fix: split Google Pay merchantId, add borderRadius, fix WebView sizing

[arstiefel]

Description

Splits the single merchantId field in GooglePayConfig into two distinct fields: gatewayMerchantId (Bolt merchant ID used for tokenization) and googleMerchantId (Google-assigned BCR2DN... ID for production). The previous API conflated these two identifiers, which could lead to OR_BIBED_06 errors when merchants incorrectly used their app ID or Google merchant ID as the gateway merchant ID. This PR also adds a borderRadius prop to the Google Pay button (Android) using ViewOutlineProvider clipping, and fixes WebView sizing in BoltPaymentWebView by extracting height-parsing logic into a robust tryExtractHeight callback that handles double-serialized messages and adds overflow: 'hidden' to the container style.

Testing

• Unit tests updated in GoogleWallet.test.tsx and WalletTypes.test.ts to reflect the new gatewayMerchantId / googleMerchantId split — both pass with the new config shape.
• Example app (example/src/App.tsx) updated to demonstrate the new config fields and borderRadius prop.
• Manual testing should verify:
  • Google Pay button renders with correct corner radius on Android when borderRadius is set and resets when omitted.
  • Google Pay payment flow still completes end-to-end with the new field mapping (gatewayMerchantId → tokenization spec, googleMerchantId → merchant info).
  • WebView-based payment flows correctly resize when receiving SetIFrameHeight messages, including double-serialized string payloads.

Security Review

Important

A security review is required for every PR in this repository to comply with PCI requirements.

• I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

The change to GooglePayModule.kt modifies which merchant ID values are sent in the Google Pay tokenization specification and merchant info payload. The gatewayMerchantId (Bolt merchant ID) is now correctly routed to the tokenization parameters, while the googleMerchantId is sent as the merchant identifier to Google. This is a correctness fix for the payment flow — previously misconfigured values could cause payment failures. No new external integrations, auth changes, or user data handling are introduced. The WebView changes do not alter message dispatch or payment data handling, only height-resize parsing.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.