The symptom was the kind that makes you doubt your own eyes. curl against the API worked perfectly. A small POST worked. A large POST hung, forever, no error, no timeout, just a cursor blinking at me. SSH into the box was fine until I ran ls in a directory with a lot of files, at which point the session froze. Anything small: instant. Anything that filled a few packets: dead.
If you've done this for a while, a little alarm goes off at that pattern. Small fine, large stalls, no reset. That's not the application. That's path MTU discovery being broken somewhere, and ICMP "fragmentation needed" being dropped by a firewall that thinks it's helping.
The traffic was going over a freshly added WireGuard tunnel, which knocks 80 bytes off the usable MTU. The interface was still advertising 1500, so the kernel happily built full-size frames that could never make it through, and the ICMP that should have told it to back off was being eaten upstream.
ip link set wg0 mtu 1420
Connections that had been hanging for an hour completed instantly. I sat there feeling slightly foolish, because it is always the MTU, and I always spend an hour rediscovering that fact. The lesson, written here mostly so future me reads it: when small works and large hangs, stop reading application logs and start counting bytes.