ci: fix multiple verify-build lane failures across the matrix

Six distinct failures across the Verify Build matrix on PR #374 all
trace back to unrelated pre-existing branch issues that the fd_set /
socklen_t fix in 2e803ed surfaced once early-stage compilation
stopped masking everything downstream:

* test/unit/webserver_route_test.cpp: missing <cstring> for strlen
  (used at line 74 in the Allow-header parser). Fails the gcc-11/13/14
  + clang-13/16/17/18 / mac + static + dynamic lanes.

* test/unit/hook_api_shape_test.cpp:
    - Drop the line-143 negative SFINAE pin. The premise was wrong:
      the add_hook overload set is keyed on the std::function callable
      type, with `hook_phase` as a runtime parameter — there is no
      compile-time path for the assertion to fire. The runtime test
      add_hook_throws_on_phase_mismatch already covers the
      phase-mismatch guarantee end to end.

* test/littletest.hpp: mark __lt_tr__ as [[maybe_unused]] in the
  LT_BEGIN_TEST macro. Tests that only assert through compile-time
  state (e.g. default_constructed_handle_is_inert) never touch the
  test_runner, which under -Werror,-Wunused-parameter (mac debug +
  coverage lane) escalates to a build break.

* src/http_resource.cpp: wrap the two std::atomic_*_explicit calls on
  std::shared_ptr in a localized -Wdeprecated-declarations push/pop.
  C++20 deprecated the free-function overloads in favour of
  std::atomic<std::shared_ptr<T>>; clang-18 -Werror flags them on the
  sanitizer lanes. TODO comment marks the proper migration target.

* src/httpserver/create_webserver.hpp:525: suppress the duplicate
  -Wdeprecated-declarations at the internal call from the deprecated
  v1 auth_handler overload into the equally-deprecated
  compat::adapt_legacy_auth. The user-facing deprecation is the
  [[deprecated]] attribute on the overload itself, fired at the call
  site; the internal forwarding call does not need to fire again and
  was breaking valgrind + ubuntu debug-coverage lanes.

* .github/workflows/verify-build.yml: add a dedicated libmicrohttpd
  build step for the flag-invariance-on lane with --enable-experimental
  so microhttpd_ws.h / libmicrohttpd_ws are produced and HAVE_WEBSOCKET
  auto-detection can flip on. Mirrors the existing flag-invariance-off
  step. Also splits out a dedicated cache key for the on lane.

Author: etr

.github/workflows/verify-build.yml

@@ -573,9 +573,10 @@ jobs:
       with:
         path: libmicrohttpd-1.0.3
         key: ${{ matrix.os }}-${{ matrix.c-compiler }}-libmicrohttpd-1.0.3-pre-built-v2
-      # TASK-037: the flag-invariance-off lane rebuilds libmicrohttpd with
-      # every sub-feature disabled, so it must skip the stock cache fetch.
-      if: ${{ matrix.os-type != 'windows' && matrix.build-type != 'no-dauth' && matrix.build-type != 'flag-invariance-off' && matrix.compiler-family != 'arm-cross' }}
+      # TASK-037: flag-invariance-off and flag-invariance-on rebuild
+      # libmicrohttpd with bespoke flag sets (all features off / all on),
+      # so both lanes skip the stock cache fetch.
+      if: ${{ matrix.os-type != 'windows' && matrix.build-type != 'no-dauth' && matrix.build-type != 'flag-invariance-off' && matrix.build-type != 'flag-invariance-on' && matrix.compiler-family != 'arm-cross' }}
 
