
Add CI, strengthen verification logic, raw-body checks, QStash loading, and test harness#45

Merged
Prateek32177 merged 2 commits into main from codex/conduct-security-audit-for-tern-sdk
Feb 28, 2026

Conversation

@Prateek32177
Contributor

Motivation

  • Add continuous integration and tighten developer tooling to ensure builds, linting and tests run on PRs and pushes to main.
  • Harden webhook verification around timing-safe string comparisons and parallel multi-platform verification to improve security and diagnostics.
  • Prevent mis-configuration when Express has already parsed request bodies and make Upstash QStash integration more resilient across package shapes.
  • Improve the local test harness and TypeScript configuration to exclude test artifacts from builds.

Description

  • Added a GitHub Actions workflow CI that runs npm ci, npm run build, npm run lint, and npm test on PRs and pushes to main.
  • Modified package.json to run the TypeScript test harness via ts-node using npm test and added an .npmignore to exclude compiled test artifacts from packages.
  • Express adapter changes: added strictRawBody option (default true) and a check using a new helper to reject parsed JSON bodies early with a 400 response and guidance to use express.raw.
  • Shared adapter changes: introduced hasParsedBody and updated extractRawBody to warn about and handle already-parsed JSON bodies consistently.
  • Verification core (src/index.ts): parallelized verifyAny across provided secrets and aggregate diagnostics, added a timing-safe safeCompare using Node's timingSafeEqual, and switched token comparison in verifyTokenAuth to use the safe comparator; also small metadata key access fix for Sanity payloads.
  • Upstash queue (src/upstash/queue.ts): made dynamic module loading robust by using native import(...), added typed constructor resolution for Receiver/Client, improved export resolution to support different package shapes, and minor header destructuring fixes.
  • Verifiers (src/verifiers/algorithms.ts): added requiresTimestamp logic to enforce timestamp presence when needed, tightened fal.ai timestamp handling, added fetch timeout for JWKS retrieval, and cleaned up public key resolution for ED25519 verifications.
  • Test harness (src/test.ts): improved signature helpers, added a trackCheck collector to aggregate failing checks and cause a non-zero exit when failures occur, improved logging and process exit handling, and adjusted a number of test expectations to match verification changes.
  • TypeScript config (tsconfig.json): formatted lib entries and added exclusions for test files so they are not included in published builds.

Testing

  • Added CI workflow (.github/workflows/ci.yml) to run npm ci, npm run build, npm run lint, and npm test for PRs and pushes to main (automated pipeline added but not yet observed in this PR run).
  • Locally executed npm run build (TypeScript compile) which completed successfully.
  • Ran the test harness via npm test (ts-node src/test.ts) which executed the verification checks; the harness aggregates failures and returns non-zero on failure and the local run completed successfully.

Codex Task

Comment on lines +11 to +32 of .github/workflows/ci.yml

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci

      - name: Build
        run: npm run build

      - name: Lint
        run: npm run lint

      - name: Test
        run: npm test

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 2 days ago)

In general, the fix is to explicitly add a permissions block to the workflow (or individual jobs) to limit the GITHUB_TOKEN to the least privileges necessary. For a standard CI pipeline that only checks out code and runs build/test/lint locally, contents: read is typically sufficient. Defining permissions at the top level applies them to all jobs unless overridden.

For this specific file, the best fix without changing behavior is to add a root-level permissions block after the workflow name: and before the on: section:

name: CI
permissions:
  contents: read

This leaves all existing steps unchanged while ensuring the GITHUB_TOKEN is restricted to read-only access to repository contents, which is enough for actions/checkout and the subsequent commands. No imports, methods, or additional definitions are needed.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,11 +1,12 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   pull_request:
   push:
     branches:
       - main
-
 jobs:
   quality:
     runs-on: ubuntu-latest
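Review bot: the `-` line near the end of the hunk deletes the blank line between `- main` and `jobs:`, a whitespace change unrelated to the permissions fix; keep that blank line so the patch adds only the `permissions:` block (the hunk header's line counts would then read `@@ -1,11 +1,13 @@`). The root-level `contents: read` is the right scope for this workflow: `actions/checkout@v4` needs read access to the repository and none of the build, lint or test steps writes back to it, so the `GITHUB_TOKEN` loses its default write grants without changing behaviour.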
EOF
@Prateek32177 Prateek32177 merged commit 1334455 into main Feb 28, 2026
4 checks passed
@Prateek32177 Prateek32177 deleted the codex/conduct-security-audit-for-tern-sdk branch February 28, 2026 18:36