hyperion-rb 1.0.1 → 1.2.0

data/lib/hyperion/connection.rb

@@ -17,6 +17,7 @@ module Hyperion
     MAX_BODY_BYTES                  = 16 * 1024 * 1024 # 16 MB cap. Phase 5 introduces streaming bodies.
     HEADER_TERM                     = "\r\n\r\n"
     TIMEOUT_SENTINEL                = :__hyperion_read_timeout__
+    DEADLINE_SENTINEL               = :__hyperion_request_deadline__
     IDLE_KEEPALIVE_TIMEOUT_SECONDS  = 5
 
     # Default parser is the C-extension `CParser` when the extension built;
@@ -44,14 +45,20 @@ module Hyperion
       @log_requests = log_requests.nil? ? Hyperion.log_requests? : log_requests
     end
 
-    def serve(socket, app)
+    def serve(socket, app, max_request_read_seconds: 60)
       request_count = 0
       carry = +'' # bytes already pulled off the socket but past the prev request boundary
       peer_addr = peer_address(socket)
       @metrics.increment(:connections_accepted)
       @metrics.increment(:connections_active)
       loop do
-        buffer = read_request(socket, carry)
+        # Per-request wallclock deadline. Captured fresh for every request so
+        # long-lived keep-alive sessions with many small requests don't
+        # falsely trip after the cumulative budget elapses.
+        request_started_clock = Process.clock_gettime(Process::CLOCK_MONOTONIC) if max_request_read_seconds
+        buffer = read_request(socket, carry, deadline_started_at: request_started_clock,
+                                             max_request_read_seconds: max_request_read_seconds,
+                                             peer_addr: peer_addr)
         return unless buffer
 
         if buffer == TIMEOUT_SENTINEL
@@ -65,10 +72,15 @@ module Hyperion
           return
         end
 
+        # Slowloris-style abort: deadline tripped during read. We've already
+        # written the 408 (best-effort) inside read_request; close out here.
+        return if buffer == DEADLINE_SENTINEL
+
         request, body_end = @parser.parse(buffer)
         carry = +(buffer.byteslice(body_end, buffer.bytesize - body_end) || '')
         request = enrich_with_peer(request, peer_addr) if peer_addr && request.peer_address.nil?
 
+        @metrics.increment(:bytes_read, body_end)
         @metrics.increment(:requests_total)
         @metrics.increment(:requests_in_flight)
         request_started_at = Process.clock_gettime(Process::CLOCK_MONOTONIC) if @log_requests
@@ -192,10 +204,16 @@ module Hyperion
     # pipelining). Returns the full buffer (with any trailing pipelined
     # bytes intact); the parser's returned end_offset tells the caller
     # where this request ends. On EOF returns nil; on read timeout returns
-    # TIMEOUT_SENTINEL.
-    def read_request(socket, carry = +'')
+    # TIMEOUT_SENTINEL; on per-request wallclock deadline trip returns
+    # DEADLINE_SENTINEL (and emits a best-effort 408 + close).
+    def read_request(socket, carry = +'', deadline_started_at: nil, max_request_read_seconds: nil,
+                     peer_addr: nil)
       buffer = carry
       until buffer.include?(HEADER_TERM)
+        if deadline_exceeded?(deadline_started_at, max_request_read_seconds)
+          return abort_for_deadline(socket, deadline_started_at, peer_addr)
+        end
+
         chunk = read_chunk(socket)
         return chunk if chunk.nil? || chunk == TIMEOUT_SENTINEL
         return nil if chunk.empty?
@@ -210,6 +228,9 @@ module Hyperion
       if chunked?(headers_part)
         until chunked_body_complete?(buffer, header_end)
           raise ParseError, 'chunked body exceeds limit' if buffer.bytesize - header_end > MAX_BODY_BYTES
+          if deadline_exceeded?(deadline_started_at, max_request_read_seconds)
+            return abort_for_deadline(socket, deadline_started_at, peer_addr)
+          end
 
           chunk = read_chunk(socket)
           break if chunk.nil? || chunk.empty? || chunk == TIMEOUT_SENTINEL
@@ -219,6 +240,10 @@ module Hyperion
       else
         content_length = headers_part[/^content-length:\s*(\d+)/i, 1].to_i
         while buffer.bytesize < header_end + content_length
+          if deadline_exceeded?(deadline_started_at, max_request_read_seconds)
+            return abort_for_deadline(socket, deadline_started_at, peer_addr)
+          end
+
           chunk = read_chunk(socket)
           break if chunk.nil? || chunk.empty? || chunk == TIMEOUT_SENTINEL
 
