Skip to main content

CHANGELOG.md 

# Changelog

All notable changes to this project will be documented in this file.

## [Unreleased]

## [1.6.4] - 2026-06-05

### Changed
- HTTP/3 no longer accumulates received DATA payloads in the stream record. Data still reaches owners and handlers through the existing delivery path, while Content-Length and unbounded-body limits are enforced from a byte counter. The `#h3_stream.body` field is retained for compatibility but is no longer populated.

## [1.6.3] - 2026-06-03

### Added
- `quic:safe_close/1,2,3` closes a connection and ignores any error if it is already gone, for teardown paths that must not crash.

### Fixed
- HTTP/3 connection errors now send a CONNECTION_CLOSE. `handle_connection_error` passed the error reason straight to `quic:close/3`, but several call sites supply a non-binary reason, which failed the function's binary guard and was swallowed by a surrounding `catch`, so the connection was left open. The reason is now coerced to a binary phrase.

### Changed
- Replaced the deprecated bare `catch` expressions in the library and test suites with `try ... catch`, clearing the OTP 27+ compiler warnings. CI now runs the unit tests on OTP 26, 27, 28 and 29 (the matrix previously collapsed to one OTP version per OS).

## [1.6.2] - 2026-06-03

### Fixed
- Happy Eyeballs + HTTP/3: a client connecting to a hostname that resolves to more than one address (so the race path runs) could hang in `quic_h3:connect/3` until `connect_timeout`. The QUIC connection completes its handshake while owned by the race coordinator, so the server's HTTP/3 control stream and SETTINGS were delivered to the transient owner and dropped before the H3 connection process existed. `set_owner` re-delivers `{connected}` but not that already-arrived stream data; the race coordinator and `quic_h3:connect/3` now forward the buffered `{quic, Conn, _}` backlog to the new owner at each ownership handoff. Diagnosed and originally fixed by ycastorium (#160, #161).
- Server certificate validation recovers from an expired cross-signed root. When the served chain anchors at an expired cross-signed root (Let's Encrypt ISRG Root X2 cross-signed by the now-expired ISRG Root X1) and the trust store holds a still-valid root with the same public key, the client retries the alternative trust anchors instead of failing with `cert_expired`. A genuinely expired leaf or intermediate still fails.

## [1.6.1] - 2026-06-02

### Fixed
- Server-side 0-RTT acceptance now works end to end. The server echoes the empty `early_data` extension in EncryptedExtensions when it accepts 0-RTT, so a resuming client reports `early_data_accepted/1 =:= true` instead of always seeing the data rejected. Inbound 0-RTT frames are dispatched at the application level, so the early request and its control/QPACK streams are processed rather than dropped, and the resumed request completes normally.

## [1.6.0] - 2026-06-02

### Added
- 0-RTT (early data) support. On resumption a client can send application data in its first flight, and HTTP/3 can issue an early request, before the handshake completes. `quic:has_early_keys/1` reports whether 0-RTT keys are available, and `quic:early_data_accepted/1` / `quic_h3:early_data_accepted/1` report whether the server accepted the early data. (#148)
- `quic_listener:get_sockname/1` and `quic:get_server_sockname/1` return the listener's bound `{IP, Port}`, resolved live from the socket so it is correct when the listener was opened with `inet6`, `{ip, _}` or `{ifaddr, _}`. (#153)

### Fixed
- Streams aborted with RESET_STREAM_AT are reclaimed from the connection's stream map once their reliable obligation is met (local reset: reliable bytes acked; incoming reset: reliable bytes delivered), instead of being retained for the life of the connection. Data beyond the reliable size is trimmed from the send queue and retransmit path, and dropped on receive. (#152)
- A lost-packet retransmission deferred by congestion control is re-queued and resent when the window reopens, instead of being dropped (it had already been removed from the sent queue, so it was never retried).
- STREAM data referencing a locally-initiated stream that was never opened is rejected with STREAM_STATE_ERROR instead of creating the stream. (#152)
- Erlang distribution over QUIC: the keep-alive PING is paced off `net_ticktime` instead of the QUIC idle timeout, so a healthy connection is no longer declared down by `net_kernel` under load. (#157)

## [1.5.0] - 2026-05-30

### Added
- IPv6 client connections: `quic:connect/4` accepts a hostname, an IP-literal string (IPv4 or IPv6, optionally bracketed), or an `inet:ip_address()` tuple. Dual-stack hostnames use RFC 8305 Happy Eyeballs (IPv6-first racing) with `happy_eyeballs`, `family`, `connection_attempt_delay` and `connect_timeout` options. A hostname that fails to resolve returns `{error, Reason}` instead of dialing a default address. (#150)
- Listeners can bind to IPv6: pass `inet6` or an IPv6 `{ip, Addr}` in `extra_socket_opts`; the address family is inferred from those options. (#149)

## [1.4.5] - 2026-05-28

### Fixed
- Server certificate chain validation accepts chains where the server sends an extra or cross-signed cert above the cert that actually anchors. The previous topmost-only anchor lookup rejected valid chains (notably `cloudflare.com` over Google Trust Services on Mozilla NSS, `certifi` and FreeBSD `ca_root_nss`) with `unknown_ca`. The client now walks the served chain for the highest cert whose issuer is in the trust store and validates the sub-path from there.
- Server certificate verification failures reach the QUIC owner as a synchronous `{closed, {certificate_invalid, _}}` event alongside the existing `{error, {certificate_invalid, _}}` notification, so HTTP/3 clients waiting on the close fail fast instead of stalling until their connect timeout fires.

