security: add HMAC signature verification to webhook ingest

Webhook ingest endpoint was completely unauthenticated. Add an optional
`secret` field to BoardWebhook. When configured, inbound requests must
include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or
X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety.
Includes migration to add the secret column.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/migrations/versions/a1b2c3d4e5f6_add_webhook_secret.py

@@ -0,0 +1,39 @@
+"""Add optional secret column to board_webhooks for HMAC signature verification.
+
+Revision ID: a1b2c3d4e5f6
+Revises: fa6e83f8d9a1
+Create Date: 2026-03-03 00:00:00.000000
+
+"""
+
+from __future__ import annotations
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "a1b2c3d4e5f6"
+down_revision = "f1b2c3d4e5a6"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    """Add secret column to board_webhooks table."""
+    bind = op.get_bind()
+    inspector = sa.inspect(bind)
+    columns = {c["name"] for c in inspector.get_columns("board_webhooks")}
+    if "secret" not in columns:
+        op.add_column(
+            "board_webhooks",
+            sa.Column("secret", sa.String(), nullable=True),
+        )
+
+
+def downgrade() -> None:
+    """Remove secret column from board_webhooks table."""
+    bind = op.get_bind()
+    inspector = sa.inspect(bind)
+    columns = {c["name"] for c in inspector.get_columns("board_webhooks")}
+    if "secret" in columns:
+        op.drop_column("board_webhooks", "secret")