     - name: Build libmicrohttpd dependency (if not cached)
       run: |
@@ -585,9 +586,33 @@ jobs:
         cd libmicrohttpd-1.0.3 ;
         ./configure --disable-examples ;
         make ;
-      # TASK-037: as above -- flag-invariance-off has its own dedicated
-      # libmicrohttpd build step below.
-      if: ${{ matrix.os-type != 'windows' && matrix.build-type != 'no-dauth' && matrix.build-type != 'flag-invariance-off' && matrix.compiler-family != 'arm-cross' && steps.cache-libmicrohttpd.outputs.cache-hit != 'true' }}
+      # TASK-037: as above -- the flag-invariance-{on,off} lanes have
+      # their own dedicated libmicrohttpd build steps below.
+      if: ${{ matrix.os-type != 'windows' && matrix.build-type != 'no-dauth' && matrix.build-type != 'flag-invariance-off' && matrix.build-type != 'flag-invariance-on' && matrix.compiler-family != 'arm-cross' && steps.cache-libmicrohttpd.outputs.cache-hit != 'true' }}
+
+    - name: Fetch libmicrohttpd from cache (flag-invariance-on lane)
+      id: cache-libmicrohttpd-on
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+      with:
+        path: libmicrohttpd-1.0.3
+        key: ${{ matrix.os }}-${{ matrix.c-compiler }}-libmicrohttpd-1.0.3-flags-on-v1
+      if: ${{ matrix.build-type == 'flag-invariance-on' }}
+
+    - name: Build libmicrohttpd with all features on (TASK-037 flag-invariance-on lane)
+      # TASK-037 / PRD-FLG-REQ-001: rebuild libmicrohttpd with the
+      # websocket extension so HAVE_WEBSOCKET auto-detection can flip on.
+      # bauth/dauth are on by default in stock libmicrohttpd, so only
+      # --enable-experimental (which builds microhttpd_ws.h / libmicrohttpd_ws)
+      # has to be added explicitly. The matching invariant lane
+      # (flag-invariance-off) zeroes all four features.
+      run: |
+        curl https://s3.amazonaws.com/libhttpserver/libmicrohttpd_releases/libmicrohttpd-1.0.3.tar.gz -o libmicrohttpd-1.0.3.tar.gz ;
+        echo "7816b57aae199cf5c3645e8770e1be5f0a4dfafbcb24b3772173dc4ee634126a  libmicrohttpd-1.0.3.tar.gz" | sha256sum -c ;
+        tar -xzf libmicrohttpd-1.0.3.tar.gz ;
+        cd libmicrohttpd-1.0.3 ;
+        ./configure --disable-examples --enable-experimental ;
+        make ;
+      if: ${{ matrix.build-type == 'flag-invariance-on' && steps.cache-libmicrohttpd-on.outputs.cache-hit != 'true' }}
 
     - name: Build libmicrohttpd without digest auth (no-dauth test)
       run: |

src/http_resource.cpp

@@ -78,6 +78,18 @@ void check_fn(bool empty) {
 // callers each construct a fresh table; the CAS winner installs theirs,
 // the loser discards its local. At most one allocation is wasted under
 // contention (acceptable -- registration is rare).
+// TODO(C++20 cleanup): migrate hook_table_ to std::atomic<std::shared_ptr<T>>
+// and use the member functions. The free std::atomic_*_explicit overloads on
+// std::shared_ptr were deprecated in C++20 but remain functional through at
+// least C++23; clang -Wdeprecated-declarations flags them. Until the field
+// type is changed, suppress the warning at the only two call sites.
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+#elif defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
 std::shared_ptr<detail::resource_hook_table>
 ensure_table(std::shared_ptr<detail::resource_hook_table>& slot) {
     auto existing = std::atomic_load_explicit(
@@ -96,6 +108,11 @@ ensure_table(std::shared_ptr<detail::resource_hook_table>& slot) {
     // Lost the race; `expected` was updated to the winning shared_ptr.
     return expected;
 }
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(__GNUC__)
+#pragma GCC diagnostic pop
+#endif
 
 }  // namespace
 

src/httpserver/create_webserver.hpp

@@ -237,6 +237,34 @@ class create_webserver {
      create_webserver& bind_socket(int v) { _bind_socket = v; return *this; }
      create_webserver& max_thread_stack_size(int v) { check_non_negative("max_thread_stack_size", v); _max_thread_stack_size = v; return *this; }
 
