http: couple fetch() receive backpressure to JS body consumption (h1/h2/h3)

[robobun]

Couple the fetch() client's receive-side flow control to the JS reader that's actually consuming response.body, so a stalled getReader() backpressures the server instead of letting the HTTP thread buffer the full response in memory. Covers all three transports.

Fixes #28035.

Note (May 2026): originally written against the Zig runtime; after main replaced it with the Rust port, the feature was re-implemented in the .rs sources as part of the 67640e5 merge. The .zig siblings are untouched (frozen porting references per AGENTS.md). Semantics are unchanged from what was reviewed; file names below use the current Rust paths.

What changes

Shared plumbing. ByteStream gains a did_drain(n) hook that fires whenever bytes leave for JS (via on_pull, the pending/pipe/buffer-action paths in on_data, drain()'s pre-buffered handoff, and to_buffered_value's fast path). FetchTasklet wires it to schedule_response_body_consumed(async_http_id, n) on the HTTP thread (coalescing per-id so a tight read() loop is one wakeup, not one per pull). A new body_consumption_tracked signal — distinct from response_body_streaming, which is also set by S3 downloads and abandoned bodies that never report drainage — is armed in on_start_streaming_http_response_body_callback and disarmed (with a saturating u32::MAX sentinel consume) in ignore_remaining_response_body / reader.cancel().

HTTP/2 (h2_client/ClientSession.rs, Stream.rs). Per-stream WINDOW_UPDATE is gated on min(consumed_bytes, unacked_bytes) when body_consumption_tracked is set; the connection-level window stays receipt-based so sibling streams aren't starved. Decompressed byte counts are clamped to wire bytes so a compression surplus can't bank future credit.

HTTP/1.1 (http/lib.rs). on_data's body branches accumulate outstanding_body_bytes (counted as the body_out_str delta — post-dechunk, post-decompress — so framing/encoding overhead can't accumulate as a floor); past a 4 MiB high-water mark the socket read is paused (us_socket_pause → TCP rwnd shrinks) and the idle timer is cleared. consume_response_body resumes below 1 MiB or when the reader detaches. The proxy-tunnel path is excluded (inner TLS needs the carrier readable), the pause is skipped once the body is complete or a redirect is pending, and a defensive resume before keep-alive pool release keeps uSockets' repeat-recv fast path from handing the pool a paused socket. Process-wide H1_SOCKET_PAUSES/H1_SOCKET_RESUMES counters are exposed via fetchInternals.h1BackpressureCounts() for the tests.

HTTP/3 (h3_client/callbacks.rs, ClientSession.rs). on_stream_data counts delivered bytes; past the same high-water mark it calls want_read(false) (us_quic_stream_want_read) so lsquic stops draining its receive buffer and withholds MAX_STREAM_DATA credit. consume_response_body_by_http_id re-enables the read once the reader catches up. A process-wide body_bytes_received counter is exposed through fetchH3Internals.liveCounts() so the test can observe the cap from a subprocess.

pipeThrough() (#28035)

A reader stalled behind res.body.pipeThrough(new TransformStream()) is handled by the same mechanism with no additional changes: the pipeTo loop waits on the TransformStream writable's readyPromise, so once the piped output stops being read, on_pull stops firing on the native ByteStream, did_drain stops crediting, and outstanding_body_bytes climbs past the high-water mark. Previously this path let ByteStream.buffer grow to the full response size (the OOM in #28035). reader.cancel() on the piped output propagates through pipeToErrorsMustBePropagatedBackward → readableStreamCancel(res.body) → ignore_remaining_response_body, which disarms body_consumption_tracked and posts the sentinel consume so the paused socket resumes.

Note: the full proxy scenario in the issue (Bun.serve returning Response(res.body.pipeThrough(t)) to a slow client) has a second unbounded buffer on the send side — readStreamIntoSink doesn't check HTTPServerWritable backpressure — that this PR doesn't touch. That's a separate follow-up; the receive-side cap here is what keeps the SSE-client / stalled-reader shape bounded.