@@ -229,6 +254,33 @@ module Hyperion
       buffer
     end
 
+    # nil-disabled or budget-untripped → false. Otherwise the wallclock cap
+    # has been exceeded and the caller should abort.
+    def deadline_exceeded?(started_at, max_seconds)
+      return false unless started_at && max_seconds
+
+      (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started_at) > max_seconds
+    end
+
+    # Slowloris fallback: log a structured warn, bump :slow_request_aborts,
+    # write a best-effort 408, and let the caller close the socket. We don't
+    # wait on the 408 write — a dribbling client may never read it, and
+    # that's the failure mode we're protecting against anyway.
+    def abort_for_deadline(socket, started_at, peer_addr)
+      elapsed = started_at ? (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started_at).round(3) : nil
+      @metrics.increment(:slow_request_aborts)
+      @logger.warn do
+        { message: 'request read deadline exceeded', remote_addr: peer_addr, elapsed_seconds: elapsed }
+      end
+      begin
+        socket.write("HTTP/1.1 408 Request Timeout\r\nconnection: close\r\ncontent-length: 0\r\n\r\n")
+      rescue StandardError
+        # Peer may have already gone — nothing to do.
+      end
+      @metrics.increment_status(408)
+      DEADLINE_SENTINEL
+    end
+
     def chunked?(headers_part)
       headers_part.match?(/^transfer-encoding:[ \t]*[^\r\n]*chunked\b/i)
     end

data/lib/hyperion/http2_handler.rb

@@ -36,33 +36,143 @@ module Hyperion
     # Also exposes a `window_available` notification fan-out so the
     # response-writer fiber can sleep until WINDOW_UPDATE arrives.
     class RequestStream < ::Protocol::HTTP2::Stream
-      attr_reader :request_headers, :request_body, :request_complete
+      # RFC 7540 §8.1.2.1 — the only pseudo-headers a server MUST accept on a
+      # request. Anything else (notably `:status`, which is response-only, or
+      # an unknown `:foo`) is a malformed request that we reject with
+      # PROTOCOL_ERROR.
+      VALID_REQUEST_PSEUDO_HEADERS = %w[:method :path :scheme :authority].freeze
+
+      # RFC 7540 §8.1.2.2 — these connection-specific headers MUST NOT appear
+      # in HTTP/2 requests; their semantics are folded into HTTP/2 framing.
+      FORBIDDEN_HEADERS = %w[connection transfer-encoding keep-alive upgrade proxy-connection].freeze
+
+      attr_reader :request_headers, :request_body, :request_complete, :protocol_error_reason
 
       def initialize(*)
         super
         @request_headers = []
         @request_body = +''
+        @request_body_bytes = 0
         @request_complete = false
         @window_available = ::Async::Notification.new
+        @protocol_error_reason = nil
+        @declared_content_length = nil
+      end
+
+      # Used by the dispatch loop to decide whether to invoke the app or
+      # send RST_STREAM PROTOCOL_ERROR. Set by `validate_request_headers!`
+      # and `validate_body_length!`.
+      def protocol_error?
+        !@protocol_error_reason.nil?
       end
 
       def process_headers(frame)
         decoded = super
+        # First HEADERS frame on a stream carries the request header block;
+        # any later HEADERS frame is trailers (§8.1) and we deliberately do
+        # not re-validate (re-running the validator would see the original
+        # request pseudo-headers plus the new trailer block and falsely flag
+        # them as misordered).
+        first_block = @request_headers.empty?
         # decoded is an Array of [name, value] pairs (HPACK output).
         decoded.each { |pair| @request_headers << pair }
-        @request_complete = true if frame.end_stream?
+        # Run RFC 7540 §8.1.2 validation as soon as we have a complete header
+        # block. We do it here (not at end_stream) so the dispatcher sees the
+        # error flag before it spawns a fiber for the request.
+        validate_request_headers! if first_block && !protocol_error?
+        if frame.end_stream?
+          validate_body_length! unless protocol_error?
+          @request_complete = true
+        end
         decoded
       end
 
       def process_data(frame)
         data = super
         # rubocop:disable Rails/Present
-        @request_body << data if data && !data.empty?
+        if data && !data.empty?
+          @request_body << data
+          @request_body_bytes += data.bytesize
+        end
         # rubocop:enable Rails/Present
-        @request_complete = true if frame.end_stream?
+        if frame.end_stream?
+          validate_body_length! unless protocol_error?
+          @request_complete = true
+        end
         data
       end
 
