GHL's x-wh-signature uses RSA-PKCS1v15 + SHA-256, not Ed25519.
The previous implementation parsed the wrong key type and would reject
all incoming webhooks in production.
Changes:
- webhook.go: switch x-wh-signature verification to RSA-PKCS1v15+SHA-256
- webhook.go: add optional Ed25519 path for X-GHL-Signature (July 2026+)
- config.go: add optional GHL_WEBHOOK_ED25519_KEY for future migration
- main.go: pass ed25519 key to NewWebhookHandler
- webhook_test.go: update test helpers to use RSA keys
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
Complete MVP implementation of the Cast GHL Conversation Provider bridge:
- Go module setup with chi router and mongo-driver dependencies
- Config loading with env var validation and defaults
- MongoDB token store with upsert, get, update, delete operations
- Cast.ph SMS client with 429 retry logic and typed errors
- Phone number normalization (E.164 ↔ Philippine local format)
- GHL OAuth 2.0 install/callback/refresh flow
- GHL webhook handler with ECDSA signature verification (async dispatch)
- GHL API client for message status updates and inbound message stubs
- Multi-stage Dockerfile, docker-compose with MongoDB, Woodpecker CI pipeline
- Unit tests for phone normalization, Cast client, GHL webhook, and OAuth handlers
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