Tests

test/js/web/fetch/fetch-backpressure.test.ts — three tests per protocol, plus two pipeThrough tests for #28035:

• stalled reader — a child process holds getReader() without calling read(). H2: the raw-frame server sees no per-stream WINDOW_UPDATE for the initial-window overshoot. H1: h1BackpressureCounts().pauses fires. H3: bodyBytesReceived plateaus near RECEIVE_BODY_HIGH_WATER.
• draining reader — the same setup with the reader pulling as fast as it can; the full body arrives.
• cancelled reader — reader.cancel() disarms body_consumption_tracked and posts the sentinel, so the remaining body drains (H1 socket resumes, H2 falls back to receipt-based credit, H3 re-enables want_read).
• stalled pipeThrough(TransformStream) reader (H1) — pauses the socket, then drains through the transform to completion with matched pause/resume counts.
• stalled pipeThrough(TextDecoderStream) reader (H1) — pauses the socket; reader.cancel() on the piped output propagates back and resumes it.
• keep-alive regression — res.body; res.arrayBuffer() across 480 pooled requests; the buffer-action fast path must keep pause/resume accounting exact so no pooled socket is left paused.

All twelve pass with the change; without it the subprocess never observes a pause and the tests fail. node-http-backpressure{,-max}.test.ts timeouts were raised (30→60s / 60→120s) because their 2 GiB fast-drain loops now cycle ~150 pause/resume rounds (~10-20% overhead in release), which had no headroom on the slow darwin-14-x64 runner. Adjacent suites green: fetch-http2-client.test.ts (58), fetch-http3-client.test.ts (49), bun-serve-static.test.ts (34).

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR introduces per-reader byte-consumption tracking and backpressure control across HTTP/2, HTTP/1.1, and HTTP/3 fetch response streams. When JS code drains fetch response bodies via ReadableStream, consumed bytes are reported back to the HTTP transport layer, enabling sockets and protocol streams to pause and resume reads based on buffered body thresholds.

Changes

Fetch Response Stream Backpressure

Layer / File(s)	Summary
Data Shape & Callback Wiring src/bun.js/webcore/Body.zig, src/bun.js/webcore/ReadableStream.zig, src/bun.js/webcore/ByteStream.zig, src/http/Signals.zig	Added PendingValue.onStreamConsumed and NewSource drain_handler/drain_ctx fields; added internal ByteStream.didDrain helper and used it in multiple delivery paths; added Signals.body_consumption_tracked atomic flag.
Core Fetch Tasklet Wiring src/bun.js/webcore/fetch/FetchTasklet.zig	Wired onStreamConsumedCallback into toBodyValue() for Body.Value.Locked; arm/disarm signal_store.body_consumption_tracked when streaming is enabled or ignored; clear Source drain callbacks in stream teardown.
HTTP Thread Queue & Posting src/http/HTTPThread.zig	Added queued_response_body_consumed queue, ConsumeMessage type, scheduleResponseBodyConsumed(...) to coalesce/queue consumption deltas, and drainQueuedHTTPResponseBodyConsumed() invoked from drainEvents.
HTTP Core Receive Pausing src/http.zig, src/http/InternalState.zig	Added receive_body_high_water/receive_body_low_water constants; InternalState.outstanding_body_bytes and InternalStateFlags.receive_paused; implemented maybePauseReceive and updated onData/consume logic to pause/resume socket reads based on outstanding buffered body bytes and body_consumption_tracked.
HTTP/2 Consumption Semantics src/http/h2_client/Stream.zig, src/http/h2_client/ClientSession.zig	Renamed/clarified unacked_bytes semantics, added consumed_bytes to Stream, and added consumeResponseBodyByHttpId to advance per-stream consumption and trigger replenishWindow() under consumption-tracked semantics.
HTTP/3 QUIC Read Control src/http/h3_client/Stream.zig, src/http/h3_client/ClientSession.zig, src/http/h3_client/ClientContext.zig, src/deps/uws/quic/Stream.zig, src/http/H3Client.zig, src/http/h3_client/callbacks.zig	H3 Stream: added outstanding_body_bytes and read_paused; callbacks increment outstanding bytes and global body_bytes_received; added consumeResponseBodyByHttpId at session/context levels to decrement and resume reads; added Stream.wantRead() wrapper binding to control lsquic read callbacks; exposed H3 metrics.
Byte-Delivery Notifications src/bun.js/webcore/ByteStream.zig	Ensure drain notifications are emitted when bytes are delivered to JS (pipes, buffer actions, pending buffer copies, onPull, and drain() path), suppressing zero-length reports.
Testing & Metrics test/js/web/fetch/fetch-backpressure.test.ts, src/js/internal-for-testing.ts	Added comprehensive tests exercising HTTP/2 per-stream WINDOW_UPDATE, HTTP/1.1 socket-read pausing, and HTTP/3 lsquic wantRead pausing; extended fetchH3Internals.liveCounts to include bodyBytesReceived.

