zenhttp improvements (robustness / correctness) (#968)

A collection of security, correctness, and robustness fixes in `zenhttp` and `zencore` surfaced by security review. Most items are small, independent commits grouped here because they all tighten trust boundaries or fix UB along the same code paths.

## WebSocket protocol hardening (RFC 6455)

- **Enforce the client-side mask bit**. Server-side frame loops now reject unmasked frames with close code 1002 per §5.1. Prevents HTTP intermediary smuggling.
- **Validate control frames and RSV bits**. Fragmented control frames, oversized (>125 B) control payloads, and any non-zero RSV bit now fail the connection before allocation.
- **Lower per-frame payload cap** from 256 MB → 4 MB. Bounds per-connection accumulator memory.
- **Implement message fragmentation**. Continuation frames are coalesced and delivered as a single message; interleaved non-control frames close with 1002; assembled messages are capped at 4 MB (1009 on overflow). Previously partial fragments were delivered to handlers, bypassing payload validation.
- **Parse the 101 handshake response properly** in `HttpWsClient`. Status-line, `Upgrade`, `Connection`, and `Sec-WebSocket-Accept` are now matched exactly rather than via substring searches against the full body.

## Auth / OIDC hardening

- **Constant-time password compare** in `PasswordSecurity::IsAllowed` (closes a remote length/content timing oracle). Adds a shared `ConstantTimeEquals` helper.
- **Harden Basic-auth header parsing**: trim trailing LWS, reject control bytes and DEL in the credential.
- **OIDC discovery pinning**: require HTTPS (loopback exempt), verify `issuer` matches `BaseUrl`, require `token_endpoint` / `userinfo_endpoint` / `jwks_uri` to share origin with `BaseUrl`, reject empty `token_endpoint`.
- **Restrict `POST /auth/oidc/refreshtoken`** to local-machine requests. Previously unauthenticated in default deployments — remote callers could evict or replace cached tokens.
- **Stop logging OIDC provider response bodies** on refresh failure (IdPs echo `refresh_token` back in error bodies).
- **Drop the unused `IdentityToken` field** from `OidcClient` / `OpenIdToken` so nothing in the tree accidentally trusts an unverified JWT.

## Auth state encryption migration

- Add `AesGcm` AEAD primitive (BCrypt / OpenSSL backends, mbedTLS stubbed) and `CryptoRandom::Fill` CSPRNG helper in `zencore/crypto.h`.
- Migrate authstate file from AES-256-CBC with a fixed IV to AES-GCM with a fresh 12-byte random nonce per write and the 4-byte `ZEN1` magic bound as AAD. Legacy-CBC files are transparently read once and rewritten in the new format.

## Filesystem / IO robustness

- `IoBufferExtendedCore::Materialize` now checks `MAP_FAILED` on POSIX (was comparing to `nullptr`, which let the failure sentinel propagate into later reads and `munmap(MAP_FAILED, ...)`).
- `IoBufferBuilder::MakeFromFile / MakeFromTemporaryFile`: close the FD/HANDLE on exception via a dismissable `ScopeGuard`; actually check the `fstat()` return value (previously used an uninitialized `FileSize`).
- `ReadFromFileMaybe`: loop short reads, retry `EINTR`, chunk Windows `ReadFile` at `0xFFFFFFFF` bytes (fixes silent truncation of multi-GiB reads).
- `WipeDirectory`: compare `FindFirstFileW` handle against `INVALID_HANDLE_VALUE` rather than `nullptr`.
- `RemoveFileNative` (Linux/macOS): report non-`ENOENT` stat failures via the `std::error_code` out-param and stop reading `st_mode` after a failed stat.

## Buffer / compression correctness

- Avoid per-copy `IoBufferCore` heap allocations in `CompositeBuffer::CopyTo / ViewOrCopyRange` iterators; add fast path for `BufferHeader::Read` when the 64-byte header fits in the first plain-memory segment.
- `BufferHeader`: add `IsHeaderValid()` gate covering `BlockSizeExponent` range, `BlockCount * BlockSize` overflow, and `TotalRawSize` bounds before any arithmetic uses them. Defends against attacker-controlled headers that can pass the CRC and trigger OOB writes in `DecompressBlock`.

