- secret.rs: swap resp.bytes() for resp.chunk() loop; reject each chunk before
it is appended so hard_cap is never exceeded in memory (OOM/DoS fix).
Replace fixed ".tmp" suffix with unique_temp_path() (timestamp + atomic
counter) to prevent concurrent-writer collisions on the cache file.
- pool_config.rs: add MAX_CONCURRENT_RECONNECTS=32 and batch the reconnect_all
task spawn loop to prevent a thundering-herd burst on large pools.
- buffer_pool.rs: call fill(0u8) before clear() in return_buffer() to
overwrite the initialized region of every returned buffer (OWASP ASVS L2
V8.3.6). Add unsafe backing-byte test to verify zeroization at the
allocation level, not merely via the safe len==0 API.
- api/events.rs, api/runtime_stats.rs: restrict ApiEventStore and
MinimalCacheEntry from pub to pub(crate) — both are consumed only within
the api module tree and should not be part of the public API surface.
Rebase the security hardening stack onto upstream/main after telemt/flow was
merged upstream. This keeps the transport, TLS fronting, middle-proxy, CI
policy, and regression-test changes in a clean PR branch without including
private .David_docs material.
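The two secret.rs changes in this message, the cap-checked chunk loop and the timestamp-plus-counter temp path, as an added Rust illustration that is not the project's own code: `read_bounded`, `FetchError` and the `base` parameter are assumed names, and a plain iterator of `Vec<u8>` stands in for the `resp.chunk()` stream.

```rust
use std::sync::atomic::{AtomicU64, Ordering};
use std::time::{SystemTime, UNIX_EPOCH};

#[derive(Debug, PartialEq)]
pub enum FetchError {
    /// The body would exceed `hard_cap`; the offending chunk was never buffered.
    TooLarge { received: usize, hard_cap: usize },
}

/// Accumulate a streamed body chunk by chunk. The running total is checked
/// against `hard_cap` *before* each append, so a cap-breaking chunk is
/// rejected without being copied and resident memory never exceeds the cap.
/// This is the difference from a single `resp.bytes()` call, which buffers
/// the whole body first and only lets the caller check its length afterwards.
pub fn read_bounded<I>(chunks: I, hard_cap: usize) -> Result<Vec<u8>, FetchError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    let mut body = Vec::new();
    for chunk in chunks {
        let next_len = body.len().saturating_add(chunk.len());
        if next_len > hard_cap {
            return Err(FetchError::TooLarge { received: next_len, hard_cap });
        }
        body.extend_from_slice(&chunk);
    }
    Ok(body)
}

/// Process-wide counter so two writers in the same clock tick still differ.
static TEMP_COUNTER: AtomicU64 = AtomicU64::new(0);

/// Unique temp path: base name + nanosecond timestamp + atomic counter, so
/// concurrent writers do not race on one shared ".tmp" file.
pub fn unique_temp_path(base: &str) -> String {
    let ts = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_nanos())
        .unwrap_or(0);
    let n = TEMP_COUNTER.fetch_add(1, Ordering::Relaxed);
    format!("{base}.{ts}.{n}.tmp")
}
```

The caller still renames the temp file into place once the write completes; the unique name only removes the collision between writers.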