rsurl 0.0.2

use std::io::{self, BufRead, BufReader, Read, Write};
use std::net::TcpStream;
use std::time::Duration;

use crate::error::{Error, Result};
use crate::url::Url;

const DEFAULT_USER_AGENT: &str = concat!("rsurl/", env!("CARGO_PKG_VERSION"));
const MAX_HEADER_BYTES: usize = 64 * 1024;
pub(crate) const MAX_BODY_BYTES: usize = 256 * 1024 * 1024;

/// Preference for which HTTP version to use over HTTPS. The HTTPS dispatcher
/// picks this up. HTTP/2 is selected via ALPN at TLS-handshake time; if the
/// server doesn't agree (Auto) we transparently fall back to HTTP/1.1.
#[derive(Debug, Clone, Copy, Default, PartialEq, Eq)]
pub enum HttpVersionPref {
    /// Offer ALPN `["h2", "http/1.1"]` and let the server pick. If h2 is
    /// negotiated, dispatch to the HTTP/2 backend; otherwise speak HTTP/1.1.
    #[default]
    Auto,
    /// Speak HTTP/1.1 only; don't offer ALPN. Matches `curl --http1.1`.
    Http11Only,
    /// Require HTTP/2; abort the request if the server doesn't select it.
    /// Matches `curl --http2-prior-knowledge` semantics.
    Http2Only,
}

/// An HTTP request being constructed.
///
/// Fields are `pub(crate)` so that protocol-variant modules (`http2`, `http3`)
/// can read them without going through `&self` accessors.
#[derive(Debug, Clone)]
pub struct Request {
    pub(crate) method: String,
    pub(crate) url: Url,
    pub(crate) headers: Vec<(String, String)>,
    pub(crate) body: Vec<u8>,
    pub(crate) connect_timeout: Option<Duration>,
    pub(crate) read_timeout: Option<Duration>,
    pub(crate) http_version_pref: HttpVersionPref,
    /// Whether to follow `3xx` redirect responses. `false` by default —
    /// matches curl's behaviour without `-L`.
    pub(crate) follow_redirects: bool,
    /// Maximum number of redirects to follow when `follow_redirects` is on.
    /// 50 is curl's default.
    pub(crate) max_redirs: u32,
    /// Optional HTTP Basic auth credentials. Only sent if the caller has
    /// not already set an `Authorization:` header explicitly. Dropped when
    /// a redirect changes host.
    pub(crate) basic_auth: Option<(String, String)>,
    /// Verify the TLS chain. `false` is curl's `-k` / `--insecure`.
    pub(crate) verify_tls: bool,
    /// Path to a PEM CA bundle that overrides the system trust store
    /// (curl `--cacert`).
    pub(crate) ca_bundle: Option<String>,
    /// Wall-clock cap for the whole operation (across redirects), curl
    /// `--max-time`. `None` means no cap beyond `connect_timeout` /
    /// `read_timeout`.
    pub(crate) max_time: Option<Duration>,
    /// Optional outbound HTTP proxy. When set, plain `http://` traffic
    /// uses absolute-form request lines and `Proxy-Authorization:`; HTTPS
    /// traffic is tunnelled via `CONNECT` before the TLS handshake.
    /// `socks5://`, `https://` (TLS-to-proxy), and PAC are out of scope.
    pub(crate) proxy: Option<ProxyConfig>,
    /// List of host suffixes that bypass the proxy. Matches curl's
    /// `NO_PROXY` / `--noproxy`: case-insensitive suffix match against
    /// the request URL host. `*` means "everything bypasses".
    pub(crate) no_proxy: Vec<String>,
}

/// Where to route HTTP(S) traffic through. Parsed from a curl-style proxy
/// URL — typically `http://user:pass@host:port`. Only `http://` proxies are
/// supported in this milestone; TLS-to-proxy (`https://`) and SOCKS are
/// rejected with [`Error::UnsupportedScheme`].
#[derive(Debug, Clone)]
pub struct ProxyConfig {
    pub host: String,
    pub port: u16,
    /// Credentials to send in `Proxy-Authorization: Basic`. Either parsed
    /// from `user:pass@proxy` in the proxy URL or supplied separately via
    /// [`Request::proxy_user`].
    pub auth: Option<(String, String)>,
}

impl ProxyConfig {
    /// Parse a proxy URL such as `http://proxy:8080` or
    /// `http://user:pass@proxy:3128`. A bare `host:port` (no scheme) is
    /// also accepted and treated as `http://` — curl behaves the same way
    /// for the value of `-x`.
    pub fn parse(s: &str) -> Result<Self> {
        // Curl accepts `proxy:8080` (no scheme); add one so the URL parser
        // is happy and our scheme check below still rejects exotic schemes.
        let normalised: String = if s.contains("://") {
            s.to_string()
        } else {
            format!("http://{s}")
        };
        let u = Url::parse(&normalised)?;
        if u.scheme != "http" {
            return Err(Error::UnsupportedScheme(format!(
                "proxy scheme {:?} not supported (only http:// at this milestone)",
                u.scheme
            )));
        }
        let auth = u
            .userinfo
            .as_deref()
            .map(|info| match info.split_once(':') {
                Some((u, p)) => (u.to_string(), p.to_string()),
                None => (info.to_string(), String::new()),
            });
        Ok(ProxyConfig {
            host: u.host.clone(),
            port: u.port,
            auth,
        })
    }
}

impl Request {
    pub fn new(method: &str, url: &str) -> Result<Self> {
        Ok(Request {
            method: method.to_ascii_uppercase(),
            url: Url::parse(url)?,
            headers: Vec::new(),
            body: Vec::new(),
            connect_timeout: Some(Duration::from_secs(30)),
            read_timeout: Some(Duration::from_secs(60)),
            http_version_pref: HttpVersionPref::Auto,
            follow_redirects: false,
            max_redirs: 50,
            basic_auth: None,
            verify_tls: true,
            ca_bundle: None,
            max_time: None,
            proxy: None,
            no_proxy: Vec::new(),
        })
    }

    pub fn get(url: &str) -> Result<Self> {
        Self::new("GET", url)
    }

    pub fn header(mut self, name: &str, value: &str) -> Self {
        self.headers.push((name.to_string(), value.to_string()));
        self
    }

    pub fn body<B: Into<Vec<u8>>>(mut self, body: B) -> Self {
        self.body = body.into();
        self
    }

    pub fn url(&self) -> &Url {
        &self.url
    }

    /// Set the HTTP version preference for HTTPS requests. See
    /// [`HttpVersionPref`].
    pub fn http_version(mut self, pref: HttpVersionPref) -> Self {
        self.http_version_pref = pref;
        self
    }

    /// Force HTTP/2; the request fails if the server does not select ALPN
    /// "h2". Equivalent to `curl --http2` for an `https://` URL.
    pub fn http2_only(mut self) -> Self {
        self.http_version_pref = HttpVersionPref::Http2Only;
        self
    }

    /// Force HTTP/1.1; ALPN is not offered. Equivalent to `curl --http1.1`.
    pub fn http11_only(mut self) -> Self {
        self.http_version_pref = HttpVersionPref::Http11Only;
        self
    }

    /// Toggle redirect following. When on, 301/302/303/307/308 responses
    /// are transparently chased up to [`Self::max_redirs`] hops.
    pub fn follow_redirects(mut self, on: bool) -> Self {
        self.follow_redirects = on;
        self
    }

    /// Cap on redirect hops; only meaningful when
    /// [`Self::follow_redirects`] is on. Default 50.
    pub fn max_redirs(mut self, n: u32) -> Self {
        self.max_redirs = n;
        self
    }

    /// Attach HTTP Basic auth credentials. They become
    /// `Authorization: Basic <base64(user:pass)>` unless the caller already
    /// supplied an `Authorization` header. Credentials are dropped on a
    /// cross-host redirect.
    pub fn basic_auth(mut self, user: &str, pass: &str) -> Self {
        self.basic_auth = Some((user.to_string(), pass.to_string()));
        self
    }

    /// Toggle TLS chain verification. `false` matches curl `-k`.
    pub fn verify_tls(mut self, on: bool) -> Self {
        self.verify_tls = on;
        self
    }

    /// Use a custom CA bundle (PEM) instead of the system trust store.
    pub fn ca_bundle(mut self, path: &str) -> Self {
        self.ca_bundle = Some(path.to_string());
        self
    }

