Add 22 glossary pages, split result tables into sub-tables

- Create docs/content/docs/upgrade/ with 4 test pages (UPGRADE-POST,
  UPGRADE-MISSING-CONN, UPGRADE-UNKNOWN, UPGRADE-INVALID-VER)
- Add 3 request-line pages (METHOD-CONNECT, METHOD-CONNECT-NO-PORT,
  METHOD-TRACE)
- Add 1 headers page (EXPECT-UNKNOWN)
- Add 12 smuggling pages (chunk-ext-lf, chunk-spill, chunk-lf-term,
  chunk-ext-ctrl, chunk-lf-trailer, te-identity, chunk-negative,
  trailer-cl, trailer-te, trailer-host, head-cl-body, options-cl-body)
- Add 2 malformed-input pages (CL-EMPTY, CL-TAB-BEFORE-VALUE)
- Fix 4 stale RFC-prefix keys in render.js TEST_URLS (now SMUG- prefix)
- Add 22 new TEST_URLS entries for all new tests
- Add renderSubTables() to render.js with testIdFilter on renderTable()
- Split Compliance into 8 sub-tables, Smuggling into 7, Malformed into 4
- Update all glossary _index.md files with cards for new tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: MDA2AV

docs/content/compliance/_index.md

@@ -10,14 +10,6 @@ These tests validate that HTTP/1.1 servers correctly implement the protocol requ
 
 Each test sends a request that violates a specific **MUST** or **MUST NOT** requirement from the RFCs. A compliant server should reject these with a `400 Bad Request` (or close the connection). Accepting the request silently means the server is non-compliant and potentially vulnerable to downstream attacks.
 
-**What's tested:**
-- **Line endings** — bare `LF` without `CR`, `CR` without `LF` (RFC 9112 §2.2)
-- **Request-line format** — multiple spaces, missing target, fragments in URI (RFC 9112 §3)
-- **HTTP version** — invalid version strings, HTTP/0.9 requests (RFC 9112 §2.3)
-- **Header syntax** — obs-fold, space before colon, empty names, invalid characters, missing colon (RFC 9112 §5, RFC 9110 §5.6.2)
-- **Host header** — missing or duplicate Host with conflicting values (RFC 9112 §7.1, RFC 9110 §5.4)
-- **Content-Length** — non-numeric, plus sign, overflow (RFC 9112 §6.1)
-
 <div id="lang-filter"></div>
 <div id="table-compliance"><p><em>Loading...</em></p></div>
 
