#6128: Fail closed when Telnyx webhook public key is missing (voice-call provider)

## Summary The voice-call Telnyx provider currently **skips webhook signature verification** when `telnyx.publicKey` is not configured. This PR changes Telnyx webhook verification to **fail closed by default** and adds config validation to require `telnyx.publicKey` unless `skipSignatureVerification` is explicitly enabled for dev. ## Why this change (security impact) - **Prevents forged Telnyx webhooks** when the webhook URL is public and the public key is accidentally unset/misconfigured. - Makes insecure setups **fail fast** with a clear config error instead of silently running without verification. ## Changes - `TelnyxProvider.verifyWebhook()` now rejects when `publicKey` is missing (unless `skipVerification` is enabled) - Also rejects invalid (non-numeric) timestamps instead of accidentally passing the age check - Config validation requires `telnyx.publicKey` when using Telnyx (unless `skipSignatureVerification` is true) - Docs updated to mention the `telnyx.publicKey` requirement ## Test plan - [x] `pnpm build` passes - [x] `pnpm test` passes - [x] New tests added in `extensions/voice-call/src/providers/telnyx.test.ts` - [x] Config validation tests updated in `extensions/voice-call/src/config.test.ts` <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> Telnyx voice-call webhook verification is now fail-closed: `TelnyxProvider.verifyWebhook()` rejects when `telnyx.publicKey` is missing unless `skipSignatureVerification` is explicitly enabled for dev. Config resolution/validation was updated to require `TELNYX_PUBLIC_KEY`/`telnyx.publicKey` for Telnyx, and new unit tests cover missing public key, valid Ed25519 signatures, and invalid/old timestamps. Runtime wiring now passes the global `skipSignatureVerification` flag into the Telnyx provider. <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with minimal risk. - Changes are narrowly scoped to Telnyx webhook verification behavior and config validation; behavior is well-covered by new/updated tests and follows a security hardening direction (fail closed). No broad refactors or risky dependencies were introduced. - No files require special attention <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->