Module http_connection_limiter 

Bounded handler-thread admission for the clear-text HTTP accept loop.

Slice 1 of issue #570 / parent #569. The synchronous HTTP transport spawns one OS thread per accepted connection. Without an admission cap the server can degrade into thread-storm and lock starvation under load. HttpConnectionLimiter is a single AtomicUsize-backed semaphore consulted in the accept loop before parsing or handler work. A rejected connection gets a static 503 + Retry-After written and the socket closed without ever entering the runtime.

Hard cap for this slice is (2 * available_parallelism).clamp(8, 256). Config knobs (env / CLI) land in slice 5 per the parent brief.

Structs

HttpConnectionLimiter

HttpConnectionPermit

Permit handle — owns one slot of the limiter. Dropping the permit returns the slot. The permit is intentionally !Clone so the slot accounting can’t drift.