chore: project improvements #4

Merged
willswire merged 18 commits into main from chore/project-improvements
Feb 26, 2026

@willswire willswire commented Feb 26, 2026

Summary

This PR modernizes the project’s CI/CD, testing setup, Wrangler configuration, and DeviceCheck request flow. It improves correctness (especially around Apple DeviceCheck), adds automated testing, and updates the toolchain to current versions.


CI/CD Changes

  • Removed deploy-worker.yaml (release-triggered deploy).

  • Added:

    • pull-request.yml – runs on PRs to main:

      • npm ci
      • npm run generate-types
      • npm test
    • push.yml – runs on push to main:

      • Uses release-please for automated versioning
      • Deploys only when a release is created
  • Updated README badge to reflect new workflow.

This ensures tests run before merge and deployments only happen from formal releases.


Testing (Vitest)

  • Added Vitest and coverage configuration.

  • Added comprehensive tests for:

    • fetch handler
    • check logic
    • JWT generation
    • Payload construction
    • Upstream request behavior
    • Error handling paths
  • Validates:

    • Correct production vs development endpoint selection
    • Proper Authorization header format
    • Device payload is not embedded in JWT claims
    • Correct behavior across various upstream status codes

DeviceCheck Fix: JWT and Payload Separation

Previously, device_token, transaction_id, and timestamp were embedded in the JWT.

Now:

  • JWT contains only required auth claims (iss, iat, exp).
  • Device data is sent in the POST body only.
  • transaction_id uses crypto.randomUUID() instead of a timestamp-based value.

This aligns the implementation with Apple’s DeviceCheck API expectations and prevents leaking device payload fields into JWT claims.


Wrangler v4 Migration

  • Migrated from wrangler.toml to wrangler.jsonc.
  • Upgraded to wrangler@^4.68.1.
  • Removed @cloudflare/workers-types.
  • Added generate-types and type-check scripts.
  • Removed committed worker-configuration.d.ts; types are now generated.
  • Updated TypeScript config to include tests.

Observability is enabled and compatibility dates updated.


Dependency Updates

  • wrangler ^4.68.1
  • typescript ^5.9.3
  • jose ^6.1.3
  • Added vitest and @vitest/coverage-v8

iOS Example Updates

  • Improved development detection (simulator or sandbox receipt).
  • Improved DeviceCheck error handling.
  • Sends accurate X-Apple-Device-Development header.
  • Minor state reset fix before fetch.

Miscellaneous

  • Added .env.template.
  • Updated README references from wrangler.toml to wrangler.jsonc.
  • Updated .gitignore for generated type files.
  • Removed legacy workflows and config files.

@willswire willswire force-pushed the chore/project-improvements branch from 26bd994 to 2a33c4e February 26, 2026 03:30
@willswire willswire force-pushed the chore/project-improvements branch from 93975f1 to 288e49f February 26, 2026 04:15
@willswire willswire merged commit 8f0bd3b into main Feb 26, 2026
1 check passed
@willswire willswire deleted the chore/project-improvements branch February 26, 2026 04:16
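
Added example, not code from this PR or the project: a check for the JWT and payload separation described under "DeviceCheck Fix", run against a request shaped like the old behaviour and one shaped like the new. The helper name `auditDeviceCheckRequest`, the `Bearer` scheme check, and all sample tokens and values are assumptions constructed for illustration; the tokens are unsigned placeholders and no signature verification is performed.

```javascript
const ALLOWED_CLAIMS = new Set(["iss", "iat", "exp"]);               // per the PR description
const BODY_FIELDS = ["device_token", "transaction_id", "timestamp"]; // per the PR description
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Decode the claims segment only; the signature is not checked here.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Hypothetical helper: returns a list of findings, empty when the request is clean.
function auditDeviceCheckRequest(authorization, body = {}) {
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(authorization || "");
  if (!m) return ["Authorization header is not 'Bearer <jwt>'"];
  let claims;
  try {
    claims = decodeClaims(m[1]);
  } catch (e) {
    return [`JWT payload unreadable: ${e.message}`];
  }
  const findings = [];
  for (const name of Object.keys(claims)) {
    if (!ALLOWED_CLAIMS.has(name)) findings.push(`unexpected JWT claim: ${name}`);
  }
  for (const name of ALLOWED_CLAIMS) {
    if (!(name in claims)) findings.push(`missing JWT claim: ${name}`);
  }
  for (const name of BODY_FIELDS) {
    if (!(name in body)) findings.push(`missing body field: ${name}`);
  }
  if (typeof body.transaction_id === "string" && !UUID_RE.test(body.transaction_id)) {
    findings.push("transaction_id is not a UUID");
  }
  return findings;
}

// Constructed sample data (placeholders, not real credentials or device tokens).
const header = { alg: "ES256", kid: "KEYID_PLACEHOLDER" };
const auth = { iss: "TEAMID_PLACEHOLDER", iat: 1700000000, exp: 1700000300 };
const device = { device_token: "dGVzdA==", transaction_id: "1700000000000", timestamp: 1700000000000 };
const legacyJwt = [b64url(header), b64url({ ...auth, ...device }), "sig"].join(".");
const fixedJwt = [b64url(header), b64url(auth), "sig"].join(".");
const fixedBody = { ...device, transaction_id: "3f2b8c1e-9d4a-4e7b-8a6f-0c1d2e3f4a5b" };

const legacyFindings = auditDeviceCheckRequest(`Bearer ${legacyJwt}`, device);
const fixedFindings = auditDeviceCheckRequest(`Bearer ${fixedJwt}`, fixedBody);
console.log({ legacyFindings, fixedFindings });
```

The same function can be called from a Vitest case on the `Authorization` header and body captured from a mocked upstream `fetch`.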