fix(domain-fronting): guard fallback JSON extraction

Reject malformed fallback relay responses where JSON brace positions are inverted instead of slicing with invalid bounds.

src/domain_fronter.rs

@@ -3036,6 +3036,12 @@ impl DomainFronter {
             let end = text.rfind('}').ok_or_else(|| {
                 FronterError::BadResponse("no json end in tunnel response".into())
             })?;
+            if start > end {
+                return Err(FronterError::BadResponse(format!(
+                    "no valid json object in: {}",
+                    &text.chars().take(200).collect::<String>()
+                )));
+            }
             &text[start..=end]
         };
         Ok(serde_json::from_str(json_str)?)
@@ -3204,6 +3210,12 @@ impl DomainFronter {
             let end = text.rfind('}').ok_or_else(|| {
                 FronterError::BadResponse("no json end in batch response".into())
             })?;
+            if start > end {
+                return Err(FronterError::BadResponse(format!(
+                    "no valid json object in: {}",
+                    &text.chars().take(200).collect::<String>()
+                )));
+            }
             &text[start..=end]
         };
         // Don't log payload content. Batch responses carry base64-encoded
@@ -4580,6 +4592,12 @@ fn parse_relay_json(body: &[u8]) -> Result<Vec<u8>, FronterError> {
                         &text.chars().take(200).collect::<String>()
                     ))
                 })?;
+                if start > end {
+                    return Err(FronterError::BadResponse(format!(
+                        "no valid json object in: {}",
+                        &text.chars().take(200).collect::<String>()
+                    )));
+                }
                 serde_json::from_str(&text[start..=end])?
             }
         }