1 files changed, 75 insertions, 6 deletions

diff --git a/src/zencore/filesystem.cpp b/src/zencore/filesystem.cpp
index e8ceac5c0..1e18ef8be 100644
--- a/src/zencore/filesystem.cpp
+++ b/src/zencore/filesystem.cpp
@@ -181,7 +181,7 @@ WipeDirectory(const wchar_t* DirPath, bool KeepDotFiles)
 
 	bool Success = true;
 
-	if (hFind != nullptr)
+	if (hFind != INVALID_HANDLE_VALUE)
 	{
 		do
 		{
@@ -436,15 +436,18 @@ RemoveFileNative(const std::filesystem::path& Path, bool ForceRemoveReadOnlyFile
 	if (!ForceRemoveReadOnlyFiles)
 	{
 		struct stat Stat;
-		int			err = stat(Path.native().c_str(), &Stat);
-		if (err != 0)
+		if (stat(Path.native().c_str(), &Stat) != 0)
 		{
-			int32_t err = errno;
-			if (err == ENOENT)
+			const int StatErrno = errno;
+			if (StatErrno == ENOENT)
 			{
 				Ec.clear();
-				return false;
 			}
+			else
+			{
+				Ec = MakeErrorCode(StatErrno);
+			}
+			return false;
 		}
 		const uint32_t Mode = (uint32_t)Stat.st_mode;
 		if (IsFileModeReadOnly(Mode))
@@ -3437,6 +3440,37 @@ MakeSafeAbsolutePath(const std::filesystem::path& Path)
 	return Tmp;
 }
 
+std::optional<std::filesystem::path>
+ResolveSafeRelativePath(const std::filesystem::path& TrustedRoot, std::string_view RelativePath)
+{
+	if (RelativePath.empty())
+	{
+		return std::nullopt;
+	}
+
+	std::filesystem::path Requested(RelativePath);
+	if (Requested.is_absolute() || Requested.has_root_name() || Requested.has_root_directory())
+	{
+		return std::nullopt;
+	}
+	for (const std::filesystem::path& Component : Requested)
+	{
+		if (Component == "..")
+		{
+			return std::nullopt;
+		}
+	}
+
+	const std::filesystem::path NormalizedRoot = TrustedRoot.lexically_normal();
+	const std::filesystem::path Joined		   = (NormalizedRoot / Requested).lexically_normal();
+	if (std::mismatch(NormalizedRoot.begin(), NormalizedRoot.end(), Joined.begin(), Joined.end()).first != NormalizedRoot.end())
+	{
+		return std::nullopt;
+	}
+
+	return Joined;
+}
+
 class SharedMemoryImpl : public SharedMemory
 {
 public:
@@ -4238,6 +4272,41 @@ TEST_CASE("filesystem.MakeSafeAbsolutePath")
 #	endif	// ZEN_PLATFORM_WINDOWS
 }
 
+TEST_CASE("filesystem.ResolveSafeRelativePath")
+{
+	const std::filesystem::path Root = std::filesystem::path("root") / "traces";
+
+	// Empty input is rejected.
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "").has_value());
+
+	// A plain relative path resolves under the root.
+	{
+		auto Resolved = ResolveSafeRelativePath(Root, "session.utrace");
+		REQUIRE(Resolved.has_value());
+		CHECK_EQ(*Resolved, (Root.lexically_normal() / "session.utrace"));
+	}
+
+	// Nested relative segments are allowed as long as they stay inside the root.
+	{
+		auto Resolved = ResolveSafeRelativePath(Root, "2026-04/session.utrace");
+		REQUIRE(Resolved.has_value());
+		CHECK_EQ(*Resolved, (Root.lexically_normal() / "2026-04" / "session.utrace"));
+	}
+
+	// ".." components are rejected before normalisation can collapse them.
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "..").has_value());
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "../etc/passwd").has_value());
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "foo/../../bar").has_value());
+
+	// Absolute paths are rejected on both platforms.
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "/etc/passwd").has_value());
+#	if ZEN_PLATFORM_WINDOWS
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "C:/Windows/win.ini").has_value());
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "C:\\Windows\\win.ini").has_value());
+	CHECK_FALSE(ResolveSafeRelativePath(Root, "\\\\server\\share\\evil").has_value());
+#	endif
+}
+
 TEST_CASE("ExpandEnvironmentVariables")
 {
 	// No variables - pass-through