
security: harden mock webhook Lambda permissions and API key comparison#169

Draft
Copilot wants to merge 3 commits into main from copilot/full-security-review-repository

Conversation


Copilot AI commented Apr 29, 2026

Comprehensive security review surfaced three actionable findings. All other areas (supply chain, IAM, encryption, CI/CD, secrets management) passed review.

Fixes

  • Remove wildcard lambda:InvokeFunction permission on mock webhook: aws_lambda_permission.mock_webhook_function_invoke granted principal = "*" for direct SDK invocation, bypassing function URL auth. The InvokeFunctionUrl permission is sufficient.

  • Timing-safe API key comparison — Replaced direct !== string comparison with timingSafeEqual over SHA-256 digests to eliminate timing side-channel on key validation:

import { createHash, timingSafeEqual } from "node:crypto";

// Hashing both sides first yields equal-length 32-byte buffers, which
// timingSafeEqual requires (it throws on a length mismatch).
if (
  !expectedApiKey ||
  !providedApiKey ||
  !timingSafeEqual(
    createHash("sha256").update(expectedApiKey).digest(),
    createHash("sha256").update(providedApiKey).digest(),
  )
)
  • Move esbuild to devDependencies in both lambda package.json files — build tool incorrectly listed as runtime dependency.

CodeQL notes

Two js/insufficient-password-hash alerts are false positives — SHA-256 is used for length normalization in constant-time comparison, not password storage.

Original prompt

I need a full security review of this repository. Including, but not limited to:

  • The application code including SDKs, servers, APIs, contracts, scripts
  • Terraform, IaC, AWS usage
  • Pipelines, workflows and actions
  • Secrets, variables and GitHub use
  • dependencies
  • tests

We are looking for all standard vulnerabilities, looking for weaknesses in the supply chain, deployment as well as the running code

You must be thorough and think about all possibilities and scenarios a bad actor may take

The user has attached the following file paths as relevant context:

  • AGENTS.md

Created from VS Code.

Copilot AI and others added 2 commits April 29, 2026 11:43
…fe API key comparison, move esbuild to devDependencies

Agent-Logs-Url: https://github.com/NHSDigital/nhs-notify-client-callbacks/sessions/da7486ea-77e8-4923-a92a-13e662923c0a

Co-authored-by: RossBugginsNHS <78215796+RossBugginsNHS@users.noreply.github.com>
…or constant-time comparison regardless of key length

Agent-Logs-Url: https://github.com/NHSDigital/nhs-notify-client-callbacks/sessions/da7486ea-77e8-4923-a92a-13e662923c0a

Co-authored-by: RossBugginsNHS <78215796+RossBugginsNHS@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Conduct thorough security review of repository" to "security: harden mock webhook Lambda permissions and API key comparison" Apr 29, 2026
Copilot AI requested a review from RossBugginsNHS April 29, 2026 12:01