bundis 0.1.0 → 0.2.0

package/src/connection.ts

@@ -12,9 +12,13 @@ import { serialize } from "./resp/serializer";
 import { RespParser } from "./resp/parser";
 import type { Command, Reply } from "./resp/types";
 import type { WatchSnapshot } from "./sidecar/watch";
+import type { MemoryGuard } from "./sidecar/memory-guard";
 
 export type ConnState = "HANDSHAKE" | "READY" | "SUBSCRIBED";
 
+/** Hard ceiling for bytes queued toward one slow-reading client. */
+const MAX_OUTBOX_BYTES = 32 * 1024 * 1024;
+
 /** A buffered MULTI transaction. */
 export interface TxnState {
   queued: Command[];
@@ -44,9 +48,16 @@ export class Connection {
 
   /** Bytes awaiting a `drain` event when the socket buffer was full. */
   #outbox: Uint8Array[] = [];
+  #outboxBytes = 0;
   #closed = false;
+  readonly #guard: MemoryGuard;
 
-  constructor(readonly socket: Socket<Connection>) {}
+  constructor(
+    readonly socket: Socket<Connection>,
+    guard: MemoryGuard,
+  ) {
+    this.#guard = guard;
+  }
 
   /** Total active (P)SUBSCRIBE count, used in reply frames. */
   subscriptionCount(): number {
@@ -68,13 +79,29 @@ export class Connection {
     if (this.#closed) return;
     if (this.#outbox.length > 0) {
       // Preserve ordering: once we're behind, everything queues.
-      this.#outbox.push(bytes);
+      this.#queue(bytes);
       return;
     }
     const written = this.socket.write(bytes);
     if (written < bytes.length) {
-      this.#outbox.push(bytes.subarray(written));
+      this.#queue(bytes.subarray(written));
+    }
+  }
+
+  /**
+   * Queue backpressured bytes; a consumer that stops reading (e.g. a stalled
+   * subscriber under PUBLISH load) is disconnected at the cap rather than
+   * letting its outbox grow until the process OOMs.
+   */
+  #queue(bytes: Uint8Array): void {
+    this.#outboxBytes += bytes.length;
+    this.#guard.add(bytes.length);
+    if (this.#outboxBytes > MAX_OUTBOX_BYTES || this.#guard.overLimit) {
+      this.markClosed();
+      this.socket.end();
+      return;
     }
+    this.#outbox.push(bytes);
   }
 
   /** Called from the socket `drain` handler: flush what we can, in order. */
@@ -82,6 +109,8 @@ export class Connection {
     while (this.#outbox.length > 0 && !this.#closed) {
       const chunk = this.#outbox[0]!;
       const written = this.socket.write(chunk);
+      this.#outboxBytes -= written;
+      this.#guard.sub(written);
       if (written < chunk.length) {
         this.#outbox[0] = chunk.subarray(written);
         return; // still backpressured
@@ -92,6 +121,8 @@ export class Connection {
 
   markClosed(): void {
     this.#closed = true;
+    this.#guard.sub(this.#outboxBytes);
     this.#outbox.length = 0;
+    this.#outboxBytes = 0;
   }
 }

package/src/dispatcher.ts

@@ -22,6 +22,7 @@ import * as hash from "./commands/hash";
 import * as set from "./commands/set";
 import * as pubsub from "./commands/pubsub";
 import * as txn from "./commands/transaction";
+import * as admin from "./commands/admin";
 
 /** A command handler. Returns the reply, or null if it wrote its own output. */
 export type Handler = (ctx: CommandContext) => Reply | null;
@@ -109,8 +110,21 @@ const TABLE: Record<string, Handler> = {
   WATCH: txn.watch,
   UNWATCH: txn.unwatch,
   RESET: txn.reset,
+
+  // server / admin
+  TYPE: admin.type,
+  DBSIZE: admin.dbsize,
+  FLUSHDB: admin.flushall, // single DB: FLUSHDB == FLUSHALL
+  FLUSHALL: admin.flushall,
+  CONFIG: admin.config,
+  COMMAND: admin.command,
 };
 
+/** Number of dispatchable commands (COMMAND COUNT). */
+export function commandCount(): number {
+  return Object.keys(TABLE).length;
+}
+
 /** Commands permitted while in SUBSCRIBED mode (§6.1). */
 const SUBSCRIBE_ALLOWED = new Set([
   "SUBSCRIBE",
@@ -163,6 +177,16 @@ export function dispatch(
       conn.send(errReply(Errors.unknownCmd(command.name, argStrings(command))));
       return;
     }
+    if (SUBSCRIBE_ALLOWED.has(command.name) && command.name !== "PING" && command.name !== "QUIT") {
+      // (P)SUBSCRIBE/(P)UNSUBSCRIBE inside MULTI would flip the connection
+      // mode mid-EXEC and desync the client's reply matching (Redis rejects).
+      conn.txn.error = true;
+      conn.send(errReply({
+        code: "ERR",
+        message: `${command.name} is not allowed in transactions`,
+      }));
+      return;
+    }
     conn.txn.queued.push(command);
     conn.send(R.simple("QUEUED"));
     return;

package/src/engine/errors.ts

@@ -61,6 +61,8 @@ export const Errors = {
   syntax: () => new RespError("ERR", "syntax error"),
   notInt: () => new RespError("ERR", "value is not an integer or out of range"),
   notFloat: () => new RespError("ERR", "value is not a valid float"),
+  invalidExpire: (cmd: string) =>
+    new RespError("ERR", `invalid expire time in '${cmd}' command`),
   wrongArgs: (cmd: string) =>
     new RespError("ERR", `wrong number of arguments for '${cmd.toLowerCase()}' command`),
   unknownCmd: (cmd: string, args: string[]) =>
@@ -88,6 +90,8 @@ export function toRespError(err: unknown): RespError {
   if (err instanceof TypeMismatchError) return Errors.wrongType();
   if (err instanceof NotIntegerError) return Errors.notInt();
   if (err instanceof NotFloatError) return Errors.notFloat();
-  const msg = err instanceof Error ? err.message : String(err);
-  return new RespError("ERR", msg);
+  // Unknown internals (SQLite/IO/runtime): log server-side for the operator,
+  // never echo raw messages (paths, engine state) over the wire.
+  console.error("bundis: internal command error:", err);
+  return new RespError("ERR", "internal error");
 }

package/src/launch.ts

@@ -28,6 +28,15 @@ export interface LaunchOptions {
   password?: string;
   /** Active-expiry sweep interval in ms (default 100). */
   reaperIntervalMs?: number;
+  /**
+   * Overall memory budget in MB (default 256). Sizes the SQLite page cache
+   * (50%) and the hot cache default (25%). A budget, not a hard OS limit.
+   */
+  maxMemoryMb?: number;
+  /** Hot-cache ceiling in MB (default: maxMemoryMb/4; 0 disables the cache). */
+  cacheMb?: number;
+  /** Hot-cache base time-to-idle in seconds (default 300). */
+  cacheIdleSec?: number;
 }
 
 export interface EmbeddedServer {
@@ -77,6 +86,11 @@ export interface SpawnServerOptions extends LaunchOptions {
 export async function spawnServer(opts: SpawnServerOptions = {}): Promise<SpawnedServer> {
   const config = resolveConfig(opts);
   const cliPath = Bun.fileURLToPath(new URL("./cli.ts", import.meta.url));
+  // The password travels via environment, never argv — argv is visible to
+  // every local user in `ps` for the lifetime of the child.
+  const env: Record<string, string | undefined> = { ...process.env };
+  delete env.REDIS_PASSWORD;
+  if (config.password !== null) env.REDIS_PASSWORD = config.password;
   const proc = Bun.spawn(
     [
       opts.bunPath ?? process.execPath,
@@ -84,10 +98,12 @@ export async function spawnServer(opts: SpawnServerOptions = {}): Promise<Spawne
       "--host", config.host,
       "--port", String(config.port),
       "--db", config.dbPath,
-      ...(config.password !== null ? ["--password", config.password] : []),
       "--reaper", String(config.reaperIntervalMs),
+      "--max-memory-mb", String(Math.floor(config.maxMemoryBytes / (1024 * 1024))),
+      "--cache-mb", String(Math.floor(config.cacheMaxBytes / (1024 * 1024))),
+      "--cache-idle", String(Math.floor(config.cacheIdleMs / 1000)),
     ],
-    { stdout: "pipe", stderr: "inherit" },
+    { stdout: "pipe", stderr: "inherit", env },
   );
 