    /// Cap on the whole operation's wall-clock time (curl `--max-time`).
    pub fn max_time(mut self, d: Duration) -> Self {
        self.max_time = Some(d);
        self
    }

    /// Cap on TCP connect time (curl `--connect-timeout`).
    pub fn connect_timeout(mut self, d: Duration) -> Self {
        self.connect_timeout = Some(d);
        self
    }

    /// Route through an outbound HTTP proxy. `spec` is curl-style:
    /// `http://[user:pass@]host:port`, or bare `host:port` which is
    /// treated as `http://`. For HTTPS targets the proxy tunnel is
    /// established via `CONNECT host:port` before the TLS handshake;
    /// for plain HTTP the proxy receives an absolute-form request line.
    pub fn proxy(mut self, spec: &str) -> Result<Self> {
        self.proxy = Some(ProxyConfig::parse(spec)?);
        Ok(self)
    }

    /// Override (or add) proxy `user:pass` credentials independently of
    /// the proxy URL. Mirrors curl `--proxy-user`.
    pub fn proxy_user(mut self, user: &str, pass: &str) -> Result<Self> {
        match self.proxy.as_mut() {
            Some(p) => {
                p.auth = Some((user.to_string(), pass.to_string()));
                Ok(self)
            }
            None => Err(Error::BadResponse(
                "proxy_user called without a proxy set".into(),
            )),
        }
    }

    /// Replace the no-proxy list (curl `NO_PROXY` / `--noproxy`). Each
    /// entry is a host suffix matched case-insensitively against the
    /// target URL's host; a single `*` means "bypass for every host".
    pub fn no_proxy<I, S>(mut self, entries: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        self.no_proxy = entries.into_iter().map(Into::into).collect();
        self
    }

    pub fn send(self) -> Result<Response> {
        self.send_to(&mut io::sink(), None)
    }

    /// Like [`send`](Self::send), but writes a curl-style `-v` trace to
    /// `trace` as the request progresses: `*` lines for connection / TLS
    /// events, `>` lines for every byte of the request actually placed on
    /// the wire, `<` lines for every status / header byte received. The
    /// trace is built from the same buffers used for I/O, so it cannot
    /// drift from what was sent.
    pub fn send_traced(self, trace: &mut dyn Write) -> Result<Response> {
        self.send_to(trace, None)
    }

    /// Send with cookie support. The jar is consulted before each hop to
    /// inject a `Cookie:` header matching the destination URL, and is
    /// updated with every `Set-Cookie:` line in each response — including
    /// cookies set on intermediate redirect responses. Equivalent to curl's
    /// `-b`/`-c` machinery.
    pub fn send_with_jar(self, jar: &mut crate::cookie::CookieJar) -> Result<Response> {
        self.send_to(&mut io::sink(), Some(jar))
    }

    /// Combination of [`Self::send_traced`] and [`Self::send_with_jar`].
    pub fn send_traced_with_jar(
        self,
        jar: &mut crate::cookie::CookieJar,
        trace: &mut dyn Write,
    ) -> Result<Response> {
        self.send_to(trace, Some(jar))
    }

    /// Single-shot send with no redirect handling. Pure protocol dispatch.
    fn send_once(self, trace: &mut dyn Write) -> Result<Response> {
        if !self.verify_tls && self.url.scheme == "https" {
            let _ = writeln!(trace, "* WARNING: certificate verification disabled (-k)");
        }
        match self.url.scheme.as_str() {
            "http" => send_plain(self, trace),
            "https" => send_https(self, trace),
            other => Err(Error::UnsupportedScheme(other.to_string())),
        }
    }

    /// Send the request, then walk through `3xx Location` chains if
    /// [`Self::follow_redirects`] is on. Public users go through
    /// [`Self::send`] / [`Self::send_traced`], which call this.
    ///
    /// `jar`, when present, is consulted before each hop to attach a
    /// matching `Cookie:` header and is updated from each response's
    /// `Set-Cookie:` lines — including those on the intermediate 3xx hops
    /// the redirect chain walks through.
    fn send_to(
        self,
        trace: &mut dyn Write,
        mut jar: Option<&mut crate::cookie::CookieJar>,
    ) -> Result<Response> {
        let mut req = self;
        let deadline = req.max_time.map(|d| std::time::Instant::now() + d);
        let mut hops_left = req.max_redirs;
        loop {
            // Honour --max-time before each hop (the per-socket timeout
            // already handles the in-flight case).
            if let Some(end) = deadline {
                if std::time::Instant::now() >= end {
                    return Err(Error::BadResponse("operation timed out".into()));
                }
            }
            let mut snapshot = req.clone();
            // Jar-managed Cookie: header. We always strip prior Cookie:
            // entries from the snapshot before re-injecting from the jar,
            // because the previous hop's cookie line is stale once the URL
            // (and thus the matching set) has changed.
            if let Some(j) = jar.as_deref_mut() {
                j.purge_expired();
                snapshot
                    .headers
                    .retain(|(k, _)| !k.eq_ignore_ascii_case("cookie"));
                if let Some(val) = j.cookie_header(&snapshot.url) {
                    snapshot.headers.push(("Cookie".to_string(), val));
                }
            }
            let resp = snapshot.send_once(trace)?;
            if let Some(j) = jar.as_deref_mut() {
                j.ingest_response(&req.url, &resp.headers);
            }
            if !req.follow_redirects || !is_redirect_status(resp.status) {
                return Ok(resp);
            }
            if hops_left == 0 {
                return Err(Error::BadResponse(format!(
                    "maximum ({}) redirects followed",
                    req.max_redirs
                )));
            }
            let location = match resp.header("location") {
                Some(l) => l.to_string(),
                None => return Ok(resp), // 3xx without Location — give it back.
            };
            let next_url = crate::url::resolve(&req.url, &location)?;
            let _ = writeln!(
                trace,
                "* Following redirect to {}",
                url_to_string(&next_url)
            );

            // RFC 9110: drop sensitive headers on cross-host redirects.
            let host_changed = next_url.host != req.url.host
                || next_url.port != req.url.port
                || next_url.scheme != req.url.scheme;

            let prev_method = req.method.clone();
            let prev_body = std::mem::take(&mut req.body);
            let mut next = req;
            next.url = next_url;
            if host_changed {
                next.headers.retain(|(k, _)| {
                    !k.eq_ignore_ascii_case("authorization") && !k.eq_ignore_ascii_case("cookie")
                });
                next.basic_auth = None;
            }

            // Method/body rewriting per RFC 9110 §15.4 plus curl's default
            // backward-compat behaviour: 301/302/303 rewrite POST/PUT/etc
            // to GET and drop the body; 307/308 preserve method + body.
            if (301..=303).contains(&resp.status)
                && !prev_method.eq_ignore_ascii_case("GET")
                && !prev_method.eq_ignore_ascii_case("HEAD")
            {
                next.method = "GET".to_string();
                // body left empty; drop request-body framing headers since
                // we no longer have a body to describe.
                next.headers.retain(|(k, _)| {
                    !k.eq_ignore_ascii_case("content-type")
                        && !k.eq_ignore_ascii_case("content-length")
                        && !k.eq_ignore_ascii_case("transfer-encoding")
                });
            } else {
                // 307/308, or 301/302/303 on a GET/HEAD: preserve method
                // and restore the body verbatim.
                next.body = prev_body;
            }
            hops_left -= 1;
            req = next;
        }
    }
}

fn is_redirect_status(status: u16) -> bool {
    matches!(status, 301 | 302 | 303 | 307 | 308)
}

fn url_to_string(u: &Url) -> String {
    let default = matches!((u.scheme.as_str(), u.port), ("http", 80) | ("https", 443));
    if default {
        format!("{}://{}{}", u.scheme, u.host, u.path)
    } else {
        format!("{}://{}:{}{}", u.scheme, u.host, u.port, u.path)
    }
}

/// A complete HTTP response.
#[derive(Debug, Clone)]
pub struct Response {
    pub status: u16,
    pub reason: String,
    pub version: String,
    pub headers: Vec<(String, String)>,
    pub body: Vec<u8>,
}

impl Response {
    /// Returns the first value of a header, case-insensitive.
    pub fn header(&self, name: &str) -> Option<&str> {
        self.headers
            .iter()
            .find(|(k, _)| k.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.as_str())
    }
}

fn send_plain(req: Request, trace: &mut dyn Write) -> Result<Response> {
    // Pool reuse is only safe for direct connections. Via-proxy we'd be
    // sharing one socket across many origins via absolute-form lines, which
    // works on paper but mixes badly with `Proxy-Authorization:` per-origin
    // semantics — out of scope for this milestone.
    let direct = req.proxy.is_none() || proxy_bypassed(&req);
    if direct {
        if let Some(bufrd) = pool_checkout_plain(&req.url) {
            let _ = writeln!(trace, "* Reusing existing connection from pool");
            match perform_on_pooled_plain(bufrd, &req, trace) {
                Ok(resp) => return Ok(resp),
                Err(PooledError::Stale(why)) => {
                    let _ = writeln!(trace, "* Pooled connection unusable ({why}); reconnecting");
                    // fall through to a fresh dial
                }
                Err(PooledError::Hard(e)) => return Err(e),
            }
        }
    }
    send_plain_fresh(req, direct, trace)
}

fn send_plain_fresh(req: Request, may_pool: bool, trace: &mut dyn Write) -> Result<Response> {
    let stream = tcp_connect(&req, trace)?;
    let mut bufrd = BufReader::new(stream);
    write_request(bufrd.get_mut(), &req, via_plain_http_proxy(&req), trace)?;
    let resp = read_response(&mut bufrd, &req.method, trace)?;
    finalize_plain(bufrd, &req, &resp, may_pool, trace);
    Ok(resp)
}

fn perform_on_pooled_plain(
    mut bufrd: BufReader<TcpStream>,
    req: &Request,
    trace: &mut dyn Write,
) -> std::result::Result<Response, PooledError> {
    if let Err(e) = write_request(bufrd.get_mut(), req, via_plain_http_proxy(req), trace) {
        return Err(stale_or_hard(e));
    }
    let resp = match read_response(&mut bufrd, &req.method, trace) {
        Ok(r) => r,
        Err(e) => return Err(stale_or_hard(e)),
    };
    finalize_plain(bufrd, req, &resp, true, trace);
    Ok(resp)
}

fn finalize_plain(
    bufrd: BufReader<TcpStream>,
    req: &Request,
    resp: &Response,
    may_pool: bool,
    trace: &mut dyn Write,
) {
    if may_pool && response_is_reusable(&req.method, resp) {
        crate::pool::plain()
            .lock()
            .unwrap_or_else(|e| e.into_inner())
            .release(pool_key_for(&req.url), bufrd);
        let _ = writeln!(trace, "* Connection kept alive (pooled)");
    } else {
        let _ = writeln!(trace, "* Connection closed");
    }
}

/// Why a request attempt over a pooled connection failed. `Stale` means the
/// peer probably killed it under us, and the caller should silently retry on
/// a fresh socket. `Hard` is anything else (TLS verification failure, body
/// too large, malformed response, …) and propagates as-is.
enum PooledError {
    Stale(String),
    Hard(Error),
}

fn stale_or_hard(e: Error) -> PooledError {
    // The kinds of failure that mean "the server hung up on the parked
    // socket": EOF on the first read, a connection-reset, a broken pipe on
    // write. Everything else (TLS state errors, bad responses, …) is a real
    // error and the caller must not retry.
    match &e {
        Error::UnexpectedEof => PooledError::Stale("connection closed by peer".into()),
        Error::Io(io_err) => match io_err.kind() {
            io::ErrorKind::UnexpectedEof
            | io::ErrorKind::ConnectionReset
            | io::ErrorKind::ConnectionAborted
            | io::ErrorKind::BrokenPipe
            | io::ErrorKind::NotConnected => PooledError::Stale(io_err.to_string()),
            _ => PooledError::Hard(e),
        },
        _ => PooledError::Hard(e),
    }
}

pub(crate) fn pool_key_for(u: &Url) -> crate::pool::Key {
    crate::pool::Key {
        scheme: u.scheme.clone(),
        host: u.host.clone(),
        port: u.port,
    }
}

fn pool_checkout_plain(u: &Url) -> Option<BufReader<TcpStream>> {
    crate::pool::plain()
        .lock()
        .unwrap_or_else(|e| e.into_inner())
        .checkout(&pool_key_for(u))
}

/// True iff this request's TLS posture matches what a pooled socket can be
/// safely shared with. A connection made with verification off (`-k`) or
/// against a custom CA bundle (`--cacert`) must NEVER be handed to a later
/// verifying request to the same host:port — that would silently downgrade
/// the second request's trust decision (MITM). Mirrors `http2::pool_eligible`.
pub(crate) fn tls_pool_eligible(req: &Request) -> bool {
    req.verify_tls && req.ca_bundle.is_none()
}

fn pool_checkout_tls(req: &Request) -> Option<BufReader<crate::tls::TlsStream<TcpStream>>> {
    if !tls_pool_eligible(req) {
        return None;
    }
    crate::pool::tls()
        .lock()
        .unwrap_or_else(|e| e.into_inner())
        .checkout(&pool_key_for(&req.url))
}

/// Server-side keep-alive eligibility. Caller must also have read the body
/// to completion (true here by construction — `read_response` either returns
/// the whole body or returns `Err`). HTTP/1.0 servers need an explicit
/// `Connection: keep-alive`; HTTP/1.1 servers default to keep-alive and need
/// `Connection: close` to opt out. Close-delimited bodies are never reusable
/// because by definition the server has already closed the connection. The
/// request method is needed to disambiguate "no body framing because HEAD"
/// (reusable) from "no body framing because the server intends to close"
/// (not reusable).
fn response_is_reusable(method: &str, resp: &Response) -> bool {
    let conn_close = resp.headers.iter().any(|(k, v)| {
        k.eq_ignore_ascii_case("connection")
            && v.split(',')
                .any(|tok| tok.trim().eq_ignore_ascii_case("close"))
    });
    if conn_close {
        return false;
    }
    let has_framing = resp.headers.iter().any(|(k, v)| {
        k.eq_ignore_ascii_case("content-length")
            || (k.eq_ignore_ascii_case("transfer-encoding") && v.eq_ignore_ascii_case("chunked"))
    });
    let no_body_allowed = method.eq_ignore_ascii_case("HEAD")
        || (100..200).contains(&resp.status)
        || resp.status == 204
        || resp.status == 304;
    if !has_framing && !no_body_allowed {
        // Close-delimited body: server signalled end-of-message by closing.
        return false;
    }
    if resp.version == "HTTP/1.1" {
        true
    } else {
        // HTTP/1.0 — must see explicit keep-alive.
        resp.headers.iter().any(|(k, v)| {
            k.eq_ignore_ascii_case("connection")
                && v.split(',')
                    .any(|tok| tok.trim().eq_ignore_ascii_case("keep-alive"))
        })
    }
}

/// True iff this request is going to a plain-`http://` target via a proxy
/// and is NOT in the no-proxy bypass set. Such requests must use the
/// absolute-form request line per RFC 9112 §3.2.2 and carry an optional
/// `Proxy-Authorization:` header. HTTPS-via-proxy doesn't qualify because
/// the proxy only sees a `CONNECT` tunnel; the request inside is normal.
pub(crate) fn via_plain_http_proxy(req: &Request) -> bool {
    if req.url.scheme != "http" {
        return false;
    }
    match &req.proxy {
        Some(_) => !proxy_bypassed(req),
        None => false,
    }
}

/// True iff `req.url.host` matches any entry of `req.no_proxy`. A single
/// `*` matches everything; otherwise each entry is a case-insensitive host
/// suffix (matching either the whole host or the part after a `.`).
pub(crate) fn proxy_bypassed(req: &Request) -> bool {
    if req.no_proxy.iter().any(|e| e.trim() == "*") {
        return true;
    }
    let h = req.url.host.to_ascii_lowercase();
    req.no_proxy.iter().any(|e| {
        let e = e.trim().trim_start_matches('.').to_ascii_lowercase();
        if e.is_empty() {
            return false;
        }
        h == e || h.ends_with(&format!(".{e}"))
    })
}

