refactor: move timingSafeEqual out of worker-utils to encryption follow-up PR

Restore local timingSafeEqual implementations in cloudflare-db-proxy,
cloudflare-webhook-agent-ingest, and kiloclaw to keep this PR focused
on non-crypto utilities. The shared extraction will land in PR #697.

Author: iscekic

cloudflare-db-proxy/src/utils/auth.ts

@@ -1,6 +1,5 @@
 import type { Context } from 'hono';
 import type { ContentfulStatusCode } from 'hono/utils/http-status';
-import { timingSafeEqual } from '@kilocode/worker-utils';
 import type { Env, ErrorCode } from '../types';
 
 /**
@@ -49,6 +48,21 @@ export function verifyToken(providedToken: string, storedToken: string): boolean
   return timingSafeEqual(providedToken, storedToken);
 }
 
+/**
+ * Timing-safe string comparison using crypto.subtle.timingSafeEqual
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  const encoder = new TextEncoder();
+  const aBytes = encoder.encode(a);
+  const bBytes = encoder.encode(b);
+
+  if (aBytes.length !== bBytes.length) {
+    crypto.subtle.timingSafeEqual(aBytes, aBytes);
+    return false;
+  }
+  return crypto.subtle.timingSafeEqual(aBytes, bBytes);
+}
+
 /**
  * Create an error response with standard format
  */

cloudflare-webhook-agent-ingest/src/util/webhook-auth.ts

@@ -1,5 +1,3 @@
-import { timingSafeEqual } from '@kilocode/worker-utils';
-
 export type WebhookAuthInput = {
   header: string;
   secret: string;
@@ -33,6 +31,17 @@ export async function compareWebhookSecret(hash: string, secret: string): Promis
   return timingSafeEqual(hash, candidateHash);
 }
 
+export function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let index = 0; index < a.length; index += 1) {
+    result |= a.charCodeAt(index) ^ b.charCodeAt(index);
+  }
+  return result === 0;
+}
+
 export function sanitizeWebhookAuth(auth: StoredWebhookAuth | null): {
   webhookAuthHeader: string | undefined;
   webhookAuthConfigured: boolean;

kiloclaw/src/auth/middleware.ts

@@ -1,6 +1,5 @@
 import type { Context, Next } from 'hono';
 import { getCookie } from 'hono/cookie';
-import { timingSafeEqual } from '@kilocode/worker-utils';
 import type { AppEnv } from '../types';
 import { KILOCLAW_AUTH_COOKIE } from '../config';
 import { validateKiloToken } from './jwt';
@@ -102,3 +101,16 @@ export async function internalApiMiddleware(c: Context<AppEnv>, next: Next) {
 
   return next();
 }
+
+function timingSafeEqual(a: string, b: string): boolean {
+  const encoder = new TextEncoder();
+  const aBytes = encoder.encode(a);
+  const bBytes = encoder.encode(b);
+
+  if (aBytes.length !== bBytes.length) {
+    // Compare a against itself so the timing is constant regardless of length mismatch
+    crypto.subtle.timingSafeEqual(aBytes, aBytes);
+    return false;
+  }
+  return crypto.subtle.timingSafeEqual(aBytes, bBytes);
+}

packages/worker-utils/src/index.ts

@@ -1,38 +1,24 @@
-// 1. DO retry
 export { withDORetry, DEFAULT_DO_RETRY_CONFIG } from './do-retry.js';
 export type { DORetryConfig } from './do-retry.js';
 
-// 2. Backend auth middleware
 export { backendAuthMiddleware } from './backend-auth-middleware.js';
 
-// 3. Timeout
 export { withTimeout } from './timeout.js';
 
-// 4. R2 client
 export { createR2Client } from './r2-client.js';
 export type { R2Client, R2ClientConfig } from './r2-client.js';
 
-// 5. Response helpers
 export { resSuccess, resError } from './res.js';
 export type { SuccessResponse, ErrorResponse, ApiResponse } from './res.js';
 
-// 6. Zod JSON validator
 export { zodJsonValidator } from './zod-json-validator.js';
 
-// 7. Timing-safe equal
-export { timingSafeEqual } from './timing-safe-equal.js';
-
-// 8. Format error
 export { formatError } from './format-error.js';
 
-// 9. Extract bearer token
 export { extractBearerToken } from './extract-bearer-token.js';
 
-// 10. Error handler
 export { createErrorHandler } from './error-handler.js';
 
-// 11. Not-found handler
 export { createNotFoundHandler } from './not-found-handler.js';
 
-// 12-13. Shared types
 export type { Owner, MCPServerConfig } from './types.js';