fix: address inline review comments — multi-line Tor parsing, bech32 validation, type deps, engines, await closeTorClient, TorClient tests

Agent-Logs-Url: https://github.com/cameri/nostream/sessions/f56791f2-7216-4d11-b88a-63b5d2c432e5

Co-authored-by: cameri <378886+cameri@users.noreply.github.com>

Author: Copilot

package-lock.json

@@ -90,6 +90,7 @@
     "@semantic-release/github": "8.1.0",
     "@semantic-release/npm": "13.1.5",
     "@semantic-release/release-notes-generator": "10.0.3",
+    "@types/accepts": "^1.3.7",
     "@types/chai": "^4.3.1",
     "@types/chai-as-promised": "^7.1.5",
     "@types/debug": "4.1.7",
@@ -123,9 +124,11 @@
     "typescript": "~5.7.3",
     "uuid": "^8.3.2"
   },
+  "engines": {
+    "node": ">=22.9"
+  },
   "dependencies": {
     "@noble/secp256k1": "1.7.1",
-    "@types/accepts": "^1.3.7",
     "accepts": "^1.3.8",
     "axios": "^1.15.0",
     "debug": "4.3.4",

package.json

@@ -46,23 +46,89 @@ export class TorClient {
     })
   }
 
+  private isCompleteTorReply(buffer: string): boolean {
+    if (!buffer.endsWith('\r\n')) {
+      return false
+    }
+
+    const lines = buffer.split('\r\n')
+    if (lines[lines.length - 1] === '') {
+      lines.pop()
+    }
+
+    if (lines.length === 0) {
+      return false
+    }
+
+    const firstLine = lines[0].match(/^(\d{3})([\s\-+])/)
+    if (!firstLine) {
+      return false
+    }
+
+    const statusCode = firstLine[1]
+    let inDataBlock = false
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i]
+
+      if (inDataBlock) {
+        if (line === '.') {
+          inDataBlock = false
+        }
+        continue
+      }
+
+      const match = line.match(/^(\d{3})([\s\-+])/)
+      if (!match || match[1] !== statusCode) {
+        return false
+      }
+
+      if (match[2] === ' ') {
+        return i === lines.length - 1
+      }
+
+      if (match[2] === '+') {
+        inDataBlock = true
+      }
+    }
+
+    return false
+  }
+
   private sendCommand(command: string): Promise<string> {
     return new Promise((resolve, reject) => {
       if (!this.socket) {
         reject(new Error('Not connected to Tor control port'))
         return
       }
+
+      const socket = this.socket
       let buf = ''
+
+      const cleanup = () => {
+        socket.off('data', onData)
+        socket.off('error', onError)
+      }
+
+      const onError = (error: Error) => {
+        cleanup()
+        reject(error)
+      }
+
       const onData = (data: Buffer) => {
         buf += data.toString()
-        if (buf.endsWith('\r\n')) {
-          this.socket!.off('data', onData)
-          if (/^250/.test(buf)) { resolve(buf) }
-          else { reject(new Error(buf.trim())) }
+        if (!this.isCompleteTorReply(buf)) {
+          return
         }
+
+        cleanup()
+        if (/^250/.test(buf)) { resolve(buf) }
+        else { reject(new Error(buf.trim())) }
       }
-      this.socket.on('data', onData)
-      this.socket.write(`${command}\r\n`)
+
+      socket.on('data', onData)
+      socket.on('error', onError)
+      socket.write(`${command}\r\n`)
     })
   }
 

src/tor/client.ts

@@ -48,16 +48,25 @@ function bech32PrefixChk(prefix: string): number {
 function bech32Convert(data: number[], inBits: number, outBits: number, pad: boolean): number[] {
   let value = 0, bits = 0
   const maxV = (1 << outBits) - 1
+  const maxAcc = (1 << (inBits + outBits - 1)) - 1
+  const maxInput = (1 << inBits) - 1
   const result: number[] = []
   for (const byte of data) {
-    value = (value << inBits) | byte
+    if (!Number.isInteger(byte) || byte < 0 || byte > maxInput) {
+      throw new Error(`Invalid value for ${inBits}-bit input: ${byte}`)
+    }
+    value = ((value << inBits) | byte) & maxAcc
     bits += inBits
     while (bits >= outBits) {
       bits -= outBits
       result.push((value >> bits) & maxV)
     }
   }
-  if (pad && bits > 0) { result.push((value << (outBits - bits)) & maxV) }
+  if (pad) {
+    if (bits > 0) { result.push((value << (outBits - bits)) & maxV) }
+  } else if (bits >= inBits || ((value << (outBits - bits)) & maxV) !== 0) {
+    throw new Error('Invalid bech32 padding')
+  }
   return result
 }
 
@@ -135,8 +144,14 @@ export const fromDBUser = applySpec<User>({
 })
 
 export const fromBech32 = (input: string) => {
+  const normalizedInput = input.toLowerCase()
+
+  if (input !== normalizedInput && input !== input.toUpperCase()) {
+    throw new Error('Bech32 mixed-case input is invalid')
+  }
+
   const { prefix, words } = bech32Decode(input)
-  if (!input.startsWith(prefix)) {
+  if (!normalizedInput.startsWith(prefix)) {
     throw new Error(`Bech32 invalid prefix: ${prefix}`)
   }