Merge TASK-052 review cleanup (31/34 fixed, 3 deferred bench design)

Author: etr

README.md

@@ -1534,7 +1534,6 @@ so the registration persists for the webserver's lifetime.
 |-------|----------|---------------|--------------------|
 | `connection_opened` | New TCP / TLS connection accepted by MHD | No | No |
 | `accept_decision` | After the default-policy / block-list verdict; the connection has been accepted or denied | No | No |
-| `connection_closed` | Connection torn down (peer close or server close) | No | No |
 | `request_received` | Request line and headers parsed, body not yet consumed | Yes (`hook_action`) | No |
 | `body_chunk` | Each upload-body chunk delivered by MHD | Yes (`hook_action`) | No |
 | `route_resolved` | After URL → resource resolution; carries the matched route or "no match" | No | No |
@@ -1543,6 +1542,7 @@ so the registration persists for the webserver's lifetime.
 | `after_handler` | Handler returned a response, before it is queued on the wire (mutation point) | Yes (`hook_action`) | Yes |
 | `response_sent` | Response handed to `MHD_queue_response`; carries `status`, `bytes_queued`, `elapsed` | No | Yes |
 | `request_completed` | Request lifecycle finished (success or failure); last hook to fire per request | No | Yes |
+| `connection_closed` | Connection torn down (peer close or server close) | No | No |
 
 ### Short-circuit semantics
 

RELEASE_NOTES.md

@@ -103,10 +103,10 @@ v1.x is end-of-life on the day v2.0 ships.
   every removed `#define`.
 - **Lifecycle hook bus (`webserver::add_hook` / `http_resource::add_hook`).**
   Eleven phases (`hook_phase` enum: `connection_opened`,
-  `accept_decision`, `connection_closed`, `request_received`,
-  `body_chunk`, `route_resolved`, `before_handler`,
-  `handler_exception`, `after_handler`, `response_sent`,
-  `request_completed`) spanning connection, request, routing, handler,
+  `accept_decision`, `request_received`, `body_chunk`,
+  `route_resolved`, `before_handler`, `handler_exception`,
+  `after_handler`, `response_sent`, `request_completed`,
+  `connection_closed`) spanning connection, request, routing, handler,
   and response. Multi-subscriber, server-wide and per-route. The v1
   single-slot setters (`log_access`, `not_found_handler`,
   `method_not_allowed_handler`, `internal_error_handler`,

examples/per_route_auth.cpp

@@ -18,6 +18,16 @@
 //   export AUTH_USER=alice AUTH_PASS=hunter2
 //   ./per_route_auth
 //
+// TRANSPORT NOTE: HTTP Basic auth sends credentials base64-encoded but
+// NOT encrypted. In production, serve only over TLS (use
+// create_webserver().use_ssl(...)).
+//
+// CONSTANT-TIME NOTE: The credential comparison below uses
+// std::string_view::operator==, which short-circuits on the first
+// differing byte and can leak information via timing side-channels
+// (CWE-208). In production, replace with a constant-time comparison
+// (e.g., CRYPTO_memcmp or an equivalent fixed-length loop).
+//
 // Then:
 //
 //   curl -v http://localhost:8080/public                       # 200 OK
@@ -81,8 +91,14 @@ int main() {
     auto h = priv->add_hook(hs::hook_phase::before_handler,
         std::function<hs::hook_action(hs::before_handler_ctx&)>(
             [user, pass](hs::before_handler_ctx& ctx) {
+                // Null should never occur at before_handler on a matched
+                // route, but fail closed (deny) rather than pass on any
+                // unexpected null to avoid a fail-open security hole
+                // (CWE-636).
                 if (ctx.request == nullptr) {
-                    return hs::hook_action::pass();
+                    return hs::hook_action::respond_with(
+                        hs::http_response::unauthorized(
+                            "Basic", "private-realm", "Unauthorized"));
                 }
                 std::string_view u = ctx.request->get_user();
                 std::string_view p = ctx.request->get_pass();