/// Compute the base64 token to send in `Authorization: Basic <token>`,
/// preferring the explicit credentials set via [`Request::basic_auth`] over
/// any `user:pass@` userinfo in the URL (RFC 7617). Returns `None` if
/// neither source is set or if the explicit pair is empty.
pub(crate) fn effective_basic_auth(req: &Request) -> Option<String> {
    let (user, pass) = match &req.basic_auth {
        Some((u, p)) => (u.clone(), p.clone()),
        None => {
            let info = req.url.userinfo.as_deref()?;
            match info.split_once(':') {
                Some((u, p)) => (u.to_string(), p.to_string()),
                None => (info.to_string(), String::new()),
            }
        }
    };
    if user.is_empty() && pass.is_empty() {
        return None;
    }
    let combined = format!("{user}:{pass}");
    Some(crate::websocket::base64_encode(combined.as_bytes()))
}

/// Build a [`crate::tls::TlsOpts`] from a [`Request`]'s flags, loading the
/// CA bundle from disk if `--cacert` was set.
pub(crate) fn tls_opts_from(req: &Request, alpn: &[&[u8]]) -> Result<crate::tls::TlsOpts> {
    let mut opts = crate::tls::TlsOpts::verifying();
    opts.alpn = alpn.iter().map(|p| p.to_vec()).collect();
    opts.verify = req.verify_tls;
    if let Some(path) = &req.ca_bundle {
        opts.roots = Some(crate::tls::load_roots_from_file(path)?);
    }
    Ok(opts)
}

fn send_https(req: Request, trace: &mut dyn Write) -> Result<Response> {
    // HTTP version routing:
    //
    // * `Http2Only`: dispatch to the HTTP/2 backend; its `Error::H2NotNegotiated`
    //   bubbles up unchanged so the caller sees the hard failure.
    // * `Auto`: try HTTP/2 first (it offers ALPN "h2"); if the server didn't
    //   select h2, [`crate::http2::send`] returns `Error::H2NotNegotiated`,
    //   which we intercept and retry over HTTP/1.1 on a fresh connection.
    //   This is the same behaviour curl gives you by default — h2 if both
    //   ends support it, http/1.1 otherwise.
    // * `Http11Only`: skip h2 entirely and do not offer ALPN.
    match req.http_version_pref {
        HttpVersionPref::Http2Only => {
            let _ = writeln!(trace, "* HTTP/2 required (--http2)");
            return crate::http2::send(req);
        }
        HttpVersionPref::Auto => {
            let _ = writeln!(trace, "* Trying HTTP/2 via ALPN (h2)");
            match crate::http2::send(req.clone()) {
                Ok(resp) => return Ok(resp),
                Err(Error::H2NotNegotiated) => {
                    let _ = writeln!(
                        trace,
                        "* ALPN: server did not select h2, falling back to HTTP/1.1"
                    );
                }
                Err(e) => return Err(e),
            }
        }
        HttpVersionPref::Http11Only => {
            let _ = writeln!(trace, "* HTTP/1.1 forced (--http1.1)");
        }
    }

    // HTTP/1.1 path (Auto fallback or Http11Only). ALPN is not offered so
    // the cert-only handshake doesn't change behaviour for h2-only servers
    // (those would have been satisfied by the h2 attempt above).
    let direct = req.proxy.is_none() || proxy_bypassed(&req);
    if direct {
        if let Some(bufrd) = pool_checkout_tls(&req) {
            let _ = writeln!(trace, "* Reusing existing connection from pool");
            match perform_on_pooled_tls(bufrd, &req, trace) {
                Ok(resp) => return Ok(resp),
                Err(PooledError::Stale(why)) => {
                    let _ = writeln!(trace, "* Pooled connection unusable ({why}); reconnecting");
                    // fall through
                }
                Err(PooledError::Hard(e)) => return Err(e),
            }
        }
    }
    send_https_fresh(req, direct, trace)
}

fn send_https_fresh(req: Request, may_pool: bool, trace: &mut dyn Write) -> Result<Response> {
    let tcp = tcp_connect(&req, trace)?;
    // HTTPS via proxy means we have to ask the proxy to splice us through
    // to the origin before the TLS handshake — the proxy can't see the
    // encrypted bytes, so a CONNECT tunnel is the only way.
    if let Some(p) = req
        .proxy
        .as_ref()
        .filter(|_| !proxy_bypassed(&req) && req.url.scheme == "https")
    {
        connect_tunnel(&tcp, &req.url, p, trace)?;
    }
    let opts = tls_opts_from(&req, &[])?;
    let tls = crate::tls::connect_over_tls(tcp, &req.url.host, opts)?;
    write_tls_info(&tls, trace);
    let mut bufrd = BufReader::new(tls);
    // Always origin-form here: even with a proxy in play we've already
    // tunnelled past it via CONNECT, so the request the origin sees is
    // the normal direct one.
    write_request(bufrd.get_mut(), &req, false, trace)?;
    let resp = read_response(&mut bufrd, &req.method, trace)?;
    finalize_tls(bufrd, &req, &resp, may_pool, trace);
    Ok(resp)
}

fn perform_on_pooled_tls(
    mut bufrd: BufReader<crate::tls::TlsStream<TcpStream>>,
    req: &Request,
    trace: &mut dyn Write,
) -> std::result::Result<Response, PooledError> {
    if let Err(e) = write_request(bufrd.get_mut(), req, false, trace) {
        return Err(stale_or_hard(e));
    }
    let resp = match read_response(&mut bufrd, &req.method, trace) {
        Ok(r) => r,
        Err(e) => return Err(stale_or_hard(e)),
    };
    finalize_tls(bufrd, req, &resp, true, trace);
    Ok(resp)
}

fn finalize_tls(
    bufrd: BufReader<crate::tls::TlsStream<TcpStream>>,
    req: &Request,
    resp: &Response,
    may_pool: bool,
    trace: &mut dyn Write,
) {
    // Only park sockets whose verification posture matches a default
    // verifying request — never an `-k`/`--cacert` socket — so a later
    // verifying request can't silently inherit a weaker trust decision.
    if may_pool && tls_pool_eligible(req) && response_is_reusable(&req.method, resp) {
        crate::pool::tls()
            .lock()
            .unwrap_or_else(|e| e.into_inner())
            .release(pool_key_for(&req.url), bufrd);
        let _ = writeln!(trace, "* Connection kept alive (pooled)");
    } else {
        let _ = writeln!(trace, "* Connection closed");
    }
}

/// Open a TCP socket pointed at whatever the next-hop endpoint actually
/// is — either the request URL's authority or, when [`Request::proxy`] is
/// in play and the host isn't in the no-proxy list, the proxy itself.
///
/// For HTTPS-via-proxy requests, the caller is expected to invoke
/// [`connect_tunnel`] on the returned socket before any TLS handshake.
/// This function intentionally stops at "TCP connected" so that the
/// HTTP/1.1 and HTTP/2 paths can share the same tunnel logic.
fn tcp_connect(req: &Request, trace: &mut dyn Write) -> Result<TcpStream> {
    let proxy = req.proxy.as_ref().filter(|_| !proxy_bypassed(req));
    let (target_host, target_port, via_proxy_label) = match proxy {
        Some(p) => (p.host.as_str(), p.port, true),
        None => (req.url.host.as_str(), req.url.port, false),
    };
    let addr = format!("{target_host}:{target_port}");
    let first = std::net::ToSocketAddrs::to_socket_addrs(&addr)?
        .next()
        .ok_or_else(|| Error::InvalidUrl(target_host.to_string()))?;
    let _ = writeln!(trace, "*   Trying {first}...");
    let stream = match req.connect_timeout {
        Some(t) => TcpStream::connect_timeout(&first, t)?,
        None => TcpStream::connect(first)?,
    };
    let peer = stream.peer_addr().unwrap_or(first);
    if via_proxy_label {
        let _ = writeln!(
            trace,
            "* Connected to proxy {} ({}) port {}",
            target_host,
            peer.ip(),
            peer.port()
        );
    } else {
        let _ = writeln!(
            trace,
            "* Connected to {} ({}) port {}",
            req.url.host,
            peer.ip(),
            peer.port()
        );
    }
    stream.set_read_timeout(req.read_timeout)?;
    stream.set_write_timeout(req.read_timeout)?;
    Ok(stream)
}

