
fix(http/unstable): align Cache-Control with RFC 9111 quoted-string and field-name rules #7116

Open
tomas-zijdemans wants to merge 4 commits into denoland:main from tomas-zijdemans:prep-cachecontrol

@tomas-zijdemans
Contributor

@tomas-zijdemans tomas-zijdemans commented Apr 26, 2026

Tightens parseCacheControl / formatCacheControl against RFC 9111 §5.2 + RFC 9110 §5.6.4 / §5.6.2:

  • Accept quoted-string form for numeric arguments. max-age, s-maxage, min-fresh, max-stale, stale-while-revalidate, and stale-if-error now accept both token and quoted-string production (e.g. max-age="60"). Previously the quotes were treated as part of the value and rejected.
  • Unescape all quoted-pairs in field names, not just \". RFC 9110 §5.6.4 allows \X for any X in VCHAR / obs-text / SP / HTAB. The old parser only stripped \\"; quoted-pairs like \\\\ (literal backslash) were left intact. A shared unquoteArgument helper now performs the full unescape and is reused by both numeric and field-name argument parsing.
  • Validate field names on output. formatCacheControl now rejects any entry of noCache / private that isn't a valid HTTP token (RFC 9110 §5.6.2 tchar), throwing TypeError instead of emitting a malformed no-cache="has space" style header that downstream caches would reject or misinterpret.

@github-actions github-actions Bot added the http label Apr 26, 2026

codecov Bot commented Apr 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.61%. Comparing base (a496da2) to head (2f60d77).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7116   +/-   ##
=======================================
  Coverage   94.61%   94.61%           
=======================================
  Files         634      634           
  Lines       51801    51816   +15     
  Branches     9329     9333    +4     
=======================================
+ Hits        49011    49026   +15     
  Misses       2216     2216           
  Partials      574      574           


Member

@bartlomieju bartlomieju left a comment


Thanks for the RFC compliance fix — the unquoteArgument helper and tchar validation are correct and well-tested.

A couple of nits:

Missing PR description — the body is empty. A brief note on what was wrong (e.g. quoted-string numeric args rejected, only \" unescaped instead of all quoted-pairs, no field-name validation on output) would help reviewers and show up in the changelog.

splitDirectives has the same quoted-pair blindspot — it toggles inQuotes on every " including those inside a \" quoted-pair. Since this PR is specifically improving quoted-pair handling in unquoteArgument and parseFieldNames, it would be consistent to also handle backslash escapes in splitDirectives (or at least leave a // TODO noting the limitation). In practice field names are tokens so they can't contain ", but it's an odd gap given the rest of the work here.

Comment thread http/unstable_cache_control.ts Outdated
@tomas-zijdemans
Contributor Author

Thanks,

  • PR description added
  • Error message reverted as suggested
  • Regarding splitDirectives, the c === 92 && inQuotes branch handles this. It skips the escaped byte before the " toggle, so " and , don't break splitting (covered by the splits correctly when quoted values contain escaped quotes test). The /* \ */ annotation didn't make that obvious though. I added a JSDoc note + inline comment pointing at RFC 9110 §5.6.4.
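
The three behaviours discussed in this thread (quote-aware splitting that skips quoted-pairs, full quoted-pair unescaping for numeric arguments, and tchar validation on output), as an added illustration that is not the code from this pull request or from the Deno standard library. The function names `splitOutsideQuotes`, `unquote`, `maxAgeOf` and `formatFieldNames` are hypothetical, and the sample header is constructed.

```typescript
// tchar set from RFC 9110 §5.6.2
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Constructed sample header (not taken from the PR's tests).
const SAMPLE = 'max-age="60", no-cache="set-cookie, x-a", ext="a\\",b"';

/** Split on commas that lie outside a quoted-string. */
function splitOutsideQuotes(header: string): string[] {
  const parts: string[] = [];
  let inQuotes = false;
  let start = 0;
  for (let i = 0; i < header.length; i++) {
    const c = header.charCodeAt(i);
    if (c === 92 && inQuotes) i++; // quoted-pair: skip the escaped byte
    else if (c === 34) inQuotes = !inQuotes; // DQUOTE
    else if (c === 44 && !inQuotes) { // comma between directives
      parts.push(header.slice(start, i).trim());
      start = i + 1;
    }
  }
  parts.push(header.slice(start).trim());
  return parts.filter((p) => p.length > 0);
}

/** Tokens pass through; a quoted-string loses its DQUOTEs and every \X becomes X. */
function unquote(value: string): string {
  const last = value.length - 1;
  if (last < 1 || value.charCodeAt(0) !== 34 || value.charCodeAt(last) !== 34) return value;
  return value.slice(1, -1).replace(/\\(.)/g, "$1");
}

/** Read max-age in token (60) or quoted-string ("60") form; null if absent or invalid. */
function maxAgeOf(header: string): number | null {
  for (const d of splitOutsideQuotes(header)) {
    const eq = d.indexOf("=");
    if (eq > 0 && d.slice(0, eq).toLowerCase() === "max-age") {
      const v = unquote(d.slice(eq + 1));
      return /^\d+$/.test(v) ? Number(v) : null;
    }
  }
  return null;
}

/** Emit directive="a, b", throwing TypeError for any name that is not a token. */
function formatFieldNames(directive: string, names: string[]): string {
  for (const n of names) {
    if (!TOKEN.test(n)) throw new TypeError(`Invalid field name: ${JSON.stringify(n)}`);
  }
  return `${directive}="${names.join(", ")}"`;
}
```

A splitter that toggled on every `"` would cut `ext="a\", max-age=5"` at the escaped quote and surface `max-age=5` as its own directive, which is the kind of disagreement between parsers that the quoted-pair handling prevents.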