Possibly related PRs

• http3: split H3Client into h3_client/ + Alt-Svc upgrade flag #29863 — Adds/structures HTTP/3 client types (ClientContext/ClientSession/Stream) that this PR extends with per-stream consumption tracking and handlers.
• http: harden HTTP/2 fetch client + split into h2_client/ #29809 — Prior work on HTTP/2 flow-control semantics that this PR builds upon when adding consumption-tracked window replenishment.
• fetch: experimental HTTP/3 client via protocol: "http3" #29795 — Related HTTP/3 client and HTTPThread wiring this PR integrates with via cross-thread consumption queue and handlers.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly and specifically describes the main change: coupling fetch() receive backpressure to JS body consumption across HTTP/1, HTTP/2, and HTTP/3 transports, which aligns with the comprehensive changes shown in the raw summary.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	PR description comprehensively details the feature, implementation across all three HTTP transports, test coverage, and issue resolution.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[robobun]

^{Updated 6:39 AM PT - Jun 6th, 2026}

❌ @robobun, your commit df93330 has 1 failures in Build #61096 (All Failures):

• test/cli/install/bunx.test.ts - code 1 on 🐧 13 x64-asan
• test/cli/install/bunx.test.ts - code 1 on 🪟 2019 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🪟 2019 x64
• test/cli/install/bunx.test.ts - code 1 on 🐧 25.04 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 13 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 25.04 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🐧 13 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🐧 25.04 x64
• test/cli/install/bunx.test.ts - code 1 on 🐧 13 x64
• test/cli/install/bunx.test.ts - code 1 on 🐧 3.23 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 3.23 x64-baseline
• test/cli/install/bunx.test.ts - code 1 on 🪟 11 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🐧 3.23 x64
• test/cli/install/bunx.test.ts - code 1 on 🍎 14 x64
• test/cli/install/bunx.test.ts - code 1 on 🍎 26 aarch64
• test/cli/install/bunx.test.ts - code 1 on 🍎 14 aarch64

---

🧪   To try this PR locally:

bunx bun-pr 29831

That installs a local version of the PR into your bun-29831 executable, so you can run:

bun-29831 --bun

[github-actions]

Found 3 issues this PR may fix:

1. fetch().body piped through TransformStream does not propagate backpressure #28035 - fetch().body piped through TransformStream does not propagate backpressure; the PR's drain callbacks and per-stream WINDOW_UPDATE gating directly address this for HTTP/2 connections
2. Bun.write writing a Response from a fetch leaks memory #10686 - Bun.write writing a Response from fetch leaks memory because the response body is fully buffered; gating HTTP/2 flow control on JS consumption would bound memory
3. Memory leak when downloading file (both @google-cloud/storage and Bun's S3) #20487 - Large file downloads via fetch (GCS/S3) cause unbounded RSS growth; per-stream receive-window gating prevents the server from sending faster than JS consumes over HTTP/2

If this is helpful, copy the block below into the PR description to auto-close these issues on merge.

Fixes #28035
Fixes #10686
Fixes #20487

🤖 Generated with Claude Code

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/bun.js/webcore/fetch/FetchTasklet.zig (1)

922-930: ⚠️ Potential issue | 🟠 Major

Don't clear the drain callback before the final chunk is consumed.

clearStreamCancelHandler() now removes drain_handler, but onBodyReceived(...has_more = false) calls this before handing the last buffered bytes to ByteStream.onData(). That means the tail bytes can never report actual JS consumption, so the HTTP/2 stream stays under-credited at end-of-body.