+      # RFC 7540 §8.1.2 — request header validation. Sets
+      # `@protocol_error_reason` on the first violation we hit; the dispatch
+      # loop turns that into RST_STREAM PROTOCOL_ERROR.
+      def validate_request_headers!
+        seen_regular = false
+        pseudo_counts = Hash.new(0)
+        @request_headers.each do |pair|
+          name, value = pair
+          name = name.to_s
+          if name.start_with?(':')
+            # §8.1.2.1: pseudo-headers MUST precede regular headers.
+            return fail_validation!('pseudo-header after regular header') if seen_regular
+            # §8.1.2.1: only the four request pseudo-headers are valid; in
+            # particular, `:status` is response-only.
+            unless VALID_REQUEST_PSEUDO_HEADERS.include?(name)
+              return fail_validation!("invalid request pseudo-header: #{name}")
+            end
+
+            pseudo_counts[name] += 1
+          else
+            seen_regular = true
+            # §8.1.2: header names must be lowercase in HTTP/2.
+            return fail_validation!('uppercase header name') if /[A-Z]/.match?(name)
+            # §8.1.2.2: connection-specific headers are forbidden.
+            return fail_validation!("forbidden connection-specific header: #{name}") if FORBIDDEN_HEADERS.include?(name)
+            # §8.1.2.2: TE may only carry the value `trailers`.
+            if name == 'te' && value.to_s.downcase.strip != 'trailers'
+              return fail_validation!('TE header with non-trailers value')
+            end
+
+            # Track declared content-length for later body-byte cross-check.
+            @declared_content_length = value.to_s.to_i if name == 'content-length'
+          end
+        end
+
+        # §8.1.2.3: every pseudo-header may appear at most once.
+        pseudo_counts.each do |name, count|
+          return fail_validation!("duplicated pseudo-header: #{name}") if count > 1
+        end
+
+        method = pseudo_value(':method')
+        # CONNECT (§8.3) has its own rules; everything else MUST carry
+        # :method, :scheme and a non-empty :path.
+        if method == 'CONNECT'
+          return fail_validation!('CONNECT with :scheme') if pseudo_value(':scheme')
+          return fail_validation!('CONNECT with :path') if pseudo_value(':path')
+          return fail_validation!('CONNECT without :authority') unless pseudo_value(':authority')
+        else
+          return fail_validation!('missing :method') if method.nil? || method.empty?
+
+          scheme = pseudo_value(':scheme')
+          return fail_validation!('missing :scheme') if scheme.nil? || scheme.empty?
+
+          path = pseudo_value(':path')
+          return fail_validation!('missing or empty :path') if path.nil? || path.empty?
+        end
+
+        nil
+      end
+
+      # RFC 7540 §8.1.2.6 — if `content-length` was advertised, the actual
+      # number of DATA bytes received (across all DATA frames) MUST match.
+      def validate_body_length!
+        return if @declared_content_length.nil?
+        return if @declared_content_length == @request_body_bytes
+
+        fail_validation!(
+          "content-length mismatch: declared #{@declared_content_length}, received #{@request_body_bytes}"
+        )
+      end
+
       # Called by protocol-http2 whenever the remote peer's flow-control
       # window opens up — either via a stream-level WINDOW_UPDATE or via the
       # connection-level fan-out in `Connection#consume_window`. We poke the
@@ -78,11 +188,58 @@ module Hyperion
       def wait_for_window
         @window_available.wait
       end
+
+      private
+
+      # Look up a pseudo-header by name (e.g. `:method`) by scanning the raw
+      # collected pairs. Returns nil if absent. We don't pre-build a hash
+      # because the validator needs to detect duplicates first.
+      def pseudo_value(name)
+        @request_headers.each do |pair|
+          return pair[1].to_s if pair[0].to_s == name
+        end
+        nil
+      end
+
+      # Record the first protocol-error reason and short-circuit further
+      # validation. Returns nil so callers can `return fail_validation!(...)`.
+      def fail_validation!(reason)
+        @protocol_error_reason ||= reason
+        # As soon as a header-block violation is detected we treat the request
+        # as "complete" so the dispatch loop wakes up and emits RST_STREAM.
+        @request_complete = true
+        nil
+      end
     end
 