/// Issue an HTTP/1.1 `CONNECT <host>:<port>` over an already-open TCP
/// socket, parse the response line and headers, and return cleanly if the
/// proxy returned `2xx` — the socket is then a transparent byte pipe to
/// `target`, ready to be wrapped in TLS. A non-2xx response (407 Proxy
/// Authentication Required is the common one) surfaces as
/// [`Error::BadResponse`] so the caller can report it.
///
/// CONNECT responses are headers-only; there's no body. We read the wire
/// byte-by-byte rather than through a [`BufReader`] because any data the
/// server sends after the CRLF/CRLF terminator (typically the first
/// `ClientHello` byte) belongs to the *next* layer, not us — losing it
/// to a BufReader's prefetch would corrupt the TLS handshake.
pub(crate) fn connect_tunnel<S: Read + Write>(
    mut stream: S,
    target: &Url,
    proxy: &ProxyConfig,
    trace: &mut dyn Write,
) -> Result<()> {
    let host_port = format!("{}:{}", target.host, target.port);
    let mut buf = Vec::with_capacity(256);
    write!(&mut buf, "CONNECT {host_port} HTTP/1.1\r\n")?;
    write!(&mut buf, "Host: {host_port}\r\n")?;
    write!(&mut buf, "User-Agent: {DEFAULT_USER_AGENT}\r\n")?;
    write!(&mut buf, "Proxy-Connection: Keep-Alive\r\n")?;
    if let Some((user, pass)) = &proxy.auth {
        let combined = format!("{user}:{pass}");
        let creds = crate::websocket::base64_encode(combined.as_bytes());
        write!(&mut buf, "Proxy-Authorization: Basic {creds}\r\n")?;
    }
    write!(&mut buf, "\r\n")?;

    // Mirror the CONNECT we put on the wire into the trace so `-v` shows
    // it before the TLS handshake noise.
    let head = String::from_utf8_lossy(&buf);
    let head_no_final_crlf = head.strip_suffix("\r\n").unwrap_or(&head);
    for line in head_no_final_crlf.split("\r\n") {
        let _ = writeln!(trace, "> {line}");
    }
    stream.write_all(&buf)?;
    stream.flush()?;

    // Read the response one byte at a time until we see the terminator.
    // Bounded by MAX_HEADER_BYTES so a misbehaving proxy can't blow memory.
    let mut line_buf: Vec<u8> = Vec::with_capacity(128);
    let mut byte = [0u8; 1];
    let mut status_line: Option<String> = None;
    let mut total = 0usize;
    loop {
        if total > MAX_HEADER_BYTES {
            return Err(Error::BadResponse(
                "CONNECT response headers exceed 64 KiB".into(),
            ));
        }
        let n = stream.read(&mut byte)?;
        if n == 0 {
            return Err(Error::UnexpectedEof);
        }
        total += 1;
        line_buf.push(byte[0]);
        if byte[0] == b'\n' {
            let trimmed_owned = String::from_utf8_lossy(
                line_buf
                    .strip_suffix(b"\n")
                    .unwrap_or(&line_buf)
                    .strip_suffix(b"\r")
                    .unwrap_or(line_buf.strip_suffix(b"\n").unwrap_or(&line_buf)),
            )
            .into_owned();
            let _ = writeln!(trace, "< {trimmed_owned}");
            if status_line.is_none() {
                status_line = Some(trimmed_owned.clone());
            }
            if trimmed_owned.is_empty() {
                break;
            }
            line_buf.clear();
        }
    }

    let status = status_line.ok_or_else(|| Error::BadResponse("CONNECT: no status line".into()))?;
    let parts: Vec<&str> = status.splitn(3, ' ').collect();
    if parts.len() < 2 {
        return Err(Error::BadResponse(format!(
            "CONNECT: malformed status line {status:?}"
        )));
    }
    let code: u16 = parts[1]
        .parse()
        .map_err(|_| Error::BadResponse(format!("CONNECT: bad status {:?}", parts[1])))?;
    if !(200..300).contains(&code) {
        return Err(Error::BadResponse(format!(
            "CONNECT to {host_port} failed: {status}"
        )));
    }
    let _ = writeln!(trace, "* CONNECT tunnel established to {host_port}");
    Ok(())
}

fn write_tls_info<S: Read + Write>(tls: &crate::tls::TlsStream<S>, trace: &mut dyn Write) {
    if let Some(v) = tls.negotiated_version() {
        let _ = writeln!(trace, "* SSL connection using {v:?}");
    }
    match tls.alpn_selected() {
        Some(p) => {
            let _ = writeln!(
                trace,
                "* ALPN: server accepted {}",
                String::from_utf8_lossy(p)
            );
        }
        None => {
            let _ = writeln!(trace, "* ALPN: no protocol negotiated");
        }
    }
    let certs = tls.peer_certificates();
    let _ = writeln!(trace, "* Server certificate chain: {} cert(s)", certs.len());
    for (i, der) in certs.iter().enumerate() {
        match purecrypto::x509::Certificate::from_der(der.clone()) {
            Ok(cert) => {
                let subject = cert
                    .subject()
                    .ok()
                    .and_then(|d| d.common_name)
                    .unwrap_or_else(|| "?".into());
                let issuer = cert
                    .issuer()
                    .ok()
                    .and_then(|d| d.common_name)
                    .unwrap_or_else(|| "?".into());
                let _ = writeln!(trace, "*  [{i}] subject CN: {subject}");
                let _ = writeln!(trace, "*      issuer  CN: {issuer}");
                if let Ok(v) = cert.validity() {
                    let _ = writeln!(
                        trace,
                        "*      valid: {}  ->  {}",
                        v.not_before.as_str(),
                        v.not_after.as_str()
                    );
                }
            }
            Err(_) => {
                let _ = writeln!(trace, "*  [{i}] (DER unparseable, {} bytes)", der.len());
            }
        }
    }
}

/// True if `name` is a valid HTTP field-name per RFC 7230 `token`: one or more
/// of the `tchar` set (no separators, no controls, no whitespace).
fn is_valid_header_name(name: &str) -> bool {
    !name.is_empty()
        && name.bytes().all(|b| {
            b.is_ascii_alphanumeric()
                || matches!(
                    b,
                    b'!' | b'#'
                        | b'$'
                        | b'%'
                        | b'&'
                        | b'\''
                        | b'*'
                        | b'+'
                        | b'-'
                        | b'.'
                        | b'^'
                        | b'_'
                        | b'`'
                        | b'|'
                        | b'~'
                )
        })
}

/// True if `value` carries a byte that would forge a header boundary or NUL.
/// CR and LF anywhere in a value let an attacker splice extra header lines.
fn header_value_has_forbidden(value: &str) -> bool {
    value.bytes().any(|b| b == b'\r' || b == b'\n' || b == 0)
}

/// Reject a `(name, value)` pair that could not be safely serialised onto the
/// wire — a name outside the RFC 7230 token set, or a name/value carrying
/// CR, LF, or NUL.
fn validate_header(name: &str, value: &str) -> Result<()> {
    if !is_valid_header_name(name) {
        return Err(Error::BadResponse(format!("invalid header name: {name:?}")));
    }
    if header_value_has_forbidden(value) {
        return Err(Error::BadResponse(format!(
            "invalid header value for {name:?}"
        )));
    }
    Ok(())
}

