fix(security): harden hook and device token auth

src/security/secret-equal.ts

@@ -0,0 +1,16 @@
+import { timingSafeEqual } from "node:crypto";
+
+export function safeEqualSecret(
+  provided: string | undefined | null,
+  expected: string | undefined | null,
+): boolean {
+  if (typeof provided !== "string" || typeof expected !== "string") {
+    return false;
+  }
+  const providedBuffer = Buffer.from(provided);
+  const expectedBuffer = Buffer.from(expected);
+  if (providedBuffer.length !== expectedBuffer.length) {
+    return false;
+  }
+  return timingSafeEqual(providedBuffer, expectedBuffer);
+}