-    def initialize(app:, thread_pool: nil)
+    # Maps Hyperion-friendly setting names to the integer SETTINGS_* identifiers
+    # protocol-http2 uses on the wire. See RFC 7540 §6.5.2 — these are the
+    # only four parameters Hyperion exposes; the rest of the SETTINGS frame
+    # (HEADER_TABLE_SIZE, ENABLE_PUSH, etc.) keeps protocol-http2's default.
+    SETTINGS_KEY_MAP = {
+      max_concurrent_streams: ::Protocol::HTTP2::Settings::MAXIMUM_CONCURRENT_STREAMS,
+      initial_window_size: ::Protocol::HTTP2::Settings::INITIAL_WINDOW_SIZE,
+      max_frame_size: ::Protocol::HTTP2::Settings::MAXIMUM_FRAME_SIZE,
+      max_header_list_size: ::Protocol::HTTP2::Settings::MAXIMUM_HEADER_LIST_SIZE
+    }.freeze
+
+    # RFC 7540 §6.5.2 floor for SETTINGS_MAX_FRAME_SIZE. protocol-http2 raises
+    # ProtocolError on values below this; we clamp + warn instead so a
+    # misconfigured operator gets a working server, not a boot-time crash.
+    H2_MIN_FRAME_SIZE = 0x4000 # 16384
+
+    # RFC 7540 §6.5.2 ceiling for SETTINGS_MAX_FRAME_SIZE.
+    H2_MAX_FRAME_SIZE = 0xFFFFFF # 16777215
+
+    # RFC 7540 §6.9.2 — INITIAL_WINDOW_SIZE has the same 31-bit max as the
+    # WINDOW_UPDATE frame's Window Size Increment (see protocol-http2's
+    # MAXIMUM_ALLOWED_WINDOW_SIZE).
+    H2_MAX_WINDOW_SIZE = 0x7FFFFFFF
+
+    def initialize(app:, thread_pool: nil, h2_settings: nil)
       @app         = app
       @thread_pool = thread_pool
+      @h2_settings = h2_settings
       @metrics     = Hyperion.metrics
       @logger      = Hyperion.logger
     end
@@ -92,7 +249,7 @@ module Hyperion
       @metrics.increment(:connections_active)
       framer = ::Protocol::HTTP2::Framer.new(socket)
       server = build_server(framer)
-      server.read_connection_preface
+      server.read_connection_preface(initial_settings_payload)
 
       # Extract once — the same TCP peer drives every stream on this conn.
       peer_addr = peer_address(socket)
@@ -158,6 +315,69 @@ module Hyperion
 
     private
 
+    # Build the [setting_id, value] pairs that go in the connection-preface
+    # SETTINGS frame. protocol-http2's Server#read_connection_preface accepts
+    # this array and does the wire encoding for us. Empty array (no overrides
+    # configured) → SETTINGS frame still goes out, just with no entries
+    # (effectively an ack), which is what the spec allows.
+    #
+    # We clamp out-of-range values (max_frame_size below the spec floor or
+    # above its ceiling, initial_window_size above 31-bit max) instead of
+    # letting protocol-http2 raise ProtocolError at handshake time — a
+    # crashing handshake leaks the connection. Operator gets a warn so the
+    # misconfiguration surfaces in logs.
+    def initial_settings_payload
+      return [] unless @h2_settings
+
+      payload = []
+      @h2_settings.each do |key, value|
+        next if value.nil?
+
+        setting_id = SETTINGS_KEY_MAP[key]
+        unless setting_id
+          @logger.warn { { message: 'unknown h2 setting; skipping', setting: key } }
+          next
+        end
+
+        clamped = clamp_h2_setting(key, value)
+        payload << [setting_id, clamped]
+      end
+      payload
+    end
+
+    def clamp_h2_setting(key, value)
+      case key
+      when :max_frame_size
+        if value < H2_MIN_FRAME_SIZE
+          @logger.warn do
+            { message: 'h2 max_frame_size below spec minimum; clamping',
+              configured: value, clamped_to: H2_MIN_FRAME_SIZE }
+          end
+          H2_MIN_FRAME_SIZE
+        elsif value > H2_MAX_FRAME_SIZE
+          @logger.warn do
+            { message: 'h2 max_frame_size above spec maximum; clamping',
+              configured: value, clamped_to: H2_MAX_FRAME_SIZE }
+          end
+          H2_MAX_FRAME_SIZE
+        else
+          value
+        end
+      when :initial_window_size
+        if value > H2_MAX_WINDOW_SIZE
+          @logger.warn do
+            { message: 'h2 initial_window_size above spec maximum; clamping',
+              configured: value, clamped_to: H2_MAX_WINDOW_SIZE }
+          end
+          H2_MAX_WINDOW_SIZE
+        else
+          value
+        end
+      else
+        value
+      end
+    end
+
     def build_server(framer)
       server = ::Protocol::HTTP2::Server.new(framer)
       server.define_singleton_method(:accept_stream) do |stream_id, &block|
@@ -175,6 +395,23 @@ module Hyperion
     end
 
