Harden signature parsing and verification edge cases

[Rexxyin]

Motivation

• Prevent signature verification edge-cases and parsing bugs that can lead to false negatives or unsafe behavior across frameworks and SDK adapters.
• Ensure timestamp handling is robust so non-finite values don't propagate into expiry checks.
• Avoid breaking variants of the Upstash/QStash integration by making the verification call compatible with multiple SDK shapes.

Description

• Use UTF-8 byte-length check before performing constant-time comparison in safeCompare to avoid multibyte-length mismatches (src/verifiers/base.ts).
• Make comma-separated signature header parsing delimiter-aware so signatures that contain commas (for example base64 variants) are not split incorrectly by changing the split regex in parseDelimitedHeader (src/verifiers/algorithms.ts).
• Harden timestamp parsing for both header and signature-embedded timestamps to return null for non-finite values instead of returning NaN and to explicitly parse ISO/unix/custom formats (src/verifiers/algorithms.ts).
• Improve Upstash QStash compatibility by removing the optional url property from the Receiver.verify invocation so it works with SDK variants that expect only signature and body (src/upstash/queue.ts).

Testing

• Ran npm test against the existing compiled output and the test harness executed; the suite completed and reported pre-existing failures for Sanity and Polar verification which are unrelated to these changes (tests otherwise passed for many platforms).
• Attempted npm run build which failed in this environment due to missing @upstash/qstash types (type resolution error during tsc).
• Attempted npm install to restore dependencies but it was blocked by the environment/registry (403 Forbidden fetching a transitive dependency), preventing a full local rebuild and end-to-end TypeScript verification.

---

Codex Task