   let ready: { host: string; port: number };
@@ -114,12 +130,20 @@ export async function spawnServer(opts: SpawnServerOptions = {}): Promise<Spawne
 // ── helpers ──────────────────────────────────────────────────────────────---
 
 function resolveConfig(opts: LaunchOptions): ServerConfig {
+  const MB = 1024 * 1024;
+  const maxMemoryMb = opts.maxMemoryMb ?? 256;
   return {
     host: opts.host ?? "127.0.0.1",
     port: opts.port ?? 6379,
     dbPath: opts.dbPath ?? "./data.db",
-    password: opts.password ?? null,
+    // Honor flag > env > none, so an env-configured password is not silently
+    // dropped (which would launch an open server — fail-open regression).
+    password: opts.password ?? Bun.env.REDIS_PASSWORD ?? null,
     reaperIntervalMs: opts.reaperIntervalMs ?? 100,
+    maxClients: 10_000,
+    maxMemoryBytes: maxMemoryMb * MB,
+    cacheMaxBytes: (opts.cacheMb ?? Math.floor(maxMemoryMb / 4)) * MB,
+    cacheIdleMs: (opts.cacheIdleSec ?? 300) * 1000,
   };
 }
 

package/src/resp/parser.ts

@@ -9,6 +9,10 @@
  * The stock `Bun.RedisClient` always sends commands as a RESP Array of Bulk
  * Strings (`*N\r\n($len\r\n<bytes>\r\n)*`). We parse that shape, plus inline
  * commands as a tolerant fallback. Argument bytes are preserved verbatim.
+ *
+ * Input caps (defense against pre-auth memory exhaustion — ProtocolError closes
+ * the connection): declared bulk length ≤ 512MB (Redis proto-max-bulk-len),
+ * multibulk count ≤ 1M, inline line ≤ 64KB, total pending buffer ≤ 768MB.
  */
 
 import type { Command } from "./types";
@@ -18,20 +22,39 @@ const LF = 10;
 const STAR = 42; // '*'
 const DOLLAR = 36; // '$'
 
+const MAX_BULK_LEN = 512 * 1024 * 1024;
+const MAX_MULTIBULK = 1024 * 1024;
+const MAX_INLINE_LEN = 64 * 1024;
+const MAX_PENDING = 768 * 1024 * 1024;
+
+const EMPTY = new Uint8Array(0);
+
 export class RespParser {
   /** Pending bytes not yet consumed into a full command. */
-  #buf: Uint8Array = new Uint8Array(0);
+  #buf: Uint8Array = EMPTY;
+  /** True while #buf aliases an externally-owned chunk (no copy taken yet). */
+  #aliased = false;
+
+  /** Bytes currently held pending a complete command. */
+  get bufferedBytes(): number {
+    return this.#buf.length;
+  }
 
   /** Append a freshly received chunk to the internal buffer. */
   push(chunk: Uint8Array): void {
+    if (this.#buf.length + chunk.length > MAX_PENDING) {
+      throw new ProtocolError("query buffer exceeds limit");
+    }
     if (this.#buf.length === 0) {
       this.#buf = chunk;
+      this.#aliased = true; // zero-copy fast path; drain() copies any leftover
       return;
     }
     const merged = new Uint8Array(this.#buf.length + chunk.length);
     merged.set(this.#buf, 0);
     merged.set(chunk, this.#buf.length);
     this.#buf = merged;
+    this.#aliased = false;
   }
 
