refactor: replace Peek with ReadFull in TLS ClientHello parsing to prevent buffering issues

Replace bufio.Reader.Peek calls with io.ReadFull for header and record body reading. Allocate header and full buffers explicitly and copy header into full buffer before reading remaining bytes. Remove redundant byte slice copy when returning full ClientHello data.

deploy/access-proxy/main.go

@@ -166,23 +166,24 @@ func proxyCopy(errCh chan<- error, dst io.Writer, src io.Reader) {
 }
 
 func readClientHello(reader *bufio.Reader) ([]byte, string, error) {
-	header, err := reader.Peek(5)
+	header := make([]byte, 5)
-	if err != nil {
+	if _, err := io.ReadFull(reader, header); err != nil {
 		return nil, "", err
 	}
 	if header[0] != 22 {
 		return nil, "", errors.New("not a tls client hello")
 	}
 	recordLen := int(header[3])<<8 | int(header[4])
-	full, err := reader.Peek(5 + recordLen)
+	full := make([]byte, 5+recordLen)
-	if err != nil {
+	copy(full, header)
+	if _, err := io.ReadFull(reader, full[5:]); err != nil {
 		return nil, "", err
 	}
 	host, err := extractSNI(full)
 	if err != nil {
 		return nil, "", err
 	}
-	return append([]byte(nil), full...), host, nil
+	return full, host, nil
 }
 
 func extractSNI(packet []byte) (string, error) {