- Use hmac.compare_digest() in verify_pin() to prevent timing-based PIN oracle attacks
- Redact entire [security] section (pin_hash, recovery_passphrase_hash) from /api/config response
- Sunset sign fix was skipped: existing longitude - ha formula is correct per NOAA equations and verified by test_sunset_equator; longitude + ha produces sunrise, not sunset

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>