
chore: inline 5 dependencies, removing external packages #500

Merged
cameri merged 6 commits into main from chore/inline-dependencies
Apr 18, 2026


@phoenix-server
Collaborator

@phoenix-server phoenix-server commented Apr 18, 2026

Summary

  • Removed bech32, dotenv, helmet, and tor-control-ts from production dependencies (16 → 12)
  • Each package was replaced by inlining its functionality directly into the codebase

Changes

  • bech32 — ~75-line pure bech32 encode/decode inlined into src/utils/transform.ts
  • tor-control-ts — replaced with a ~60-line TorClient class using Node.js net.Socket in src/tor/client.ts; tests updated to stub TorClient.prototype directly
  • helmet — replaced with an inline CSP middleware in src/factories/web-app-factory.ts
  • dotenv — replaced with Node.js --env-file-if-exists=.env flag in npm scripts (requires Node 22.9+; this project targets Node 24)

Test plan

  • npm run build passes (TypeScript)
  • npm test passes (all 623 unit tests)
  • npm run lint passes (Biome)
  • Manual smoke: relay connection, event publish, NIP-05 lookup

🤖 Generated with Claude Code

- bech32: inline encode/decode in transform.ts (~75 lines)
- accepts: replace with request.headers.accept?.includes() check
- tor-control-ts: inline Tor control protocol via net.Socket (TorClient class)
- helmet: inline Content-Security-Policy header construction
- dotenv: use Node.js --env-file-if-exists flag in npm scripts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coveralls
Collaborator

coveralls commented Apr 18, 2026

Coverage Status

Coverage is 68.308% chore/inline-dependencies into main. No base build found for main.

@cameri
Owner

cameri commented Apr 18, 2026

@copilot resolve the merge conflicts in this pull request, make no mistakes

phoenix-server and others added 2 commits April 18, 2026 13:43
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@socket-security

socket-security Bot commented Apr 18, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | @types/accepts@1.3.7 | 100 | 100 | 70 | 80 | 100


Contributor

Copilot AI commented Apr 18, 2026

> @copilot resolve the merge conflicts in this pull request, make no mistakes

Resolved in 353caca. Three files had conflicts:

  • src/tor/client.ts — kept TorClient class name, fixed spacing
  • src/utils/transform.ts — kept inlined bech32, adopted multi-line ramda import style from main
  • test/unit/tor/onion.spec.ts — kept TorClient prototype stubs, removed unused mockModule helper from main's stale version

All 769 unit tests pass, build and lint are clean.

@cameri
Owner

cameri commented Apr 18, 2026

@copilot what's the size on disk of dependencies before/after? and what's the % relative change?

Contributor

Copilot AI commented Apr 18, 2026

> @copilot what's the size on disk of dependencies before/after? and what's the % relative change?

Measured using du -sb (actual byte content, no block-size padding):

Package | Removed (bytes)
bech32 | 10,209
dotenv | 36,605
helmet | 90,584
tor-control-ts | 13,520
Total removed | 150,918

The inlined replacements added ~4,864 bytes to source files (transform.ts +2,443, client.ts +2,264, web-app-factory.ts +157), so the net reduction is ~146 KB of package code.

node_modules disk usage:

  • Before: 280,707,677 bytes (267.7 MB)
  • After: 280,562,512 bytes (267.5 MB)
  • Reduction: 145,165 bytes (141.8 KB) — −0.05%

The small relative change is expected: these were lightweight packages against a 268 MB node_modules. The value here is fewer external supply-chain dependencies rather than a significant size win.


Copilot AI left a comment


Pull request overview

This PR reduces production dependencies by inlining functionality previously provided by bech32, tor-control-ts, helmet, and dotenv, updating the Tor client, CSP handling, and environment-variable loading accordingly.

Changes:

  • Inlined bech32 encode/decode logic into src/utils/transform.ts.
  • Replaced tor-control-ts with a custom TorClient over net.Socket, updating Tor-related unit tests.
  • Replaced helmet CSP middleware with an inline CSP header builder and removed dotenv initialization in favor of Node’s --env-file-if-exists.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 8 comments.

File | Description
test/unit/tor/onion.spec.ts | Updates Tor tests to stub the new TorClient instead of tor-control-ts.
src/utils/transform.ts | Removes external bech32 dependency and adds inline bech32 encode/decode helpers.
src/tor/client.ts | Introduces TorClient based on net.Socket and updates onion creation flow.
src/scripts/export-events.ts | Removes dotenv startup loading.
src/index.ts | Removes dotenv startup loading.
src/import-events.ts | Removes dotenv startup loading.
src/handlers/request-handlers/root-request-handler.ts | Import ordering change.
src/factories/web-app-factory.ts | Replaces helmet CSP middleware with manual CSP header construction.
src/clean-db.ts | Removes dotenv startup loading.
package.json | Updates scripts to use --env-file-if-exists and removes several dependencies; adds @types/accepts.
package-lock.json | Reflects dependency removals/additions from package.json.


Comment thread src/tor/client.ts
Comment thread src/utils/transform.ts Outdated
Comment thread src/utils/transform.ts Outdated
Comment thread package.json
Comment thread package.json
Comment thread test/unit/tor/onion.spec.ts
Comment thread src/tor/client.ts Outdated
Comment thread src/tor/client.ts Outdated
@cameri
Owner

cameri commented Apr 18, 2026

@copilot address all inline comments

…validation, type deps, engines, await closeTorClient, TorClient tests

Agent-Logs-Url: https://github.com/cameri/nostream/sessions/f56791f2-7216-4d11-b88a-63b5d2c432e5

Co-authored-by: cameri <378886+cameri@users.noreply.github.com>
Contributor

Copilot AI commented Apr 18, 2026

> @copilot address all inline comments

All addressed in 2ed81f5:

  • src/tor/client.ts: Added isCompleteTorReply for proper multi-line Tor reply parsing (handles 250- continuations, 250+ data blocks, and terminating 250 OK). sendCommand now uses it instead of the naive endsWith('\r\n') check, and attaches an error handler with cleanup on both resolve and reject.
  • src/utils/transform.ts: bech32Convert now validates each input symbol is within the expected bit range and rejects non-zero leftover bits in the non-padded decode path. fromBech32 normalizes input to lowercase before the prefix check and rejects mixed-case inputs.
  • package.json: @types/accepts moved to devDependencies; added "engines": { "node": ">=22.9" }.
  • test/unit/tor/onion.spec.ts: All closeTorClient() calls are now await closeTorClient().
  • test/unit/tor/client.spec.ts (new): 22 focused tests covering isCompleteTorReply (10 cases), sendCommand (8 cases including fragmented TCP chunks, listener cleanup, socket error mid-command), and connect (4 cases). All 791 unit tests pass.
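
The reply-framing problem described in the comment above, as an added sketch that is not taken from this PR or from nostream. `replyIsComplete`, `naiveIsComplete`, `chunksNeeded` and the sample replies are hypothetical names and constructed data; the three line forms are those of the Tor control protocol.

```typescript
// Added example, not nostream's code. Tor control-port reply lines:
//   "NNN-text"  mid-reply line, more lines follow
//   "NNN+text"  opens a data block, closed by a line holding only "."
//   "NNN text"  final line of the reply
function replyIsComplete(buffer: string): boolean {
  // Ignore a trailing partial line: TCP may split a reply anywhere.
  const end = buffer.lastIndexOf('\r\n')
  if (end === -1) return false
  let inData = false
  for (const line of buffer.slice(0, end).split('\r\n')) {
    if (inData) {
      // Data lines are opaque: one that looks like "250 OK" must not end the reply.
      if (line === '.') inData = false
      continue
    }
    const m = /^\d{3}([ +-])/.exec(line)
    if (m === null) throw new Error('malformed reply line: ' + JSON.stringify(line))
    if (m[1] === ' ') return true
    if (m[1] === '+') inData = true
  }
  return false
}

// Same result as the endsWith('\r\n') check the comment calls naive.
function naiveIsComplete(buffer: string): boolean {
  return buffer.slice(-2) === '\r\n'
}

// Feed chunks as a socket 'data' handler would and return how many were
// consumed before `done` reported a complete reply (-1 if it never did).
function chunksNeeded(chunks: string[], done: (b: string) => boolean): number {
  let buffer = ''
  let used = 0
  for (const chunk of chunks) {
    buffer += chunk
    used += 1
    if (done(buffer)) return used
  }
  return -1
}

// Constructed sample: one three-line reply split across three TCP chunks.
const SAMPLE_CHUNKS = ['250-ServiceID=<id>\r\n', '250-PrivateKey=<key>\r\n250 O', 'K\r\n']
// Constructed sample: a data block holding a line that imitates a final status.
const SAMPLE_DATA_BLOCK = '250+info=\r\nfirst line\r\n250 OK\r\n.\r\n'
```

On `SAMPLE_CHUNKS` the naive check reports completion after the first chunk, before the final status line has arrived, while the framing-aware check waits for all three.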
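
An added sketch of the two bech32 checks named in the comment above (symbol range plus leftover bits, and mixed case); it is not the code merged in this PR. `convertBits`, `normalizeCase` and `attempt` are hypothetical names, and the word arrays used with them are constructed.

```typescript
// Added example, not nostream's code. Regroup `from`-bit symbols into `to`-bit
// symbols, as bech32 does between 8-bit bytes and 5-bit words.
function convertBits(data: number[], from: number, to: number, pad: boolean): number[] {
  const maxIn = (1 << from) - 1
  const maxOut = (1 << to) - 1
  const maxAcc = (1 << (from + to - 1)) - 1 // keeps the accumulator bounded
  const out: number[] = []
  let acc = 0
  let bits = 0
  for (const v of data) {
    // Each input symbol must be an integer that fits in `from` bits.
    if (v < 0 || v > maxIn || Math.floor(v) !== v) {
      throw new Error('symbol out of range: ' + v)
    }
    acc = ((acc << from) | v) & maxAcc
    bits += from
    while (bits >= to) {
      bits -= to
      out.push((acc >> bits) & maxOut)
    }
  }
  if (pad) {
    if (bits > 0) out.push((acc << (to - bits)) & maxOut)
  } else if (bits >= from || ((acc << (to - bits)) & maxOut) !== 0) {
    // Strict decode: leftover bits must be shorter than one input symbol and
    // all zero, otherwise several word sequences would map to the same bytes.
    throw new Error('non-zero or excess padding')
  }
  return out
}

// A bech32 string may be all-lowercase or all-uppercase, never mixed.
function normalizeCase(s: string): string {
  const lower = s.toLowerCase()
  if (s !== lower && s !== s.toUpperCase()) throw new Error('mixed-case bech32 string')
  return lower
}

// Helper for checks: null instead of an exception.
function attempt<T>(f: () => T): T | null {
  try {
    return f()
  } catch (_e) {
    return null
  }
}
```

The words `[31, 28]` decode to the single byte `0xff`; `[31, 29]` differs only in the padding bits and is rejected, which is what keeps an encoded identifier from having more than one accepted spelling.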

@cameri cameri self-assigned this Apr 18, 2026
Comment thread package.json Outdated
@cameri cameri assigned Copilot and unassigned cameri Apr 18, 2026
Copilot AI requested a review from cameri April 18, 2026 18:50
@cameri cameri merged commit b73bcdc into main Apr 18, 2026
14 checks passed
@cameri cameri deleted the chore/inline-dependencies branch April 18, 2026 18:58

5 participants