TASK-029: collapse IP-control and stop verbs to canonical names

Public API rename (no aliases, per v2.0 breaking-changes policy):
- webserver::sweet_kill -> webserver::stop_and_wait
- webserver::ban_ip / unban_ip / allow_ip / disallow_ip
  collapsed to webserver::block_ip(std::string_view) /
  webserver::unblock_ip(std::string_view)

Per PRD-NAM-REQ-005 and OQ-004 the public surface keeps only deny-list
manipulation. The internal allowances set and the is_allowed branch in
policy_callback remain in place so default_policy(REJECT) keeps working
at the daemon level, but they are no longer reachable from the public
API. Coverage note: five ban_system tests that drove the allow-list
through the (now-removed) public API are deleted; a follow-up unit
test that pokes the PIMPL could restore that coverage at the cost of
breaking the PIMPL boundary, which is deliberately out of scope here.

webserver::stop() is unchanged ("stop without waiting" verb).
shoutCAST is preserved per OQ-005.

Action items:
- src/httpserver/webserver.hpp: new <string_view> include; old four
  ban/allow declarations replaced with block_ip / unblock_ip; new
  doxygen; sweet_kill renamed to stop_and_wait.
- src/webserver.cpp: stop_and_wait body unchanged; block_ip /
  unblock_ip materialize std::string once at the boundary to call
  ip_representation(const std::string&) (no string_view ctor added
  to ip_representation).
- test/integ/ws_start_stop.cpp: sweet_kill test renamed.
- test/integ/ban_system.cpp: 4 retained tests renamed inline; 5
  allow_ip/disallow_ip tests removed.
- examples/minimal_ip_ban.cpp: rewritten to demonstrate block_ip
  under the default ACCEPT policy.
- examples/daemon_info.cpp: sweet_kill -> stop_and_wait.
- README.md: bullets + code samples updated.

Acceptance criteria verified:
- grep '\\bsweet_kill\\b' src/httpserver/*.hpp src/*.cpp -> empty
- grep '\\b(ban_ip|unban_ip|allow_ip|disallow_ip)\\b'
    src/httpserver/*.hpp -> empty
- camelCase grep on src/httpserver/*.hpp returns pre-existing
  matches only (comments, MHD/GnuTLS types, generateFilenameException,
  shoutCAST). No method names introduced or touched by this task
  use camelCase.
- make check (release + --enable-debug): 40/40 pass.
- cpplint: clean on all touched files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: etr

README.md

@@ -544,7 +544,7 @@ Once a webserver is created, you can manage its execution through the following
 * _**void** webserver::start(**bool** blocking):_ Allows to start a server. If the `blocking` flag is passed as `true`, it will block the execution of the current thread until a call to stop on the same webserver object is performed.
 * _**void** webserver::stop():_ Allows to stop a server. It immediately stops it.
 * _**bool** webserver::is_running():_ Checks if a server is running
-* _**void** webserver::sweet_kill():_ Allows to stop a server. It doesn't guarantee an immediate halt to allow for thread termination and connection closure.
+* _**void** webserver::stop_and_wait():_ Stop the webserver and wait for in-flight handlers to complete before returning. Use `stop()` when no such guarantee is required.
 * _**int** webserver::quiesce():_ Quiesce the daemon: stop accepting new connections while letting in-flight requests complete. Returns the listen socket file descriptor (the caller can close it), or `-1` on error.
 * _**bool** webserver::run():_ Run the webserver's event loop once (non-blocking). For use with external event loops when the server is started without internal threading. Returns `true` on success.
 * _**bool** webserver::run_wait(**int32_t** millisec):_ Run the webserver's event loop, blocking until there is activity or the timeout expires. Pass `-1` for indefinite wait. Returns `true` on success.
@@ -946,10 +946,8 @@ libhttpserver provides natively a system to blacklist and whitelist IP addresses
 The system supports both IPV4 and IPV6 and manages them transparently. The only requirement is for ipv6 to be enabled on your server - you'll have to enable this by using the `use_ipv6` method on `create_webserver`.
 
