feat: add standalone verifyWebhookSignature helper to SDK

[dinahmaccodes]

Closes #331
Closes #305

Changes:

Added a standalone verifyWebhookSignature(rawBody, signature, timestamp, secret, options?) function to the SDK that matches the backend's HMAC-SHA256 signing format exactly (${timestamp}.${rawBody}). It includes replay-protection via a configurable tolerance window, constant-time comparison, and returns a typed { valid, error? } result. The existing client.webhooks.verify() method now delegates to it. The function is exported directly from @fluxapay/sdk.

For #305, added SorobanQueueService — an in-process queue that serializes Soroban contract submissions and retries with exponential back-off (up to 3 attempts). PaymentService.verifyPayment now enqueues the on-chain call non-blocking instead of awaiting it directly, so the payment confirmation flow is no longer blocked by RPC latency.

Also fixed a pre-existing file corruption in paymentMonitor.streaming.minimal.ts (literal \n strings instead of real newlines) that was breaking the TypeScript build.

Checklist:

• verifyWebhookSignature standalone helper implemented
• HMAC signing format matches backend (${timestamp}.${rawBody})
• Replay-protection with configurable tolerance window
• Exported from @fluxapay/sdk package entry
• Unit tests with deterministic fixtures (15 cases)
• Soroban queue with retry + exponential back-off
• PaymentService.verifyPayment uses queue (non-blocking)
• Queue tests passing (4 cases)
• Pre-existing file corruption fixed
• All tests passing, pushed to issue-something

[drips-wave]

@dinahmaccodes Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits