
#7317: fix(security): harden zip extraction and hook token comparison

by daem0ndev · open · 2026-02-02 17:55
gateway agents
## Summary

Two security hardening improvements identified during code review.

### 1. Zip Extraction Path Boundary Fix

**Issue:** The existing `startsWith()` check for zip entry paths can be bypassed by sibling directories:

- `destDir` = `/tmp/extract`
- `outPath` = `/tmp/extract2/malicious.txt`
- `outPath.startsWith(destDir)` = `true` ❌

**Fix:** Use `path.relative()` to properly check containment. A path escapes if the relative path starts with `..` or is absolute.

### 2. Hook Token Timing-Safe Comparison

**Issue:** JavaScript `!==` for string comparison returns early on first character mismatch, creating a timing oracle.

**Fix:** Use `crypto.timingSafeEqual()` for constant-time comparison, preventing timing attacks on hook authentication tokens.

## Testing

Added two test cases for zip path traversal scenarios:

- Basic `../` traversal rejection
- Sibling directory prefix bypass rejection

## Risk

Low — both changes are defensive hardening with minimal behavior change for legitimate use cases.
