validation added to both go and ts implementations

[0xsnackbaker]

Description

Adds comprehensive validation for the payment signature header decoding in both Go and TypeScript implementations. This ensures that malformed, incomplete, or invalid payment headers are rejected early with descriptive error messages.

This implementation is for x402 v2 only.

Closes #800

Changes

 - Go: Added ValidateAndDecodePaymentHeader function in go/http/validation.go with validation for:
   - Empty header detection
   - Base64 format validation
   - JSON structure validation
   - Required field presence (x402Version, resource, accepted, payload)
   - Field type validation (resource.url, resource.description, resource.mimeType)
 - TypeScript: Enhanced decodePaymentSignatureHeader function in typescript/packages/core/src/http/index.ts with the same validation logic
 - Updated go/http/server.go to use the new validation function

Tests

Go Tests (go/http/validation_test.go):

 - 21 test cases covering:
   - Empty/invalid base64 inputs
   - Valid base64 but invalid JSON
   - Missing required fields (x402Version, resource, resource.url, resource.description, resource.mimeType, accepted, payload)
   - Invalid field types
   - Valid payload decoding

 cd /go && go test -v ./http/... -run TestValidateAndDecodePaymentHeader
 # All 21 tests pass

TypeScript Tests (typescript/packages/core/test/unit/http/decodePaymentSignatureHeader.test.ts):

 - 20 test cases covering same validation scenarios

 cd /typescript/packages/core && npm test -- decodePaymentSignatureHeader
 # All 20 tests pass

Checklist

 - [X]  I have formatted and linted my code
 - [X]  All new and existing tests pass
 - [X]  My commits are signed (required for merge)

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 0 Sum 1

[vercel]

@0xsnackbaker is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

[phdargen]

Thanks for the suggestions @0xsnackbaker! Before I review this in more detail could you please clarify what exact problem this is trying to address? Issue #800 frankly reads like generic AI slop. Unfortunately we get a lot of those recently.

Is the intention to provide clients with more actionable error messages to help debug invalid payloads? That could be useful but adding all these error logs server-side won't help in that regard.
As it stands, I feel this adds a lot of lines of codes without clear benefit.

Please also make sure to run format + lint before your commits

[0xsnackbaker]

Is the intention to provide clients with more actionable error messages to help debug invalid payloads?

Yes and it is painful to work with x402 without proper error handling. I spent one whole day a couple of days ago to figure out a simple validation error.

Please also make sure to run format + lint before your commits
✅