     def dispatch_stream(stream, send_mutex, peer_addr = nil)
+      # RFC 7540 §8.1.2 — header validation flagged this stream as malformed.
+      # Send RST_STREAM PROTOCOL_ERROR instead of invoking the app.
+      if stream.protocol_error?
+        @logger.debug do
+          { message: 'h2 request rejected', reason: stream.protocol_error_reason, stream_id: stream.id }
+        end
+        @metrics.increment(:requests_rejected)
+        begin
+          send_mutex.synchronize do
+            stream.send_reset_stream(::Protocol::HTTP2::Error::PROTOCOL_ERROR) unless stream.closed?
+          end
+        rescue StandardError
+          nil
+        end
+        return
+      end
+
       pseudo, regular = partition_pseudo(stream.request_headers)
 
       method    = pseudo[':method'] || 'GET'

data/lib/hyperion/logger.rb

@@ -64,6 +64,34 @@ module Hyperion
       # Colorize when format is text AND the destination is a TTY. We only
       # check the regular stream here — colored text is for humans.
       @colorize = @format == :text && tty?(@out)
+      @c_access_available = nil # lazy-computed on first access — see below.
+      # Registry of every per-thread access buffer ever allocated through
+      # this Logger instance. Walked by #flush_all on shutdown so SIGTERM
+      # doesn't strand buffered lines in dying threads. The Mutex guards
+      # registration on first allocation per thread (rare) and the shutdown
+      # walk; the hot #access path stays lock-free.
+      @access_buffers = []
+      @access_buffers_mutex = Mutex.new
+      # Per-instance thread-local key. A globally-shared key (e.g. a frozen
+      # Symbol constant) lets a buffer created by an earlier Logger in this
+      # thread be picked up by a later Logger — but the buffer is registered
+      # against the *earlier* Logger's @access_buffers, so the new Logger's
+      # #flush_all can't see it. Namespacing the key per-instance fixes that:
+      # each Logger gets its own per-thread buffer, and the registry it
+      # walks at shutdown matches the one #access wrote to. The Symbol is
+      # allocated once at construction; the hot path just reads it.
+      @buffer_key = :"__hyperion_access_buf_#{object_id}__"
+    end
+
+    # Whether Hyperion::CParser.build_access_line is available. Probed lazily
+    # on first call (the C parser is required after Logger is required, so we
+    # can't cache this at constant-define time — it would always be false).
+    # Memoised per-instance to keep the hot path branchless.
+    def c_access_available?
+      return @c_access_available unless @c_access_available.nil?
+
+      @c_access_available = defined?(::Hyperion::CParser) &&
+                            ::Hyperion::CParser.respond_to?(:build_access_line)
     end
 