 You can explicitly ban or allow an IP address using the following methods on the `webserver` class:
-* _**void** ban_ip(**const std::string&** ip):_ Adds one IP (or a range of IPs) to the list of the banned ones. Takes in input a `string` that contains the IP (or range of IPs) to ban. To use when the `default_policy` is `ACCEPT`.
-* _**void** allow_ip(**const std::string&** ip):_ Adds one IP (or a range of IPs) to the list of the allowed ones. Takes in input a `string` that contains the IP (or range of IPs) to allow.  To use when the `default_policy` is `REJECT`.
-* _**void** unban_ip(**const std::string&** ip):_ Removes one IP (or a range of IPs) from the list of the banned ones. Takes in input a `string` that contains the IP (or range of IPs) to remove from the list.  To use when the `default_policy` is `ACCEPT`.
-* _**void** disallow_ip(**const std::string&** ip):_ Removes one IP (or a range of IPs) from the list of the allowed ones. Takes in input a `string` that contains the IP (or range of IPs) to remove from the list.  To use when the `default_policy` is `REJECT`.
+* _**void** block_ip(**std::string_view** ip):_ Add one IP (or a range, e.g. `"127.0.0.*"`) to the block list. Connections from a matching address are refused at the policy callback. Intended for use under the default `ACCEPT` policy.
+* _**void** unblock_ip(**std::string_view** ip):_ Remove one IP (or a range) from the block list. Idempotent: removing an entry that is not currently blocked is a no-op.
 
 ### IP String Format
 The IP string format can represent both IPV4 and IPV6. Addresses will be normalized by the webserver to operate in the same sapce. Any valid IPV4 or IPV6 textual representation works.
@@ -977,10 +975,11 @@ Examples of valid IPs include:
     };
 
     int main(int argc, char** argv) {
-        webserver ws = create_webserver(8080)
-            .default_policy(http::http_utils::REJECT);
+        webserver ws = create_webserver(8080);
 
-        ws.allow_ip("127.0.0.1");
+        // Refuse connections from this address; everything else is accepted
+        // by default. Use a range like "127.0.0.*" to block a wildcard.
+        ws.block_ip("10.0.0.1");
 
         hello_world_resource hwr;
         ws.register_resource("/hello", &hwr);
@@ -1728,7 +1727,7 @@ You can also check this example on [github](https://github.com/etr/libhttpserver
         std::cout << "HTTP 404 reason: "
                   << http::http_utils::reason_phrase(404) << std::endl;
 
