TASK-013: remove v1 *_response subclasses, seal http_response

Deletes the eight public *_response subclasses (string/file/iovec/pipe/
deferred/empty/basic_auth_fail/digest_auth_fail) and the dispatch virtuals
(get_raw_response/decorate_response/enqueue_response) from http_response,
making the new factory-based surface (TASK-009..012) the only way to
build a response.

Phase 1 — migrate every consumer to the v2 surface:
  * webserver.cpp/http_resource.cpp internal callers switched off
    string_response to http_response::string()/empty().
  * test/unit + test/integ + examples/* migrated to factories +
    with_status()/with_header() chains.
  * test/unit/iovec_response_test.cpp deleted (covered by
    http_response_factories_test).

Phase 2 — delete the v1 surface:
  * Eight v1 hpp + cpp pairs deleted.
  * src/Makefile.am drops the deleted sources/headers and the
    HAVE_BAUTH conditional.
  * <httpserver.hpp> umbrella drops the eight removed includes.
  * http_response gains `final`; destructor de-virtualised; the legacy
    2-arg constructor (security-reviewer #24 from TASK-012) and the
    get_response_code() shim are gone; struct MHD_Connection/MHD_Response
    forward declarations dropped from the public header.
  * webserver gains static dispatch helpers materialize_response() and
    decorate_mhd_response(); friended into http_response so it can read
    body_ without widening the public API.
  * file() factory now defaults Content-Type to application/octet-stream
    (matching v1 file_response).
  * empty_render returns a default-constructed http_response so the
    status_code = -1 sentinel keeps routing to internal_error_page (the
    default_render_method test pins this).
  * finalize_answer's catch blocks now wrap internal_error_page() with
    an inner try/catch that falls back to force_our=true so a throwing
    user-supplied internal_error_resource can never escape into MHD.

Acceptance:
  * grep 'class \w+_response :' src/httpserver/*.hpp returns no public
    subclass declarations.
  * grep 'get_raw_response|decorate_response|enqueue_response'
    src/httpserver/*.hpp returns only doxygen prose.
  * static_assert(std::is_final_v<http_response>) compiles
    (test/unit/http_response_sbo_test.cpp).
  * make check: 25 PASS / 1 XFAIL (header_hygiene, expected pre-M5).

Behaviour change accepted per plan §2 / §10 and PRD §3.5: v1's
basic_auth_fail and digest_auth_fail bound to MHD's nonce/opaque
state machine via MHD_queue_basic/auth_required_response3; v2's
unauthorized() emits a static WWW-Authenticate challenge and
enqueues via MHD_queue_response. Four digest-auth round-trip tests
in test/integ/authentication.cpp updated to assert the v2 contract
(challenge issued, handshake does not complete, body remains FAIL).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: etr

examples/allowing_disallowing_methods.cpp

@@ -25,7 +25,7 @@
 class hello_world_resource : public httpserver::http_resource {
  public:
      std::shared_ptr<httpserver::http_response> render(const httpserver::http_request&) {
-         return std::shared_ptr<httpserver::http_response>(new httpserver::string_response("Hello, World!"));
+         return std::shared_ptr<httpserver::http_response>(new httpserver::http_response(httpserver::http_response::string("Hello, World!")));
      }
 };
 

examples/args_processing.cpp

@@ -80,7 +80,7 @@ class args_resource : public httpserver::http_resource {
             response_body << "name (via get_arg_flat): " << name_flat << "\n";
         }
 
-        return std::make_shared<httpserver::string_response>(response_body.str(), 200, "text/plain");
+        return std::make_shared<httpserver::http_response>(httpserver::http_response::string(response_body.str()));
     }
 };
 

examples/basic_authentication.cpp

@@ -27,10 +27,11 @@ class user_pass_resource : public httpserver::http_resource {
  public:
      std::shared_ptr<httpserver::http_response> render_GET(const httpserver::http_request& req) {
          if (req.get_user() != "myuser" || req.get_pass() != "mypass") {
-             return std::shared_ptr<httpserver::basic_auth_fail_response>(new httpserver::basic_auth_fail_response("FAIL", "test@example.com"));
+             return std::make_shared<httpserver::http_response>(
+                 httpserver::http_response::unauthorized("Basic", "test@example.com", "FAIL"));
          }
 