     LEVELS.each_key do |lvl|
@@ -106,13 +134,23 @@ module Hyperion
       return unless emit?(:info)
 
       ts = cached_timestamp
-      line = if @format == :json
+      # The C extension builds the line in a stack scratch buffer (~10× faster
+      # than the Ruby interpolation path). It only fires when colorization is
+      # off — a colored TTY line needs ANSI escapes around the level label,
+      # which the C builder doesn't emit. Production deploys (non-TTY,
+      # log-aggregator destinations) take the C path; local TTY runs keep the
+      # colored Ruby fallback.
+      line = if !@colorize && c_access_available?
+               ::Hyperion::CParser.build_access_line(@format, ts, method, path,
+                                                     query, status, duration_ms,
+                                                     remote_addr, http_version)
+             elsif @format == :json
                build_access_json(ts, method, path, query, status, duration_ms, remote_addr, http_version)
              else
                build_access_text(ts, method, path, query, status, duration_ms, remote_addr, http_version)
              end
 
-      buf = (Thread.current[:__hyperion_access_buf__] ||= +'')
+      buf = Thread.current[@buffer_key] || allocate_access_buffer
       buf << line
       return if buf.bytesize < ACCESS_FLUSH_BYTES
 
@@ -126,7 +164,7 @@ module Hyperion
     # loop when a connection closes (so log lines from a closing keep-alive
     # session don't get stuck behind the buffer until the next connection).
     def flush_access_buffer
-      buf = Thread.current[:__hyperion_access_buf__]
+      buf = Thread.current[@buffer_key]
       return if buf.nil? || buf.empty?
 
       @out.write(buf)
@@ -135,8 +173,61 @@ module Hyperion
       # Swallow logger failures — never let logging crash the server.
     end
 
+    # Flush every per-thread access-log buffer ever allocated through this
+    # Logger, then sync the underlying IOs.
+    #
+    # Why this exists: under SIGTERM, Master#shutdown_children logs the
+    # 'master draining' / 'master exiting' lines and then exits. The 'info'
+    # path doesn't go through the access buffer, but it does rely on glibc
+    # stdio buffering being flushed before the process dies — and per-thread
+    # access buffers (Thread.current[:__hyperion_access_buf__]) are *only*
+    # flushed when the buffer reaches ACCESS_FLUSH_BYTES or when the owning
+    # thread closes a connection. On a clean SIGTERM both can be missed and
+    # the operator sees nothing in the captured log. This method walks every
+    # registered per-thread buffer, writes any pending bytes, then calls
+    # IO#flush on @out / @err so the kernel sees them before exec_exit.
+    #
+    # Safe to call from any thread. Idempotent. Never raises.
+    def flush_all
+      buffers = @access_buffers_mutex.synchronize { @access_buffers.dup }
+      buffers.each do |buf|
+        next if buf.empty?
+
+        begin
+          @out.write(buf)
+          buf.clear
+        rescue StandardError
+          # Continue — one bad buffer must not block the rest.
+        end
+      end
+
+      flush_io(@out)
+      flush_io(@err) unless @err.equal?(@out)
+    rescue StandardError
+      # Swallow logger failures — never let logging crash the server.
+    end
+
     private
 
+    # First-touch path for a thread's access buffer. Allocates the String,
+    # stores it in the thread-local for lock-free access on subsequent calls,
+    # and registers it in @access_buffers so #flush_all can find it later.
+    # Mutex is taken once per thread (not per request).
+    def allocate_access_buffer
+      buf = +''
+      Thread.current[@buffer_key] = buf
+      @access_buffers_mutex.synchronize { @access_buffers << buf }
+      buf
+    end
+
+    def flush_io(io)
+      io.flush if io.respond_to?(:flush)
+    rescue StandardError
+      # Some IO destinations raise on flush (closed pipes during SIGPIPE,
+      # custom IO-likes that don't implement it cleanly). Logging must
+      # never crash the server, especially during shutdown.
+    end
+
     # Cached UTC iso8601(3) timestamp, refreshed at most once per millisecond
     # per thread. At 24k r/s with 16 threads we render ~1500 r/s/thread; only
     # ~1000 of those allocate a new String. The other 500 reuse the cached one.