   /**
@@ -49,8 +72,15 @@ export class RespParser {
       out.push(res.command);
       offset = res.next;
     }
-    if (offset > 0) {
-      this.#buf = this.#buf.subarray(offset);
+    if (offset >= this.#buf.length) {
+      this.#buf = EMPTY;
+      this.#aliased = false;
+    } else if (offset > 0 || this.#aliased) {
+      // Copy the remainder: the caller's chunk buffer may be reused by the
+      // runtime after this callback returns, so we must never retain a view
+      // of it across data() events.
+      this.#buf = this.#buf.slice(offset);
+      this.#aliased = false;
     }
     return out;
   }
@@ -70,7 +100,9 @@ export class RespParser {
     const header = this.#readLine(start);
     if (header === null) return null;
     const count = parseInt(decodeAscii(buf.subarray(start + 1, header.end)), 10);
-    if (Number.isNaN(count)) throw new ProtocolError("invalid multibulk length");
+    if (Number.isNaN(count) || count > MAX_MULTIBULK) {
+      throw new ProtocolError("invalid multibulk length");
+    }
     if (count <= 0) {
       // Empty/negative multibulk: skip, no command produced. Represent as empty.
       return { command: { name: "", args: [] }, next: header.next };
@@ -83,7 +115,9 @@ export class RespParser {
       const lenLine = this.#readLine(offset);
       if (lenLine === null) return null;
       const len = parseInt(decodeAscii(buf.subarray(offset + 1, lenLine.end)), 10);
-      if (Number.isNaN(len) || len < 0) throw new ProtocolError("invalid bulk length");
+      if (Number.isNaN(len) || len < 0 || len > MAX_BULK_LEN) {
+        throw new ProtocolError("invalid bulk length");
+      }
       const dataStart = lenLine.next;
       const dataEnd = dataStart + len;
       if (dataEnd + 2 > buf.length) return null; // data + trailing CRLF not all here yet
@@ -96,8 +130,14 @@ export class RespParser {
 
   #parseInline(start: number): { command: Command; next: number } | null {
     const line = this.#readLine(start);
-    if (line === null) return null;
+    if (line === null) {
+      if (this.#buf.length - start > MAX_INLINE_LEN) {
+        throw new ProtocolError("too big inline request");
+      }
+      return null;
+    }
     const raw = this.#buf.subarray(start, line.end);
+    if (raw.length > MAX_INLINE_LEN) throw new ProtocolError("too big inline request");
     const text = decodeAscii(raw).trim();
     if (text.length === 0) {
       return { command: { name: "", args: [] }, next: line.next };

package/src/resp/serializer.ts

@@ -4,6 +4,9 @@
  * Walks a {@link Reply} tree and produces wire bytes. Bulk/verbatim lengths are
  * computed in **bytes** (not characters) so binary-safe values and multi-byte
  * UTF-8 are framed correctly. This is the only place RESP3 type bytes are chosen.
+ *
+ * RESP3 only by design: the sole supported client is the stock `Bun.RedisClient`,
+ * which always negotiates `HELLO 3` (§2.1). No RESP2 downgrade path exists.
  */
 
 import type { Reply } from "./types";

package/src/server.ts

@@ -13,8 +13,11 @@ import { dispatch } from "./dispatcher";
 import { ProtocolError } from "./resp/parser";
 import { R } from "./resp/types";
 import { SqliteStorage } from "./storage/sqlite";
+import { HotCacheStorage } from "./storage/cache";
+import type { StorageEngine } from "./storage/types";
 import { PubSubHub } from "./sidecar/pubsub";
-import { WatchRegistry } from "./sidecar/watch";
+import { releaseSnapshot, WatchRegistry } from "./sidecar/watch";
+import { MemoryGuard } from "./sidecar/memory-guard";
 import { ExpiryReaper } from "./sidecar/reaper";
 import type { ServerConfig } from "./config";
 import type { ServerContext } from "./engine/context";
@@ -30,37 +33,75 @@ export interface RunningServer {
 
 export function startServer(config: ServerConfig): RunningServer {
   const watch = new WatchRegistry();
-  const storage = new SqliteStorage(config.dbPath, { onWrite: watch.bump });
+  let cache: HotCacheStorage | null = null;
+  const sqlite = new SqliteStorage(config.dbPath, {
+    onWrite: (key) => {
+      watch.bump(key);
+      cache?.invalidate(key); // every mutation evicts its stale cache entry
+    },
+    onFlushAll: () => {
+      watch.bumpAll();
+      cache?.invalidateAll();
+    },
+    // 50% of the overall memory budget goes to the SQLite page cache.
+    pageCacheKb: Math.floor(config.maxMemoryBytes / 2 / 1024),
+  });
+  const storage: StorageEngine =
+    config.cacheMaxBytes > 0
+      ? (cache = new HotCacheStorage(sqlite, {
+          maxBytes: config.cacheMaxBytes,
+          baseIdleMs: config.cacheIdleMs,
+        }))
+      : sqlite;
   const hub = new PubSubHub();
   const ctx: ServerContext = { storage, hub, watch, config };
 
   const reaper = new ExpiryReaper(storage, config.reaperIntervalMs);
   reaper.start();
 