## [1.4.4] - 2026-05-28

### Security
- The QUIC client now authenticates the server. It verifies the CertificateVerify signature, validates the certificate chain against the trust store (`cacerts` option, OS store by default), and checks the hostname. Previously `verify` was a no-op on the client, so any certificate was accepted and a man-in-the-middle on the network path could impersonate any server. `verify` now defaults to on for clients; set `verify => false` to accept any certificate (for example self-signed test servers). HTTP/3 uses the same client and is fixed too. (GHSA-2r8v-p65x-3663, CVE-2026-49457, CWE-295). Reported by benmmurphy.
- Hardening from a full security review: 3x anti-amplification limit with Initial retransmission, CRYPTO-buffer and listener connection caps, MAX_STREAMS and connection-ID limit enforcement, resumption PSK binder verification with single-use 0-RTT, TLS 1.3 handshake state guards, AEAD usage-limit key update, working address-validation Retry with constant-time token compares, and stricter HTTP/3 and QPACK decoding.

## [1.4.3] - 2026-05-25

### Fixed
- QPACK Encoded Field Section Prefix and dynamic table now follow RFC 9204, so the encoder interoperates with strict decoders such as nghttp3. The Base is signalled as S=0 (Base = Required Insert Count), the Required Insert Count is written as an 8-bit prefix integer, and the Insert With Literal Name opcode and dynamic-table field-section encoding are corrected. (#142)

## [1.4.2] - 2026-05-23

### Fixed
- HTTP/3 extended CONNECT (RFC 9220) regressed in 1.4.1: the response-HEADERS coalescing introduced in 1.4.1 buffered a CONNECT tunnel's `200` until the first DATA frame, but a tunnel server sends no DATA until the client does and the client waits for the `200`, so the tunnel deadlocked (WebTransport and WebSocket-over-H3). CONNECT responses now flush the `200` immediately; plain H3 responses still coalesce headers with the first body chunk.

## [1.4.1] - 2026-05-23

### Changed
- Idle and keep-alive timers are now lazy: armed once at connection setup and re-armed only when they fire, from the `last_activity` timestamp, instead of being cancelled and rescheduled on every packet. (#140)
- HTTP/3 responses coalesce the HEADERS frame with the first DATA frame, so a response's headers and first body bytes go out in one 1-RTT packet instead of two. A large body still fragments as before. (#141)

## [1.4.0] - 2026-05-22

### Added
- TLS 1.3 external PSK (RFC 8446 §4.2.11). Client `external_psk` and server `psks` / `psk_callback` options, both `psk_dhe_ke` and `psk_ke` modes, constant-time server-side binder verification, cert and PSK coexistence on one listener, and client downgrade protection. `quic_dist` can authenticate node-to-node with a shared PSK and no certificates. See `docs/PSK.md`. (#133)
- TLS 1.3 HelloRetryRequest with multi-group key exchange. The `groups` option advertises `x25519`, `secp256r1` and `secp384r1`; a server that prefers a group the client did not key-share triggers a HelloRetryRequest and the client retries transparently. (#135)
- Per-handshake signature negotiation via the `signature_algs` option, adding ECDSA secp384r1-SHA384, RSA-PSS-RSAE SHA384/512 and Ed25519 sign/verify. The `connected` event now reports `negotiated_group` and `negotiated_scheme`. (#135)
- Per-pair multi-stream routing for Erlang distribution over QUIC. Dist messages are hashed by `{From, To}` across 16 streams to send concurrently while preserving order within each sender/receiver pair. (#132)
- `SECURITY.md` with a private vulnerability reporting policy.

### Changed
- HTTP/3 header field-character validation inlines the character class into the scanner clause guards, removing a per-byte predicate call from a request hot path. (#136)

### Fixed
- The server now segments its TLS handshake flight so no datagram exceeds `max_udp_payload_size`. The 3-5 KB flight previously went out as one UDP datagram that clients enforcing their advertised limit (Chromium) dropped, stalling the handshake until idle timeout. (#134, #137)
- ex_doc generation no longer breaks on a `@doc` tag preceding a `-callback`. (#129)

## [1.3.3] - 2026-05-03

### Added
- `quic:get_path_stats/1` returns a snapshot of the connection's path metrics (srtt / latest_rtt / min_rtt / rtt_var in microseconds, plus cwnd, bytes_in_flight, in_recovery, congested) for downstream routing layers. Backward-compatible; off the packet-processing path. (#127)
- `quic_dist` `auth_callback` option runs a custom `{Mod,Fun}` (or `fun/3`) on both sides between the QUIC handshake and the dist_util handshake. `{error, _}` closes the connection without ever starting the dist controller. New `quic_dist_auth` behaviour. (#126)
- `quic_dist` `register_with_epmd` option (default `false`) registers the listening port via the configured `epmd_module` so external tooling (e.g. `epmd -names`) can resolve the node. (#126)

## [1.3.2] - 2026-05-03

### Added
- `priv/bin/quic_call.sh`, an `erl_call`-style one-shot RPC helper for `quic_dist` clusters. Boots a hidden probe node with `-proto_dist quic`, runs `rpc:call/5` against the target, asks the target to disconnect so the hidden-node entry is reaped immediately, and halts. Reuses the cluster's `sys.config` (`-C`) for credentials and discovery; cert/key can also be passed via `--cert`/`--key`. (#123, #124)

## [1.3.1] - 2026-04-30

### Added
- `socket_backend => adapter` lets callers plug their own datagram transport (for example a MASQUE CONNECT-UDP session) under a QUIC client. The adapter map carries `send_fun` (and optional `close_fun`, `socket_ref`); batching, GSO and GRO are forced off, and connection migration is rejected on this path. (#121)

## [1.3.0] - 2026-04-25

QUIC and HTTP/3 protocol-conformance hardening: closes the silent-drop
of CONNECTION_CLOSE at handshake-time violations, replaces the
unmaintained h3spec runner with an in-tree RFC 9114 / 9204 compliance
suite, and fixes two externally-reported stream-API bugs.

### Added
- `close_with_error/6` emits CONNECTION_CLOSE at the right encryption level (initial / handshake / app), with fallback to the lower available level. (#111)
- Server-side validation of peer transport parameters per RFC 9000 §18.2: server-only ids (`original_dcid`, `preferred_address`, `retry_scid`, `stateless_reset_token`) and numeric ranges (`max_udp_payload_size` ≥ 1200, `ack_delay_exponent` ≤ 20, `max_ack_delay` < 2^14). (#111)
- Frame-pipeline guards: zero-frame packet → `PROTOCOL_VIOLATION`; unknown frame type → `FRAME_ENCODING_ERROR`. (#111)
- HTTP/3 RFC 9114 + 9204 conformance: 30 in-tree unit tests covering control-stream rules, pseudo-headers, stream-type uniqueness, push-id bounds, CONNECT validation, QPACK static-index and capacity limits, RFC 9218 priority signal, RFC 9297 SETTINGS_H3_DATAGRAM. (#112)
- `docs/h3_compliance.md`: RFC 9114 / 9204 / 9218 / 9297 matrix mapping every MUST and SHOULD to its test. (#112)

### Fixed
- Reject request streams carrying `:status` pseudo-header (RFC 9114 §4.3.1). (#112)
- `quic_qpack:set_dynamic_capacity/2` clamps to `max_allowed_capacity` per RFC 9204 §4.3. (#112)
- `quic:reset_stream/3` keeps the stream entry alive so subsequent `quic:stop_sending/3` emits STOP_SENDING instead of returning `{error, unknown_stream}`. (#113, #115)
- `quic:close/2` with an integer reason propagates that integer as the application error code; previously every input fell through to `?QUIC_APPLICATION_ERROR` (0x0c). (#114, #116)
- NEW_TOKEN received by a server and HANDSHAKE_DONE at the wrong level now route through `close_with_error/6` so the CLOSE frame reaches the peer when app keys are absent. (#111)

### Removed
- `quic_h3_h3spec_SUITE` and `docker/h3spec/`. The corpus is ported into `quic_h3_compliance_tests` as deterministic state-machine tests. (#112)

## [1.2.0] - 2026-04-21

Post-1.1.0 work split across three tracks: a client-side socket-backend
opt-in, a round of hot-path micro-optimisations on the send and
receive paths, and a migration fix for the default gen_udp client.

### Added
- Opt-in `socket_backend => socket` for client connections. Routes
  the client through `quic_socket:open_for_send/2` so it picks up the
  OTP socket NIF on Linux with GSO available per-message via cmsg,
  instead of the `gen_udp` port driver. +18% download throughput on
  arm64 Linux docker (10 MB bench); upload is neutral. (#88, #91)
- Client migration (`quic:migrate/1`) now works on the opt-in socket
  backend. Rebind closes the old OTP socket, stops its dedicated
  receiver process, opens a fresh one, and threads the new handle
  through the connection state. (#90)
- `quic_socket:start_client_receiver/2` / `stop_client_receiver/1`:
  dedicated receiver process for the socket-backend client path
  (the OTP socket NIF has no `{active, N}` mode). (#88)
- `quic_socket:set_socket/2` swaps the underlying socket handle
  inside a `#socket_state{}` while preserving batching configuration.
  Used by the migration rebind path. (#93)
- Instrumentation counters `ack_sent` and `retransmits` on
  `quic_connection:get_stats/1` and the throughput bench output
  (Phase 0a). (#77, #78)

### Fixed
- `quic:migrate/1` on the default gen_udp client no longer drops
  post-migrate traffic. Rebinding previously left
  `#state.socket_state` pointing at the just-closed old socket; every
  send went through the dead handle and was silently dropped. Also
  flushes any pending batch to the old socket before rebind so
  pre-migrate packets reach the server under their original CID.
  (#93)
- `quic_dist`: simultaneous-connect deadlock in the accept path.
  Two nodes dialling each other within a tight window wedged both
  `net_kernel:connect_node/1` calls indefinitely. The old accept
  path ran the dist worker through a nine-hop handoff
  (register_pending / controller rendezvous in acceptor_loop) before
  reaching `dist_util:mark_pending`, so net_kernel's tie-breaker
  arbitration never ran in time. Collapsed to the TCP-dist shape:
  `accept_connection/5` runs `set_supervisor` + `start_timer` +
  `handshake_other_started` inline. Docker 5-node regression now
  passes 5/5. (#106)
- `quic_dist`: batch-yield path in `input_handler_loop` could lose
  or reorder buffered dist bytes when the mailbox had backlog.
  Yield now threads the buffer remnant through the normal return
  channel instead of piggybacking on the self-message. (#104)
- `quic_dist_user_stream_SUITE` / `accept_user_streams/2` doc:
  refreshed to match the auto-assign / direct
  `{quic_dist_stream, _, {data, _, _}}` delivery shape. (#105)
- `docker/dist`: 3+ node cluster mesh formation. Each node now dials
  only higher-named peers and boots with `-connect_all false`, so
  `global` does not re-introduce cross-dials behind the explicit
  test topology. (#95, #106)
- h3: preserve WebTransport and unknown SETTINGS identifiers in the
  peer settings map so extension-stream hooks can read them. (#96)
- `quic_socket`: client migrate path opens the new socket before
  closing the old one, avoiding a window where the client has no
  valid send handle. (#97)
- `quic_socket`: `client_recv_loop` exits cleanly on unexpected
  socket errors instead of spinning. (#98)
- `quic_socket`: clear the pending batch buffer on flush error so
  stale frames do not get retried on the next flush. (#99)
- `quic:connect/4`: reject the `socket` + `{socket_backend, socket}`
  option combination with a clear error instead of silently
  overriding one. (#100)
- Client connection: treat receiver-process exit as a fatal error
  and close the connection, matching server behaviour. (#101)
- Server: build a per-connection sender even when
  `server_send_batching` is `false` so the direct-send path uses the
  same `quic_socket` shape as the batched path. (#102, #103)

