* fix: use ES256 instead of EdDSA for Coinbase CDP JWT signing
Coinbase Developer Platform issues EC P-256 keys, not Ed25519.
The previous EdDSA implementation would always return Unauthorized
for any key generated via portal.cdp.coinbase.com.
Switch to ES256 (ECDSA SHA-256) using OpenSSL, and convert the
DER-encoded signature to the raw r||s format required by the JWT spec.
API Secret field now accepts the full PEM private key directly
(including BEGIN/END headers) as provided by Coinbase.
* fix(coinbase): address PR review comments
- Normalize escaped \n in PEM key before parsing (fixes pasting directly
from the Coinbase CDP JSON download file where newlines are \n literals)
- Extract parse_ec_private_key helper with docstring explaining both
accepted PEM formats
- Fix double-space style nit on encoded_header assignment
- Remove ed25519 gem from Gemfile (no longer used after ES256 migration)
- Add Provider::CoinbaseTest covering: JWT 3-part structure, ES256 alg
header, kid claim, CDP payload claims, 64-byte raw r||s signature,
escaped-newline key acceptance, and cryptographic signature verification
* test(coinbase): fix base64url padding in JWT test assertions
* chore: update Gemfile.lock to remove ed25519 gem
* Sample credential in test
* Comments field, not real key use
* test(coinbase): generate EC key dynamically; drop scanner exclusions
Generate a fresh P-256 key per test run with OpenSSL::PKey::EC.generate
instead of hardcoding a PEM private key. This removes committed key
material and the need to exclude the provider and test files from the
pipelock secret scan, so those exclusions are removed too.
Addresses review findings on hardcoded test key + scan exclusions.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Juan José Mata <jjmata@jjmata.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>