🔧 Suggested fix

 fn clearStreamCancelHandler(this: *FetchTasklet) void {
     if (this.readable_stream_ref.get(this.global_this)) |readable| {
         if (readable.ptr == .Bytes) {
             const source = readable.ptr.Bytes.parent();
             source.cancel_handler = null;
             source.cancel_ctx = null;
-            source.drain_handler = null;
-            source.drain_ctx = null;
         }
     }
 }

Keep drain teardown separate so the final buffered bytes can still trigger didDrain().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/bun.js/webcore/fetch/FetchTasklet.zig` around lines 922 - 930, The
function clearStreamCancelHandler currently clears drain_handler and drain_ctx
prematurely, which prevents the final chunk from reporting consumption
correctly. Modify clearStreamCancelHandler in FetchTasklet to only clear
cancel_handler and cancel_ctx, keeping drain_handler and drain_ctx intact.
Implement a separate method to clear drain callbacks after the last buffered
bytes are fully consumed, ensuring proper crediting of the HTTP/2 stream in
onBodyReceived.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/http/h2_client/ClientSession.zig`:
- Around line 355-363: The current consumeResponseBodyByHttpId updates
per-stream stream.consumed_bytes with JS-delivered bytes and then calls
replenishWindow(), which lets stale decompressed-byte surplus drive
WINDOW_UPDATEs; modify consumeResponseBodyByHttpId (and corresponding logic used
by replenishWindow) to limit carried consumed balance to at most the
wire-received bytes for that stream or track a separate wire_consumed counter:
either add a stream.wire_consumed field and increment that by the actual
received DATA/WIRE bytes (and use that in replenishWindow/when deciding
WINDOW_UPDATEs) or clamp stream.consumed_bytes to the lesser of the existing
consumed balance and the total_wire_received - already_windowed_wire_consumed
before calling replenishWindow; update any places that read
stream.consumed_bytes (e.g., replenishWindow, the WINDOW_UPDATE computation) to
use the new wire-aware value so decompressing reads cannot overspend window
credits.

In `@test/js/web/fetch/fetch-http2-backpressure.test.ts`:
- Around line 9-13: Move the test cases from fetch-http2-backpressure.test.ts
into the existing fetch-http2-client.test.ts file instead of a new file; if they
must run serially, place those tests outside the existing describe.concurrent
block (e.g. put them in a top-level describe or a separate describe that is not
.concurrent) so they don’t run concurrently with the heavy TLS/debug-build
tests; ensure you import any helpers used by the tests into
fetch-http2-client.test.ts and remove the standalone
fetch-http2-backpressure.test.ts to keep tests co-located with fetch HTTP/2
specs.

---

Outside diff comments:
In `@src/bun.js/webcore/fetch/FetchTasklet.zig`:
- Around line 922-930: The function clearStreamCancelHandler currently clears
drain_handler and drain_ctx prematurely, which prevents the final chunk from
reporting consumption correctly. Modify clearStreamCancelHandler in FetchTasklet
to only clear cancel_handler and cancel_ctx, keeping drain_handler and drain_ctx
intact. Implement a separate method to clear drain callbacks after the last
buffered bytes are fully consumed, ensuring proper crediting of the HTTP/2
stream in onBodyReceived.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fdef9a93-7969-48fe-95b0-f2e4605bfa45

📥 Commits

Reviewing files that changed from the base of the PR and between 4d615e8 and dc050be.

📒 Files selected for processing (8)

• src/bun.js/webcore/Body.zig
• src/bun.js/webcore/ByteStream.zig
• src/bun.js/webcore/ReadableStream.zig
• src/bun.js/webcore/fetch/FetchTasklet.zig
• src/http/HTTPThread.zig
• src/http/h2_client/ClientSession.zig
• src/http/h2_client/Stream.zig
• test/js/web/fetch/fetch-http2-backpressure.test.ts

[robobun]

Status: ready to merge — the diff is green; the only hard CI failure is an external npm-registry breakage. Head df93330 (review-nit fix on top of the 574eedb merge with main, through #31875). Fixes #28035. All 25 review threads resolved; claude-bot's latest review found one test-diagnostics nit, addressed in df93330 (lineReader now drains child stderr and appends it to the EOF error at all 11 call sites, replacing the three hand-rolled h3 wrappers).