### Performance
- Fuse per-packet cwnd + pacing check into `quic_cc:send_check/3`
  (one BIF call and one record match instead of the previous four).
  (#79)
- Hoist per-chunk lookups (`stream_urgency`, `max_stream_data_per_packet`,
  pre-computed stream-frame header prefix) out of the chunked send
  loop. (#80, #85)
- ACK 1-RTT packets immediately on reorder (RFC 9002 §6.2) while
  keeping the decimation window for in-order traffic. (#81)
- Fast-path single-stream-frame in `contains_ack_eliciting_frames/1`
  on the bulk-upload hot path. (#82)
- Thread the updated `socket_state` back from `do_socket_send` via
  the return value, dropping the process-dictionary roundtrip. (#83)
- Replace the `crypto:exor/2` NIF call with inline Erlang XOR for
  the 1-4 byte header-protection mask. (#84)
- Inline the `?QLOG_ENABLED` check at packet/frame event call
  sites so the event-map is never built when qlog is off. (#86)
- Coalesce the `monotonic_time` samples on the receive hot path
  (one BIF call per received datagram instead of three). (#87)
- Flush the pending stream-data batch before emitting an ACK-only
  packet so it does not break GSO uniformity on the opt-in socket
  backend. +6.4% upload throughput on arm64 Linux docker. (#92)
- Re-enable GSO on the opt-in socket-backend client: drop the
  socket-level `UDP_SEGMENT` setsockopt and rely on per-message cmsg
  via `flush_gso/1`. (#91)

## [1.1.0] - 2026-04-18

Server-side throughput work. Per-connection send batching over the
shared listener socket on Linux + socket backend coalesces outgoing
packets into sendmsg super-datagrams via UDP_SEGMENT (GSO); on macOS /
gen_udp it is functionally neutral. Several GSO correctness fixes
after CI surfaced a handshake stall. Extra observability so tests and
operators can see the batching win directly.

### Added
- Per-connection send batching on the server. Each server connection
  owns a `quic_socket` batch buffer that reuses the listener's UDP
  socket. Gated by the new `server_send_batching` option on
  `start_server/3` (default `true`); set to `false` to fall back to
  the previous direct `gen_udp:send/4` path. (#66)
- `quic_socket:info/1` — map with `backend`, `gso_supported`,
  `gso_size`, `gro_enabled`, `batching_enabled`, `max_batch_packets`,
  and the new `batch_flushes` / `packets_coalesced` counters.
- `quic_socket:send_immediate/4` — public wrapper that bypasses the
  per-connection batch for one-shot control-plane sends.
- `quic_socket:new_sender/2` — build a per-connection sender that
  inherits backend + GSO capability from the listener without owning
  the socket.
- `quic_connection:get_stats/1` now returns `batch_flushes` and
  `packets_coalesced` so tests and benchmarks can assert batching
  behaviour rather than just wiring.
- `quic_server_batching_SUITE` — behaviour-level regression: real
  256 KB server-to-client downloads assert `packets_coalesced > 1`
  when batching is on, and both counters stay at 0 when disabled.
- `docker/gso-debug/` — Erlang 28 + tcpdump + strace container that
  reproduces the GSO handshake stall against a bind-mounted tree.
  (#74)
- `bench/run_download_bench.erl` and
  `quic_throughput_bench:run_download_sink/0,1` drive server-to-client
  bulk transfers and report MB/s alongside `batch_flushes` /
  `packets_coalesced` so the batching effect is visible next to
  throughput.

### Changed
- Stream send path is iovec-native. `quic_frame:encode_iodata/1`
  returns `[Header, Data]` and threads iodata through header
  protection and `quic_aead` without copying `Data` into a fresh
  binary. AEAD specs relaxed to accept iodata.
- 1-RTT ACKs delayed to every 2nd packet or `max_ack_delay` per
  RFC 9002 §6.2. Halves receiver ACK traffic on the server and
  sender event-processing on the client. Measured on macOS gen_udp:
  10 MB upload 45 → 56 MB/s. (#69)
- `quic_loss` switched to a single `queue:queue(#sent_packet{})` for
  outstanding packets. Per-ACK work scales with the ACK window, not
  the full outstanding queue. Measured on macOS gen_udp: 10 MB
  upload 55 → 59 MB/s, 5 MB download 34 → 50 MB/s. (#72)
- `flush_gso/1` passes the batch as an iov list directly to
  `socket:sendmsg/2` with the UDP_SEGMENT cmsg, saving up to
  ~76 KB of user-space copy per flush on a 64-packet batch. (#70)
- `send_app_packet_internal/3` samples `monotonic_time` once per
  packet and reuses it for loss tracking and `last_activity`. (#71)
- Per-packet overhead on the bulk-send path reduced: single
  `#state{}` update, PTO timer reschedule skipped when within
  tolerance, `process_send_queue` and pacing timeout short-circuit
  on empty queue, stream data normalised to binary once at the
  fragmentation boundary.
- `state_to_map/1` replaces the coarse `send_batching` boolean with
  three explicit fields: `send_backend` (`direct` | `gen_udp` |
  `socket`), `send_batching_enabled`, `send_gso_supported`.

