
#8779: fix(security): use constant-time comparison for token validation

by hleliofficiel, open, 2026-02-04 11:20
Labels: gateway, stale
Fixes #6021

## Summary

Replaces insecure `===` / `!==` string comparisons with constant-time comparison `timingSafeEqual` (via a helper) for sensitive token validation.

## Changes

- Export `safeEqual` from `src/gateway/auth.ts`.
- Use `safeEqual` in `src/gateway/server-http.ts` (hook tokens).
- Use `safeEqual` (local copy) in `src/infra/node-pairing.ts` (node tokens).
- Use `safeEqual` (local copy) in `src/infra/device-pairing.ts` (device tokens).

## Security

Prevents timing side-channel attacks that could allow attackers to guess tokens character-by-character.

## Greptile Overview

### Greptile Summary

This PR introduces a `safeEqual` helper based on `crypto.timingSafeEqual` and replaces `===`/`!==` comparisons for gateway/password tokens and hook tokens, plus similar changes for node/device pairing token verification. The overall direction is good (mitigates character-by-character timing attacks on secret comparisons), and the change is localized to the existing auth and pairing verification paths (`src/gateway/*` and `src/infra/*`).

### Confidence Score: 4/5

- This PR is largely safe to merge and improves secret comparison security, with a small edge-case risk around input length/encoding handling.
- Changes are narrowly scoped to token comparisons and rely on a standard primitive (`timingSafeEqual`). The main concern is the helper's early-return on string length and UTF-16 vs UTF-8 length mismatch potentially causing a throw for non-ASCII inputs; if tokens are guaranteed ASCII/UUIDs this is likely fine.
- Files: `src/gateway/auth.ts`, `src/infra/node-pairing.ts`, `src/infra/device-pairing.ts`

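The edge case flagged in the Greptile summary is easy to reproduce and easy to close. The block below is an added illustration, not the PR's `safeEqual` or any other code from this repository: `naiveSafeEqual` is a hypothetical helper written to show the failure mode (an early return keyed on JavaScript string length, i.e. UTF-16 code units, followed by a byte-level `timingSafeEqual`), and `safeEqual` is one way to harden it by comparing on UTF-8 byte length so that non-ASCII input can never make `timingSafeEqual` throw. The token values are constructed for the example.

```typescript
import { timingSafeEqual } from "node:crypto";

// Hypothetical helper reproducing the pitfall from the review (not the PR's code):
// "é".length and "a".length are both 1, but their UTF-8 encodings are 2 and 1
// bytes, so the length guard passes and timingSafeEqual throws a RangeError
// because the two buffers differ in byte length.
function naiveSafeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
}

// Hardened helper: encode both sides to UTF-8 first and compare byte lengths,
// so timingSafeEqual is only ever called on equal-length buffers and never throws.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  if (ab.length !== bb.length) {
    // Do one constant-time pass anyway so the mismatch branch costs roughly the
    // same as a full comparison, then reject. For fixed-format tokens (UUIDs,
    // hex strings) the byte length is public, so revealing a length mismatch
    // leaks nothing about the token value.
    timingSafeEqual(ab, ab);
    return false;
  }
  return timingSafeEqual(ab, bb);
}

// Returns true when the naive helper throws for the given pair of inputs.
function naiveThrows(a: string, b: string): boolean {
  try {
    naiveSafeEqual(a, b);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample tokens (not taken from the project): a UUID-style hook
// token and the same token with its last character altered.
const GOOD_TOKEN = "3f1c2a9e-7b4d-4c8e-9a12-5e6f7a8b9c0d";
const BAD_TOKEN = "3f1c2a9e-7b4d-4c8e-9a12-5e6f7a8b9c0e";

function demo(): { match: boolean; mismatch: boolean; naiveThrew: boolean; hardenedNonAscii: boolean } {
  return {
    match: safeEqual(GOOD_TOKEN, GOOD_TOKEN),      // true
    mismatch: safeEqual(GOOD_TOKEN, BAD_TOKEN),    // false, same length, one byte differs
    naiveThrew: naiveThrows("é", "a"),             // true: equal .length, unequal byte length
    hardenedNonAscii: safeEqual("é", "a"),         // false, no throw
  };
}

console.log(demo());
```

If the tokens really are guaranteed ASCII (UUIDs, hex), the two helpers behave identically; the hardened form is still preferable because the guarantee then lives in the comparison rather than in every caller's input validation. An alternative that also hides the length is to hash both sides with a fixed-output digest (for example SHA-256) before calling `timingSafeEqual`, at the cost of two hash computations per check.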