MDA2AV
diff --git a/‎.github/workflows/probe.yml‎
Lines changed: 26 additions & 26 deletions b/‎.github/workflows/probe.yml‎
Lines changed: 26 additions & 26 deletions
diff --git a/‎.gitignore‎
Lines changed: 5 additions & 1 deletion b/‎.gitignore‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎docs/assets/css/custom.css‎
Lines changed: 3 additions & 3 deletions b/‎docs/assets/css/custom.css‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/content/docs/_index.md‎
Lines changed: 18 additions & 0 deletions b/‎docs/content/docs/_index.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎docs/content/docs/content-length/_index.md‎
Lines changed: 21 additions & 0 deletions b/‎docs/content/docs/content-length/_index.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎docs/content/docs/content-length/cl-non-numeric.md‎
Lines changed: 29 additions & 0 deletions b/‎docs/content/docs/content-length/cl-non-numeric.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎docs/content/docs/content-length/cl-plus-sign.md‎
Lines changed: 29 additions & 0 deletions b/‎docs/content/docs/content-length/cl-plus-sign.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎docs/content/docs/headers/_index.md‎
Lines changed: 30 additions & 0 deletions b/‎docs/content/docs/headers/_index.md‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎docs/content/docs/headers/empty-header-name.md‎
Lines changed: 25 additions & 0 deletions b/‎docs/content/docs/headers/empty-header-name.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎docs/content/docs/headers/header-no-colon.md‎
Lines changed: 24 additions & 0 deletions b/‎docs/content/docs/headers/header-no-colon.md‎
Lines changed: 24 additions & 0 deletions
@@ -143,57 +143,57 @@ jobs:
             'RFC9112-2.2-BARE-LF-REQUEST-LINE': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Bare LF in request-line is a framing violation (RFC 9112 §2.2)'
+                'reason': 'Bare LF — recipient MAY accept but rejection is stricter (RFC 9112 §2.2)'
             },
             'RFC9112-2.2-BARE-LF-HEADER': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Bare LF in header field is a framing violation (RFC 9112 §2.2)'
+                'reason': 'Bare LF — recipient MAY accept but rejection is stricter (RFC 9112 §2.2)'
             },
             'RFC9112-5.1-OBS-FOLD': {
-                'accept': [400], 'close_ok': True, 'timeout_ok': False,
-                'expected': '400 or close',
-                'reason': 'Obs-fold (line folding) is deprecated and must be rejected (RFC 9112 §5.1)'
+                'accept': [400], 'close_ok': False, 'timeout_ok': False,
+                'expected': '400',
+                'reason': 'MUST reject by sending 400 or replace with SP (RFC 9112 §5.1)'
             },
             'RFC9110-5.6.2-SP-BEFORE-COLON': {
-                'accept': [400], 'close_ok': True, 'timeout_ok': False,
-                'expected': '400 or close',
-                'reason': 'Space between header name and colon is invalid (RFC 9110 §5.6.2)'
+                'accept': [400], 'close_ok': False, 'timeout_ok': False,
+                'expected': '400',
+                'reason': 'MUST reject with 400 (RFC 9112 §5)'
             },
             'RFC9112-3-MULTI-SP-REQUEST-LINE': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Multiple SP in request-line is malformed (RFC 9112 §3)'
+                'reason': 'SHOULD respond with 400 (RFC 9112 §3)'
             },
             'RFC9112-7.1-MISSING-HOST': {
-                'accept': [400], 'close_ok': True, 'timeout_ok': False,
-                'expected': '400 or close',
-                'reason': 'Missing Host header requires 400 (RFC 9112 §7.1)'
+                'accept': [400], 'close_ok': False, 'timeout_ok': False,
+                'expected': '400',
+                'reason': 'MUST respond with 400 (RFC 9112 §3.2)'
             },
             'RFC9112-2.3-INVALID-VERSION': {
                 'accept': [400, 505], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400/505 or close',
-                'reason': 'Invalid HTTP version must be rejected (RFC 9112 §2.3)'
+                'reason': 'No MUST — 505 is available but not mandated (RFC 9112 §2.3)'
             },
