GHL's x-wh-signature uses RSA-PKCS1v15 + SHA-256, not Ed25519.
The previous implementation parsed the wrong key type and would reject
all incoming webhooks in production.
Changes:
- webhook.go: switch x-wh-signature verification to RSA-PKCS1v15+SHA-256
- webhook.go: add optional Ed25519 path for X-GHL-Signature (July 2026+)
- config.go: add optional GHL_WEBHOOK_ED25519_KEY for future migration
- main.go: pass ed25519 key to NewWebhookHandler
- webhook_test.go: update test helpers to use RSA keys
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
a3b14f8a2a