CI triage (#61096 on current head df93330, same as #61091 on 574eedb): the only hard-failing test is test/cli/install/bunx.test.ts › should handle package that requires node 24 (exit 3 instead of 0, identical on debian-13-x64-asan and both windows-2019 lanes). Root cause, proven by reproducing on a pristine main checkout with a stock pre-PR bun: the test runs bunx --bun @angular/cli@latest --help against the live registry; @angular/cli@22.0.0 (published 2026-06-03) requires node ^22.22.3 || ^24.15.0 || >=26.0.0, and Bun reports 24.3.0, so Angular's version gate process.exit(3)s. Main builds that show green only avoid it when agents resolve @latest from a warm bunx cache that still has 21.x. The fix belongs on main (pin the package version in the test or bump the reported node version). All other annotations in both builds are retried-and-passed flakes on tests this PR doesn't touch (serve-body-leak, spawn-pipe-leak, bun-install workspaces, update_interactive, hot.test). Every fetch/HTTP/backpressure suite is green on every lane, including the asan lane that runs the new tests.

Track record: build 58083 (head bf070b0) passed fully — this PR has a green full-CI run on record. #57647 was 280-green (one unrelated darwin FSEvents segfault), #56864 282-green (darwin agent infra). The one permitted CI retrigger was spent on that infra failure.

What's in the diff (vs main): ~715 lines across 19 src/**/*.rs files + internal-for-testing.ts + 3 test files — h1 maybe_pause_receive/consume_response_body (4 MiB/1 MiB watermarks, keep-alive-pool safety, idle-timer handling), coalescing HTTPThread consume queue, h2 per-stream WINDOW_UPDATE gated on min(consumed, unacked), h3 want_read(false) past high water, ByteStream.did_drain + Body.on_stream_consumed + FetchTasklet arm/disarm plumbing, and the fetchInternals/fetchH3Internals testing counters. .zig files untouched per AGENTS.md.

Verification: 12/12 fetch-backpressure.test.ts (h2/h1/h3 × stalled/draining/cancelled, 2× pipeThrough for #28035, keep-alive regression) locally on this head; fetch-http2-client 58/58, fetch-http3-client 49/49, bun-serve-static 34/34, node-http-backpressure{,-max} green on prior heads in CI.

A maintainer can merge over the @angular/cli registry breakage (or land a main-side fix for bunx.test.ts first) — it is independent of this PR.

[Jarred-Sumner]

@robobun fix the comments

[claude]

All three of my earlier findings are addressed and I found nothing new on c28c8c0, but this reworks h2 per-stream flow control across the JS↔HTTP thread boundary with a new body_consumption_tracked signal — worth a human pass before merge.

Extended reasoning...

Overview

This PR changes how the experimental HTTP/2 fetch client credits the per-stream receive window: instead of sending WINDOW_UPDATE on receipt, it now gates per-stream credit on bytes actually drained by the JS ReadableStream reader. The plumbing spans ByteStream/ReadableStream.NewSource (new drain_handler), Body.Value (toReadableStream and tee() wiring), FetchTasklet (new onStreamConsumed callback + body_consumption_tracked signal management in onStartStreaming/ignoreRemainingResponseBody), HTTPThread (new scheduleResponseBodyConsumed queue + drain), Signals (new atomic), and ClientSession/Stream (new consumed_bytes counter + reworked replenishWindow). Three new wire-level tests cover stalled reader, draining reader, and reader.cancel() fallback.

Security risks

No new attack surface for untrusted input — the change governs outbound WINDOW_UPDATE based on local reader behaviour. The risk profile is the inverse: getting it wrong stalls or leaks streams. My earlier reviews found three such cases (S3/abandoned-body deadlock, res.clone() deadlock, pre-buffered drain() floor) and all three are now fixed; the body_consumption_tracked signal was introduced specifically so paths that don't report consumption (S3, ignored bodies) degrade to receipt-based instead of deadlocking.