/// Reject a request method that carries CR, LF, a space, or any control char —
/// any of which would corrupt the request line / forge an extra line.
fn validate_method(method: &str) -> Result<()> {
    if method.is_empty() || method.bytes().any(|b| b < 0x20 || b == 0x7f || b == b' ') {
        return Err(Error::BadResponse(format!("invalid method: {method:?}")));
    }
    Ok(())
}

fn write_request<W: Write>(
    mut w: W,
    req: &Request,
    absolute_form: bool,
    trace: &mut dyn Write,
) -> Result<()> {
    // Validate everything that lands on the request line / header block before
    // emitting a single byte, so nothing carrying CR/LF can reach the socket.
    validate_method(&req.method)?;
    for (k, v) in &req.headers {
        validate_header(k, v)?;
    }

    let host_header = if (req.url.scheme == "http" && req.url.port == 80)
        || (req.url.scheme == "https" && req.url.port == 443)
    {
        req.url.host.clone()
    } else {
        format!("{}:{}", req.url.host, req.url.port)
    };

    let mut buf = Vec::with_capacity(256);
    // Absolute-form per RFC 9112 §3.2.2: required when sending to a proxy
    // on a plain HTTP connection. Origin-form (`/path`) for everything
    // else (direct connections, and HTTPS-via-proxy because we tunnel).
    if absolute_form {
        // Re-serialise the target as `scheme://host[:port]<path>` so the
        // proxy can route it. Userinfo is omitted — we move it into
        // `Authorization:`/`Proxy-Authorization:` elsewhere.
        let target = if (req.url.scheme == "http" && req.url.port == 80)
            || (req.url.scheme == "https" && req.url.port == 443)
        {
            format!("{}://{}{}", req.url.scheme, req.url.host, req.url.path)
        } else {
            format!(
                "{}://{}:{}{}",
                req.url.scheme, req.url.host, req.url.port, req.url.path
            )
        };
        write!(&mut buf, "{} {target} HTTP/1.1\r\n", req.method)?;
    } else {
        write!(&mut buf, "{} {} HTTP/1.1\r\n", req.method, req.url.path)?;
    }
    write!(&mut buf, "Host: {host_header}\r\n")?;
    // Proxy-Authorization: Basic ... rides with every request to a plain
    // HTTP proxy. (For HTTPS the credentials went on the CONNECT, not
    // here — origin servers must not see them.)
    if absolute_form {
        if let Some(p) = &req.proxy {
            if let Some((user, pass)) = &p.auth {
                let combined = format!("{user}:{pass}");
                let creds = crate::websocket::base64_encode(combined.as_bytes());
                write!(&mut buf, "Proxy-Authorization: Basic {creds}\r\n")?;
            }
        }
    }

    let mut have_ua = false;
    let mut have_accept = false;
    let mut have_accept_enc = false;
    let mut have_clen = false;
    let mut have_auth = false;
    for (k, v) in &req.headers {
        if k.eq_ignore_ascii_case("user-agent") {
            have_ua = true;
        }
        if k.eq_ignore_ascii_case("accept") {
            have_accept = true;
        }
        if k.eq_ignore_ascii_case("accept-encoding") {
            have_accept_enc = true;
        }
        if k.eq_ignore_ascii_case("content-length") {
            have_clen = true;
        }
        if k.eq_ignore_ascii_case("authorization") {
            have_auth = true;
        }
        write!(&mut buf, "{k}: {v}\r\n")?;
    }
    if !have_auth {
        if let Some(creds) = effective_basic_auth(req) {
            write!(&mut buf, "Authorization: Basic {creds}\r\n")?;
        }
    }
    if !have_ua {
        write!(&mut buf, "User-Agent: {DEFAULT_USER_AGENT}\r\n")?;
    }
    if !have_accept {
        write!(&mut buf, "Accept: */*\r\n")?;
    }
    if !have_accept_enc {
        // Default-on equivalent of curl's `--compressed`: we always know
        // how to decode these on the way back (see `crate::compress`).
        write!(&mut buf, "Accept-Encoding: gzip, deflate\r\n")?;
    }
    if !req.body.is_empty() && !have_clen {
        write!(&mut buf, "Content-Length: {}\r\n", req.body.len())?;
    }
    // No explicit `Connection:` header: HTTP/1.1's default is keep-alive,
    // which is what we want for the connection pool. Servers that don't
    // want to keep alive announce it back via `Connection: close` on the
    // response, and we'll honour that in the reuse decision.
    write!(&mut buf, "\r\n")?;

    // Trace what we're about to put on the wire — read straight from `buf`
    // so the trace can't lie about what was sent. Stripping just one trailing
    // `\r\n` leaves the header terminator's blank line, which becomes the
    // closing `> ` line on the trace.
    let head = String::from_utf8_lossy(&buf);
    let head_no_final_crlf = head.strip_suffix("\r\n").unwrap_or(&head);
    for line in head_no_final_crlf.split("\r\n") {
        let _ = writeln!(trace, "> {line}");
    }

    w.write_all(&buf)?;
    if !req.body.is_empty() {
        let _ = writeln!(trace, "* uploading {} body bytes", req.body.len());
        w.write_all(&req.body)?;
    }
    w.flush()?;
    Ok(())
}

/// Read one HTTP/1.1 response from a buffered stream. The buffer is held by
/// the caller (rather than created inline) because connection-reuse hands
/// the same `BufReader` to back-to-back requests, and the buffer's leftover
/// bytes — even if empty in practice — must travel with the connection.
fn read_response<R: Read>(
    r: &mut BufReader<R>,
    method: &str,
    trace: &mut dyn Write,
) -> Result<Response> {
    let mut status_line = String::new();
    let n = r.read_line(&mut status_line)?;
    if n == 0 {
        return Err(Error::UnexpectedEof);
    }
    let trimmed_status = status_line.trim_end_matches(['\r', '\n']);
    let _ = writeln!(trace, "< {trimmed_status}");
    let (version, status, reason) = parse_status_line(trimmed_status)?;

    let mut headers: Vec<(String, String)> = Vec::new();
    let mut header_bytes = 0usize;
    loop {
        let mut line = String::new();
        let n = r.read_line(&mut line)?;
        if n == 0 {
            return Err(Error::UnexpectedEof);
        }
        header_bytes += n;
        if header_bytes > MAX_HEADER_BYTES {
            return Err(Error::BadResponse("headers exceed 64 KiB".into()));
        }
        let trimmed = line.trim_end_matches(['\r', '\n']);
        let _ = writeln!(trace, "< {trimmed}");
        if trimmed.is_empty() {
            break;
        }
        let (k, v) = trimmed
            .split_once(':')
            .ok_or_else(|| Error::BadResponse(format!("malformed header line: {trimmed:?}")))?;
        headers.push((k.trim().to_string(), v.trim().to_string()));
    }

    let body = read_body(r, &headers, &version, status, method)?;
    let wire_len = body.len();
    let _ = writeln!(trace, "* Received {wire_len} body bytes");
    let (headers, body) = maybe_decode_body(headers, body, trace)?;

    Ok(Response {
        status,
        reason,
        version,
        headers,
        body,
    })
}

/// Headers + body pair, the shape every HTTP-version backend assembles
/// before publishing a [`Response`]. Used by [`maybe_decode_body`] so the
/// signature doesn't trip `clippy::type_complexity`.
pub(crate) type HeadersAndBody = (Vec<(String, String)>, Vec<u8>);

/// If the response carries `Content-Encoding: gzip|deflate|x-gzip|identity`,
/// decode the body and strip the now-stale `Content-Encoding` and
/// `Content-Length` headers. Returns the (possibly-modified) headers + body.
/// Unknown encodings (brotli, zstd, compress, ...) are left intact so a
/// caller that knows how to handle them can still try.
///
/// Shared by HTTP/1.1, HTTP/2, and HTTP/3 — they all assemble a `(headers,
/// body)` pair and need identical post-processing.
pub(crate) fn maybe_decode_body(
    headers: Vec<(String, String)>,
    body: Vec<u8>,
    trace: &mut dyn Write,
) -> Result<HeadersAndBody> {
    let Some(enc) = headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case("content-encoding"))
        .map(|(_, v)| v.clone())
    else {
        return Ok((headers, body));
    };
    let wire_len = body.len();
    let out = crate::compress::decode_body(body, &enc)?;
    if out.decoded {
        let _ = writeln!(
            trace,
            "* Decompressed body: {} -> {} bytes ({})",
            wire_len,
            out.body.len(),
            enc
        );
        Ok((crate::compress::strip_after_decode(headers), out.body))
    } else {
        Ok((headers, out.body))
    }
}

fn parse_status_line(line: &str) -> Result<(String, u16, String)> {
    let mut parts = line.splitn(3, ' ');
    let version = parts
        .next()
        .ok_or_else(|| Error::BadResponse(format!("missing version: {line:?}")))?
        .to_string();
    if !version.starts_with("HTTP/") {
        return Err(Error::BadResponse(format!("not HTTP: {version}")));
    }
    let status: u16 = parts
        .next()
        .ok_or_else(|| Error::BadResponse(format!("missing status: {line:?}")))?
        .parse()
        .map_err(|_| Error::BadResponse(format!("bad status: {line:?}")))?;
    let reason = parts.next().unwrap_or("").to_string();
    Ok((version, status, reason))
}

