Add separate pages for Compliance, Smuggling, Malformed Input, Glossary

- Each category gets its own nav tab and dedicated page with explanation
- Glossary page explains RFCs, smuggling mechanics with CL.TE/TE.CL examples
- Shared render.js extracted to avoid JS duplication across pages
- Home page cards link to individual category pages
- Probe icon logo added

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: MDA2AV

docs/content/_index.md

@@ -27,7 +27,7 @@ layout: hextra-home
 ## Features
 
 {{< cards >}}
-  {{< card link="probe-results" title="Compliance Testing" subtitle="RFC 9110/9112 protocol requirements — bare LF, obs-fold, missing Host, invalid versions, and more." icon="check-circle" >}}
-  {{< card link="probe-results" title="Smuggling Detection" subtitle="CL/TE ambiguity, duplicate Content-Length, leading zeros, pipeline probes, and obfuscation vectors." icon="shield-exclamation" >}}
-  {{< card link="probe-results" title="Robustness Testing" subtitle="Binary garbage, oversized URLs/headers, control characters, integer overflow, and incomplete requests." icon="lightning-bolt" >}}
+  {{< card link="compliance" title="Compliance Testing" subtitle="RFC 9110/9112 protocol requirements — bare LF, obs-fold, missing Host, invalid versions, and more." icon="check-circle" >}}
+  {{< card link="smuggling" title="Smuggling Detection" subtitle="CL/TE ambiguity, duplicate Content-Length, leading zeros, pipeline probes, and obfuscation vectors." icon="shield-exclamation" >}}
+  {{< card link="malformed-input" title="Robustness Testing" subtitle="Binary garbage, oversized URLs/headers, control characters, integer overflow, and incomplete requests." icon="lightning-bolt" >}}
 {{< /cards >}}

docs/content/compliance/_index.md

@@ -0,0 +1,34 @@
+---
+title: Compliance
+layout: wide
+toc: false
+---
+
+## RFC 9110/9112 Compliance
+
+These tests validate that HTTP/1.1 servers correctly implement the protocol requirements defined in [RFC 9110](https://www.rfc-editor.org/rfc/rfc9110) (HTTP Semantics) and [RFC 9112](https://www.rfc-editor.org/rfc/rfc9112) (HTTP/1.1 Message Syntax and Routing).
+
+Each test sends a request that violates a specific **MUST** or **MUST NOT** requirement from the RFCs. A compliant server should reject these with a `400 Bad Request` (or close the connection). Accepting the request silently means the server is non-compliant and potentially vulnerable to downstream attacks.
+
+**What's tested:**
+- **Line endings** — bare `LF` without `CR`, `CR` without `LF` (RFC 9112 §2.2)
+- **Request-line format** — multiple spaces, missing target, fragments in URI (RFC 9112 §3)
+- **HTTP version** — invalid version strings, HTTP/0.9 requests (RFC 9112 §2.3)
+- **Header syntax** — obs-fold, space before colon, empty names, invalid characters, missing colon (RFC 9112 §5, RFC 9110 §5.6.2)
+- **Host header** — missing or duplicate Host with conflicting values (RFC 9112 §7.1, RFC 9110 §5.4)
+- **Content-Length** — non-numeric, plus sign, overflow (RFC 9112 §6.1)
+
+<div id="table-compliance"><p><em>Loading...</em></p></div>
+
+<script src="/Http11Probe/probe/data.js"></script>
+<script src="/Http11Probe/probe/render.js"></script>
+<script>
+(function () {
+  if (!window.PROBE_DATA) {
+    document.getElementById('table-compliance').innerHTML = '<p><em>No probe data available yet. Run the Probe workflow manually on <code>main</code> to generate results.</em></p>';
+    return;
+  }
+  var ctx = ProbeRender.buildLookups(window.PROBE_DATA.servers);
+  ProbeRender.renderTable('table-compliance', 'Compliance', ctx);
+})();
+</script>

