feat(sdk): add WebBotAuthResource for Web Bot Auth header minting

[nvp-stripe]

r? @kreese-stripe @danhill-stripe @bendavis-stripe

Summary and motivation

Adds WebBotAuthResource to @stripe/link-sdk the SDK component that fetches pre-signed Web Bot Auth headers from the Link backend so AI agents can prove their identity to merchant sites protected by Cloudflare bot filtering.

What this adds:

• New WebBotAuthBlock type in mirroring the backend response shape:
  { signature, signature_input, signature_agent, authority, expires_at }.
• New IWebBotAuthResource interface with a single method: getHeaders(url: string): Promise<WebBotAuthBlock>.
• WebBotAuthResource class implementing the interface. On getHeaders(url):
  1. Extracts the authority (hostname) from the URL.
  2. Checks an in-memory per-authority cache; returns the cached block if it expires
     more than 30 seconds in the future.
  3. Otherwise POSTs to POST /v1/agent_identity/credentials (authenticated with the
     user's Link OAuth bearer token) with { url } as the JSON body.
  4. Extracts the web_bot_auth block from the response, caches it keyed by hostname,
     and returns it.
  5. On 401, refreshes the access token once and retries (same pattern as all other SDK resources).
• WebBotAuthResource wired into ResourceFactory in the CLI package with lazy caching,
  same as SpendRequestResource, PaymentMethodsResource, etc.

Why:

AI agents using Link CLI to complete checkout on merchant sites get blocked by Cloudflare and Vercel's automated bot detection: their traffic is indistinguishable from scraper traffic.
Web Bot Auth is an IETF-draft protocol where registered bots attach a cryptographic signature to every request, allowing CDN/WAF managed rulesets to bypass bot challenges without user interaction.

Signatures are valid for 10 minutes. The per-authority cache avoids a round-trip to api.link.com on every request to the same merchant domain within that window.

Test plan

• packages/sdk/src/resources/__tests__/web-bot-auth.test.ts (11 new unit tests).

• packages/cli/src/utils/__tests__/resource-factory.test.ts updated:

  • createWebBotAuthResource() returns cached instance on repeated calls
  • Returns instanceof WebBotAuthResource

[danhill-stripe]

looks good! couple small comments.

[danhill-stripe]

also defaultHeaders?

[nvp-stripe]

defaultHeaders is already applied by resolveLinkSdkConfig via reateDefaultHeadersFetch. added a comment.

[danhill-stripe]

handle if expires_at is bad/malformed?

[nvp-stripe]

added explicit NaN check after Date.parse. Previously a bad expires_at would produce NaN as expiresAt, causing the cache condition Date.now() < NaN to silently always be false; every subsequent call would re-fetch. Now throws a LinkSdkError with the bad value in the message. Added a test for this case.