Level of scrutiny

High. This is production-critical networking with cross-thread atomics, and the correctness depends on every path that flips body_consumption_tracked also keeping consumed_bytes fed (or disarming the signal). The fact that three real bugs surfaced across two review rounds before reaching the current state confirms it's subtle enough to warrant a maintainer's eyes on the final design — particularly the ignoreRemainingResponseBody saturate-then-disarm sequence and whether any other ByteStream delivery path was missed.

Other factors

CI on the latest commit shows a timeout in fetch-http2-client.test.ts on x64-asan, which the author has documented as a pre-existing shard-7 flake also seen on unrelated PRs; the new fetch-http2-backpressure.test.ts is not in that shard. Jarred is already engaged on the thread. All CodeRabbit and claude inline threads are resolved.

[Jarred-Sumner]

@robobun make this PR work for http/1 and http/3. Write extensive tests. Merge main. Make this good.

[robobun]

This also fixes #22514 ("Out of memory while copying request body" panic in ByteStream.onData) — same root cause, a stalled res.body.getReader() lets the HTTP client buffer the full response in ByteStream.buffer until allocation fails.

Verified locally on the HTTP/1.1 path with a firehose server + stalled reader: without this change RSS climbs ~1.3 GB/s and panics; with it the socket pauses at the high-water mark and RSS stays flat, then resumes and delivers intact data once the reader drains.

[claude]

Automated review is now clean — all 23 prior inline findings resolved and nothing new on this pass. Given the scope (cross-thread flow-control wiring across h1/h2/h3, socket pause/resume around the keep-alive pool, plus the acknowledged h3 decompression-currency follow-up), this one's worth a human look before merge.

Extended reasoning...

Overview

This PR couples fetch() receive-side flow control to JS body consumption across HTTP/1.1, HTTP/2, and HTTP/3. It adds a did_drain hook to ByteStream, a new body_consumption_tracked signal, a coalescing JS→HTTP-thread consume queue in HTTPThread, and per-transport gating: h2 per-stream WINDOW_UPDATE clamped to min(consumed, unacked), h1 us_socket_pause/resume around 4 MiB / 1 MiB watermarks with idle-timer suspension and a defensive resume before keep-alive pool release, and h3 lsquic_stream_wantread toggling. ~715 lines across 19 .rs files plus a 808-line test file and two timeout bumps. The feature was originally written in Zig and re-implemented in Rust after main switched runtimes.

Security risks

None identified. No auth/crypto/permissions surface; the change is internal flow-control accounting. The new fetchInternals.h1BackpressureCounts() / fetchH3Internals.liveCounts().bodyBytesReceived are read-only process-wide counters exposed via bun:internal-for-testing.

Level of scrutiny

High. This is production-critical HTTP client code with several subtle invariants: cross-thread atomic signal ordering (arm/disarm + sentinel), uSockets repeat-recv interaction with pause_stream(), keep-alive pool hand-off of a possibly-paused socket, and byte-counting currency (post-dechunk/post-decompress vs. wire). The review history bears this out — eight distinct correctness issues were found and fixed across multiple rounds (S3/abandoned-body deadlock, tee() wiring, drain()/toBufferedValue floors, chunked-framing and Content-Encoding currency mismatches, idle-timer re-arm during repeat-recv, resume-counter symmetry on the close branch). All are resolved, but the density of edge cases argues for a maintainer pass on the final shape.

Other factors

• Jarred is already engaged (requested the h1/h3 extension and asked robobun to address comments) but hasn't signed off on the post-Rust-port revision.
• The author explicitly deferred one known issue to a follow-up (h3 outstanding_body_bytes is pre-decompression; the gzip-on-incompressible floor is theoretically reachable at multi-GiB over h3).
• CI is currently blocked by darwin-x64 agent infra (build-cpp succeeded then buildkite-agent ENOENT on artifact upload), not by this diff; a maintainer retrigger is needed regardless.
• Test coverage is thorough (12 tests across protocols + keep-alive regression + two pipeThrough tests for #28035), and adjacent suites are reported green.