
fix(orb): authenticate relay registration before body parse#1397

Open
JSONbored wants to merge 3 commits into main from codex/fix-unbounded-body-parsing-in-relay-registration

Conversation

@JSONbored

Owner

Motivation

  • Close a security-relevant DoS vector where /v1/orb/relay/register parsed an unbounded JSON body before validating the caller's enrollment secret.
  • Authenticate the enrollment secret before any body read and add a small hard body cap to limit per-request parsing cost (defense-in-depth consistent with other orb ingress paths).

Description

  • Add MAX_ORB_RELAY_REGISTER_BODY_BYTES and readOrbRelayRegisterBody in src/orb/relay.ts to enforce a 4 KiB streamed body ceiling and a Content-Length pre-check.
  • Introduce validateOrbRelayEnrollment and registerValidatedOrbRelay in src/orb/relay.ts, and refactor registerOrbRelay to reuse them so enrollment validation can be done independently of body parsing.
  • Update the route handler in src/api/routes.ts to validate the enrollment secret first, short-circuit with 401/403 on invalid secrets, call readOrbRelayRegisterBody to enforce the size cap (returning 413 on overflow), and only then parse JSON and persist the relay URL.
  • Add/adjust integration tests in test/integration/orb-relay.test.ts to cover oversized registration payloads (413) and to assert that an invalid enrollment is rejected before any request-body access.

Testing

  • Ran npx vitest run test/integration/orb-relay.test.ts and the integration suite for orb-relay passed (all tests in that file succeeded).
  • Ran npm run typecheck and git diff --check which succeeded with no type or diff errors.
  • Ran npm run ui:openapi:check which completed successfully.
  • Attempted the full local gate via npm run test:ci, but the run failed during coverage generation with an unrelated Vitest coverage provider error (TypeError: jsTokens is not a function), so the full CI/gate could not be completed locally; npm audit --audit-level=moderate also failed due to an npm registry 403 Forbidden during the audit request.
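The ordering the description above lays out, as an added TypeScript example that is not the PR's code: the enrollment secret is checked first, then a Content-Length pre-check and a streamed 4 KiB cap, and only then JSON.parse. The x-enrollment-secret header name, the 401-for-missing/403-for-mismatch split and every function name other than MAX_ORB_RELAY_REGISTER_BODY_BYTES are assumptions for this example.

```typescript
import { timingSafeEqual } from "node:crypto";
// Hard ceiling named in the PR; the 4 KiB value is taken from its description.
export const MAX_ORB_RELAY_REGISTER_BODY_BYTES = 4096;

// Step 1: the enrollment secret, checked before a single body byte is read.
// Missing -> 401 and mismatch -> 403 is an assumed split; the PR only says "401/403".
export function validateEnrollment(presented: string | undefined, expected: string): 401 | 403 | null {
  if (presented === undefined) return 401;
  const a = Buffer.from(presented), b = Buffer.from(expected);
  // timingSafeEqual demands equal lengths; a length mismatch is just a mismatch.
  return a.length === b.length && timingSafeEqual(a, b) ? null : 403;
}

// Step 2: bounded read. An oversized Content-Length is rejected before reading, and
// bytes are still counted as they stream in: the header may be absent (chunked) or wrong.
export async function readBoundedBody(
  contentLength: string | undefined, body: AsyncIterable<Uint8Array>,
  limit = MAX_ORB_RELAY_REGISTER_BODY_BYTES,
): Promise<{ status: 200; text: string } | { status: 400 | 413 }> {
  if (contentLength !== undefined) {
    if (!/^\d+$/.test(contentLength)) return { status: 400 }; // non-numeric header
    if (Number(contentLength) > limit) return { status: 413 };
  }
  const chunks: Uint8Array[] = [];
  let total = 0;
  for await (const chunk of body) {
    total += chunk.byteLength;
    if (total > limit) return { status: 413 }; // stop at the first chunk that crosses the cap
    chunks.push(chunk);
  }
  return { status: 200, text: Buffer.concat(chunks).toString("utf8") };
}

// Step 3: the handler order the PR describes: secret, size cap, and only then JSON.parse.
// The "x-enrollment-secret" header name is assumed, not taken from the project.
export async function handleRegister(
  headers: Record<string, string | undefined>, body: AsyncIterable<Uint8Array>, expectedSecret: string,
): Promise<{ status: 200; relayUrl: string } | { status: 400 | 401 | 403 | 413 }> {
  const authErr = validateEnrollment(headers["x-enrollment-secret"], expectedSecret);
  if (authErr !== null) return { status: authErr };
  const read = await readBoundedBody(headers["content-length"], body);
  if (read.status !== 200) return { status: read.status };
  try {
    const parsed = JSON.parse(read.text) as { relayUrl?: unknown };
    if (typeof parsed.relayUrl !== "string") return { status: 400 };
    return { status: 200, relayUrl: parsed.relayUrl };
  } catch { return { status: 400 }; }
}
```

The generator passed as `body` is only started once the handler iterates it, which is how the tests below can confirm that a rejected secret or an oversized Content-Length never touches the stream.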


@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jun 25, 2026
@codecov

codecov Bot commented Jun 25, 2026


Codecov Report

❌ Patch coverage is 85.29412% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 95.35%. Comparing base (314ad9d) to head (a0ea6a4).
⚠️ Report is 7 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/orb/relay.ts 80.76% 2 Missing and 3 partials ⚠️

❌ Your patch check has failed because the patch coverage (85.29%) is below the target coverage (97.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1397      +/-   ##
==========================================
- Coverage   95.37%   95.35%   -0.03%     
==========================================
  Files         192      192              
  Lines       20852    20883      +31     
  Branches     7540     7549       +9     
==========================================
+ Hits        19887    19912      +25     
- Misses        383      385       +2     
- Partials      582      586       +4     
Files with missing lines Coverage Δ
src/api/routes.ts 94.56% <100.00%> (-0.04%) ⬇️
src/orb/relay.ts 93.05% <80.76%> (-6.95%) ⬇️

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 25, 2026

Deploying with Cloudflare Workers

Status Name Latest Commit Updated (UTC)
✅ Deployment successful! gittensory-ui 63d377c Jun 25 2026, 11:03 PM

@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jun 26, 2026
@JSONbored JSONbored added the gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. label Jun 26, 2026

Labels

aardvark, codex, gittensor:bug (Gittensor-scored bug fix - worth 0.5x multiplier), size:M (This PR changes 30-99 lines, ignoring generated files)