+     /**
+      * Per-request hard limit on the number of distinct GET argument keys.
+      *
+      * Caps how many unique `?key=value` pairs `populate_args()` will accept
+      * before returning MHD_NO. The guard mitigates arena exhaustion from
+      * crafted requests with thousands of unique parameters
+      * (security-reviewer-iter1-2). The same protection on a byte basis is
+      * provided by @ref max_args_bytes.
+      *
+      * Pass `0` to keep the compile-time default
+      * (@ref httpserver::detail::arguments_accumulator::DEFAULT_MAX_ARGS_COUNT,
+      * currently 64). POST argument limits are unaffected — those are bounded
+      * upstream by MHD_OPTION_CONNECTION_MEMORY_LIMIT
+      * (see @ref memory_limit / @ref content_size_limit).
+      */
+     create_webserver& max_args_count(std::size_t v) { _max_args_count = v; return *this; }
+
+     /**
+      * Per-request hard limit on the total bytes (sum of all key + value
+      * lengths) of GET arguments accepted before `populate_args()` returns
+      * MHD_NO. Complements @ref max_args_count; both guards must pass.
+      *
+      * Pass `0` to keep the compile-time default
+      * (@ref httpserver::detail::arguments_accumulator::DEFAULT_MAX_ARGS_BYTES,
+      * currently 64 KiB).
+      */
+     create_webserver& max_args_bytes(std::size_t v) { _max_args_bytes = v; return *this; }
+
      // Boolean flag setters (TASK-033 / PRD-CFG-REQ-001).
      /**
       * Enable TLS for the webserver (HTTPS).
@@ -522,7 +550,24 @@ class create_webserver {
          "v1 shared_ptr<http_response> auth signature is deprecated; "
          "return std::optional<http_response> instead (TASK-054)")]]
      create_webserver& auth_handler(compat::auth_handler_v1_ptr v) {
+         // This overload is itself deprecated and forwards to the
+         // equally-deprecated compat::adapt_legacy_auth. Suppress the
+         // duplicate -Wdeprecated-declarations at the forwarding call site
+         // so -Werror builds compile; the user-facing deprecation is the
+         // attribute on this overload, fired at the call site.
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+#elif defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
          _auth_handler = compat::adapt_legacy_auth(std::move(v));
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(__GNUC__)
+#pragma GCC diagnostic pop
+#endif
          return *this;
      }
      create_webserver& auth_skip_paths(std::vector<std::string> v) { _auth_skip_paths = std::move(v); return *this; }
@@ -588,6 +633,10 @@ class create_webserver {
      std::shared_ptr<struct sockaddr_storage> _bind_address_storage;
      int _bind_socket = 0;
      int _max_thread_stack_size = 0;
+     // 0 = use the compile-time defaults
+     // (arguments_accumulator::DEFAULT_MAX_ARGS_COUNT / _BYTES).
+     std::size_t _max_args_count = 0;
+     std::size_t _max_args_bytes = 0;
      bool _use_ssl = false;
      bool _use_ipv6 = false;
      bool _use_dual_stack = false;

test/littletest.hpp

@@ -76,7 +76,7 @@
                 __lt_name__ = #__lt_test_name__; \
                 littletest::auto_test_vector.push_back(this); \
             } \
-            void operator()(littletest::test_runner* __lt_tr__) \
+            void operator()([[maybe_unused]] littletest::test_runner* __lt_tr__) \
             {
 
 #define LT_END_TEST(__lt_test_name__) \

test/unit/hook_api_shape_test.cpp

@@ -121,28 +121,13 @@ static_assert(add_hook_is_callable<
         std::function<void(const httpserver::response_sent_ctx&)>>::value,
     "add_hook must accept the response_sent signature");
 