data/lib/hyperion/master.rb

@@ -47,6 +47,20 @@ module Hyperion
       end
     end
 
+    # Pulls the four configurable HTTP/2 SETTINGS values out of the Config
+    # and returns them as a Hash. Nils are stripped so an operator who
+    # explicitly sets one to `nil` (meaning "leave protocol-http2 default in
+    # place") doesn't accidentally send a SETTINGS entry with a nil value.
+    # Empty hash → no override → Http2Handler skips the SETTINGS push.
+    def self.build_h2_settings(config)
+      {
+        max_concurrent_streams: config.h2_max_concurrent_streams,
+        initial_window_size: config.h2_initial_window_size,
+        max_frame_size: config.h2_max_frame_size,
+        max_header_list_size: config.h2_max_header_list_size
+      }.compact
+    end
+
     def initialize(host:, port:, app:, workers: DEFAULT_WORKER_COUNT,
                    read_timeout: Server::DEFAULT_READ_TIMEOUT_SECONDS, tls: nil,
                    thread_count: Server::DEFAULT_THREAD_COUNT, config: nil)
@@ -64,6 +78,10 @@ module Hyperion
       @stopping     = false
       @worker_model = self.class.detect_worker_model
       @listener     = nil # populated only in :share mode
+      @worker_max_rss_mb     = @config.worker_max_rss_mb
+      @worker_check_interval = @config.worker_check_interval || 30
+      @last_health_check     = 0  # monotonic seconds
+      @cycling               = {} # pid => true while we wait for it to exit
     end
 
     def run
@@ -80,6 +98,12 @@ module Hyperion
         }
       end
 
+      # Pre-allocate Rack env-pool entries and eager-touch lazy constants
+      # BEFORE we fork. Children inherit the warm memory via copy-on-write
+      # so the first batch of requests on each fresh worker doesn't pay
+      # the allocation/autoload tax.
+      Hyperion.warmup!
+
       # `before_fork` runs ONCE in the master before any worker is forked.
       # Operators use it to close shared resources (DB pools, Redis sockets)
       # so each child gets fresh connections rather than inheriting the
@@ -139,7 +163,10 @@ module Hyperion
           host: @host, port: @port, app: @app,
           read_timeout: @read_timeout, tls: @tls,
           thread_count: @thread_count, config: @config,
-          worker_index: worker_index
+          worker_index: worker_index,
+          max_pending: @config.max_pending,
+          max_request_read_seconds: @config.max_request_read_seconds,
+          h2_settings: Master.build_h2_settings(@config)
         }
         # Hand the inherited socket to the worker in :share mode. In
         # :reuseport mode the worker binds its own with SO_REUSEPORT.
@@ -165,6 +192,7 @@ module Hyperion
         end
 
         reap_and_respawn
+        maybe_cycle_workers
       end
 
       shutdown_children
@@ -177,12 +205,47 @@ module Hyperion
 
         Hyperion.logger.warn { { message: 'worker died, respawning', worker_pid: pid } }
         @children.delete(pid)
+        @cycling.delete(pid)
         spawn_worker unless @stopping
       end
     rescue Errno::ECHILD
       # No children — happens during shutdown.
     end
 
+    # Periodically poll worker RSS and SIGTERM any that exceed the configured
+    # cap. The dying worker is reaped by `reap_and_respawn` on the next tick,
+    # which also clears the @cycling guard so the slot can be replaced.
+    # Skips entirely when no cap is configured — zero overhead by default.
+    def maybe_cycle_workers
+      return unless @worker_max_rss_mb
+
+      now = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      return if now - @last_health_check < @worker_check_interval
+
+      @last_health_check = now
+      @children.each_key do |pid|
+        next if @cycling.key?(pid)
+
+        rss = WorkerHealth.rss_mb(pid)
+        next unless rss && rss > @worker_max_rss_mb
+
+        Hyperion.logger.warn do
+          {
+            message: 'cycling worker for memory',
+            worker_pid: pid,
+            rss_mb: rss,
+            limit_mb: @worker_max_rss_mb
+          }
+        end
+        @cycling[pid] = true
+        begin
+          Process.kill('TERM', pid)
+        rescue StandardError
+          # process already gone — reap_and_respawn will handle it
+        end
+      end
+    end
+
     def shutdown_children
       Hyperion.logger.info do
         { message: 'master draining', graceful_timeout: @graceful_timeout }
@@ -216,6 +279,11 @@ module Hyperion
       @children.clear
 
       Hyperion.logger.info { { message: 'master exiting' } }
+      # Drain per-thread access buffers + sync stdio so the 'master draining'
+      # / 'master exiting' lines (and any in-flight access-log lines from
+      # threads that never reached the 4-KiB flush threshold) actually reach
+      # the operator's log file before the process exits on SIGTERM.
+      Hyperion.logger.flush_all
     end
   end
 end