docs/content/glossary/_index.md

@@ -0,0 +1,163 @@
+---
+title: Glossary
+layout: wide
+toc: true
+---
+
+## What is an RFC?
+
+An **RFC** (Request for Comments) is a formal document published by the [Internet Engineering Task Force (IETF)](https://www.ietf.org/) that defines the standards and protocols that power the internet. Despite the informal-sounding name, RFCs are the authoritative specifications that all implementations must follow for interoperability.
+
+HTTP/1.1 is defined by two key RFCs:
+
+- **[RFC 9110](https://www.rfc-editor.org/rfc/rfc9110)** — *HTTP Semantics*. Defines the meaning of HTTP methods, status codes, headers, and content negotiation. This is the "what" of HTTP.
+- **[RFC 9112](https://www.rfc-editor.org/rfc/rfc9112)** — *HTTP/1.1 Message Syntax and Routing*. Defines the wire format: how requests and responses are framed as bytes on a TCP connection. This is the "how" of HTTP/1.1.
+
+RFCs use specific keywords defined in [RFC 2119](https://www.rfc-editor.org/rfc/rfc2119):
+
+| Keyword | Meaning |
+|---------|---------|
+| **MUST** | Absolute requirement. Violating this means the implementation is non-compliant. |
+| **MUST NOT** | Absolute prohibition. |
+| **SHOULD** | Recommended but there may be valid reasons to deviate in particular circumstances. |
+| **MAY** | Optional behavior. |
+
+When a test in Http11Probe references `RFC 9112 §5.1`, it means the test validates a specific requirement from section 5.1 of that document.
+
+## What is HTTP Request Smuggling?
+
+HTTP request smuggling is an attack that exploits disagreements between HTTP processors about where one request ends and the next begins in a TCP byte stream.
+
+### How it works
+
+In a typical web architecture, requests flow through multiple layers:
+
+```
+Client  -->  CDN / Load Balancer  -->  Application Server
+             (front-end)               (back-end)
+```
+
+Both the front-end and back-end must parse the HTTP stream to determine request boundaries. HTTP/1.1 provides two mechanisms for this:
+
+1. **Content-Length** — an explicit byte count of the body
+2. **Transfer-Encoding: chunked** — the body is sent in length-prefixed chunks
+
+When a request contains **both** headers, or contains them in ambiguous forms, different servers may disagree on the body length. This disagreement lets an attacker hide a second request inside the body of the first.
+
+### CL.TE Smuggling Example
+
+The attacker sends a request where the front-end uses `Content-Length` and the back-end uses `Transfer-Encoding`:
+
+```http
+POST / HTTP/1.1
+Host: example.com
+Content-Length: 13
+Transfer-Encoding: chunked
+
+0\r\n
+\r\n
+SMUGGLED
+```
+
+**Front-end** (reads Content-Length: 13): sees 13 bytes of body (`0\r\n\r\nSMUGGLED`), forwards the whole thing as one request.
+
+**Back-end** (reads Transfer-Encoding: chunked): reads chunk size `0`, which signals end-of-body. The remaining bytes (`SMUGGLED`) are left in the TCP buffer and interpreted as the **start of the next request**.
+
+The attacker has now injected a request that bypasses the front-end entirely.
+
+### TE.CL Smuggling Example
+
+The reverse: the front-end uses `Transfer-Encoding` and the back-end uses `Content-Length`:
+
+```http
+POST / HTTP/1.1
+Host: example.com
+Content-Length: 3
+Transfer-Encoding: chunked
+
+8\r\n
+SMUGGLED\r\n
+0\r\n
+\r\n
+```
+
+**Front-end** (chunked): reads chunk of size 8 (`SMUGGLED`), then chunk of size 0 (end). Forwards everything.
+
+**Back-end** (Content-Length: 3): reads only 3 bytes of body (`8\r\n`). The rest (`SMUGGLED\r\n0\r\n\r\n`) becomes the next request.
+
+### Why servers must reject ambiguous requests
+
+The only safe behavior is to **reject** any request with ambiguous framing:
+
+- Both `Content-Length` and `Transfer-Encoding` present → **400**
+- Duplicate `Content-Length` with different values → **400**
+- Obfuscated `Transfer-Encoding` (e.g. `xchunked`, `chunked `) → **400**
+
+A server that "guesses" which header to use is a smuggling vector waiting to happen.
+
+### Real-world impact
+
+HTTP smuggling has been used to:
+- **Bypass authentication** — smuggle requests that skip WAF/auth layers
+- **Poison web caches** — inject responses that get cached and served to other users
+- **Hijack sessions** — prepend attacker-controlled headers to other users' requests
+- **Exfiltrate data** — redirect internal responses to attacker-controlled endpoints
+
+## Test Definitions
+
+Every test ID links back here from the result tables. Click a test name in any results table to jump to its definition.
+
+<div id="glossary-tests"><p><em>Loading...</em></p></div>
+
+<script src="/Http11Probe/probe/data.js"></script>
+<script src="/Http11Probe/probe/render.js"></script>
+<script>
+(function () {
+  if (!window.PROBE_DATA) {
+    document.getElementById('glossary-tests').innerHTML = '<p><em>No probe data available yet.</em></p>';
+    return;
+  }
+  var ctx = ProbeRender.buildLookups(window.PROBE_DATA.servers);
+  var names = ctx.names, lookup = ctx.lookup, testIds = ctx.testIds;
+
+  var categories = [
+    { key: 'Compliance', title: 'Compliance Tests' },
+    { key: 'Smuggling', title: 'Smuggling Tests' },
+    { key: 'MalformedInput', title: 'Malformed Input Tests' }
+  ];
+
+  var html = '';
+  categories.forEach(function (cat) {
+    var tests = testIds.filter(function (tid) {
+      return lookup[names[0]][tid] && lookup[names[0]][tid].category === cat.key;
+    });
+    if (tests.length === 0) return;
+
+    var scored = tests.filter(function (tid) { return lookup[names[0]][tid].scored !== false; });
+    var unscored = tests.filter(function (tid) { return lookup[names[0]][tid].scored === false; });
+
+    html += '<h3>' + cat.title + '</h3>';
+    html += '<div style="margin-bottom:1.5rem;">';
+
+    function row(tid) {
+      var r = lookup[names[0]][tid];
+      if (!r) return '';
+      var rfc = r.rfc ? ' <span style="color:#656d76;font-size:11px;">(' + r.rfc + ')</span>' : '';
+      return '<div id="test-' + tid + '" style="display:flex;gap:8px;align-items:baseline;padding:6px 0;border-bottom:1px solid #f0f0f0;">'
+        + '<div style="min-width:260px;"><code style="font-size:12px;">' + tid + '</code>' + rfc + '</div>'
+        + '<div style="min-width:60px;text-align:center;">' + ProbeRender.pill(ProbeRender.EXPECT_BG, r.expected) + '</div>'
+        + '<div style="flex:1;font-size:13px;">' + r.reason + '</div>'
+        + '</div>';
+    }
+
+    scored.forEach(function (tid) { html += row(tid); });
+    if (unscored.length > 0) {
+      html += '<div style="padding:8px 0;font-weight:700;font-size:12px;color:#656d76;border-bottom:1px solid #d0d7de;margin-top:4px;">Not scored (RFC-compliant behavior)</div>';
+      unscored.forEach(function (tid) { html += row(tid); });
+    }
+    html += '</div>';
+  });
+
+  document.getElementById('glossary-tests').innerHTML = html;
+})();
+</script>