/// Resolve the effective `Content-Length` from the header set, rejecting
/// smuggling-friendly ambiguity per RFC 9112 §6.3. Multiple `Content-Length`
/// header lines — or a single line that is itself a comma list — are only
/// acceptable if every value parses and they all agree; any disagreement (or
/// an unparseable value) is a hard error. Returns `None` when no
/// `Content-Length` is present.
fn parse_content_length(headers: &[(String, String)]) -> Result<Option<u64>> {
    let mut seen: Option<u64> = None;
    for (k, v) in headers {
        if !k.eq_ignore_ascii_case("content-length") {
            continue;
        }
        // A value may be a comma list (`5, 5`); split and validate each part.
        for part in v.split(',') {
            let n: u64 = part
                .trim()
                .parse()
                .map_err(|_| Error::BadResponse(format!("bad Content-Length: {v:?}")))?;
            match seen {
                Some(prev) if prev != n => {
                    return Err(Error::BadResponse(
                        "conflicting Content-Length values".into(),
                    ));
                }
                _ => seen = Some(n),
            }
        }
    }
    Ok(seen)
}

fn read_body<R: BufRead>(
    r: &mut R,
    headers: &[(String, String)],
    _version: &str,
    status: u16,
    method: &str,
) -> Result<Vec<u8>> {
    // RFC 9110: HEAD responses never have a body, nor do these statuses.
    if method.eq_ignore_ascii_case("HEAD")
        || (100..200).contains(&status)
        || status == 204
        || status == 304
    {
        return Ok(Vec::new());
    }

    // RFC 9112 §6.1: `Transfer-Encoding` present means the message is framed by
    // the transfer coding, and a `Content-Length` alongside it is a smuggling
    // vector (the two framings can disagree). Reject the message rather than
    // pick a side. We only know how to decode `chunked`, so any other coding is
    // its own error below.
    let has_te = headers
        .iter()
        .any(|(k, _)| k.eq_ignore_ascii_case("transfer-encoding"));
    let has_cl = headers
        .iter()
        .any(|(k, _)| k.eq_ignore_ascii_case("content-length"));
    if has_te && has_cl {
        return Err(Error::BadResponse(
            "both Transfer-Encoding and Content-Length present".into(),
        ));
    }

    let chunked = headers.iter().any(|(k, v)| {
        k.eq_ignore_ascii_case("transfer-encoding") && v.eq_ignore_ascii_case("chunked")
    });
    if chunked {
        return read_chunked(r);
    }

    let content_length = parse_content_length(headers)?;

    let mut body = Vec::new();
    match content_length {
        Some(len) => {
            // Compare against the cap as `u64` *before* any `as usize` cast, so
            // a value that wraps to a small `usize` on a 32-bit target can't
            // slip past the guard.
            if len > MAX_BODY_BYTES as u64 {
                return Err(Error::BadResponse(format!("body too large: {len}")));
            }
            body.reserve(len as usize);
            r.take(len).read_to_end(&mut body)?;
            if (body.len() as u64) < len {
                return Err(Error::UnexpectedEof);
            }
        }
        None => {
            // No content-length, no chunked — read until EOF (Connection: close).
            r.take(MAX_BODY_BYTES as u64).read_to_end(&mut body)?;
        }
    }
    Ok(body)
}

fn read_chunked<R: BufRead>(r: &mut R) -> Result<Vec<u8>> {
    let mut body = Vec::new();
    loop {
        let mut size_line = String::new();
        let n = r.read_line(&mut size_line)?;
        if n == 0 {
            return Err(Error::UnexpectedEof);
        }
        let size_str = size_line
            .trim_end_matches(['\r', '\n'])
            .split(';')
            .next()
            .unwrap_or("");
        let size = usize::from_str_radix(size_str.trim(), 16)
            .map_err(|_| Error::BadResponse(format!("bad chunk size: {size_str:?}")))?;
        if body.len().saturating_add(size) > MAX_BODY_BYTES {
            return Err(Error::BadResponse("body too large".into()));
        }
        if size == 0 {
            // Consume trailers until empty line.
            loop {
                let mut t = String::new();
                let n = r.read_line(&mut t)?;
                if n == 0 || t.trim_end_matches(['\r', '\n']).is_empty() {
                    break;
                }
            }
            break;
        }
        let start = body.len();
        body.resize(start + size, 0);
        r.read_exact(&mut body[start..])?;
        let mut crlf = [0u8; 2];
        r.read_exact(&mut crlf)?;
        if &crlf != b"\r\n" {
            return Err(Error::BadResponse("missing CRLF after chunk".into()));
        }
    }
    Ok(body)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parses_status_line_ok() {
        let (v, s, r) = parse_status_line("HTTP/1.1 200 OK").unwrap();
        assert_eq!(v, "HTTP/1.1");
        assert_eq!(s, 200);
        assert_eq!(r, "OK");
    }

    #[test]
    fn parses_status_line_no_reason() {
        let (_, s, r) = parse_status_line("HTTP/1.0 204").unwrap();
        assert_eq!(s, 204);
        assert_eq!(r, "");
    }

    #[test]
    fn rejects_non_http() {
        assert!(parse_status_line("RTSP/1.0 200 OK").is_err());
    }

    #[test]
    fn header_name_token_validation() {
        assert!(is_valid_header_name("X-Custom-Header"));
        assert!(is_valid_header_name("Content-Type"));
        assert!(!is_valid_header_name(""));
        assert!(!is_valid_header_name("Bad Name")); // space
        assert!(!is_valid_header_name("Bad:Name")); // colon is a separator
        assert!(!is_valid_header_name("Bad\r\nName"));
    }

    #[test]
    fn validate_header_rejects_crlf_in_value() {
        assert!(validate_header("X", "ok").is_ok());
        assert!(validate_header("X", "evil\r\nInjected: 1").is_err());
        assert!(validate_header("X", "evil\rstuff").is_err());
        assert!(validate_header("X", "evil\nstuff").is_err());
        assert!(validate_header("X", "evil\0stuff").is_err());
    }

    #[test]
    fn validate_method_rejects_control_and_space() {
        assert!(validate_method("GET").is_ok());
        assert!(validate_method("PROPFIND").is_ok());
        assert!(validate_method("").is_err());
        assert!(validate_method("GET HTTP/1.1\r\nEvil:").is_err());
        assert!(validate_method("BAD\r\n").is_err());
        assert!(validate_method("BAD METHOD").is_err());
    }

    #[test]
    fn write_request_refuses_injected_header() {
        // Nothing carrying CR/LF must ever reach the socket: write_request
        // returns an error before emitting a byte.
        let mut req = Request::get("http://example.com/").unwrap();
        req.headers
            .push(("X-Evil".into(), "a\r\nInjected: 1".into()));
        let mut sink = Vec::new();
        let mut trace = Vec::new();
        let err = write_request(&mut sink, &req, false, &mut trace).unwrap_err();
        assert!(matches!(err, Error::BadResponse(_)));
        assert!(sink.is_empty(), "nothing should have been written");
    }

    #[test]
    fn write_request_refuses_injected_method() {
        let mut req = Request::get("http://example.com/").unwrap();
        req.method = "GET\r\nEvil: 1".into();
        let mut sink = Vec::new();
        let mut trace = Vec::new();
        assert!(write_request(&mut sink, &req, false, &mut trace).is_err());
        assert!(sink.is_empty());
    }

    #[test]
    fn tls_pool_eligible_only_for_default_posture() {
        let mut req = Request::get("https://example.com/").unwrap();
        assert!(tls_pool_eligible(&req)); // verify on, no custom CA
        req.verify_tls = false;
        assert!(!tls_pool_eligible(&req)); // -k
        req.verify_tls = true;
        req.ca_bundle = Some("/tmp/ca.pem".into());
        assert!(!tls_pool_eligible(&req)); // --cacert
    }

    #[test]
    fn content_length_single_ok() {
        let h = vec![("Content-Length".to_string(), "42".to_string())];
        assert_eq!(parse_content_length(&h).unwrap(), Some(42));
    }

    #[test]
    fn content_length_absent_is_none() {
        let h = vec![("X".to_string(), "y".to_string())];
        assert_eq!(parse_content_length(&h).unwrap(), None);
    }

