feat: add webhook endpoints for external trigger integrations

[Heazzy500]

• Add webhook service with file and database storage
• Add HMAC signature verification for secure webhook delivery
• Add endpoints: POST/GET/DELETE /api/webhooks, PATCH /api/webhooks/:id
• Add /api/webhooks/events to list valid event types
• Add /api/webhooks/:id/test to send test events
• Add /api/webhooks/trigger for manual event triggering
• Add 22 comprehensive tests for webhook functionality
• Support 7 event types: action.login/interact/dm/post/error, schedule.completed/failed

Summary

• Add webhook service for registering external webhook endpoints
• Add HMAC-SHA256 signature verification for secure webhook delivery
• Add 7 webhook event types for action and schedule notifications
• Add comprehensive webhook management API endpoints
• Add 22 tests for webhook functionality

Roadmap Alignment

This PR implements the roadmap item under API and Dashboard:

• [ ] Webhook endpoints for external triggers

New Endpoints

Endpoint	Method	Description
/api/webhooks/events	GET	List available event types
/api/webhooks	POST	Register a new webhook
/api/webhooks	GET	List webhooks for current account
/api/webhooks/:id	DELETE	Delete a webhook
/api/webhooks/:id	PATCH	Pause/resume a webhook
/api/webhooks/:id/test	POST	Send a test event to webhook
/api/webhooks/trigger	POST	Manually trigger webhook events

Event Types

• action.login - User login events
• action.interact - Post interaction events
• action.dm - Direct message events
• action.post - New post events
• action.error - Error events
• schedule.completed - Scheduled post completed
• schedule.failed - Scheduled post failed

Security

• HMAC-SHA256 signature verification
• Timestamp validation with 5-minute tolerance
• Secrets shown only once at creation time
• Account-scoped webhook access

Test plan

• All 105 tests pass (22 new webhook tests)
• Lint passes
• Format check passes
• Manual test: Register webhook with POST /api/webhooks
• Manual test: List webhooks with GET /api/webhooks
• Manual test: Test webhook with POST /api/webhooks/:id/test
• Manual test: Delete webhook with DELETE /api/webhooks/:id

[David-patrick-chuks]

Thanks @Heazzy500 — great follow-up to #113. This directly hits the roadmap item for webhook endpoints for external triggers.

What looks good:

• Full webhook CRUD + test/trigger endpoints
• HMAC-SHA256 signatures with timestamp tolerance
• Account-scoped access + 22 tests
• CI green ✅

Merging now. Small follow-up for a future PR: add a webhooks table to schema.sql so Postgres users get DB persistence (file fallback works fine for local use in the meantime).

Appreciate the contribution!