quic: get back to addressing some long standing quic updates

[jasnell]

This is a large batch of improvements to the QUIC implementation covering
bug fixes, security hardening, stream data flow, HTTP/3 completeness,
and dead code cleanup.

Stream data flow:

• Add streaming outbound support (InitStreaming, Write, EndWrite) on
  Stream using non-idempotent DataQueue inside Outbound
• Write returns total buffered bytes for JS-side backpressure
• Add inbound read wakeup via Blob::Reader setWakeup/NotifyPull to
  replace busy-polling on STATUS_BLOCK
• Fix connection-level flow control: EntryRead now extends both
  per-stream and per-connection offsets
• Track fin_sent state via new fin parameter on Stream::Commit
• Track bytes_sent and max_offset_received stats
• Remove unused PAUSED state field (pull model makes it unnecessary)
• Add max_data_left() check in DefaultApplication::GetStreamData

HTTP/3:

• Implement on_read_data_callback (critical: enables HTTP/3 body
  transmission via Bob protocol pull from Stream into nghttp3_vec)
• Implement SetStreamPriority override for server-side priority
• Implement OnShutdown (GOAWAY) with graceful session close

Security and TLS:

• Fix use-after-release in TLS session ticket resumption by adding
  OSSLContext::set_session_ticket() method
• Fix null UB in get_selected_alpn when no ALPN negotiated
• Implement client cert verification with reject_unauthorized option
  (default true: reject during handshake; false: defer to JS)
• Fix and re-enable server session ticket generation (root cause was
  invalid cast in GetAppDataSource: TLSSession* to AppData::Source*)
• Implement early data / 0-RTT rejection handling
• Add enable_early_data server option (default true)
• Re-enable ngtcp2_crypto_ossl_init() (moved from static init to
  CreatePerContextProperties with std::call_once)

Bug fixes:

• Fix AF_INET used instead of AF_INET6 in SelectPreferredAddress
• Fix acked_at stat recorded in Commit instead of Acknowledge
• Fix double destroyed_at timestamp in Endpoint::Destroy
• Fix ShouldSetFin is_empty logic (return i == 0, not i > 0)
• Fix token expiration clamping (std::min -> std::clamp with max)
• Fix DCHECK_IMPLIES using = instead of == in token validation
• Fix CID hash truncated to uint8_t (move mixing outside std::hash)
• Fix PreferredAddress::AddressInfo string_view dangling pointer
• Fix Endpoint::Send() stats counted after send failure
• Fix Endpoint::OnReceive buffer leak on UV_UDP_PARTIAL and errors
• Fix memcmp -> CRYPTO_memcmp for constant-time token comparison
• Fix RegularToken memory info macros referencing RetryToken
• Fix LogStream variable shadowing (EmitAlloc gets wrong size)
• Fix [[unlikely]] annotation on common success path in Receive

New features:

• Add on_receive_new_token handling: emits token + remote address
  to JS for storage and future reconnection
• Add token field to Session::Options for client reconnection
• Make 0-RTT retry conditional on validate_address option

Cleanup:

• Remove dead declarations (Release, FastMarkBusy, FastRef)
• Remove ShouldSetFin pure virtual (never called, FIN set directly)
• Remove StreamData::remaining (write-only field)
• Remove UnscheduleStream/Unschedule (ListNode dtor handles it)
• Add static_assert for ngtcp2_vec/nghttp3_vec layout compatibility
• Fix comment bugs (bidi->uni, retry->regular in RegularToken docs)
• Make DebugIndentScope::indent_ thread_local
• Clear server_state_ in Endpoint::Destroy
• Add CreateEntryFromBuffer utility (detach-or-copy for ArrayBuffers)

[codecov]

Codecov Report

❌ Patch coverage is 87.50000% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.69%. Comparing base (2263b4d) to head (b85f58a).

Files with missing lines	Patch %	Lines
src/node_blob.cc	38.46%	6 Missing and 2 partials ⚠️
lib/internal/blob.js	95.23%	3 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #62387   +/-   ##
=======================================
  Coverage   89.68%   89.69%           
=======================================
  Files         676      676           
  Lines      206710   206739   +29     
  Branches    39584    39589    +5     
=======================================
+ Hits       185398   185431   +33     
- Misses      13441    13446    +5     
+ Partials     7871     7862    -9     

Files with missing lines	Coverage Δ
lib/internal/quic/quic.js	100.00% <100.00%> (ø)
lib/internal/quic/state.js	51.73% <ø> (+0.10%)	⬆️
src/node_blob.h	37.50% <ø> (ø)
lib/internal/blob.js	99.43% <95.23%> (-0.57%)	⬇️
src/node_blob.cc	73.94% <38.46%> (-1.26%)	⬇️

... and 24 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.