### Fixed
- Server connection crashed with `function_clause` when the listener
  was on `socket_backend => socket` because `inet:sockname/1` rejects
  `{'$socket', Ref}` handles. Branch on socket shape:
  `socket:sockname/1` for OTP socket handles, `inet:sockname/1` for
  `gen_udp` ports.
- UDP_SEGMENT `setsockopt` now uses `sizeof(int)` (32-bit native)
  instead of u16, which Linux rejected with `EINVAL`; GSO capability
  detection silently returned false and the GSO CT job was skipping.
  The cmsg path already used u16 correctly. (#67)
- GSO skipped for single-packet batches: UDP_SEGMENT with a
  sub-`gso_size` single-packet payload drops silently on
  ubuntu-24.04. `batch_count == 1` has no segmentation work; fall
  through to `flush_individual`. (#73)
- Listener no longer sets UDP_SEGMENT at socket level. A socket-wide
  UDP_SEGMENT forces segmentation on every outbound datagram,
  including short handshake packets that can't be segmented. GSO is
  now applied only via the per-message cmsg in `flush_gso`. (#73)
- GSO bypassed when a batch mixes packet sizes (padded 1200-byte
  Initial + ~400-byte Handshake). UDP_SEGMENT requires every segment
  except the last to be exactly `gso_size`, otherwise the client
  sees undecodable datagrams and stalls at
  `awaiting_encrypted_extensions`. `flush/1` checks uniformity and
  falls through to `flush_individual` when it fails. (#75)
- Listener self-send: `send_packet/6` was calling `quic_socket:send/4`
  and dropping the returned state, so version-negotiation / retry /
  stateless-reset packets were buffered then lost on the socket
  backend with `batching_enabled=true`. Switched to
  `send_immediate/4`.
- `send_queue_bytes` accounting leaked on ACK-coalesce dequeues and
  could eventually trip `?MAX_SEND_QUEUE_BYTES` on long-lived
  connections. Added `send_queue_count` as an explicit O(1)
  emptiness predicate so zero-byte FIN-only sends enqueued under
  pacing are no longer stranded.
- `examples/echo_server.erl`: `handle_connection/2` expects a DCID
  binary, not an info map; returns `{ok, HandlerPid}` so the listener
  transfers ownership; peer address fetched via `quic:peername/1`.
  (#65)
- `examples/qlog_example.erl`: added a `connection_handler` so the
  server echoes client data; waits for the client connection to
  terminate before returning so the qlog writer flushes. (#68)

## [1.0.2] - 2026-04-16

### Fixed
- h3: thread FIN through the peer uni stream-type dispatch so a
  STREAM frame carrying type-varint + payload + FIN surfaces as one
  `{stream_type_data, uni, _, _, true}` event to claimed-stream
  owners (#64)

## [1.0.1] - 2026-04-15

### Fixed
- h3: consult `stream_type_handler` on fresh peer-initiated bidi
  streams so extensions can claim them before default request
  handling (#62)
- docs: `rebar3 ex_doc` now runs clean (#63)

## [1.0.0] - 2026-04-15

First release with HTTP/3. Brings full client + server HTTP/3
(RFC 9114) with QPACK (RFC 9204), HTTP Datagrams (RFC 9297),
Server Push, Extensible Priorities, Extended CONNECT, and the
extension-stream hooks WebTransport needs. Also a critical
flow-control deadlock fix in the QUIC core, a BBR loopback
throughput fix, and the H3 server owner default change.

### HTTP/3 (`quic_h3`, new module)

#### Added
- HTTP/3 client and server (RFC 9114) with QPACK header compression
  (RFC 9204): request/response, body data, trailers, GOAWAY,
  cancellation, CLI tools (`bin/quic_h3c`, `bin/quic_h3d`)
- Server Push (RFC 9114 §4.6): `push/3`, `send_push_response/4`,
  `send_push_data/4`, `set_max_push_id/2`, `cancel_push/2`
- Extensible Priorities (RFC 9218): `priority` request option,
  PRIORITY_UPDATE frames, urgency / incremental hints
- Extended CONNECT (RFC 9220) for WebTransport-style upgrades
- HTTP Datagrams (RFC 9297): `send_datagram/3`,
  `h3_datagrams_enabled/1`, `max_datagram_size/2`, capsule framing
- Extension-stream hook: `stream_type_handler` option on
  `start_server/3` claims peer-initiated uni and bidi streams whose
  first varint matches a caller-supplied filter; claimed bytes are
  delivered as `{stream_type_data, ...}` owner messages instead of
  being parsed as HTTP/3 requests. Owner also receives
  `stream_type_open`, `stream_type_closed`, `stream_type_reset`,
  `stream_type_stop_sending` events
- Client-initiated extension streams: `quic_h3:open_bidi_stream/1,2`
  pre-claims a bidi stream with a signal-type varint (e.g.
  WebTransport's `0x41`) so inbound bytes route through the
  claimed-bidi path
- Per-connection owner override via `connection_handler` callback on
  `start_server/3` for hosting many sessions per listener
- Per-stream handler registration: `set_stream_handler/3,4`,
  `unset_stream_handler/2` to redirect body data to a worker pid
- Query API: `get_settings/1`, `get_peer_settings/1`,
  `get_quic_conn/1`
- Documentation: `docs/HTTP3.md` reference + benchmarks section
- E2E test infrastructure: `quic_h3_e2e_SUITE`, `quic_h3_h3spec_SUITE`,
  `quic_h3_owner_SUITE`; dedicated CI job
- Performance benchmark: `quic_h3_bench`

#### Changed
- Server connection owner now defaults to the listener gen_server
  (long-lived, trap_exit'ed) instead of the `start_server` caller
  pid; durable owners for datagram / stream-type events should be
  supplied via the per-connection `connection_handler` callback
- SETTINGS directionality validation tightened to RFC 9114