docs/content/malformed-input/_index.md

@@ -0,0 +1,35 @@
+---
+title: Malformed Input
+layout: wide
+toc: false
+---
+
+## Malformed Input Handling
+
+These tests send pathological, oversized, or completely invalid payloads to verify the server handles them gracefully — rejecting with an appropriate error status rather than crashing, hanging, or consuming unbounded resources.
+
+A well-implemented server should respond with `400 Bad Request`, `414 URI Too Long`, or `431 Request Header Fields Too Large` depending on the violation, or simply close the connection.
+
+**What's tested:**
+- **Binary garbage** — random bytes that aren't valid HTTP at all
+- **Oversized fields** — 100 KB URLs, header names, header values, and method names
+- **Too many headers** — 10,000 headers in a single request
+- **Invalid bytes** — NUL bytes in URL, control characters in header values, non-ASCII in header names and URLs
+- **Integer overflow** — `Content-Length` value exceeding 64-bit integer range
+- **Incomplete/empty requests** — partial HTTP or zero bytes sent
+- **Whitespace-only request** — just spaces/tabs with no method or URI
+
+<div id="table-malformed"><p><em>Loading...</em></p></div>
+
+<script src="/Http11Probe/probe/data.js"></script>
+<script src="/Http11Probe/probe/render.js"></script>
+<script>
+(function () {
+  if (!window.PROBE_DATA) {
+    document.getElementById('table-malformed').innerHTML = '<p><em>No probe data available yet. Run the Probe workflow manually on <code>main</code> to generate results.</em></p>';
+    return;
+  }
+  var ctx = ProbeRender.buildLookups(window.PROBE_DATA.servers);
+  ProbeRender.renderTable('table-malformed', 'MalformedInput', ctx);
+})();
+</script>