-         return std::shared_ptr<httpserver::string_response>(new httpserver::string_response(std::string(req.get_user()) + " " + std::string(req.get_pass()), 200, "text/plain"));
+         return std::shared_ptr<httpserver::http_response>(new httpserver::http_response(httpserver::http_response::string(std::string(req.get_user()) + " " + std::string(req.get_pass()))));
      }
 };
 

examples/benchmark_nodelay.cpp

@@ -48,7 +48,7 @@ int main(int argc, char** argv) {
         .tcp_nodelay()
         .max_threads(atoi(argv[2]));
 
-    std::shared_ptr<httpserver::http_response> hello = std::shared_ptr<httpserver::http_response>(new httpserver::string_response(BODY, 200));
+    std::shared_ptr<httpserver::http_response> hello = std::shared_ptr<httpserver::http_response>(new httpserver::http_response(httpserver::http_response::string(BODY)));
     hello->with_header("Server", "libhttpserver");
 
     hello_world_resource hwr(hello);

examples/benchmark_select.cpp

@@ -47,7 +47,7 @@ int main(int argc, char** argv) {
         .start_method(httpserver::http::http_utils::INTERNAL_SELECT)
         .max_threads(atoi(argv[2]));
 
-    std::shared_ptr<httpserver::http_response> hello = std::shared_ptr<httpserver::http_response>(new httpserver::string_response(BODY, 200));
+    std::shared_ptr<httpserver::http_response> hello = std::shared_ptr<httpserver::http_response>(new httpserver::http_response(httpserver::http_response::string(BODY)));
     hello->with_header("Server", "libhttpserver");
 
     hello_world_resource hwr(hello);

examples/benchmark_threads.cpp

@@ -46,7 +46,7 @@ int main(int argc, char** argv) {
     httpserver::webserver ws = httpserver::create_webserver(atoi(argv[1]))
         .start_method(httpserver::http::http_utils::THREAD_PER_CONNECTION);
 
-    std::shared_ptr<httpserver::http_response> hello = std::shared_ptr<httpserver::http_response>(new httpserver::string_response(BODY, 200));
+    std::shared_ptr<httpserver::http_response> hello = std::shared_ptr<httpserver::http_response>(new httpserver::http_response(httpserver::http_response::string(BODY)));
     hello->with_header("Server", "libhttpserver");
 
     hello_world_resource hwr(hello);

examples/binary_buffer_response.cpp

@@ -66,8 +66,7 @@ class image_resource : public httpserver::http_resource {
 
         // Use string_response with the appropriate content type. The response
         // will send the exact bytes contained in the string.
-        return std::make_shared<httpserver::string_response>(
-                std::move(image_data), 200, "image/png");
+        return std::make_shared<httpserver::http_response>(httpserver::http_response::string(std::move(image_data), "image/png"));
     }
 };
 

examples/centralized_authentication.cpp

@@ -28,29 +28,26 @@ using httpserver::http_response;
 using httpserver::http_resource;
 using httpserver::webserver;
 using httpserver::create_webserver;
-using httpserver::string_response;
-using httpserver::basic_auth_fail_response;
-
 // Simple resource that doesn't need to handle auth itself
 class hello_resource : public http_resource {
  public:
     std::shared_ptr<http_response> render_GET(const http_request&) {
-        return std::make_shared<string_response>("Hello, authenticated user!", 200, "text/plain");
+        return std::make_shared<http_response>(http_response::string("Hello, authenticated user!"));
     }
 };
 
 class health_resource : public http_resource {
  public:
     std::shared_ptr<http_response> render_GET(const http_request&) {
-        return std::make_shared<string_response>("OK", 200, "text/plain");
+        return std::make_shared<http_response>(http_response::string("OK"));
     }
 };
 
