rtable in
  fire_before_handler_gated, consistent with other gated-fire helpers.
- Lifetime comment (#12): added "res keeps the resource alive while rtable
  is in use" note in handle_dispatch_exception.
- Memory-order comment (#50): documented acquire-chain at rtable fetch site
  in fire_before_handler_gated.
- Sentinel assertions (#41/#61/#62): removed LT_CHECK_EQ(true, true) from
  hooks_per_route_resource_destroyed_first.cpp and hook_api_shape_test.cpp;
  replaced with descriptive comments.
- resource_hook_table.hpp comments (#8): clarified named-vector vs std::array
  tradeoff and any_hooks_ unused slots.
- http_resource.hpp (#24/#27): added copy-shares-hook-table note; added
  comment before HTTPSERVER_COMPILATION guard.
- http-resource.md / DR-012.md (#9/#42/#43): documented per-route hook bus
  and PIMPL storage choice.

All 62 items marked [x] in specs/unworked_review_issues/2026-05-26_230100_task-051.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

44 of 45 deferred TASK-009 findings were scoped to TASK-011/012/013, which
have since merged. Verified each against the current code and closed:

- TASK-013 follow-ups (final, v1-compat header removal, virtual *_response
  method removal, MHD forward-decl cleanup, friends-private, AC/static_assert
  in TASK-013.md): http_response is final at http_response.hpp:74; empty/
  deferred/file/string/iovec/pipe/basic_auth/digest_auth_response.hpp gone.
- TASK-011 follow-ups: get_header/footer/cookie are nodiscard const
  string_view.
- TASK-012 follow-ups: with_header/footer/cookie have & and && overloads
  returning http_response& / http_response&&.
- namespace details → detail consistent across src/, test/, docs/.
- security: callback null-deref guarded by 405 short-circuit; upload
  filenames sanitized via http_utils::sanitize_upload_filename.

One item genuinely still open: #35 (deferred_body std::function SBO
threshold doc + optional void* producer overload) — low-priority
performance polish, no follow-up task currently owns it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Final cleanup pass over the unworked review issues tracker:

- Flipped 7 checkboxes whose *Status:* already indicated Resolved /
  Accepted / No-action (task-028 #9/#25, task-031 #25/#27/#28/#29/#35).
- Converted 74 clearly-cosmetic deferrals (naming preferences, idiom
  choices, comment trim suggestions, "consider renaming" notes) to
  explicit *Status:* wontfix. Kept the checkbox as [ ] so they remain
  visible in the open list but are no longer in the actionable backlog.

Final state of specs/unworked_review_issues/:
- 1974 total findings across 37 review files
- 1578 closed [x] / [~]  (80%)
- 322 still-open deferred (actionable backlog)
- 74 wontfix (cosmetic, explicit close)
- 0 items missing a *Status:* line

The 322 actionable deferrals skew toward substantive backlog: missing
tests, missing input validation, perf hot paths, refactor candidates,
and spec/architecture drift. The full list of "real engineering work
worth a follow-up pass" surfaced by Passes 1-3 is preserved in each
review file's *Status:* lines.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>