@@ -29,9 +21,44 @@ Each test sends a request that violates a specific **MUST** or **MUST NOT** requ
     document.getElementById('table-compliance').innerHTML = '<p><em>No probe data available yet. Run the Probe workflow manually on <code>main</code> to generate results.</em></p>';
     return;
   }
+  var GROUPS = [
+    { key: 'baseline', label: 'Baseline', testIds: [
+      'COMP-BASELINE'
+    ]},
+    { key: 'line-endings', label: 'Line Endings', testIds: [
+      'RFC9112-2.2-BARE-LF-REQUEST-LINE','RFC9112-2.2-BARE-LF-HEADER',
+      'RFC9112-3-CR-ONLY-LINE-ENDING','COMP-LEADING-CRLF','COMP-WHITESPACE-BEFORE-HEADERS'
+    ]},
+    { key: 'request-line', label: 'Request Line', testIds: [
+      'RFC9112-3-MULTI-SP-REQUEST-LINE','RFC9112-3-MISSING-TARGET',
+      'RFC9112-3.2-FRAGMENT-IN-TARGET','RFC9112-2.3-INVALID-VERSION',
+      'RFC9112-2.3-HTTP09-REQUEST','COMP-ASTERISK-WITH-GET','COMP-OPTIONS-STAR',
+      'COMP-CONNECT-EMPTY-PORT','COMP-ABSOLUTE-FORM','COMP-METHOD-CASE'
+    ]},
+    { key: 'headers', label: 'Header Syntax', testIds: [
+      'RFC9112-5.1-OBS-FOLD','RFC9110-5.6.2-SP-BEFORE-COLON',
+      'RFC9112-5-EMPTY-HEADER-NAME','RFC9112-5-INVALID-HEADER-NAME',
+      'RFC9112-5-HEADER-NO-COLON'
+    ]},
+    { key: 'host', label: 'Host Header', testIds: [
+      'RFC9112-7.1-MISSING-HOST','RFC9110-5.4-DUPLICATE-HOST',
+      'COMP-DUPLICATE-HOST-SAME','COMP-HOST-WITH-USERINFO','COMP-HOST-WITH-PATH'
+    ]},
+    { key: 'content-length', label: 'Content-Length', testIds: [
+      'RFC9112-6.1-CL-NON-NUMERIC','RFC9112-6.1-CL-PLUS-SIGN'
+    ]},
+    { key: 'methods', label: 'Methods & Routing', testIds: [
+      'COMP-METHOD-CONNECT','COMP-METHOD-CONNECT-NO-PORT',
+      'COMP-UNKNOWN-TE-501','COMP-EXPECT-UNKNOWN','COMP-METHOD-TRACE'
+    ]},
+    { key: 'upgrade', label: 'Upgrade / WebSocket', testIds: [
+      'COMP-UPGRADE-POST','COMP-UPGRADE-MISSING-CONN',
+      'COMP-UPGRADE-UNKNOWN','COMP-UPGRADE-INVALID-VER'
+    ]}
+  ];
   function render(data) {
     var ctx = ProbeRender.buildLookups(data.servers);
-    ProbeRender.renderTable('table-compliance', 'Compliance', ctx);
+    ProbeRender.renderSubTables('table-compliance', 'Compliance', ctx, GROUPS);
   }
   render(window.PROBE_DATA);
   ProbeRender.renderLanguageFilter('lang-filter', window.PROBE_DATA, render);

docs/content/docs/_index.md

@@ -17,4 +17,5 @@ Reference documentation for every test in Http11Probe, organized by topic. Each
   {{< card link="content-length" title="Content-Length" subtitle="Non-numeric CL, plus sign, integer overflow, leading zeros, negative values." icon="calculator" >}}
   {{< card link="smuggling" title="Request Smuggling" subtitle="CL+TE conflicts, TE obfuscation, pipeline injection, and why ambiguous framing is dangerous." icon="shield-exclamation" >}}
   {{< card link="malformed-input" title="Malformed Input" subtitle="Binary garbage, oversized fields, control characters, incomplete requests." icon="lightning-bolt" >}}
+  {{< card link="upgrade" title="Upgrade / WebSocket" subtitle="Protocol upgrade validation, WebSocket handshake method and version checks." icon="arrow-up" >}}
 {{< /cards >}}

docs/content/docs/headers/_index.md

@@ -29,4 +29,5 @@ HTTP header fields follow a strict grammar: `field-name ":" OWS field-value OWS`
   {{< card link="invalid-header-name" title="INVALID-HEADER-NAME" subtitle="Non-token characters in field name." >}}
   {{< card link="header-no-colon" title="HEADER-NO-COLON" subtitle="Header line with no colon separator." >}}
   {{< card link="whitespace-before-headers" title="WHITESPACE-BEFORE-HEADERS" subtitle="Whitespace before the first header line." >}}
+  {{< card link="expect-unknown" title="EXPECT-UNKNOWN" subtitle="Unknown Expect value. Should respond with 417." >}}
 {{< /cards >}}

docs/content/docs/headers/expect-unknown.md

@@ -0,0 +1,31 @@
+---
+title: "EXPECT-UNKNOWN"
+description: "EXPECT-UNKNOWN test documentation"
+weight: 7
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-EXPECT-UNKNOWN` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9110 Section 10.1.1](https://www.rfc-editor.org/rfc/rfc9110#section-10.1.1) |
+| **Requirement** | MUST respond with 417 |
+| **Expected** | `417`; `2xx` is a warning |
+
+## What it sends
+
+`Expect: 200-ok` — an Expect header with a value the server cannot fulfill.
+
+## What the RFC says
+
+> "A server that receives an Expect field value containing a member other than 100-continue MAY respond with a 417 (Expectation Failed) status code to indicate that the unexpected expectation cannot be met." — RFC 9110 Section 10.1.1
+
+While the RFC uses "MAY", a `417 Expectation Failed` is the semantically correct response for an unrecognized Expect value. Silently ignoring unknown expectations is permissible but less strict.
+
+## Why it matters
+
+The Expect mechanism is a contract between client and server. If a server ignores unknown Expect values, clients cannot rely on the mechanism for future extensions. Returning `417` signals clear rejection of unsupported expectations.
+
+## Sources
+
+- [RFC 9110 Section 10.1.1](https://www.rfc-editor.org/rfc/rfc9110#section-10.1.1)

