callstack · thymikee · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/examples/test-app/pnpm-lock.yaml b/examples/test-app/pnpm-lock.yaml
diff --git a/examples/test-app/pnpm-workspace.yaml b/examples/test-app/pnpm-workspace.yaml
@@ -12,3 +12,4 @@ overrides:
   uuid: 14.0.0
   ws@8: ^8.20.1
   brace-expansion@5: ^5.0.6
+  shell-quote: '>=1.8.4'
diff --git a/src/daemon/http-server.ts b/src/daemon/http-server.ts
@@ -1,6 +1,7 @@
 import http, { type IncomingHttpHeaders } from 'node:http';
 import fs from 'node:fs';
 import { AppError, normalizeError, toAppErrorCode } from '../utils/errors.ts';
+import { timingSafeStringEqual } from '../utils/timing-safe-equal.ts';
 import type { JsonRpcId, JsonRpcRequestEnvelope, LeaseBackend } from '../contracts.ts';
 import type { DaemonInstallSource, DaemonRequest, DaemonResponse } from './types.ts';
 import { normalizeTenantId } from './config.ts';
@@ -818,6 +819,6 @@ function enforceDaemonToken(
   expectedToken: string | undefined,
 ): ReturnType<typeof normalizeError> | null {
   if (!expectedToken) return null;
-  if (requestToken === expectedToken) return null;
+  if (timingSafeStringEqual(requestToken, expectedToken)) return null;
   return normalizeError(new AppError('UNAUTHORIZED', 'Invalid token'));
 }
diff --git a/src/daemon/request-router.ts b/src/daemon/request-router.ts
@@ -3,6 +3,7 @@ import {
   withTargetDeviceResolutionScope,
 } from '../core/dispatch-resolve.ts';
 import { AppError, normalizeError } from '../utils/errors.ts';
+import { timingSafeStringEqual } from '../utils/timing-safe-equal.ts';
 import type { DaemonRequest, DaemonResponse } from './types.ts';
 import { SessionStore } from './session-store.ts';
 import {
@@ -83,7 +84,7 @@ export function createRequestHandler(
         logPath,
       },
       async () => {
-        if (req.token !== token) {
+        if (!timingSafeStringEqual(req.token, token)) {
           return unauthorizedResponse();
         }
 
@@ -178,7 +179,7 @@ export function createRequestHandler(
   ): (req: DaemonRequest) => Promise<DaemonResponse> {
     return async (req) => {
       if (!canRunReplayActionInCurrentScope(req, parentScope)) return await handleRequest(req);
-      if (req.token !== token) {
+      if (!timingSafeStringEqual(req.token, token)) {
         return unauthorizedResponse();
       }
 

diff --git a/src/daemon/server-lifecycle.ts b/src/daemon/server-lifecycle.ts
@@ -49,6 +49,8 @@ export function writeInfo(
       mode: 0o600,
     },
   );
+  // writeFileSync only applies mode on creation; tighten pre-existing files too.
+  fs.chmodSync(infoPath, 0o600);
 }
 
 export function removeInfo(infoPath: string): void {

diff --git a/src/utils/timing-safe-equal.ts b/src/utils/timing-safe-equal.ts
@@ -0,0 +1,12 @@
+import crypto from 'node:crypto';
+
+/**
+ * Compares two secret strings in constant time. Hashing both inputs first
+ * keeps the comparison length-independent, so unequal-length tokens neither
+ * throw nor leak length via timing.
+ */
+export function timingSafeStringEqual(a: string, b: string): boolean {
+  const hashA = crypto.createHash('sha256').update(a).digest();
+  const hashB = crypto.createHash('sha256').update(b).digest();
+  return crypto.timingSafeEqual(hashA, hashB);
+}