Merge TASK-032 review cleanup (29/38 fixed, 4 deferred)

Author: etr

specs/architecture/09-testing.md

@@ -7,6 +7,6 @@ The architecture itself does not prescribe test frameworks (out of architecture
 3. **Move semantics on `http_response`** (DR-5): sanitizer-clean tests for inline↔inline, inline↔heap, heap↔inline, heap↔heap on both move-construct and move-assign.
 4. **SBO size invariant** (DR-5): `static_assert(sizeof(detail::deferred_body) <= http_response::body_buf_size, ...)` at the end of `detail/body.hpp`. Compile-time guarantee.
 5. **Routing semantics preservation** (DR-7): the v1 routing-test corpus runs against v2.0 unchanged. Any regression is treated as a release-blocker.
-6. **Thread-safety contract** (DR-8): a stress test exercises `register_resource` / `block_ip` from within handlers, verifies no deadlock except for the documented `stop()` case.
+6. **Thread-safety contract** (DR-8): a stress test exercises `register_path` / `unregister_path` / `block_ip` / `unblock_ip` from within handlers, verifies no deadlock except for the documented `stop()` case. An opt-in negative test (`stop_from_handler_deadlocks_as_documented`, enabled via `HTTPSERVER_RUN_STOP_FROM_HANDLER=1`) confirms the deadlock contract by forking a child that calls `stop()` from inside a handler.
 
 ---

specs/architecture/11-decisions/DR-008.md

@@ -22,6 +22,6 @@
 **Verification (TASK-032):**
 - `test/integ/threadsafety_stress.cpp` — stress test binary `threadsafety_stress` runs 16 concurrent curl clients for 60 seconds (override via `HTTPSERVER_STRESS_SECONDS=N`), each request randomly invoking `register_path`, `unregister_path`, `block_ip`, and `unblock_ip` against the running `webserver` from inside a handler thread. A duplicate-registration from a handler throws `std::invalid_argument` rather than causing a data race.
 - CI coverage: the `build-type: tsan` matrix entry in `.github/workflows/verify-build.yml` compiles with `-fsanitize=thread` and runs `make check`, which automatically picks up `threadsafety_stress` as a registered `check_PROGRAMS` entry — no separate workflow wiring is needed.
-- Opt-in negative test `stop_from_handler_deadlocks_as_documented` (enabled via `HTTPSERVER_RUN_STOP_FROM_HANDLER=1`) forks a child process that calls `stop()` from inside a handler. A non-zero child exit (libmicrohttpd self-join abort, exit code 42) or a 5-second parent timeout (exit code 43) both count as positive observation of the documented deadlock contract. These exit codes serve as regression sentinels.
+- Opt-in negative test `stop_from_handler_deadlocks_as_documented` (enabled via `HTTPSERVER_RUN_STOP_FROM_HANDLER=1`) forks a child process that calls `stop()` from inside a handler. Positive observations of the contract are signal-terminated (libmicrohttpd self-join abort, `WIFSIGNALED`) or SIGKILL-from-parent after a 5-second timeout (silent deadlock, also `WIFSIGNALED`). Two sentinel exit codes mark regressions: the unreachable-after-`stop()` line inside the child (`stop()` returned from a handler — regression) and the post-curl line (`stop()` did not block at all — regression). A zero child exit means `stop()` returned cleanly, which is also a regression against DR-008. `~webserver()` carries the same threading constraint as `stop()` but is not separately exercised because destructor invocation from a running handler is inherently process-unsafe; the `stop()` test is considered representative.
 
 ---

specs/product_specs.md

@@ -36,6 +36,9 @@
 - **Hot-path performance:** Per-request getters shall not allocate or copy containers; they return `const&` or `string_view`.
 - **Naming:** All public method names shall be snake_case; one canonical verb per concept.
 - **Documentation:** v2.0 ships with a rewritten `README` and an updated examples set. A short `RELEASE_NOTES.md` summarizes the API changes for users porting from v1; it is informational, not a compatibility commitment.
+- **Concurrency (DR-008):**
+  - `PRD-CON-REQ-001` When a caller invokes any `webserver` public method from a handler thread (except `stop()` or `~webserver()`), the system shall complete the call without deadlock or data race.
+  - `PRD-CON-REQ-002` When a caller invokes `stop()` or `~webserver()` from inside a handler thread, the system shall either deadlock (join waits indefinitely) or abort (libmicrohttpd self-join detection); it shall not return successfully.
 
 ---