fix(security): use constant-time admin key checks

[Ayush-Raj-Chourasia]

Summary

This PR hardens admin API key validation by using constant-time comparison.

Changes made

• Replaced direct string equality with
• Applied the same comparison approach to both admin and telemetry admin key checks
• Added regression tests covering the admin and telemetry key paths

Security impact

This reduces the risk of timing-based key disclosure attacks against privileged endpoints.

Testing

• PYTHONPATH=src python -m pytest -q tests/api/test_admin_endpoints.py -k 'constant_time_key_compare or telemetry_summary_with_telemetry_key_succeeds or delete_scan_with_correct_admin_key_succeeds'
• Result: 4 passed

[Copilot]

Pull request overview

This PR hardens privileged endpoint authentication by switching admin/telemetry API key validation to a constant-time comparison to reduce timing-attack exposure in extension_shield’s FastAPI layer.

Changes:

• Replaced direct string equality checks with hmac.compare_digest for admin key validation.
• Applied the same constant-time comparison logic to the telemetry admin key path.
• Added regression tests to ensure both DELETE scan and telemetry summary endpoints go through compare_digest.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/extension_shield/api/main.py	Uses hmac.compare_digest for admin and telemetry key verification in request guards.
tests/api/test_admin_endpoints.py	Adds tests that patch hmac.compare_digest to assert constant-time compare is exercised for both relevant endpoints.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.