#### Fixed
- Server connections wedged with `connect_timeout` when the process
  that called `start_server/3` exited before a client arrived and
  either `h3_datagram_enabled` or `stream_type_handler` was set
- Discard unknown unidirectional stream payload (RFC 9114 §6.2
  unknown-stream-type rule) instead of erroring the connection
- Emit trailing empty DATA event when response carries FIN so owners
  always see `Fin = true` exactly once
- Strict PRIORITY_UPDATE frame parsing per RFC 9218
- DoS hardening on header / capsule / frame parsing
- Header / trailer / `:path` / `:status` symmetry between client and
  server validation
- GOAWAY drain enforcement: reject new requests after a GOAWAY is
  sent or received
- Server push lifecycle correctness (PUSH_PROMISE pairing, duplicate
  detection, MAX_PUSH_ID enforcement)
- Tighten RFC 9114 / 9204 compliance across multiple parsers
- `sync` option on `connect/3` resolves an E2E race where the client
  tried to send before SETTINGS exchange completed
- Improved frame error handling and header validation
- aioquic SETTINGS compatibility
- QPACK: encoder eviction guard prevents references to
  unacknowledged dynamic-table entries; rejects `Increment = 0`

### QUIC transport

#### Added
- Spin bit (RFC 9000 §17.4)
- Stateless reset support (RFC 9000 §10.3)
- Full NEW_TOKEN issuance and validation loop
- `RESET_STREAM_AT` transport parameter and frame plumbing
- `quic:set_congestion_control/2` runtime CC switch API
- `quic:get_peer_transport_params/1` introspection API

#### Changed
- BBR internal clock switched to microseconds; loopback transfers no
  longer pin to the InitialRtt fallback

#### Fixed
- Stream-level `MAX_STREAM_DATA` window stopped sliding once
  `recv_max_data` reached `fc_max_receive_window` (8 MB default).
  Past the cap, the auto-tune re-sent the same value forever and the
  sender stalled at 8 MB lifetime per stream. The window now slides
  past `recv_offset` like the connection-level window already does
- BBR loopback throughput regression: ms-precision clock collapsed
  delivery-rate intervals to 0/1 ms and clamped BDP to the 4-packet
  minimum, holding throughput at ~0.03 Mbps. Microsecond-precision
  internal clock restores expected behavior
- Send `MAX_STREAMS` as peer-initiated streams complete
  (RFC 9000 §4.6); previously peers could exhaust the stream-id space

### Distribution (`quic_dist`)

#### Added
- User-accessible streams API: `quic_dist:open_stream/1,2`, `send/3`,
  `close_stream/1`, `reset_stream/1,2`, `controlling_process/2`,
  `list_streams/0,1`, with acceptor pool and stream priorities
- Connection migration logging
- Distributed Erlang benchmarks + multi-node test scripts
- Per-iteration latency stats in throughput benchmark (min/p50/p99/max
  + timeout counts)

#### Changed
- Test runner logs each test's results as it returns rather than at
  the end, so a stalled middle test no longer hides the others

### Tests and infrastructure
- `quic_e2e_*_SUITE` and `quic_h3_e2e_SUITE` run against in-process
  servers; Docker no longer required for these jobs

## [0.11.0] - 2026-04-09

### Added
- Full QUIC connection migration support (RFC 9000 Section 9)
  - Server-side address change detection (NAT rebinding vs active migration)
  - Path validation with PATH_CHALLENGE/PATH_RESPONSE
  - CID rotation for path unlinkability
  - `disable_active_migration` transport parameter
- Application error code support for CONNECTION_CLOSE frames
- Client certificate support (`verify` server option)
- CUBIC congestion control (RFC 9438)
- BBR congestion control
- HyStart++ slow start (RFC 9406) for all CC algorithms
- UDP packet batching with GSO/GRO support
- Configurable UDP buffer sizing (recbuf/sndbuf options)
- QLOG tracing for debug visibility
- Pluggable congestion control behavior
- Stream deadlines for per-stream timeout control
- STOP_SENDING API (`quic:stop_sending/3`)
- `max_udp_payload_size` transport parameter
- Async send API and socket receive optimizations
- Throughput benchmarks (`quic_throughput_bench`, `quic_batch_bench`)
- QUIC-based Erlang distribution (`quic_dist`) for node communication over QUIC
- Distribution modules: `quic_dist`, `quic_dist_controller`, `quic_dist_sup`
- EPMD replacement module (`quic_epmd`) for QUIC-based node discovery
- Discovery backends: `quic_discovery_static` (static config), `quic_discovery_dns` (DNS SRV)
- Session ticket storage (`quic_dist_tickets`) for 0-RTT reconnection
- Stream prioritization for distribution: control stream (urgency 0), data streams (urgency 4-6)
- Backpressure mechanism for distribution congestion control
- Keep-alive PING frames for transport-level liveness (configurable via `keep_alive_interval`)
- `quic:get_stats/1` API for connection packet counts (used for liveness detection)
- `quic:send_ping/1` API for transport-level PING frames
- RTT-based flow control auto-tuning for improved throughput
- Packet pacing (RFC 9002 Section 7.7) to prevent bursts

### Changed
- ConnRef is now connection PID (simpler API)
- Improved ACK processing performance (O(n^2) to O(n) with gb_sets)
- Timer batching for reduced overhead
- Zero-copy packet processing optimizations
- Distribution liveness detection now uses QUIC packet counts instead of application ticks
- Improved congestion control with quic-go-inspired settings (larger initial cwnd)
- Flow control windows auto-tune based on RTT measurements

### Fixed
- Throughput regression in connection migration (wasteful binary allocation)
- CUBIC cwnd collapse issue
- BBR delivery rate interval causing cwnd collapse
- BBR initial pacing rate causing transfer hangs
- Pacing precision loss causing transfer stalls
- Various RFC compliance fixes for QUIC connection migration
- `net_tick_timeout` errors under heavy load by using QUIC-level activity as liveness proof
- Stream flow control `recv_max_data` using wrong limits
- Distribution controller backpressure data loss
- Congestion control protocol compliance issues
- Recovery exit when only non-ack-eliciting packets are ACKed
- Tick timeout issues in distribution controller
- Flow control blocking that caused deadlocks
- Message framing for large message transfers

### Removed
- NAT traversal support from `quic_dist` (use standard QUIC connection migration instead)

## [0.10.2] - 2026-02-21

### Fixed
- Deprecated `catch` expressions replaced with `try...catch...end`
- Undefined `dynamic()` type replaced with `term()` in type specs
- CI workflow consolidated with separate unit-tests, e2e, and interop jobs

## [0.10.1] - 2026-02-21

### Fixed
- ACK range encoding crash for out-of-order packets: when packets arrived out
  of order (e.g., 10, 5, 6), ACK ranges were not properly maintained in
  descending order or merged, causing negative Gap values that crashed
  `quic_varint:encode/1` with `badarg`

## [0.10.0] - 2026-02-21

### Added
- RFC 9312 QUIC-LB Connection ID encoding support for load balancer routing
- New `quic_lb` module with three encoding algorithms:
  - Plaintext: server_id visible in CID (no encryption)
  - Stream Cipher: AES-128-CTR encryption of server_id
  - Block Cipher: 4-round Feistel network for <16 bytes, AES-CTR for 16 bytes,
    truncated cipher for >16 bytes
- `#lb_config{}` record for LB configuration (algorithm, server_id, key, nonce_len)
- `#cid_config{}` record for CID generation configuration
- `lb_config` option in `quic_listener` to enable LB-aware CID generation
- Variable DCID length support in short header packet parsing
- LB-aware CID generation in `quic_connection` for NEW_CONNECTION_ID frames
- E2E test suite `quic_lb_e2e_SUITE` with 21 integration tests
- `quic:server_spec/3` to get a child spec for embedding QUIC servers in custom
  supervision trees
- Stream reassembly test suite `quic_stream_reassembly_SUITE` for ordered delivery
  verification

### Changed
- `quic:set_owner/2` is now asynchronous (cast instead of call)

### Fixed
- `quic:get_server_port/1` now returns the actual OS-assigned port when server
  was started with port 0 (ephemeral port), instead of returning 0
- `quic:get_server_connections/1` now correctly returns connection PIDs; was
  returning empty list due to `get_listeners/1` returning supervisor pids
  instead of actual listener processes
- Removed redundant `link/1` call in listener (connection already linked via
  `gen_statem:start_link`)
- Unhandled calls in connection state machine now return `{error, {invalid_state, State}}`
  instead of silently timing out
- Server-side connection termination no longer closes shared listener socket:
  previously when a server connection terminated, it would close the UDP socket
  shared with the listener, breaking all subsequent connections
- Cancel delayed ACK timer in connection terminate to prevent timer messages
  to dead processes
- Session ticket table now has TTL (7 days) and size limit (10,000 entries) to
  prevent unbounded memory growth
- Listener now properly cleans up ETS tables on terminate (standalone mode only,
  pool mode tables are managed by the pool manager)
- Draining state now uses calculated `3 * PTO` timeout per RFC 9000 Section 10.2
  instead of hardcoded 3 seconds
- Pre-connection pending data queue now has size limit (1000 entries) to prevent
  memory exhaustion from slow handshakes
- Buffer contiguity calculation now has iteration limit to prevent stack overflow
  with highly fragmented receive buffers
- Stream data is now properly reassembled before delivery: previously data was
  delivered immediately as received, causing corruption when packets arrived out
  of order during large file transfers. Data is still streamed incrementally as
  contiguous chunks become available
- Server connections no longer modify listener's socket active state: server-side
  connections were calling `inet:setopts(Socket, [{active, once}])` on the shared
  listener socket, overriding the listener's `{active, N}` configuration and
  causing the socket to go passive after receiving packets

## [0.9.0] - 2026-02-20

### Added
- Multi-pool server support with ranch-style named server pools
- `quic:start_server/3` to start named server with connection pooling
- `quic:stop_server/1` to stop named server
- `quic:get_server_info/1` to get server information (pid, port, opts, started_at)
- `quic:get_server_port/1` to get server listening port
- `quic:get_server_connections/1` to get server connection PIDs
- `quic:which_servers/0` to list all running servers
- Application supervision structure (`quic_app`, `quic_sup`, `quic_server_sup`)
- ETS-based server registry (`quic_server_registry`) with process monitoring
- `pool_size` option for listener process pooling with SO_REUSEPORT
- FreeBSD CI testing workflow
- Expanded Linux CI matrix (Ubuntu 22.04/24.04, OTP 26-28)

### Changed
- `quic.app.src` now includes `{mod, {quic_app, []}}` for OTP application behaviour
- Listener supervisor registers with server registry on init for restart recovery

## [0.8.0] - 2026-02-20

### Added
- Stream prioritization (RFC 9218): urgency-based scheduling with 8 priority
  levels (0-7) and incremental delivery flag
- `quic:set_stream_priority/4` and `quic:get_stream_priority/2` API
- Bucket-based priority queue for O(1) stream scheduling
- Preferred address handling (RFC 9000 Section 9.6): server can advertise a
  preferred address during handshake, client validates via PATH_CHALLENGE and
  automatically migrates to validated preferred address
- `preferred_ipv4` and `preferred_ipv6` listener options for server configuration
- `#preferred_address{}` record for IPv4/IPv6 addresses, CID, and reset token
- `quic_tls:encode_preferred_address/1` and `quic_tls:decode_preferred_address/1`
- Idle timeout enforcement (RFC 9000 Section 10.1): when `idle_timeout` option
  is set, internal timer automatically closes connection after timeout with no
  activity (set to 0 to disable)
- Persistent congestion detection (RFC 9002 Section 7.6): detects prolonged packet
  loss spanning > PTO * 3 and resets cwnd to minimum window
- Frame coalescing: ACK frames are coalesced with small pending stream data
  (< 500 bytes) for more efficient packet utilization