+  // Aggregate buffer ceiling across all connections (inbound parser + outbound
+  // backpressure), independent of per-connection caps.
+  const guard = new MemoryGuard(config.maxMemoryBytes);
+  let liveClients = 0;
   const listener: TCPSocketListener<Connection> = Bun.listen<Connection>({
     hostname: config.host,
     port: config.port,
     socket: {
       open(socket: Socket<Connection>) {
-        socket.data = new Connection(socket);
+        if (liveClients >= config.maxClients) {
+          socket.write("-ERR max number of clients reached\r\n");
+          socket.end();
+          return; // socket.data stays unset; close() skips it
+        }
+        liveClients++;
+        // Nagle interacts badly with small request/reply round-trips.
+        (socket as unknown as { setNoDelay?: (on: boolean) => void }).setNoDelay?.(true);
+        socket.data = new Connection(socket, guard);
       },
       data(socket: Socket<Connection>, chunk: Buffer) {
         const conn = socket.data;
-        conn.parser.push(new Uint8Array(chunk.buffer, chunk.byteOffset, chunk.byteLength));
-        let commands;
         try {
-          commands = conn.parser.drain();
+          const before = conn.parser.bufferedBytes;
+          conn.parser.push(new Uint8Array(chunk.buffer, chunk.byteOffset, chunk.byteLength));
+          const commands = conn.parser.drain();
+          // Account the net change in the inbound buffer against the global cap.
+          guard.add(conn.parser.bufferedBytes - before);
+          if (guard.overLimit) throw new ProtocolError("server memory limit reached");
+          const now = Date.now();
+          for (const command of commands) {
+            dispatch(conn, command, ctx, now);
+          }
         } catch (err) {
           if (err instanceof ProtocolError) {
             conn.send(R.error("ERR", `Protocol error: ${err.message}`));
-            socket.end();
-            return;
+          } else {
+            // Contain the blast radius to this connection — one bad socket
+            // must never take down the whole server.
+            console.error(`bundis: connection #${conn.id} error:`, err);
+            conn.send(R.error("ERR", "internal error"));
           }
-          throw err;
-        }
-        const now = Date.now();
-        for (const command of commands) {
-          dispatch(conn, command, ctx, now);
+          guard.sub(conn.parser.bufferedBytes); // releasing this connection's inbound bytes
+          socket.end();
         }
       },
       drain(socket: Socket<Connection>) {
@@ -69,8 +110,14 @@ export function startServer(config: ServerConfig): RunningServer {
       close(socket: Socket<Connection>) {
         const conn = socket.data;
         if (conn) {
+          liveClients--;
+          guard.sub(conn.parser.bufferedBytes); // release inbound bytes (markClosed releases outbound)
           conn.markClosed();
           hub.drop(conn);
+          if (conn.watch) {
+            releaseSnapshot(watch, conn.watch); // refcounted registry interest
+            conn.watch = null;
+          }
         }
       },
       error(socket: Socket<Connection>) {

package/src/sidecar/memory-guard.ts

@@ -0,0 +1,31 @@
+/**
+ * MemoryGuard — process-global ceiling on bytes buffered across ALL connections
+ * (inbound parser buffers + outbound backpressure queues).
+ *
+ * Per-connection caps alone don't bound aggregate memory: maxClients × the
+ * per-connection limit can dwarf the configured budget. This single counter is
+ * the backstop — once the aggregate crosses the limit, the connection that
+ * pushed it over is closed by its caller.
+ */
+export class MemoryGuard {
+  #used = 0;
+
+  constructor(private readonly limit: number) {}
+
+  add(n: number): void {
+    this.#used += n;
+  }
+
+  sub(n: number): void {
+    this.#used -= n;
+    if (this.#used < 0) this.#used = 0;
+  }
+
+  get used(): number {
+    return this.#used;
+  }
+
+  get overLimit(): boolean {
+    return this.#used > this.limit;
+  }
+}

package/src/sidecar/pubsub.ts

@@ -79,6 +79,13 @@ export class PubSubHub {
   numSub(channel: string): number {
     return this.#channels.get(channel)?.size ?? 0;
   }
+
+  /** Count of distinct patterns with at least one subscriber. */
+  numPat(): number {
+    let n = 0;
+    for (const conns of this.#patterns.values()) if (conns.size > 0) n++;
+    return n;
+  }
 }
 