-        ws.sweet_kill();
+        ws.stop_and_wait();
         return 0;
     }
 ```

examples/daemon_info.cpp

@@ -53,7 +53,7 @@ int main() {
               << ". Press Ctrl+C to stop." << std::endl;
 
     // Block until interrupted
-    ws.sweet_kill();
+    ws.stop_and_wait();
 
     return 0;
 }

examples/minimal_ip_ban.cpp

@@ -29,10 +29,13 @@ class hello_world_resource : public httpserver::http_resource {
      }
 };
 
+// TASK-029: The v2.0 public IP-control API is the pair block_ip / unblock_ip,
+// usable under the default ACCEPT policy. The historical allow_ip /
+// disallow_ip pair (under REJECT) was dropped from the public surface.
 int main() {
-    httpserver::webserver ws = httpserver::create_webserver(8080).default_policy(httpserver::http::http_utils::REJECT);
+    httpserver::webserver ws = httpserver::create_webserver(8080);
 
-    ws.allow_ip("127.0.0.1");
+    ws.block_ip("10.0.0.1");
 
     auto hwr = std::make_shared<hello_world_resource>();
     ws.register_path("/hello", hwr);

src/httpserver/webserver.hpp

@@ -32,6 +32,7 @@
 #include <functional>
 #include <memory>
 #include <string>
+#include <string_view>
 #include <type_traits>
 #include <utility>
 #include <vector>
@@ -298,10 +299,21 @@ class webserver {
       * and unregister_prefix; idempotent.
      **/
      void unregister_resource(const std::string& path);
-     void ban_ip(const std::string& ip);
-     void allow_ip(const std::string& ip);
-     void unban_ip(const std::string& ip);
-     void disallow_ip(const std::string& ip);
+
+     /**
+      * Add @p ip (or a range, e.g. "127.0.0.*") to the IP block list.
+      * Connections from a matching address are refused at the policy
+      * callback. Intended for use under the default ACCEPT policy.
+      * No-op semantics are preserved when the same IP is added twice;
+      * a more specific entry replaces a previously-recorded wildcard.
+     **/
+     void block_ip(std::string_view ip);
+
+     /**
+      * Remove @p ip from the IP block list. Idempotent: removing an IP
+      * that is not currently blocked is a no-op.
+     **/
+     void unblock_ip(std::string_view ip);
 
      log_access_ptr get_access_logger() const {
          return log_access;
@@ -320,9 +332,10 @@ class webserver {
      }
 
      /**
-      * Method used to kill the webserver waiting for it to terminate
+      * Stop the webserver and wait for in-flight handlers to complete
+      * before returning. Use stop() when no such guarantee is required.
      **/
-     void sweet_kill();
+     void stop_and_wait();
 
      /**
       * Run the webserver's event loop once (non-blocking).

src/webserver.cpp

@@ -243,7 +243,7 @@ webserver::~webserver() {
     // when the unique_ptr is destroyed, after this body finishes.
 }
 
-void webserver::sweet_kill() {
+void webserver::stop_and_wait() {
     stop();
 }
 
@@ -1088,38 +1088,27 @@ void webserver::unregister_resource(const string& resource) {
     impl_->route_cache_v2.clear();
 }
 
-void webserver::ban_ip(const string& ip) {
+// TASK-029: The v2.0 public IP-control API is the pair block_ip / unblock_ip.
+// The historical ban_ip / unban_ip / allow_ip / disallow_ip quartet was
+// collapsed to a single name pair operating on the deny list. The internal
+// allowances set and the allow-list branch in policy_callback remain in
+// place so default_policy(REJECT) keeps working at the daemon level, but
+// they are no longer reachable from the public API.
+void webserver::block_ip(std::string_view ip) {
     std::unique_lock bans_lock(impl_->bans_mutex);
-    ip_representation t_ip(ip);
-    set<ip_representation>::iterator it = impl_->bans.find(t_ip);
-    if (it != impl_->bans.end() && (t_ip.weight() < (*it).weight())) {
+    ip_representation t_ip{std::string{ip}};
+    auto it = impl_->bans.find(t_ip);
+    if (it != impl_->bans.end() && (t_ip.weight() < it->weight())) {
         impl_->bans.erase(it);
         impl_->bans.insert(t_ip);
     } else {
         impl_->bans.insert(t_ip);
     }
 }
 
-void webserver::allow_ip(const string& ip) {
-    std::unique_lock allowances_lock(impl_->allowances_mutex);
-    ip_representation t_ip(ip);
-    set<ip_representation>::iterator it = impl_->allowances.find(t_ip);
-    if (it != impl_->allowances.end() && (t_ip.weight() < (*it).weight())) {
-        impl_->allowances.erase(it);
-        impl_->allowances.insert(t_ip);
-    } else {
-        impl_->allowances.insert(t_ip);
-    }
-}
-
-void webserver::unban_ip(const string& ip) {
+void webserver::unblock_ip(std::string_view ip) {
     std::unique_lock bans_lock(impl_->bans_mutex);
-    impl_->bans.erase(ip_representation(ip));
-}
-
-void webserver::disallow_ip(const string& ip) {
-    std::unique_lock allowances_lock(impl_->allowances_mutex);
-    impl_->allowances.erase(ip_representation(ip));
+    impl_->bans.erase(ip_representation{std::string{ip}});
 }
 
 namespace detail {