Conflict resolution:
- src/config/load.rs: Merge HEAD's is_safe_include_path (path traversal guard)
with upstream/flow's LoadedConfig, normalize_config_path, hash_rendered_snapshot,
and the new 4-parameter preprocess_includes signature. Update two test call
sites that still used the old 3-arg signature.
- src/config/hot_reload.rs: Take upstream/flow's tokio::spawn-contained watcher
setup (inotify + poll via manifest_state). HEAD's pre-spawn block was broken:
it referenced notify_tx before the channel was created.

Copilot review fixes (already applied in working tree, now committed):
- src/transport/pool.rs: Handle EINTR in is_connection_alive with retry loop
(treating it as alive) instead of a false dead-connection verdict.
- src/transport/middle_proxy/wire.rs: On u32 overflow in extra-block length
encoding, truncate buffer back to the length-field position and write 0 so wire
representation stays self-consistent. Annotate 16 MiB boundary tests with
#[ignore] to avoid OOM on low-memory CI runners.
- src/stream/buffer_pool.rs: Restore fail-fast expect() in Deref/DerefMut (was
silently returning empty buffer after take(), masking use-after-take bugs).
Add MAX_POOL_BUFFER_OVERSIZE_MULT upper bound in return_buffer to prevent
memory amplification from excessively grown buffers staying in the pool.
Fix contradictory test: oversized_buffer_is_returned_to_pool now grows within
the 4x bound; oversized_buffer_is_dropped_not_pooled (8x growth) now passes.
- src/api/mod.rs: Fix constant_time_eq to iterate over b.len() (expected token
length) rather than min(a.len(), b.len()), closing the timing oracle where an
attacker could influence iteration count by sending a shorter candidate
(OWASP ASVS V6.6.1). Revert ApiRuntimeState and ApiShared to pub(super).
- src/protocol/obfuscation.rs: Replace no-op test_obfuscation_params_is_not_clone
with static_assertions::assert_not_impl_any!(ObfuscationParams: Clone) which
is an actual compile-time enforcement.

Added new endpoints:
- GET /v1/system/info
- GET /v1/runtime/gates
- GET /v1/limits/effective
- GET /v1/security/posture

Added API runtime state without impacting the hot path:
- config_reload_count
- last_config_reload_epoch_secs
- admission_open
- process_started_at_epoch_secs

Added background watcher tasks in api::serve:
- configuration reload tracking
- admission gate state tracking
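The constant_time_eq change in src/api/mod.rs, as an added illustration that is not the project's own code: weak_eq keeps the min(a.len(), b.len()) loop bound (the timing oracle), while constant_time_eq bounds the loop by the expected token's length. Both return the iteration count alongside the verdict (an addition made for observability, not part of the real function) so the difference in work done is visible; the token value is constructed sample data.

```rust
use std::hint::black_box;

/// Shape of the bug described in the commit: the loop runs
/// min(candidate.len(), expected.len()) times, so the caller of the API
/// (who controls `candidate`) also controls how much work the server does.
/// Returns (equal, iterations) so the work done can be observed in a test.
pub fn weak_eq(candidate: &[u8], expected: &[u8]) -> (bool, usize) {
    let n = candidate.len().min(expected.len());
    // Length mismatch is folded into the accumulator rather than short-circuiting.
    let mut diff: u8 = (candidate.len() != expected.len()) as u8;
    for i in 0..n {
        diff |= candidate[i] ^ expected[i];
    }
    (black_box(diff) == 0, n)
}

/// Hardened variant: the loop bound is expected.len(), which the server already
/// knows, so the candidate's length cannot change the number of iterations.
/// Out-of-range candidate bytes read as 0 and still count as a mismatch.
pub fn constant_time_eq(candidate: &[u8], expected: &[u8]) -> (bool, usize) {
    let mut diff: u8 = (candidate.len() != expected.len()) as u8;
    for i in 0..expected.len() {
        let c = candidate.get(i).copied().unwrap_or(0);
        diff |= c ^ expected[i];
    }
    // black_box discourages the optimizer from turning the fold into an early exit.
    (black_box(diff) == 0, expected.len())
}

fn main() {
    // Constructed sample token; 16 bytes long.
    let expected = b"s3cret-api-token";
    // A 2-byte guess makes the weak version do 2 iterations ...
    println!("weak:     {:?}", weak_eq(b"s3", expected));
    // ... but the hardened version always does 16.
    println!("hardened: {:?}", constant_time_eq(b"s3", expected));
}
```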