             'RFC9112-5-EMPTY-HEADER-NAME': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
                 'reason': 'Empty header name (leading colon) is invalid (RFC 9112 §5)'
             },
             'RFC9112-3-CR-ONLY-LINE-ENDING': {
-                'accept': [400], 'close_ok': True, 'timeout_ok': False,
-                'expected': '400 or close',
-                'reason': 'CR without LF is a framing violation (RFC 9112 §2.2)'
+                'accept': [400], 'close_ok': False, 'timeout_ok': False,
+                'expected': '400',
+                'reason': 'MUST consider invalid or replace with SP (RFC 9112 §2.2)'
             },
             'SMUG-CL-TE-BOTH': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'CL + TE together enables smuggling — must reject (RFC 9112 §6.1)'
+                'reason': 'CL + TE together "ought to" be handled as error (RFC 9112 §6.3)'
             },
             'SMUG-DUPLICATE-CL': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Conflicting Content-Length values enable smuggling (RFC 9110 §8.6)'
+                'reason': 'MUST treat as unrecoverable error (RFC 9112 §6.3)'
             },
             'SMUG-CL-LEADING-ZEROS': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
@@ -268,17 +268,17 @@ jobs:
             'RFC9112-3-MISSING-TARGET': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Missing request-target is malformed (RFC 9112 §3)'
+                'reason': 'SHOULD respond with 400 (RFC 9112 §3)'
             },
             'RFC9112-3.2-FRAGMENT-IN-TARGET': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Fragment in request-target is invalid (RFC 9112 §3.2)'
+                'reason': 'SHOULD respond with 400 (RFC 9112 §3)'
             },
             'RFC9112-2.3-HTTP09-REQUEST': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': True,
                 'expected': '400/close/timeout',
-                'reason': 'HTTP/0.9 requests must be rejected (RFC 9112 §2.3)'
+                'reason': 'Invalid request-line — SHOULD respond with 400 (RFC 9112 §3)'
             },
             'RFC9112-5-INVALID-HEADER-NAME': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
@@ -291,19 +291,19 @@ jobs:
                 'reason': 'Header line without colon is malformed (RFC 9112 §5)'
             },
             'RFC9110-5.4-DUPLICATE-HOST': {
-                'accept': [400], 'close_ok': True, 'timeout_ok': False,
-                'expected': '400 or close',
-                'reason': 'Duplicate Host headers with different values must be rejected (RFC 9110 §5.4)'
+                'accept': [400], 'close_ok': False, 'timeout_ok': False,
+                'expected': '400',
+                'reason': 'MUST respond with 400 (RFC 9112 §3.2)'
             },
             'RFC9112-6.1-CL-NON-NUMERIC': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Non-numeric Content-Length is invalid (RFC 9112 §6.1)'
+                'reason': 'MUST treat as unrecoverable error (RFC 9112 §6.3)'
             },
             'RFC9112-6.1-CL-PLUS-SIGN': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
                 'expected': '400 or close',
-                'reason': 'Content-Length with + sign is invalid (RFC 9112 §6.1)'
+                'reason': 'MUST treat as unrecoverable error (RFC 9112 §6.3)'
             },
             'SMUG-TECL-PIPELINE': {
                 'accept': [400], 'close_ok': True, 'timeout_ok': False,
 
@@ -51,4 +51,8 @@ CodeCoverage/
 # NUnit
 *.VisualState.xml
 TestResult.xml
-nunit-*.xml
+nunit-*.xml
+# Hugo build artifacts
+docs/public/
+docs/.hugo_build.lock
+docs/resources/
@@ -80,9 +80,9 @@ a[href$="/probe-results/"] {
   font-size: 1.1em !important;
 }
 
-/* Separator before Glossary */
-a[href$="/glossary"],
-a[href$="/glossary/"] {
+/* Separator before Docs */
+a[href$="/docs"],
+a[href$="/docs/"] {
   margin-left: 12px !important;
   padding-left: 14px !important;
   border-left: 1px solid rgba(128, 128, 128, 0.3) !important;
 
@@ -0,0 +1,18 @@
+---
+title: Docs
+sidebar:
+  open: true
+---
+
+Reference documentation for every test in Http11Probe, organized by topic. Each page explains the RFC requirement, what the test sends, what response is expected, and why it matters.