 function addTo(map: Map<string, Set<Connection>>, key: string, conn: Connection): void {

package/src/sidecar/reaper.ts

@@ -19,7 +19,13 @@ export class ExpiryReaper {
   start(): void {
     if (this.#timer !== null) return;
     this.#timer = setInterval(() => {
-      this.storage.sweepExpired(Date.now());
+      try {
+        this.storage.sweepExpired(Date.now());
+      } catch (err) {
+        // A transient storage error (SQLITE_BUSY, disk) must not kill the
+        // process; the next tick simply retries.
+        console.error("bundis: expiry sweep failed:", err);
+      }
     }, this.intervalMs);
     // Don't keep the process alive solely for the reaper.
     this.#timer.unref?.();

package/src/sidecar/watch.ts

@@ -2,32 +2,72 @@
  * WatchRegistry — optimistic-lock version tracking for MULTI/WATCH/EXEC.
  *
  * Under the single-writer assumption (§5.3), correctness only requires detecting
- * whether any watched key was modified between WATCH and EXEC. We keep an
- * in-process monotonic version per key, bumped on every write. WATCH snapshots
- * the current versions; EXEC compares. A missing key has version 0.
+ * whether any watched key was modified between WATCH and EXEC. The registry
+ * tracks versions ONLY for currently-watched keys (refcounted): bump() is a
+ * no-op when nobody watches, and entries die with their last watcher — so the
+ * per-write tax is one Map miss and the registry cannot grow without bound.
  */
 
 export class WatchRegistry {
-  #versions = new Map<string, number>();
+  #entries = new Map<string, { version: number; refs: number }>();
+  /** Whole-keyspace generation: bumped by FLUSHDB/FLUSHALL. */
+  #epoch = 0;
 
   /** Bump a key's version. Called by storage on every mutation. */
   bump = (key: Uint8Array): void => {
-    const k = hashKey(key);
-    this.#versions.set(k, (this.#versions.get(k) ?? 0) + 1);
+    if (this.#entries.size === 0) return; // nobody watches anything
+    const e = this.#entries.get(hashKey(key));
+    if (e) e.version++;
   };
 
-  /** Current version of a key (0 if never written). */
-  version(key: Uint8Array): number {
-    return this.#versions.get(hashKey(key)) ?? 0;
+  /** WATCH: register interest in a key and snapshot its current version. */
+  acquire(key: Uint8Array): number {
+    const k = hashKey(key);
+    let e = this.#entries.get(k);
+    if (!e) {
+      e = { version: 0, refs: 0 };
+      this.#entries.set(k, e);
+    }
+    e.refs++;
+    return e.version + this.#epoch;
+  }
+
+  /** Current version without registering interest (EXEC dirty check). */
+  peek(key: Uint8Array): number {
+    return (this.#entries.get(hashKey(key))?.version ?? 0) + this.#epoch;
+  }
+
+  /** Release interest registered by {@link acquire}. */
+  release(key: Uint8Array): void {
+    const k = hashKey(key);
+    const e = this.#entries.get(k);
+    if (!e) return;
+    if (--e.refs <= 0) this.#entries.delete(k);
+  }
+
+  /**
+   * FLUSHDB/FLUSHALL: every key changed. The epoch also covers keys whose
+   * writes predate this process (persisted DB) and so have no entry.
+   */
+  bumpAll(): void {
+    this.#epoch++;
+  }
+
+  /** Tracked-entry count (observability/tests). */
+  size(): number {
+    return this.#entries.size;
   }
 }
 
 /** A connection's WATCH snapshot: key (as hash) → version observed at WATCH. */
 export type WatchSnapshot = Map<string, { key: Uint8Array; version: number }>;
 
+/** Release every key in a snapshot (UNWATCH/EXEC/DISCARD/RESET/disconnect). */
+export function releaseSnapshot(registry: WatchRegistry, snap: WatchSnapshot): void {
+  for (const { key } of snap.values()) registry.release(key);
+}
+
 /** Stable map-key for a byte array (latin1 round-trips every byte). */
 export function hashKey(key: Uint8Array): string {
-  let s = "";
-  for (let i = 0; i < key.length; i++) s += String.fromCharCode(key[i]!);
-  return s;
+  return Buffer.from(key.buffer, key.byteOffset, key.byteLength).toString("latin1");
 }