 // Centralized authentication handler
 // Returns nullptr to allow the request, or an http_response to reject it
 std::shared_ptr<http_response> auth_handler(const http_request& req) {
     if (req.get_user() != "admin" || req.get_pass() != "secret") {
-        return std::make_shared<basic_auth_fail_response>("Unauthorized", "MyRealm");
+        return std::make_shared<http_response>(http_response::unauthorized("Basic", "MyRealm", "Unauthorized"));
     }
     return nullptr;  // Allow request
 }

examples/client_cert_auth.cpp

@@ -69,9 +69,7 @@ class secure_resource : public httpserver::http_resource {
     std::shared_ptr<httpserver::http_response> render_GET(const httpserver::http_request& req) {
         // Check if client provided a certificate
         if (!req.has_client_certificate()) {
-            return std::make_shared<httpserver::string_response>(
-                "Client certificate required",
-                httpserver::http::http_utils::http_unauthorized, "text/plain");
+            return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Client certificate required").with_status(httpserver::http::http_utils::http_unauthorized));
         }
 
         // Get certificate information
@@ -83,17 +81,13 @@ class secure_resource : public httpserver::http_resource {
 
         // Check if certificate is verified by our CA
         if (!verified) {
-            return std::make_shared<httpserver::string_response>(
-                "Certificate not verified by trusted CA",
-                httpserver::http::http_utils::http_forbidden, "text/plain");
+            return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Certificate not verified by trusted CA").with_status(httpserver::http::http_utils::http_forbidden));
         }
 
         // Optional: Check fingerprint against allowlist
         if (!allowed_fingerprints.empty() &&
             allowed_fingerprints.find(fingerprint) == allowed_fingerprints.end()) {
-            return std::make_shared<httpserver::string_response>(
-                "Certificate not in allowlist",
-                httpserver::http::http_utils::http_forbidden, "text/plain");
+            return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Certificate not in allowlist").with_status(httpserver::http::http_utils::http_forbidden));
         }
 
         // Check certificate validity times
@@ -102,15 +96,11 @@ class secure_resource : public httpserver::http_resource {
         time_t not_after = req.get_client_cert_not_after();
 
         if (now < not_before) {
-            return std::make_shared<httpserver::string_response>(
-                "Certificate not yet valid",
-                httpserver::http::http_utils::http_forbidden, "text/plain");
+            return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Certificate not yet valid").with_status(httpserver::http::http_utils::http_forbidden));
         }
 
         if (now > not_after) {
-            return std::make_shared<httpserver::string_response>(
-                "Certificate has expired",
-                httpserver::http::http_utils::http_forbidden, "text/plain");
+            return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Certificate has expired").with_status(httpserver::http::http_utils::http_forbidden));
         }
 
         // Build response with certificate info
@@ -121,7 +111,7 @@ class secure_resource : public httpserver::http_resource {
         response += "  Fingerprint (SHA-256): " + fingerprint + "\n";
         response += "  Verified: " + std::string(verified ? "Yes" : "No") + "\n";
 
-        return std::make_shared<httpserver::string_response>(response, 200, "text/plain");
+        return std::make_shared<httpserver::http_response>(httpserver::http_response::string(response));
     }
 };
 
@@ -140,7 +130,7 @@ class info_resource : public httpserver::http_resource {
             response += "Use --cert and --key with curl to provide one.\n";
         }
 
-        return std::make_shared<httpserver::string_response>(response, 200, "text/plain");
+        return std::make_shared<httpserver::http_response>(httpserver::http_response::string(response));
     }
 };
 

examples/custom_access_log.cpp

@@ -31,7 +31,7 @@ void custom_access_log(const std::string& url) {
 class hello_world_resource : public httpserver::http_resource {
  public:
      std::shared_ptr<httpserver::http_response> render(const httpserver::http_request&) {
-         return std::shared_ptr<httpserver::http_response>(new httpserver::string_response("Hello, World!"));
+         return std::shared_ptr<httpserver::http_response>(new httpserver::http_response(httpserver::http_response::string("Hello, World!")));
      }
 };