fix: handle hex payloads whose first byte starts with 'A'

Previously, extractHex() would match the INSPECT_URL_RE pattern
(?:%20|\s|\+)A([0-9A-Fa-f]+) and strip the leading 'A', treating it as
the classic asset-ID prefix marker. When the actual XOR key byte happened
to encode as hex 'A' (i.e. 0xAx), this produced an odd-length hex string
(e.g. 47 chars) which caused hex2bin() to return false and throw
InvalidArgumentException.

Fix: add an even-length guard — if stripping 'A' yields an odd number of
hex characters, 'A' is part of the payload, not a prefix marker. Fall
through to the pure-masked regex which captures the full hex blob
(including the leading 'A').

Add regression tests for URL and bare-hex forms of a payload whose XOR
key byte is 0xA6, verifying defindex = 1377 after decryption.

Author: vlydev

src/InspectLink.php

@@ -109,12 +109,16 @@ private static function extractHex(string $input): string
             return $m[1];
         }
 
-        // Classic/market URL: A<hex> preceded by %20, space, or + (A is a prefix marker, not hex)
-        if (preg_match('/(?:%20|\s|\+)A([0-9A-Fa-f]+)/i', $stripped, $m)) {
+        // Classic/market URL: A<hex> preceded by %20, space, or + (A is a prefix marker, not hex).
+        // If stripping A yields odd-length hex, A is actually the first byte of the payload —
+        // fall through to the pure-masked check below which captures it with A included.
+        if (preg_match('/(?:%20|\s|\+)A([0-9A-Fa-f]+)/i', $stripped, $m)
+            && 0 === strlen($m[1]) % 2) {
             return $m[1];
         }
 
-        // Pure masked format: csgo_econ_action_preview%20<hexblob> (no S/A/M prefix)
+        // Pure masked format: csgo_econ_action_preview%20<hexblob> (no S/A/M prefix).
+        // Also handles payloads whose first hex character happens to be A.
         if (preg_match('/csgo_econ_action_preview(?:%20|\s|\+)([0-9A-Fa-f]{10,})$/i', $stripped, $m)) {
             return $m[1];
         }

tests/InspectLinkTest.php

@@ -339,6 +339,45 @@ public function testDeserializeHybridUrlReturnsCorrectItemid(): void
         $this->assertSame(50075495125, $item->itemid);
     }
 
+    // -----------------------------------------------------------------------
+    // Regression: hex payload starting with 'A' (key byte = 0xAx)
+    // -----------------------------------------------------------------------
+
+    /**
+     * A masked link whose proto payload begins with hex 'A6' (XOR key = 0xA6).
+     * Previously, extractHex() wrongly treated the 'A' as the classic asset-ID
+     * prefix marker and stripped it, producing 47 hex chars (odd length) which
+     * caused hex2bin to return false / an InvalidArgumentException.
+     */
+    private const A_START_HEX = 'A6B617190F659DBE47AC86A68EA096A2CEB4D6AFBFFA9FD2';
+
+    private const A_START_URL = 'steam://run/730//+csgo_econ_action_preview%20' . self::A_START_HEX;
+
+    public function testIsMaskedReturnsTrueForAStartingPayload(): void
+    {
+        $this->assertTrue(InspectLink::isMasked(self::A_START_URL));
+    }
+
+    public function testDeserializeAStartingPayloadDoesNotThrow(): void
+    {
+        $item = InspectLink::deserialize(self::A_START_URL);
+        // Payload has XOR key 0xA6; after decryption defindex decodes to 1377.
+        $this->assertSame(1377, $item->defindex);
+    }
+
+    public function testDeserializeAStartingBareHexDoesNotThrow(): void
+    {
+        $item = InspectLink::deserialize(self::A_START_HEX);
+        $this->assertSame(1377, $item->defindex);
+    }
+
+    public function testAStartingPayloadInsideSteamRunguameUrl(): void
+    {
+        $url = 'steam://rungame/730/76561202255233023/+csgo_econ_action_preview%20' . self::A_START_HEX;
+        $item = InspectLink::deserialize($url);
+        $this->assertSame(1377, $item->defindex);
+    }
+
     // -----------------------------------------------------------------------
     // Checksum correctness
     // -----------------------------------------------------------------------