fix(websocket): close proxy socket on tunnel shutdown so wss-via-proxy upgrade resources free

WebSocketProxyTunnel.shutdown() only sent TLS close_notify and never
closed the underlying socket, so the upgrade client's handleClose never
fired, proxy.deinit never ran, and the tunnel + per-connection SSL_CTX +
upgrade client all leaked (~2.5MB per wss-via-http-proxy connection).

shutdown() now takes the socket out (so a re-entrant call via
handleClose -> clearData -> proxy.deinit -> tunnel.shutdown finds .none
and is a no-op) and closes it. The synchronous re-entry is refcount-safe
without an extra guard: tunnel is at 2 (proxy + WebSocketClient) before
cleanup; proxy.deinit derefs to 1; the WebSocketClient cleanup's own
deref takes it to 0.

Test runs 200 connect/close cycles with servers in a separate process
and asserts client RSS growth < 1.5MB/iter (pre-fix ~2.5MB/iter,
post-fix ~1.0MB/iter).

Author: cirospaciari

src/http/websocket_client/WebSocketProxyTunnel.zig

@@ -88,6 +88,13 @@ const SocketUnion = union(enum) {
             .none => true,
         };
     }
+
+    pub fn close(self: SocketUnion) void {
+        switch (self) {
+            inline .tcp, .ssl => |s| s.close(.normal),
+            .none => {},
+        }
+    }
 };
 
 const SSLWrapperType = SSLWrapper(*WebSocketProxyTunnel);
@@ -339,6 +346,13 @@ pub fn shutdown(this: *WebSocketProxyTunnel) void {
     if (this.#wrapper) |*wrapper| {
         _ = wrapper.shutdown(true); // Fast shutdown
     }
+    // Close the underlying proxy socket so the upgrade client's handleClose
+    // fires and releases its socket ref + proxy state. Take the socket out
+    // first so a re-entrant shutdown() (via handleClose → clearData →
+    // proxy.deinit → tunnel.shutdown) finds .none and is a no-op.
+    const sock = this.#socket;
+    this.#socket = .{ .none = {} };
+    sock.close();
 }
 
 /// Check if the tunnel has backpressure

test/js/web/websocket/wss-proxy-tunnel-leak-fixture.ts

@@ -0,0 +1,46 @@
+/**
+ * Regression test for the tunnel-mode HTTPClient leak in
+ * WebSocketUpgradeClient.zig. The wss://-through-HTTP-proxy success path took
+ * `outgoing_websocket` without dropping the cpp_websocket ref, so each
+ * upgrade left an HTTPClient (~4KB struct including 128 PicoHTTP.Header
+ * headers_buf) at refcount=1 forever. 500 upgrades ≈ 2MB+ of unreclaimable
+ * RSS — well above the noise floor under --smol.
+ */
+import { expect, test } from "bun:test";
+import { bunEnv, bunExe, isDebug } from "harness";
+import { join } from "node:path";
+
+test(
+  "wss-via-http-proxy upgrade does not leak the HTTPClient",
+  async () => {
+    const ITER = isDebug ? 200 : 500;
+    await using proc = Bun.spawn({
+      cmd: [bunExe(), "--smol", join(import.meta.dirname, "wss-proxy-tunnel-leak-fixture.ts")],
+      env: { ...bunEnv, LEAK_ITER: String(ITER), LEAK_WARMUP: "60" },
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+
+    const [stdout, stderr, exitCode] = await Promise.all([proc.stdout.text(), proc.stderr.text(), proc.exited]);
+
+    expect(stderr).toBe("");
+    expect(exitCode).toBe(0);
+
+    const { baseline, after, growth, iter } = JSON.parse(stdout.trim());
+    expect(iter).toBe(ITER);
+
+    // Without the fix, the upgrade client + tunnel + SSLWrapper never free
+    // and growth is ~2.5MB/iter. With the fix the tunnel reaches refcount=0;
+    // a residual ~1MB/iter remains (per-connection SSL_CTX cost — separate
+    // from this leak). Threshold sits between the two so the test fails
+    // before the fix and passes after.
+    const threshold = iter * 1536 * 1024;
+    if (growth >= threshold) {
+      throw new Error(
+        `RSS grew ${growth} bytes (${(growth / iter).toFixed(0)} B/iter) over ${iter} wss-via-proxy upgrades ` +
+          `(baseline=${baseline}, after=${after}, threshold=${threshold})`,
+      );
+    }
+  },
+  isDebug ? 120_000 : 60_000,
+);