docs/content/docs/malformed-input/_index.md

@@ -36,4 +36,11 @@ These tests send pathological, oversized, or completely invalid payloads. The go
   {{< card link="chunk-size-overflow" title="CHUNK-SIZE-OVERFLOW" subtitle="Chunk size integer overflow." >}}
   {{< card link="h2-preface" title="H2-PREFACE" subtitle="HTTP/2 preface sent to HTTP/1.1 server." >}}
   {{< card link="chunk-extension-long" title="CHUNK-EXTENSION-LONG" subtitle="100KB chunk extension value." >}}
+  {{< card link="cl-empty" title="CL-EMPTY" subtitle="Empty Content-Length value." >}}
+{{< /cards >}}
+
+### Unscored
+
+{{< cards >}}
+  {{< card link="cl-tab-before-value" title="CL-TAB-BEFORE-VALUE" subtitle="Tab as OWS before Content-Length value." >}}
 {{< /cards >}}

docs/content/docs/malformed-input/cl-empty.md

@@ -0,0 +1,31 @@
+---
+title: "CL-EMPTY"
+description: "CL-EMPTY test documentation"
+weight: 19
+---
+
+| | |
+|---|---|
+| **Test ID** | `MAL-CL-EMPTY` |
+| **Category** | Malformed Input |
+| **RFC** | [RFC 9110 Section 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) |
+| **Requirement** | MUST reject |
+| **Expected** | `400` or close |
+
+## What it sends
+
+`Content-Length: ` — a Content-Length header with an empty value (just whitespace after the colon).
+
+## What the RFC says
+
+> "Content-Length = 1*DIGIT" — RFC 9110 Section 8.6
+
+The grammar requires at least one digit. An empty value is not a valid Content-Length and indicates invalid message framing.
+
+## Why it matters
+
+Parsers that treat an empty Content-Length as `0` will read no body, while others may reject it or wait for data. This disagreement between parsers can be exploited for smuggling when the request also carries a body.
+
+## Sources
+
+- [RFC 9110 Section 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6)

docs/content/docs/malformed-input/cl-tab-before-value.md

@@ -0,0 +1,32 @@
+---
+title: "CL-TAB-BEFORE-VALUE"
+description: "CL-TAB-BEFORE-VALUE test documentation"
+weight: 20
+---
+
+| | |
+|---|---|
+| **Test ID** | `MAL-CL-TAB-BEFORE-VALUE` |
+| **Category** | Malformed Input |
+| **RFC** | [RFC 9110 Section 5.5](https://www.rfc-editor.org/rfc/rfc9110#section-5.5) |
+| **Requirement** | valid per RFC |
+| **Expected** | `400` preferred; `2xx` is a warning |
+
+## What it sends
+
+`Content-Length:\t5` — a Content-Length header where a horizontal tab character separates the colon from the value, instead of a space.
+
+## What the RFC says
+
+> "OWS = *( SP / HTAB )" — RFC 9110 Section 5.6.3
+
+The optional whitespace (OWS) between the colon and the field value may be either spaces or horizontal tabs. A tab character is technically valid per the grammar.
+
+## Why it matters
+
+While tabs are valid OWS, they are rarely used in practice. Some parsers may not handle tab characters correctly — for example, treating the tab as part of the value rather than whitespace, resulting in a failed integer parse or a different numeric interpretation. This edge case tests parser robustness.
+
+## Sources
+
+- [RFC 9110 Section 5.5](https://www.rfc-editor.org/rfc/rfc9110#section-5.5)
+- [RFC 9110 Section 5.6.3](https://www.rfc-editor.org/rfc/rfc9110#section-5.6.3)

