fix: harden Coinbase popup handling and refresh checkout order

[broody]

Summary

• parse Coinbase popup postMessage payloads more robustly (string/object/nested payload variants) and handle additional Coinbase event names without incorrectly ignoring valid events
• keep the Coinbase popup loading state tied to Coinbase load events instead of iframe load
• force creation of a fresh Coinbase order/payment link when the user retries checkout after canceling, to avoid reusing stale links

Test plan

• Run pnpm format
• In checkout, cancel Coinbase popup, go back, click Buy/Continue again, verify a new order/payment link is used
• Confirm popup handles onramp_api.polling_success, onramp_api.polling_error, and onramp_api.cancel events without being ignored
• Confirm popup shows loading until Coinbase load_success event arrives

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
controller-example-next	Building	Preview	Feb 26, 2026 2:16am
keychain	Building	Preview	Feb 26, 2026 2:16am
keychain-storybook	Building	Preview	Feb 26, 2026 2:16am

[claude]

Claude finished @broody's task —— View job

---

Documentation Assessment

Analyzing PR #2449 to determine if documentation updates are needed...

Todo List:

• Analyze changes for user-facing behavior modifications
• Determine if docs updates are required
• Update docs if necessary

---

Analysis Summary

PR #2449 Changes:

• More robust postMessage parsing for Coinbase popup events (handles string/object/nested variants)
• Additional Coinbase event handling (onramp_api.pending_payment_auth, onramp_api.payment_authorized, onramp_api.apple_pay_button_pressed)
• Loading state now tied to Coinbase load_success event instead of iframe onLoad
• Forces creation of fresh Coinbase order/payment link when user retries after canceling

Documentation Assessment:

✅ No documentation updates needed

Rationale:
All changes in this PR are internal implementation improvements and bug fixes:

1. Robust postMessage parsing - Internal error handling improvement
2. Additional event handlers - Internal state management for existing flow
3. Loading state timing - Internal UI state refinement
4. Fresh order on retry - Bug fix to prevent stale links (not a new feature or API change)

From the user's perspective, the Coinbase checkout flow works exactly the same way - it just works more reliably now. There are:

• ❌ No new APIs or public interfaces
• ❌ No changed user-facing behavior requiring documentation
• ❌ No new features to explain
• ❌ No removed functionality
• ❌ No configuration changes

Per the documentation rules: "DEFAULT TO NO CHANGES. Most code PRs do not need docs updates. Internal refactors, test changes, CI changes, and dependency bumps need nothing."

This PR is a textbook example of internal refactoring and bug hardening that requires no documentation changes.