zenhttp improvements (robustness / correctness) (#968)

A collection of security, correctness, and robustness fixes in `zenhttp` and `zencore` surfaced by security review. Most items are small, independent commits grouped here because they all tighten trust boundaries or fix UB along the same code paths.

## WebSocket protocol hardening (RFC 6455)

- **Enforce the client-side mask bit**. Server-side frame loops now reject unmasked frames with close code 1002 per §5.1. Prevents HTTP intermediary smuggling.
- **Validate control frames and RSV bits**. Fragmented control frames, oversized (>125 B) control payloads, and any non-zero RSV bit now fail the connection before allocation.
- **Lower per-frame payload cap** from 256 MB → 4 MB. Bounds per-connection accumulator memory.
- **Implement message fragmentation**. Continuation frames are coalesced and delivered as a single message; interleaved non-control frames close with 1002; assembled messages are capped at 4 MB (1009 on overflow). Previously partial fragments were delivered to handlers, bypassing payload validation.
- **Parse the 101 handshake response properly** in `HttpWsClient`. Status-line, `Upgrade`, `Connection`, and `Sec-WebSocket-Accept` are now matched exactly rather than via substring searches against the full body.

## Auth / OIDC hardening

- **Constant-time password compare** in `PasswordSecurity::IsAllowed` (closes a remote length/content timing oracle). Adds a shared `ConstantTimeEquals` helper.
- **Harden Basic-auth header parsing**: trim trailing LWS, reject control bytes and DEL in the credential.
- **OIDC discovery pinning**: require HTTPS (loopback exempt), verify `issuer` matches `BaseUrl`, require `token_endpoint` / `userinfo_endpoint` / `jwks_uri` to share origin with `BaseUrl`, reject empty `token_endpoint`.
- **Restrict `POST /auth/oidc/refreshtoken`** to local-machine requests. Previously unauthenticated in default deployments — remote callers could evict or replace cached tokens.
- **Stop logging OIDC provider response bodies** on refresh failure (IdPs echo `refresh_token` back in error bodies).
- **Drop the unused `IdentityToken` field** from `OidcClient` / `OpenIdToken` so nothing in the tree accidentally trusts an unverified JWT.

## Auth state encryption migration

- Add `AesGcm` AEAD primitive (BCrypt / OpenSSL backends, mbedTLS stubbed) and `CryptoRandom::Fill` CSPRNG helper in `zencore/crypto.h`.
- Migrate authstate file from AES-256-CBC with a fixed IV to AES-GCM with a fresh 12-byte random nonce per write and the 4-byte `ZEN1` magic bound as AAD. Legacy-CBC files are transparently read once and rewritten in the new format.

## Filesystem / IO robustness

- `IoBufferExtendedCore::Materialize` now checks `MAP_FAILED` on POSIX (was comparing to `nullptr`, which let the failure sentinel propagate into later reads and `munmap(MAP_FAILED, ...)`).
- `IoBufferBuilder::MakeFromFile / MakeFromTemporaryFile`: close the FD/HANDLE on exception via a dismissable `ScopeGuard`; actually check the `fstat()` return value (previously used an uninitialized `FileSize`).
- `ReadFromFileMaybe`: loop short reads, retry `EINTR`, chunk Windows `ReadFile` at `0xFFFFFFFF` bytes (fixes silent truncation of multi-GiB reads).
- `WipeDirectory`: compare `FindFirstFileW` handle against `INVALID_HANDLE_VALUE` rather than `nullptr`.
- `RemoveFileNative` (Linux/macOS): report non-`ENOENT` stat failures via the `std::error_code` out-param and stop reading `st_mode` after a failed stat.

## Buffer / compression correctness

- Avoid per-copy `IoBufferCore` heap allocations in `CompositeBuffer::CopyTo / ViewOrCopyRange` iterators; add fast path for `BufferHeader::Read` when the 64-byte header fits in the first plain-memory segment.
- `BufferHeader`: add `IsHeaderValid()` gate covering `BlockSizeExponent` range, `BlockCount * BlockSize` overflow, and `TotalRawSize` bounds before any arithmetic uses them. Defends against attacker-controlled headers that can pass the CRC and trigger OOB writes in `DecompressBlock`.