    #[test]
    fn content_length_duplicate_agreeing_ok() {
        let h = vec![
            ("Content-Length".to_string(), "5".to_string()),
            ("content-length".to_string(), "5".to_string()),
        ];
        assert_eq!(parse_content_length(&h).unwrap(), Some(5));
    }

    #[test]
    fn content_length_conflicting_rejected() {
        let h = vec![
            ("Content-Length".to_string(), "5".to_string()),
            ("Content-Length".to_string(), "6".to_string()),
        ];
        assert!(parse_content_length(&h).is_err());
    }

    #[test]
    fn content_length_comma_list_conflicting_rejected() {
        let h = vec![("Content-Length".to_string(), "5, 6".to_string())];
        assert!(parse_content_length(&h).is_err());
    }

    #[test]
    fn content_length_comma_list_agreeing_ok() {
        let h = vec![("Content-Length".to_string(), "5, 5".to_string())];
        assert_eq!(parse_content_length(&h).unwrap(), Some(5));
    }

    #[test]
    fn content_length_unparseable_rejected() {
        let h = vec![("Content-Length".to_string(), "not-a-number".to_string())];
        assert!(parse_content_length(&h).is_err());
    }

    #[test]
    fn read_body_rejects_te_and_cl_together() {
        use std::io::Cursor;
        // A response advertising both chunked TE and a Content-Length is a
        // smuggling vector and must be rejected outright.
        let headers = vec![
            ("Transfer-Encoding".to_string(), "chunked".to_string()),
            ("Content-Length".to_string(), "5".to_string()),
        ];
        let mut r = BufReader::new(Cursor::new(b"0\r\n\r\n".to_vec()));
        let err = read_body(&mut r, &headers, "HTTP/1.1", 200, "GET").unwrap_err();
        assert!(matches!(err, Error::BadResponse(_)));
    }

    #[test]
    fn read_body_rejects_conflicting_content_length() {
        use std::io::Cursor;
        let headers = vec![
            ("Content-Length".to_string(), "3".to_string()),
            ("Content-Length".to_string(), "4".to_string()),
        ];
        let mut r = BufReader::new(Cursor::new(b"abcd".to_vec()));
        assert!(read_body(&mut r, &headers, "HTTP/1.1", 200, "GET").is_err());
    }

    #[test]
    fn proxy_parse_basic() {
        let p = ProxyConfig::parse("http://proxy.example:3128").unwrap();
        assert_eq!(p.host, "proxy.example");
        assert_eq!(p.port, 3128);
        assert!(p.auth.is_none());
    }

    #[test]
    fn proxy_parse_with_creds() {
        let p = ProxyConfig::parse("http://alice:hunter2@proxy:8080").unwrap();
        assert_eq!(p.host, "proxy");
        assert_eq!(p.port, 8080);
        assert_eq!(p.auth.as_ref().unwrap().0, "alice");
        assert_eq!(p.auth.as_ref().unwrap().1, "hunter2");
    }

    #[test]
    fn proxy_parse_bare_hostport_is_http() {
        // Curl accepts `proxy:8080`; we normalise to http://.
        let p = ProxyConfig::parse("proxy.local:8080").unwrap();
        assert_eq!(p.host, "proxy.local");
        assert_eq!(p.port, 8080);
    }

    #[test]
    fn proxy_parse_rejects_https() {
        let err = ProxyConfig::parse("https://proxy:443").unwrap_err();
        matches!(err, Error::UnsupportedScheme(_));
    }

    #[test]
    fn proxy_bypass_matches_suffix() {
        let mut req = Request::get("http://api.example.com/x").unwrap();
        req.proxy = Some(ProxyConfig::parse("http://proxy:8080").unwrap());
        req.no_proxy = vec!["example.com".into()];
        assert!(proxy_bypassed(&req));
        // sibling host not under example.com
        req.url = Url::parse("http://other.org/x").unwrap();
        assert!(!proxy_bypassed(&req));
    }

    #[test]
    fn proxy_bypass_wildcard() {
        let mut req = Request::get("http://anywhere/").unwrap();
        req.proxy = Some(ProxyConfig::parse("http://p:1").unwrap());
        req.no_proxy = vec!["*".into()];
        assert!(proxy_bypassed(&req));
    }

    #[test]
    fn connect_tunnel_happy_path() {
        // A tiny mock stream: serves the canned `HTTP/1.1 200 OK\r\n\r\n`
        // response and records everything written to it. Confirms that the
        // CONNECT line and Host: target are correctly framed and that the
        // tunnel completes without consuming any byte past the terminator.
        use std::io::{self, Cursor};
        struct Mock {
            written: Vec<u8>,
            reply: Cursor<Vec<u8>>,
            trailing: Vec<u8>, // bytes the reader would deliver AFTER the response
        }
        impl Read for Mock {
            fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
                let n = self.reply.read(buf)?;
                if n == 0 && !self.trailing.is_empty() {
                    let take = buf.len().min(self.trailing.len());
                    buf[..take].copy_from_slice(&self.trailing[..take]);
                    self.trailing.drain(..take);
                    return Ok(take);
                }
                Ok(n)
            }
        }
        impl Write for Mock {
            fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
                self.written.extend_from_slice(buf);
                Ok(buf.len())
            }
            fn flush(&mut self) -> io::Result<()> {
                Ok(())
            }
        }

        let mut mock = Mock {
            written: Vec::new(),
            reply: Cursor::new(b"HTTP/1.1 200 Connection established\r\n\r\n".to_vec()),
            // Pretend the server pre-sent the first byte of a TLS
            // ClientHello immediately after the terminator. The tunnel
            // function must NOT have eaten it.
            trailing: vec![0x16],
        };
        let target = Url::parse("https://origin.example:443/").unwrap();
        let proxy = ProxyConfig {
            host: "proxy".into(),
            port: 3128,
            auth: Some(("u".into(), "p".into())),
        };
        connect_tunnel(&mut mock, &target, &proxy, &mut io::sink()).unwrap();

        let written = String::from_utf8(mock.written.clone()).unwrap();
        assert!(
            written.starts_with("CONNECT origin.example:443 HTTP/1.1\r\n"),
            "request line missing: {written:?}",
        );
        assert!(
            written.contains("Host: origin.example:443\r\n"),
            "Host header missing: {written:?}",
        );
        assert!(
            written.contains("Proxy-Authorization: Basic dTpw\r\n"),
            "auth header missing or wrong: {written:?}",
        );
        // The trailing 0x16 must still be readable through the same stream —
        // any BufReader-style prefetch would have stolen it.
        let mut byte = [0u8; 1];
        assert_eq!(mock.read(&mut byte).unwrap(), 1);
        assert_eq!(byte[0], 0x16, "next-layer byte was consumed by the tunnel");
    }

    #[test]
    fn connect_tunnel_reports_407() {
        use std::io::{self, Cursor};
        let payload =
            b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic\r\n\r\n";
        let mut mock = std::io::Cursor::new(Vec::new());
        // We need a Read+Write; chain Cursor over a buffer that has the
        // canned reply followed by writes appended; the simplest is to use
        // two structs but for one test just inline a tiny helper.
        struct RW<'a> {
            inner: Cursor<&'a [u8]>,
            sink: &'a mut Vec<u8>,
        }
        impl<'a> Read for RW<'a> {
            fn read(&mut self, b: &mut [u8]) -> io::Result<usize> {
                self.inner.read(b)
            }
        }
        impl<'a> Write for RW<'a> {
            fn write(&mut self, b: &[u8]) -> io::Result<usize> {
                self.sink.extend_from_slice(b);
                Ok(b.len())
            }
            fn flush(&mut self) -> io::Result<()> {
                Ok(())
            }
        }
        let mut sink = Vec::new();
        let mut rw = RW {
            inner: Cursor::new(payload),
            sink: &mut sink,
        };
        let target = Url::parse("https://origin/").unwrap();
        let proxy = ProxyConfig {
            host: "p".into(),
            port: 1,
            auth: None,
        };
        let err = connect_tunnel(&mut rw, &target, &proxy, &mut io::sink()).unwrap_err();
        match err {
            Error::BadResponse(msg) => assert!(msg.contains("407"), "got {msg:?}"),
            other => panic!("unexpected: {other:?}"),
        }
        // unused so clippy doesn't complain about `mock`
        let _ = mock.write(&[]);
    }
}