fix(security): critical security and stability fixes

ts/detection/detectors/http-detector.ts

@@ -11,6 +11,7 @@ import type { THttpMethod } from '../../protocols/http/index.js';
 import { QuickProtocolDetector } from './quick-detector.js';
 import { RoutingExtractor } from './routing-extractor.js';
 import { DetectionFragmentManager } from '../utils/fragment-manager.js';
+import { HttpParser } from '../../protocols/http/parser.js';
 
 /**
  * Simplified HTTP detector
@@ -56,6 +57,17 @@ export class HttpDetector implements IProtocolDetector {
     // Extract routing information
     const routing = RoutingExtractor.extract(buffer, 'http');
     
+    // Extract headers if requested and we have complete headers
+    let headers: Record<string, string> | undefined;
+    if (options?.extractFullHeaders && isComplete) {
+      const headerSection = buffer.slice(0, headersEnd).toString();
+      const lines = headerSection.split('\r\n');
+      if (lines.length > 1) {
+        // Skip the request line and parse headers
+        headers = HttpParser.parseHeaders(lines.slice(1));
+      }
+    }
+    
     // If we don't need full headers and we have complete headers, we can return early
     if (quickResult.confidence >= 95 && !options?.extractFullHeaders && isComplete) {
       return {
@@ -76,7 +88,8 @@ export class HttpDetector implements IProtocolDetector {
         protocol: 'http',
         domain: routing?.domain,
         path: routing?.path,
-        method: quickResult.metadata?.method as THttpMethod
+        method: quickResult.metadata?.method as THttpMethod,
+        headers: headers
       },
       isComplete,
       bytesNeeded: isComplete ? undefined : buffer.length + 512 // Need more for headers