fix(sdk): use sender's protocol version for HTTP signature verification (#171)

## Summary

`verifyHttpRequestHeaders` and `verifyHttpResponseHeaders` hardcoded the
local `PROTOCOL_VERSION` (derived from the SDK's own semver) when
reconstructing the signing input for verification. When the gateway (SDK
1.6, `v: "1.6"`) verified requests from worlds running SDK 1.5 (`v:
"1.5"`), the `v:` field in the reconstructed signing input mismatched
the one the sender actually signed, causing **every signature to fail
with 403**.

## Root Cause

`buildRequestSigningInput` and `buildResponseSigningInput` always used:
```ts
v: PROTOCOL_VERSION  // local SDK version, e.g. "1.6"
```

But the sender signed with their own version (e.g. `"1.5"`), sent via
the `X-AgentWorld-Version` header. The verifier ignored that header.

## Fix

Both verify functions now:
1. Extract `X-AgentWorld-Version` from incoming headers
2. Pass it to the signing input builder as `v:`
3. Fall back to local `PROTOCOL_VERSION` when the header is absent

This ensures cross-version compatibility: a gateway on SDK 1.6 can
verify requests from worlds on SDK 1.5 (or any other version).

## Testing

- 203/203 tests pass
- Build succeeds for both root and SDK packages

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: Jing-yilin

.changeset/fix-cross-version-sig-verify.md

@@ -0,0 +1,5 @@
+---
+"@resciencelab/agent-world-sdk": patch
+---
+
+Fix cross-version HTTP signature verification: use sender's X-AgentWorld-Version header instead of local PROTOCOL_VERSION when reconstructing signing input, so gateway and peers running different SDK minor versions can still verify each other's signatures.

packages/agent-world-sdk/src/crypto.ts

@@ -160,9 +160,10 @@ function buildRequestSigningInput(opts: {
   authority: string;
   path: string;
   contentDigest: string;
+  v?: string;
 }): Record<string, string> {
   return {
-    v: PROTOCOL_VERSION,
+    v: opts.v ?? PROTOCOL_VERSION,
     from: opts.from,
     kid: opts.kid,
     ts: opts.ts,
@@ -232,6 +233,7 @@ export function verifyHttpRequestHeaders(
   const kid = h["x-agentworld-keyid"] as string | undefined;
   const ts = h["x-agentworld-timestamp"] as string | undefined;
   const cd = h["content-digest"] as string | undefined;
+  const senderVersion = h["x-agentworld-version"] as string | undefined;
 
   if (!sig || !from || !kid || !ts || !cd) {
     return { ok: false, error: "Missing required AgentWorld headers" };
@@ -258,6 +260,7 @@ export function verifyHttpRequestHeaders(
     authority,
     path,
     contentDigest: cd,
+    v: senderVersion,
   });
   const ok = verifyWithDomainSeparator(
     DOMAIN_SEPARATORS.HTTP_REQUEST,
@@ -287,9 +290,10 @@ function buildResponseSigningInput(opts: {
   ts: string;
   status: number;
   contentDigest: string;
+  v?: string;
 }): Record<string, unknown> {
   return {
-    v: PROTOCOL_VERSION,
+    v: opts.v ?? PROTOCOL_VERSION,
     from: opts.from,
     kid: opts.kid,
     ts: opts.ts,
@@ -351,6 +355,7 @@ export function verifyHttpResponseHeaders(
   const kid = h["x-agentworld-keyid"];
   const ts = h["x-agentworld-timestamp"];
   const cd = h["content-digest"];
+  const senderVersion = h["x-agentworld-version"];
 
   if (!sig || !from || !kid || !ts || !cd) {
     return { ok: false, error: "Missing required AgentWorld response headers" };
@@ -375,6 +380,7 @@ export function verifyHttpResponseHeaders(
     ts,
     status,
     contentDigest: cd,
+    v: senderVersion ?? undefined,
   });
   const ok = verifyWithDomainSeparator(
     DOMAIN_SEPARATORS.HTTP_RESPONSE,