GHL signs x-wh-signature webhooks with an Ed25519 key from the
Marketplace app settings, not RSA. The previous RSA implementation
caused all webhook signature checks to fail, blocking every outbound
SMS send.
Changes:
- Replace parseRSAPublicKey + RSA verification with parseEd25519PublicKey
+ ed25519.Verify for x-wh-signature
- Both x-wh-signature (current) and X-GHL-Signature (July 2026) now
use the same Ed25519 key from GHL_WEBHOOK_PUBLIC_KEY
- Remove unused crypto/rsa, crypto/sha256, crypto imports
- Update webhook_test.go to generate/sign with Ed25519 instead of RSA
Co-Authored-By: Paperclip <noreply@paperclip.ing>
GHL uses RSA + SHA-256 for x-wh-signature, not ECDSA P-256 as documented
in the original task files. Also adds forward-compatible Ed25519 support
for X-GHL-Signature (GHL migration scheduled July 2026): handler checks
X-GHL-Signature first, falls back to x-wh-signature.
- webhook.go: replace ecdsa.VerifyASN1 with rsa.VerifyPKCS1v15; add
verifyEd25519 + verifyIncomingSignature dispatch; update struct fields
- webhook_test.go: regenerate test keys as RSA-2048, sign with PKCS1v15
- CLAUDE.md: correct crypto stack and key implementation notes
- .env.example: clarify GHL_WEBHOOK_PUBLIC_KEY is a static RSA key from docs
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
Complete MVP implementation of the Cast GHL Conversation Provider bridge:
- Go module setup with chi router and mongo-driver dependencies
- Config loading with env var validation and defaults
- MongoDB token store with upsert, get, update, delete operations
- Cast.ph SMS client with 429 retry logic and typed errors
- Phone number normalization (E.164 ↔ Philippine local format)
- GHL OAuth 2.0 install/callback/refresh flow
- GHL webhook handler with ECDSA signature verification (async dispatch)
- GHL API client for message status updates and inbound message stubs
- Multi-stage Dockerfile, docker-compose with MongoDB, Woodpecker CI pipeline
- Unit tests for phone normalization, Cast client, GHL webhook, and OAuth handlers
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
