Skip to content

Support runtime signing env aliases for Coinbase webhook receipt signing#298

Merged
GsCommand merged 1 commit into
mainfrom
codex/update-coinbase-webhook-signing-aliases
May 23, 2026
Merged

Support runtime signing env aliases for Coinbase webhook receipt signing#298
GsCommand merged 1 commit into
mainfrom
codex/update-coinbase-webhook-signing-aliases

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented May 23, 2026

Motivation

  • Accept existing runtime-compatible environment aliases for receipt signing so the Coinbase webhook example works with alternative deployments and tooling.
  • Allow PEM values provided as base64 (*_PEM_B64) and convert literal \n sequences to real newlines to support common CI/runtime secret encodings.
  • Preserve existing endpoint semantics and never expose or log private key material; missing/invalid signing config should continue to produce signing_unavailable.

Description

  • Add PEM normalization and environment-resolution helpers (normalizePemValue, resolveFirstEnv, resolveReceiptSigningConfigFromEnv, hasValidSigningConfig) and export them from lib/receiptSigning.js.
  • Resolve signing config from the first matching alias for signer id, kid, and private key (supporting both raw PEM and base64-encoded PEM) and pass the resolved config into signReceipt rather than reading specific env vars directly.
  • Update the Coinbase example handler (api/examples/coinbase-webhook.js) to use the resolved signing config and to inject the resolved signer id into normalized receipts.
  • Add an automated test proving RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 works and update docs to list RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 as a supported runtime-compatible alias; files changed: lib/receiptSigning.js, api/examples/coinbase-webhook.js, tests/api-coinbase-webhook.test.js, docs/integrations/coinbase-cdp-webhook-receipts.md.
  • Aliases supported: signer id CL_RECEIPT_SIGNER_ID, RECEIPT_SIGNER_ID, CL_RECEIPT_SIGNER; kid CL_RECEIPT_SIGNING_KID, RECEIPT_SIGNING_KID, CL_RECEIPT_SIGNING_KEY_ID, CL_KEY_ID; private key CL_RECEIPT_SIGNING_PRIVATE_KEY_PEM, RECEIPT_SIGNING_PRIVATE_KEY_PEM, CL_PRIVATE_KEY_PEM, and base64 aliases CL_RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64, RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64, RECEIPT_SIGNING_PRIVATE_KEY_B64, CL_PRIVATE_KEY_PEM_B64.

Testing

  • Ran the full test suite with npm test, and all tests passed (63 passed, 0 failed), including the new test runtime-compatible alias RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 signs successfully.
  • Existing behavior around signing_unavailable for missing/invalid signing configuration remains covered by tests and continues to pass.

Codex Task

@vercel
Copy link
Copy Markdown

vercel Bot commented May 23, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commandlayer-commandlayer-org Ready Ready Preview, Comment May 23, 2026 1:49am
commandlayer-org Ready Ready Preview, Comment May 23, 2026 1:49am
commandlayer-org111 Ready Ready Preview, Comment May 23, 2026 1:49am

Request Review

@GsCommand GsCommand merged commit d5227ca into main May 23, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand