fix(github): handle raw DER keys and fix JSON-wrapped key parsing

[tlgimenes]

Summary

• Fix NO_START_LINE PEM error by handling raw base64 DER keys (without -----BEGIN/END----- headers) — wraps them with PEM headers and validates using both PKCS#8 and PKCS#1
• Fix JSON-wrapped key parsing by moving JSON extraction before \n replacement, which was corrupting valid JSON strings
• Handle PEM keys with stripped newlines between headers and base64 data
• Improve error diagnostics with key length and PEM header presence

Test plan

• Verified all key formats parse correctly: raw PEM, escaped \n, base64 PEM, raw base64 DER, no-newline PEM, JSON-wrapped, quoted PEM, PKCS#1 DER, base64url DER
• Deploy and verify the GitHub MCP starts without NO_START_LINE error

🤖 Generated with Claude Code

---

Summary by cubic

Fixes GitHub App private key parsing to accept raw DER and JSON‑wrapped keys, preventing NO_START_LINE errors. Improves reliability of JWT creation across different secret formats.

• Bug Fixes
  • Extract JSON‑wrapped keys before replacing escaped newlines.
  • Detect base64 DER without headers; wrap with PEM headers (PKCS#8/PKCS#1) and validate.
  • Restore missing newlines between PEM headers and base64 data.
  • Improve errors with key length and PEM header presence.

^{Written for commit f243c81. Summary will update on new commits.}