1 files changed, 34 insertions, 18 deletions

diff --git a/src/zencore/compositebuffer.cpp b/src/zencore/compositebuffer.cpp
index ed2b16384..1dee8477f 100644
--- a/src/zencore/compositebuffer.cpp
+++ b/src/zencore/compositebuffer.cpp
@@ -179,12 +179,11 @@ CompositeBuffer::GetIterator(uint64_t Offset) const
 MemoryView
 CompositeBuffer::ViewOrCopyRange(Iterator& It, uint64_t Size, UniqueBuffer& CopyBuffer) const
 {
-	// We use a sub range IoBuffer when we want to copy data from a segment.
-	// This means we will only materialize that range of the segment when doing
-	// GetView() rather than the full segment.
-	// A hot path for this code is when we call CompressedBuffer::FromCompressed which
-	// is only interested in reading the header (first 64 bytes or so) and then throws
-	// away the materialized data.
+	// A hot path for this code is CompressedBuffer::FromCompressed, which only reads the header
+	// (first 64 bytes or so). For plain memory segments we take a direct view (no allocation);
+	// for extended (file-backed) segments we materialize only the requested slice via a
+	// sub-range IoBuffer whose lifetime must extend across the CopyFrom below — otherwise its
+	// view would dangle into freed memory the moment the IoBuffer goes out of scope.
 	if (CopyBuffer.GetSize() < Size)
 	{
 		CopyBuffer = UniqueBuffer::Alloc(Size);
@@ -198,9 +197,20 @@ CompositeBuffer::ViewOrCopyRange(Iterator& It, uint64_t Size, UniqueBuffer& Copy
 		const SharedBuffer& Segment		= m_Segments[It.SegmentIndex];
 		size_t				SegmentSize = Segment.GetSize();
 		size_t				CopySize	= zen::Min(SegmentSize - It.OffsetInSegment, SizeLeft);
-		IoBuffer			SubSegment(Segment.AsIoBuffer(), It.OffsetInSegment, CopySize);
-		MemoryView			ReadView = SubSegment.GetView();
-		WriteView					 = WriteView.CopyFrom(ReadView);
+
+		IoBuffer   SubSegment;	// lifetime holder for the extended-segment view
+		MemoryView ReadView;
+		if (Segment.IsExtended())
+		{
+			SubSegment = IoBuffer(Segment.AsIoBuffer(), It.OffsetInSegment, CopySize);
+			ReadView   = SubSegment.GetView();
+		}
+		else
+		{
+			ReadView = Segment.GetView().Mid(It.OffsetInSegment, CopySize);
+		}
+		WriteView = WriteView.CopyFrom(ReadView);
+
 		It.OffsetInSegment += CopySize;
 		ZEN_ASSERT_SLOW(It.OffsetInSegment <= SegmentSize);
 		if (It.OffsetInSegment == SegmentSize)
@@ -216,12 +226,7 @@ CompositeBuffer::ViewOrCopyRange(Iterator& It, uint64_t Size, UniqueBuffer& Copy
 void
 CompositeBuffer::CopyTo(MutableMemoryView WriteView, Iterator& It) const
 {
-	// We use a sub range IoBuffer when we want to copy data from a segment.
-	// This means we will only materialize that range of the segment when doing
-	// GetView() rather than the full segment.
-	// A hot path for this code is when we call CompressedBuffer::FromCompressed which
-	// is only interested in reading the header (first 64 bytes or so) and then throws
-	// away the materialized data.
+	// See ViewOrCopyRange above for rationale on the extended vs. plain segment split.
 
 	size_t SizeLeft		= WriteView.GetSize();
 	size_t SegmentCount = m_Segments.size();
@@ -231,9 +236,20 @@ CompositeBuffer::CopyTo(MutableMemoryView WriteView, Iterator& It) const
 		const SharedBuffer& Segment		= m_Segments[It.SegmentIndex];
 		size_t				SegmentSize = Segment.GetSize();
 		size_t				CopySize	= zen::Min(SegmentSize - It.OffsetInSegment, SizeLeft);
-		IoBuffer			SubSegment(Segment.AsIoBuffer(), It.OffsetInSegment, CopySize);
-		MemoryView			ReadView = SubSegment.GetView();
-		WriteView					 = WriteView.CopyFrom(ReadView);
+
+		IoBuffer   SubSegment;	// lifetime holder for the extended-segment view
+		MemoryView ReadView;
+		if (Segment.IsExtended())
+		{
+			SubSegment = IoBuffer(Segment.AsIoBuffer(), It.OffsetInSegment, CopySize);
+			ReadView   = SubSegment.GetView();
+		}
+		else
+		{
+			ReadView = Segment.GetView().Mid(It.OffsetInSegment, CopySize);
+		}
+		WriteView = WriteView.CopyFrom(ReadView);
+
 		It.OffsetInSegment += CopySize;
 		ZEN_ASSERT_SLOW(It.OffsetInSegment <= SegmentSize);
 		if (It.OffsetInSegment == SegmentSize)