refactor(rivetkit-core): use subtle::ConstantTimeEq for inspector token verify

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• fix(rivetkit-core): gate startup until runtime is ready #4736 : 2 dependent PRs (#4737 , #4739 )
• fix(rivetkit-sqlite): preserve text with embedded nul bytes #4735
• chore(rivetkit): add child spans for logging #4734
• fix(rivetkit-core): orphan engine process and detect crashes #4733
• fix(rivetkit-core): return None for empty inspector state to avoid frontend CBOR decode error #4732
• fix(rivetkit-core): don't install tokio::signal::ctrl_c() handler inside serve_with_config #4731
• refactor(rivetkit-core): use subtle::ConstantTimeEq for inspector token verify #4730 👈 (View in Graphite)
• fix(rivetkit): drop is_read_only_sql classifier, surface RETURNING rows #4728
• docs: require close-code rejection for websocket auth/policy failures #4727
• fix(rivetkit): inspector reports actual config state + real queue messages #4726
• fix(rivetkit-napi): plumb ctx through serializeState TSF and stop panicking on runtime_state Ref drop #4725
• chore(rivetkit): remove legacy metrics & prometheus auth #4724
• chore(rivetkit): remove legacy metrics #4723
• chore(rivetkit): impl inspector token #4722
• chore: disable auth on serverless #4721
• chore: fix cors for envoys #4720
• chore: fix serverless in rivetkit-core #4719
• chore(rivetkit): impl follow up review #4711
• chore: rivetkit core/napi/typescript follow up review #4702
• chore: fix remaining issues with rivetkit-core #4701
• chore: sqlite v1 to v2 data migration #4692 : 1 other dependent PR (#4640 )
• chore: move rivetkit to task model #4680
• chore: rivetkit to rust #4679
• feat(rivetkit): sqlite vfs v2 #4673
• chore: rename sandbox -> kitchen sink #4671 : 1 other dependent PR (#4672 )
• chore: configure TLS trust roots for rustls clients #4667
• fix(rivetkit): update config to match envoys & remove manager references #4663
• chore(publish): pin docker base image refs #4652
• chore(engine): publish engine bases in ci #4649 : 2 other dependent PRs (#4650 , #4666 )
• chore: lockfile lefthook #4647
• fix(rivetkit): surface native sqlite kv errors to callers #4645
• fix(rivetkit): prevent sleep races during disconnect and db work #4644
• fix(rivetkit): isolate engine envoys and propagate startup failures #4643
• test(rivetkit): remove wasm sqlite-only fixtures and coverage #4642
• chore(sqlite-vfs): remove wasm sqlite packages and workspace wiring #4641
• chore(rivetkit): remove wasm sqlite runtime #4614
• fix(sqlite-native): restore native startup kv preload #4639
• fix(sqlite-native): delete metadata before chunk range #4638
• fix(sqlite-native): keep truncate cache coherent #4637
• fix(sqlite-vfs): use delete range for truncate cleanup #4636
• fix(sqlite-native): restore kv error hook #4635
• perf(sqlite-native): avoid cloning cached read chunks #4634
• perf(sqlite-native): gate kv operation labels #4633
• perf(sqlite-native): reuse read cache for partial writes #4632
• perf(sqlite-native): remove delete file existence probe #4631
• fix(sqlite-native): gate native read cache behind env var #4630
• fix(pegboard): isolate runner config dc lookup failures #4625 : 1 other dependent PR (#4626 )
• docs(pegboard): note runner config upsert split write risk #4624
• fix(pegboard): unpack global runner config keys correctly #4623
• fix(pegboard-gateway): enforce tunnel message state #4622
• fix(pegboard-runner): clear terminal tunnel routes #4621
• fix(pegboard): skip protocol version keys in runner pool backfill #4620
• fix(pegboard): create missing normal runner configs #4619
• fix(epoxy): reuse cached optimistic value #4618
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Code Review: refactor(rivetkit-core): use subtle::ConstantTimeEq for inspector token verify

Overview

This PR replaces the hand-rolled timing_safe_equal function with the battle-tested subtle::ConstantTimeEq trait. Small but meaningful security improvement.

---

What the PR Does

• Removes the custom timing_safe_equal implementation in inspector/auth.rs
• Adds subtle as a workspace dependency in rivetkit-core
• Uses ct_eq(...).into() from subtle::ConstantTimeEq directly on byte slices

---

Analysis

Security — Correct Direction

The custom timing_safe_equal was a reasonable attempt, but hand-rolled constant-time comparisons are notoriously fragile. Compilers and CPUs can optimize them in unexpected ways (short-circuit evaluation, instruction reordering, etc.). The subtle crate is specifically designed to resist these optimizations and is widely used in the Rust cryptography ecosystem. This is the right choice.

Behavior Change — Important Nuance

The old timing_safe_equal padded both slices to max_len before comparing, meaning mismatched lengths still XOR through all bytes. subtle::ConstantTimeEq for [u8] short-circuits to false immediately if lengths differ (the default trait impl checks self.len() == other.len() first). This is technically a length leak — an attacker could learn the expected token length by timing the response.

In this specific context, the token is always generated as a fixed-length base64 string from generate_inspector_token() (specifically TOKEN_LENGTH bytes encoded with URL_SAFE_NO_PAD). Since the expected token is always the same fixed length, the length leak is not exploitable in practice. Still worth documenting.

Dependency — Already a Workspace Dep

subtle = "2" is already declared in the root Cargo.toml workspace dependencies, so adding it to rivetkit-core is clean with no version churn.

Code Quality

The diff is minimal and correct. The import is added, the call site is clean (candidate.ct_eq(expected).into()), and the hand-rolled function is fully removed with no leftover dead code.

---

Suggestions

1. Minor: Add a one-line comment near verify_token_bytes noting that the token is always fixed-length (TOKEN_LENGTH bytes base64-encoded), so future maintainers understand why ct_eq (which leaks length on mismatch) is acceptable here.

2. Optional: Fill out the PR description checklist before merging.

---

Summary

Good, focused security improvement. Replacing a hand-rolled constant-time comparison with the audited subtle crate is clearly correct. The one nuance (length-leak behavior of ct_eq vs. the old padding approach) is not exploitable given fixed-length tokens. Clean diff, correct dependency wiring.

[NathanFlurry]

Landed in main via stack-merge fast-forward push. Commits are in main; closing to match.