+
+{{< cards >}}
+  {{< card link="rfc-basics" title="RFC Basics" subtitle="What RFCs are, how to read requirement levels (MUST/SHOULD/MAY), and which RFCs define HTTP/1.1." icon="book-open" >}}
+  {{< card link="line-endings" title="Line Endings" subtitle="CRLF requirements, bare LF handling, and bare CR rejection per RFC 9112 Section 2.2." icon="code" >}}
+  {{< card link="request-line" title="Request Line" subtitle="Request-line format, multiple spaces, missing target, fragments, HTTP version validation." icon="terminal" >}}
+  {{< card link="headers" title="Header Syntax" subtitle="Obs-fold, space before colon, empty names, invalid characters, missing colon." icon="document-text" >}}
+  {{< card link="host-header" title="Host Header" subtitle="Missing Host, duplicate Host — the only tests where RFC explicitly mandates 400." icon="server" >}}
+  {{< card link="content-length" title="Content-Length" subtitle="Non-numeric CL, plus sign, integer overflow, leading zeros, negative values." icon="calculator" >}}
+  {{< card link="smuggling" title="Request Smuggling" subtitle="CL+TE conflicts, TE obfuscation, pipeline injection, and why ambiguous framing is dangerous." icon="shield-exclamation" >}}
+  {{< card link="malformed-input" title="Malformed Input" subtitle="Binary garbage, oversized fields, control characters, incomplete requests." icon="lightning-bolt" >}}
+{{< /cards >}}
@@ -0,0 +1,21 @@
+---
+title: Content-Length
+weight: 6
+sidebar:
+  open: true
+---
+
+The `Content-Length` header indicates the size of the message body in bytes. Its grammar is strict: `Content-Length = 1*DIGIT`. Any deviation — non-numeric characters, plus signs, leading zeros, negative values, overflow — can cause parsers to disagree on body boundaries.
+
+## Key Rules
+
+**Grammar**: `1*DIGIT` means one or more ASCII digits (`0-9`). No signs, no spaces, no hex.
+
+> “If a message is received without Transfer-Encoding and with an invalid Content-Length header field, then the message framing is invalid and the recipient **MUST** treat it as an unrecoverable error...” — RFC 9112 Section 6.3
+
+## Tests
+
+{{< cards >}}
+  {{< card link="cl-non-numeric" title="CL-NON-NUMERIC" subtitle="Non-numeric Content-Length value." >}}
+  {{< card link="cl-plus-sign" title="CL-PLUS-SIGN" subtitle="Content-Length with a + prefix." >}}
+{{< /cards >}}
@@ -0,0 +1,29 @@
+---
+title: "CL-NON-NUMERIC"
+weight: 1
+---
+
+| | |
+|---|---|
+| **Test ID** | `RFC9112-6.1-CL-NON-NUMERIC` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 6.1](https://www.rfc-editor.org/rfc/rfc9112#section-6.1), [Section 6.3](https://www.rfc-editor.org/rfc/rfc9112#section-6.3) |
+| **Requirement** | MUST |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A request with a non-numeric `Content-Length` value, e.g., `Content-Length: abc`.
+
+## What the RFC says
+
+Content-Length is defined as `1*DIGIT`. A value containing non-digit characters does not match this grammar.
+
+> “If a message is received without Transfer-Encoding and with an invalid Content-Length header field, then the message framing is invalid and the recipient **MUST** treat it as an unrecoverable error...”
+
+“Unrecoverable error” means the server must reject — either with a 400 response or by closing the connection. It cannot attempt to parse the body.
+
+## Sources
+
+- [RFC 9110 Section 8.6 — Content-Length](https://www.rfc-editor.org/rfc/rfc9110#section-8.6)
+- [RFC 9112 Section 6.3 — Message Body Length](https://www.rfc-editor.org/rfc/rfc9112#section-6.3)
@@ -0,0 +1,29 @@
+---
+title: "CL-PLUS-SIGN"
+weight: 2
+---
+
+| | |
+|---|---|
+| **Test ID** | `RFC9112-6.1-CL-PLUS-SIGN` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 6.1](https://www.rfc-editor.org/rfc/rfc9112#section-6.1), [Section 6.3](https://www.rfc-editor.org/rfc/rfc9112#section-6.3) |
+| **Requirement** | MUST |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A request with a plus sign in the Content-Length value: `Content-Length: +42`.
+
+## What the RFC says
+
+The `+` character is not in the DIGIT set (`%x30-39`), so `+42` does not match `1*DIGIT`. This is an invalid Content-Length and MUST be treated as an unrecoverable error.