## [0.7.1] - 2026-02-20

### Fixed
- Packet number reconstruction per RFC 9000 Appendix A: truncated packet numbers
  are now properly reconstructed using the largest received PN, fixing decryption
  failures for large responses (>255 packets with 1-byte PN encoding)

## [0.7.0] - 2026-02-20

### Added
- Docker interop runner integration (client and server images)
- Session resumption interop test (`resumption`)
- 0-RTT early data interop test (`zerortt`)
- Connection migration interop test (`connectionmigration`)
- `quic:migrate/1` API for triggering active path migration
- All 10 QUIC Interop Runner test cases now pass:
  - handshake, transfer, retry, keyupdate, chacha20, multiconnect, v2,
    resumption, zerortt, connectionmigration

### Fixed
- Connection-level flow control: now properly tracks `data_received` and sends
  MAX_DATA frames when 50% of connection window is consumed (RFC 9000 Section 4.1)
- Large downloads: interop client now writes to disk incrementally (streaming)
  instead of accumulating in memory
- Server DCID initialization: server now correctly sets DCID from client's
  Initial packet SCID field, fixing short header packet alignment
- Key update HP key preservation: header protection keys are no longer rotated
  during key updates per RFC 9001 Section 6.6
- Fixed bit validation: skip padding bytes (0x00) and invalid short headers
  (fixed bit not set) in coalesced packets
- Role-based key selection in 1-RTT packet decryption

## [0.6.5] - 2026-02-19

### Added
- `quic_listener:start/2` for unlinked listener processes
- `set_owner` call handling in idle and handshaking states

### Fixed
- IPv4/IPv6 address family matching when opening client sockets
- Race condition: transfer socket ownership before sending packet
- Handle header unprotection errors gracefully in packet decryption
- Removed verbose debug logging from listener

## [0.6.4] - 2026-02-17

### Fixed
- Server now selects correct signature algorithm based on key type (EC vs RSA)

## [0.6.3] - 2026-02-17

### Fixed
- Fixed transport params parsing in ClientHello - properly unwrap {ok, Map} result

## [0.6.2] - 2026-02-17

### Fixed
- Fixed key selection for all packet types based on role (server vs client)
- Server now uses correct keys for both sending and receiving packets
- Fixed Initial, Handshake, and 1-RTT packet encryption/decryption

## [0.6.1] - 2026-02-17

### Fixed
- Server-side packet decryption now uses correct keys (client keys for Initial/Handshake packets received from clients)

## [0.6.0] - 2026-02-17

### Added
- DATAGRAM frame support (RFC 9221) for unreliable data transmission
- `quic:set_owner/2` to transfer connection ownership (like gen_tcp:controlling_process/2)
- `quic:peercert/1` to retrieve peer certificate (DER-encoded)
- `quic:send_datagram/2` to send QUIC datagrams
- Connection handler callback in `quic_listener` for custom connection handling
- ACK delay for datagram-only packets per RFC 9221 Section 5.2
- Proper ACK generation at packet level for all ack-eliciting frames

### Fixed
- Datagrams are not retransmitted on loss (RFC 9221 compliance)
- ACKs now sent for all ack-eliciting frames, not just stream data

## [0.5.1] - 2026-02-17

### Fixed
- Pad payload for header protection sampling to prevent crashes during PTO timeout

## [0.5.0] - 2026-02-17

### Added
- Retry packet handling (RFC 9000 Section 8.1)
- Stateless reset support (RFC 9000 Section 10.3)
- Connection ID limit enforcement (RFC 9000 Section 5.1.1)
- ECN support for congestion control (RFC 9002 Section 7.1)
- RFC 9000/9001 test vectors
- Interoperability test suite with quic-go server
- E2E tests in CI pipeline

### Fixed
- CI compatibility with OTP 28 (use rebar3 nightly)
- quic-go Docker build (pin to v0.48.2)

## [0.4.0] - 2025-02-17

### Changed
- Moved `doc/` to `docs/` to prevent ex_doc from overwriting documentation
- Consolidated `hash_len/1` and `cipher_to_hash/1` functions in `quic_crypto` module
- Refactored key derivation in `quic_keys` using `cipher_params/1` helper
- Improved socket cleanup on initialization failure in `quic_connection`

### Removed
- Removed `send_headers/4` API (HTTP/3 functionality, not core QUIC transport)

### Fixed
- Added bounds checking for header protection sample extraction in `quic_aead`
- Added CID length validation (max 20 bytes per RFC 9000) in `quic_packet`
- Added token length validation in `quic_packet`
- Added frame data length limits in `quic_frame` to prevent memory exhaustion
- Added ACK range limits in `quic_ack` to prevent DoS attacks
- Fixed weak random: use `crypto:strong_rand_bytes/1` for ticket age_add
- Fixed dialyzer warning in `quic_tls` by adding error handling to `decode_transport_params/1`

## [0.3.0] - 2025-02-16

### Added
- Server mode with `quic_listener` module
- 0-RTT early data support (RFC 9001 Section 4.6)
- Connection migration support (RFC 9000 Section 9)
- Key update support (RFC 9001 Section 6)

## [0.2.0] - 2025-02-15

### Added
- Stream multiplexing (bidirectional and unidirectional)
- Flow control (connection and stream level)
- Congestion control (NewReno)
- Loss detection and packet retransmission (RFC 9002)

## [0.1.0] - 2025-02-14

### Added
- Initial release
- TLS 1.3 handshake (RFC 8446)
- Basic QUIC transport (RFC 9000)
- AEAD packet protection (RFC 9001)