Normalize Coinbase receipt signing key parsing to support existing runtime formats

[GsCommand]

Motivation

• The Coinbase webhook endpoint returned signing_unavailable because the runtime signing key stored in RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 used an existing runtime encoding that the signer code did not normalize.
• The change ensures the webhook signing code accepts the runtime key format without requiring env var renames or exposing private key material.

Description

• Added PEM normalization helpers in lib/receiptSigning.js to accept raw full PEM, base64(full PEM), raw PEM body only, base64(PEM body), and literal "\n" sequences and to wrap bare bodies into 64-char PEM lines.
• Normalization implements the rule: if a candidate already contains BEGIN PRIVATE KEY/END PRIVATE KEY use it, otherwise wrap the body without mutating environment variables.
• Preserved existing env-var resolution order and aliases (including RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64) and did not change Coinbase HMAC verification or other unrelated files.
• Files changed: lib/receiptSigning.js (normalization logic) and tests/receiptSigning.test.js (new tests).

Testing

• Added tests/receiptSigning.test.js which verifies the existing runtime-compatible RECEIPT_SIGNING_PRIVATE_KEY_PEM_B64 style, base64(full PEM), raw PEM body handling, and the invalid-key safe path.
• Ran the full test suite with npm test and all tests passed (76 tests, 0 failures).

---

Codex Task

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commandlayer-commandlayer-org	Ready	Preview, Comment	May 23, 2026 8:36pm
commandlayer-org	Ready	Preview, Comment	May 23, 2026 8:36pm
commandlayer-org111	Ready	Preview, Comment	May 23, 2026 8:36pm