fix: align agent-sdk receipt APIs with runtime-core 1.2.0

[GsCommand]

Motivation

• The SDK previously used type shapes and call signatures that no longer exist in @commandlayer/runtime-core 1.2.0, causing TypeScript build errors and broken signing/verification flows.

Description

• Updated src/receipt.ts to remove non-existent type imports, stop treating CommandLayerReceipt as a generic, and call the runtime-core signer as signCommandLayerReceipt(receipt, { privateKeyPem, kid }) instead of the old object-shaped param; this adapts the SDK to the runtime-core 1.2 signing API.
• Added DEFAULT_CANONICALIZATION and validation in src/index.ts to accept the SDK constructor canonicalization for compatibility but enforce that it equals "json.sorted_keys.v1", rejecting other values.
• Adjusted test/receipt.test.ts to export the generated key's SPKI PEM and call verifyCommandLayerReceipt(receipt, { publicKeyPemOrDer }), and updated the expected verification status to "VERIFIED" for a valid receipt.
• Files changed: src/receipt.ts, src/index.ts, and test/receipt.test.ts; runtime-core API shapes used include signCommandLayerReceipt(receipt, options) and verifyCommandLayerReceipt(receipt, { publicKeyPemOrDer }), and CommandLayerReceipt is consumed as a non-generic type.

Testing

• Ran npm install, which failed in the current environment due to 403 Forbidden when fetching @commandlayer/runtime-core, so dependency installation did not complete.
• Ran npm run build, which failed because dependencies and type declarations were unavailable after the install failure, producing TypeScript errors for missing modules and node types.
• Ran npm test, which also failed because pretest runs the build step that failed for the same dependency/type availability reason.

---

Codex Task