
fix: use constant-time Sophia inbox admin checks#4208

Merged
Scottcjn merged 1 commit into Scottcjn:main from cerredz:fix/sophia-inbox-admin-compare
May 10, 2026

Conversation

@cerredz (Contributor) commented May 10, 2026

Summary

Fixes #4207 by replacing the Sophia governor inbox admin-key equality check with hmac.compare_digest().

Root cause

node/sophia_governor_inbox.py allowed admin-gated inbox requests when provided_admin == required_admin. That rejects bad keys functionally, but normal string equality can short-circuit based on matching prefix length. Other RustChain admin-key paths are moving to hmac.compare_digest() for this same timing-hardening class.

Changes

  • Imports hmac in node/sophia_governor_inbox.py.
  • Uses hmac.compare_digest(provided_admin, required_admin) for the configured RC_ADMIN_KEY check.
  • Adds a regression test that exercises an actual admin-gated inbox endpoint with invalid and valid keys, and asserts the comparison goes through hmac.compare_digest().
  • Makes the inbox test temp-DB cleanup tolerant of Windows SQLite handle release timing, which was causing teardown errors after assertions passed locally.

Validation

Passed:

python -m pytest node\tests\test_sophia_governor_inbox.py::test_admin_auth_uses_constant_time_compare -q
python -m pytest node\tests\test_sophia_governor_inbox.py -q
python -m py_compile node\sophia_governor_inbox.py node\tests\test_sophia_governor_inbox.py
git diff --check

Note: local pytest emits the existing pytest_asyncio default loop-scope deprecation warning, but tests pass.

Bounty

Claiming bug bounty consideration for #4207. Payout details can be provided privately if accepted.
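The `==` versus `hmac.compare_digest()` change described above, as an added example that is not the RustChain code: a hypothetical admin-gated handler showing the naive check beside the constant-time one, plus a spy-style regression check in the spirit of the PR's test. The handler name, the `X-Admin-Key` header and the sample key are assumptions; in practice the required key would come from `RC_ADMIN_KEY`.

```python
import hmac
from unittest import mock

# Constructed sample; a real deployment reads RC_ADMIN_KEY from the environment.
REQUIRED_ADMIN_KEY = "constructed-admin-key-0123"


def admin_ok_naive(provided_admin, required_admin):
    """The pattern the PR replaces: plain equality, which can stop at the first differing byte."""
    return provided_admin == required_admin


def _to_bytes(value):
    """compare_digest needs both args as str (ASCII only) or both as bytes; normalize to bytes."""
    if isinstance(value, str):
        return value.encode("utf-8")
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    return None


def admin_ok_constant_time(provided_admin, required_admin):
    """Hardened check: returns False (never raises) when no key is configured,
    the header is missing, or the value has an unexpected type."""
    provided_b = _to_bytes(provided_admin)
    required_b = _to_bytes(required_admin)
    if not required_b or provided_b is None:
        return False
    return hmac.compare_digest(provided_b, required_b)


def handle_admin_request(headers, required_admin=REQUIRED_ADMIN_KEY):
    """Minimal admin-gated endpoint (hypothetical): 403 on a bad or absent key, 200 otherwise."""
    provided = headers.get("X-Admin-Key")
    if not admin_ok_constant_time(provided, required_admin):
        return 403, {"error": "admin key required"}
    return 200, {"ok": True}


def regression_uses_compare_digest():
    """Regression idea from the PR: drive the endpoint with a bad and a good key and
    confirm the comparison actually went through hmac.compare_digest."""
    with mock.patch("hmac.compare_digest", wraps=hmac.compare_digest) as spy:
        bad_status = handle_admin_request({"X-Admin-Key": "wrong-key"})[0]
        good_status = handle_admin_request({"X-Admin-Key": REQUIRED_ADMIN_KEY})[0]
        return bad_status, good_status, spy.call_count
```

Normalizing to bytes matters because `hmac.compare_digest` raises `TypeError` for non-ASCII `str` arguments or mixed `str`/`bytes`, which would otherwise turn a malformed header into a server error instead of a clean 403.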

github-actions bot added labels BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs), node (Node server related), tests (Test suite changes), size/S (PR: 11-50 lines) on May 10, 2026

@Scottcjn (Owner) commented

💰 PAID — 10 RTC pending, will confirm in 24h.

  • tx hash: cffb8f9bffe6f27ab2884e5cab6672a2
  • Pending ID: 1405

What worked

Sophia inbox admin auth properly constant-time + regression exercises a real admin-gated endpoint. Four PRs in one batch, all pay-worthy — this is your star-contributor day.

— auto-triage 2026-05-10

@Scottcjn Scottcjn merged commit 6c6dbf8 into Scottcjn:main May 10, 2026
3 checks passed

Development

Successfully merging this pull request may close these issues.

Sophia governor inbox admin check uses timing-sensitive key comparison