+
+## Why it matters
+
+Many programming languages’ integer parsers accept leading `+` signs (e.g., `parseInt("+42")` returns `42` in JavaScript). A server that blindly passes Content-Length through such a parser may accept this value while another server in the chain rejects it — creating a framing disagreement.
+
+## Sources
+
+- [RFC 9110 Section 8.6 — Content-Length](https://www.rfc-editor.org/rfc/rfc9110#section-8.6)
+- [RFC 9112 Section 6.3 — Message Body Length](https://www.rfc-editor.org/rfc/rfc9112#section-6.3)
@@ -0,0 +1,30 @@
+---
+title: Header Syntax
+weight: 4
+sidebar:
+  open: true
+---
+
+HTTP header fields follow a strict grammar: `field-name ":" OWS field-value OWS`. RFC 9112 Section 5 and RFC 9110 Section 5.6.2 define what constitutes a valid header. Violations can lead to parser disagreements and smuggling.
+
+## Key Rules
+
+**Space before colon** — the only header syntax violation with an explicit MUST-400:
+
+> "A server **MUST** reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon." — RFC 9112 Section 5
+
+**Obs-fold** (line folding with leading whitespace):
+
+> "A server that receives an obs-fold in a request message that is not within a message/http container **MUST** either reject the message by sending a 400 (Bad Request)... or replace each received obs-fold with one or more SP octets prior to interpreting the field value." — RFC 9112 Section 5.1
+
+**Field name** must be a `token` = `1*tchar`, meaning at least one valid token character. Empty names, non-ASCII bytes, and special characters are all violations.
+
+## Tests
+
+{{< cards >}}
+  {{< card link="sp-before-colon" title="SP-BEFORE-COLON" subtitle="Space between field name and colon. MUST reject with 400." >}}
+  {{< card link="obs-fold" title="OBS-FOLD" subtitle="Obsolete line folding. MUST reject with 400 or replace with SP." >}}
+  {{< card link="empty-header-name" title="EMPTY-HEADER-NAME" subtitle="Leading colon with no field name." >}}
+  {{< card link="invalid-header-name" title="INVALID-HEADER-NAME" subtitle="Non-token characters in field name." >}}
+  {{< card link="header-no-colon" title="HEADER-NO-COLON" subtitle="Header line with no colon separator." >}}
+{{< /cards >}}
@@ -0,0 +1,25 @@
+---
+title: "EMPTY-HEADER-NAME"
+weight: 3
+---
+
+| | |
+|---|---|
+| **Test ID** | `RFC9112-5-EMPTY-HEADER-NAME` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 5](https://www.rfc-editor.org/rfc/rfc9112#section-5) |
+| **Requirement** | Implicit MUST (grammar violation) |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A header line starting with a colon — effectively an empty field name: `: value`.
+
+## What the RFC says
+
+Field names are defined as `token = 1*tchar`, requiring at least one valid token character. An empty string does not match `1*tchar`. While there is no explicit "MUST reject empty field names with 400" statement, a line starting with `:` fails to match the `field-line` grammar entirely.
+
+## Sources
+
+- [RFC 9112 Section 5 — Field Syntax](https://www.rfc-editor.org/rfc/rfc9112#section-5)
+- [RFC 9110 Section 5.1 — Field Names](https://www.rfc-editor.org/rfc/rfc9110#section-5.1)
@@ -0,0 +1,24 @@
+---
+title: "HEADER-NO-COLON"
+weight: 5
+---
+
+| | |
+|---|---|
+| **Test ID** | `RFC9112-5-HEADER-NO-COLON` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 5](https://www.rfc-editor.org/rfc/rfc9112#section-5) |
+| **Requirement** | Implicit MUST (grammar violation) |
+| **Expected** | `400` or close |
+
+## What it sends
+
+A header line with no colon: `InvalidHeaderNoColon`.
+
+## What the RFC says
+
+The field-line grammar is `field-name ":" OWS field-value OWS`. A line without a colon does not match this grammar. It could be misinterpreted as a continuation line, a new request, or garbage — any of which is dangerous.
+
+## Sources
+
+- [RFC 9112 Section 5 — Field Syntax](https://www.rfc-editor.org/rfc/rfc9112#section-5)