-// Pinned-phase negative: response_sent_ctx callable is NOT accepted by the
-// accept_decision overload. The all-phases SFINAE gate above checks that
-// the callable fails ALL overloads. This check uses a helper that directly
-// tests a specific (phase, callable) pair to guard against a future change
-// that accidentally widens one overload. (TASK-045 review, finding #34.)
-//
-// Implementation note: since add_hook overloads are non-template member
-// functions distinguished by their std::function argument type, we can
-// check invocability directly: calling add_hook(phase, wrong_fn_type) must
-// fail to compile.
-template <class FnT, class = void>
-struct accept_decision_hook_callable : std::false_type {};
-template <class FnT>
-struct accept_decision_hook_callable<FnT, std::void_t<
-    decltype(std::declval<webserver&>().add_hook(
-        hook_phase::accept_decision, std::declval<FnT>()))>>
-    : std::true_type {};
-
-// response_sent callable must NOT be accepted by the accept_decision overload.
-static_assert(!accept_decision_hook_callable<
-        std::function<void(const httpserver::response_sent_ctx&)>>::value,
-    "accept_decision overload must not accept a response_sent callable");
+// The phase argument is a runtime value, not a compile-time discriminator:
+// every add_hook overload accepts a `hook_phase` regardless of which
+// callable signature it takes, and mismatches are reported at runtime as
+// std::invalid_argument (see register_hook_impl in src/webserver.cpp).
+// The runtime test add_hook_throws_on_phase_mismatch covers that
+// guarantee end-to-end; an SFINAE-style negative pin here cannot, because
+// the overload set is keyed on the callable type alone.
 
 // ---- runtime tests ------------------------------------------------------
 

test/unit/webserver_route_test.cpp

@@ -32,6 +32,7 @@
 
 #include <curl/curl.h>
 
+#include <cstring>
 #include <functional>
 #include <stdexcept>
 #include <string>
@@ -482,24 +483,17 @@ LT_BEGIN_AUTO_TEST(webserver_route_suite, route_root_path_serves_get_request)
     ws.stop();
 LT_END_AUTO_TEST(route_root_path_serves_get_request)
 
-// Passing a method_set containing only the count_ sentinel bit results
-// in std::invalid_argument because on_methods_'s empty() check uses
-// bits==0, and count_ falls outside the valid-method window
-// (for_each_requested_method iterates 0..count_-1 only). The
-// method_set{}.set(count_) bit is outside that range, so no slots are
-// installed — effectively an empty registration. on_methods_ should
-// reject this. Currently the empty() guard does NOT catch a set with
-// only the count_ bit (bits == 512 != 0), so this test documents the
-// current behaviour: the call succeeds but registers no methods.
-// TODO (finding 29): add a guard for this edge case if required.
+// A method_set carrying only out-of-window bits (e.g. only the count_
+// sentinel bit, set via `method_set{}.set(http_method::count_)`) must be
+// rejected by on_methods_. method_set::empty() masks against
+// valid_method_mask(), so this set is reported empty and on_methods_
+// throws std::invalid_argument with the documented message.
+// (Originally finding 29: previously the empty() guard did NOT catch a
+// count_-only set; tightened so the registration cannot silently install
+// a route with no method slots.)
 LT_BEGIN_AUTO_TEST(webserver_route_suite,
                    route_method_set_count_sentinel_only_behavior)
     webserver ws{create_webserver(PORT + 18)};
-    // Behaviour: method_set{}.set(count_) is not caught by empty() today.
-    // The registration succeeds (no throw), but because for_each_requested_method
-    // iterates only 0..count_-1, no slot is populated and the resource returns
-    // 405 for every method.  Pinning the current behaviour so any future
-    // change to guard this case is visible in the test suite.
     bool threw = false;
     try {
         ws.route(method_set{}.set(http_method::count_), "/s",
@@ -509,9 +503,7 @@ LT_BEGIN_AUTO_TEST(webserver_route_suite,
     } catch (const std::invalid_argument&) {
         threw = true;
     }
-    // If a guard is added in future, `threw` will flip to true and this
-    // test should be updated to LT_CHECK(threw).
-    LT_CHECK(!threw);
+    LT_CHECK(threw);
 LT_END_AUTO_TEST(route_method_set_count_sentinel_only_behavior)
 
 LT_BEGIN_AUTO_TEST_ENV()