docs/content/docs/request-line/_index.md

@@ -26,11 +26,14 @@ Note this is a SHOULD, not a MUST. The RFC recommends 400 but does not mandate i
   {{< card link="options-star" title="OPTIONS-STAR" subtitle="OPTIONS * — valid asterisk-form request." >}}
   {{< card link="unknown-te-501" title="UNKNOWN-TE-501" subtitle="Unknown Transfer-Encoding without CL." >}}
   {{< card link="connect-empty-port" title="CONNECT-EMPTY-PORT" subtitle="CONNECT with empty port in authority-form." >}}
+  {{< card link="method-connect" title="METHOD-CONNECT" subtitle="CONNECT to an origin server must be rejected." >}}
+  {{< card link="method-connect-no-port" title="METHOD-CONNECT-NO-PORT" subtitle="CONNECT without port in authority-form." >}}
 {{< /cards >}}
 
 ### Unscored
 
 {{< cards >}}
   {{< card link="absolute-form" title="ABSOLUTE-FORM" subtitle="Absolute-form request-target (http://host/)." >}}
   {{< card link="method-case" title="METHOD-CASE" subtitle="Lowercase method 'get'. Methods are case-sensitive." >}}
+  {{< card link="method-trace" title="METHOD-TRACE" subtitle="TRACE request — should be disabled in production." >}}
 {{< /cards >}}

docs/content/docs/request-line/method-connect-no-port.md

@@ -0,0 +1,31 @@
+---
+title: "METHOD-CONNECT-NO-PORT"
+description: "METHOD-CONNECT-NO-PORT test documentation"
+weight: 13
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-METHOD-CONNECT-NO-PORT` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9112 Section 3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3) |
+| **Requirement** | MUST reject |
+| **Expected** | `400` or close |
+
+## What it sends
+
+`CONNECT example.com HTTP/1.1` — a CONNECT request with authority-form that is missing the required port.
+
+## What the RFC says
+
+> "The 'authority-form' of request-target is only used for CONNECT requests... authority = uri-host ':' port" — RFC 9112 Section 3.2.3
+
+The authority-form grammar requires both host and port separated by a colon. Omitting the port makes the request-target invalid.
+
+## Why it matters
+
+A server or proxy that accepts CONNECT without a port must guess the target port, which can lead to unexpected connections. This is a parsing ambiguity that could be exploited for SSRF or port confusion attacks.
+
+## Sources
+
+- [RFC 9112 Section 3.2.3](https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3)

docs/content/docs/request-line/method-connect.md

@@ -0,0 +1,31 @@
+---
+title: "METHOD-CONNECT"
+description: "METHOD-CONNECT test documentation"
+weight: 12
+---
+
+| | |
+|---|---|
+| **Test ID** | `COMP-METHOD-CONNECT` |
+| **Category** | Compliance |
+| **RFC** | [RFC 9110 Section 9.3.6](https://www.rfc-editor.org/rfc/rfc9110#section-9.3.6) |
+| **Requirement** | origin server SHOULD reject |
+| **Expected** | `400`, `405`, `501`, or close |
+
+## What it sends
+
+`CONNECT example.com:443 HTTP/1.1` — a CONNECT request sent directly to an origin server (not a proxy).
+
+## What the RFC says
+
+> "CONNECT is intended only for use in requests to a proxy... A server that does not act as a tunnel for the requested host and port, or which chooses not to open a TCP connection, MUST respond with an appropriate error status code." — RFC 9110 Section 9.3.6
+
+Origin servers are not proxies. They have no reason to accept CONNECT and establish a TCP tunnel.
+
+## Why it matters
+
+If an origin server accepts CONNECT, it effectively becomes an open proxy. This can be exploited for port scanning internal networks, bypassing firewalls, or pivoting attacks through the server.
+
+## Sources
+
+- [RFC 9110 Section 9.3.6](https://www.rfc-editor.org/rfc/rfc9110#section-9.3.6)