security(acp): use constant-time comparison for ACP auth token validation to prevent timing side-channel #2448

@bug-ops

Gap Source

Goose v1.28.0 (March 18, 2026) added constant-time token comparison. Competitive parity scan CI-307.

What Is Missing

Zeph's ACP HTTP transport auth uses standard string equality (==) for bearer token validation. Standard string comparison short-circuits on first mismatch — a timing oracle that allows remote attackers to enumerate valid token prefixes.

Fix

Replace string equality with constant-time comparison using the subtle crate (ConstantTimeEq) or ring::constant_time::verify_slices_are_equal.

Location: ACP HTTP auth middleware in crates/zeph-acp/src/ (HTTP transport bearer validation).

Priority

P2 — security correctness. One-line fix with the subtle crate. ACP HTTP transport ships in production builds — this is an exploitable side-channel for any deployment with bearer auth enabled.
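
The difference between the two comparisons, as an added example that is not part of the issue or of Zeph's code: a std-only stand-in for what `subtle`'s `ConstantTimeEq` provides, next to a model of early-exit equality. The function names (`leaky_eq`, `ct_eq`, `authorize`) and the token are hypothetical, and `black_box` is only a best-effort optimization barrier, so a vetted crate remains the right choice for the real fix.

```rust
use std::hint::black_box;

// Model of early-exit comparison (the behaviour the issue attributes to `==`).
// Also reports how many bytes were examined, which is what timing reveals.
fn leaky_eq(expected: &[u8], presented: &[u8]) -> (bool, usize) {
    if expected.len() != presented.len() {
        return (false, 0);
    }
    for i in 0..expected.len() {
        if expected[i] != presented[i] {
            return (false, i + 1); // work grows with the matching prefix
        }
    }
    (true, expected.len())
}

// Constant-time comparison: every byte is always examined and the differences
// are OR-ed together, so the work does not depend on where the inputs differ.
// Assumption: token length is not treated as secret here.
fn ct_eq(expected: &[u8], presented: &[u8]) -> (bool, usize) {
    if expected.len() != presented.len() {
        return (false, 0);
    }
    let mut diff = 0u8;
    for (a, b) in expected.iter().zip(presented) {
        // black_box discourages the optimizer from reintroducing an early exit.
        diff |= black_box(a ^ b);
    }
    (black_box(diff) == 0, expected.len())
}

// Hypothetical middleware check: extract the bearer token, compare in constant time.
fn authorize(header: Option<&str>, expected_token: &str) -> bool {
    match header.and_then(|h| h.strip_prefix("Bearer ")) {
        Some(tok) => ct_eq(expected_token.as_bytes(), tok.as_bytes()).0,
        None => false,
    }
}

fn main() {
    let secret = "constructed-sample-token"; // constructed value, not a real credential
    for guess in ["xonstructed-sample-token", "constructed-sampXe-token"] {
        let (_, leaky) = leaky_eq(secret.as_bytes(), guess.as_bytes());
        let (_, ct) = ct_eq(secret.as_bytes(), guess.as_bytes());
        println!("{guess}: early-exit examined {leaky} bytes, constant-time {ct}");
    }
    println!("valid header accepted: {}", authorize(Some("Bearer constructed-sample-token"), secret));
}
```
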

Labels

P2 (High value, medium complexity); security (Security-related issue)
