feat: add configurable signature_header for webhook HMAC verification

Not all webhook providers use X-Hub-Signature-256 or X-Webhook-Signature.
Add an optional signature_header field so users can specify which header
carries the HMAC signature. When set, that exact header is checked;
when unset, the existing auto-detect fallback is preserved. The custom
header is also excluded from stored/exposed payload headers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/migrations/versions/a1b2c3d4e5f6_add_webhook_secret.py

@@ -1,4 +1,4 @@
-"""Add optional secret column to board_webhooks for HMAC signature verification.
+"""Add secret and signature_header columns to board_webhooks for HMAC verification.
 
 Revision ID: a1b2c3d4e5f6
 Revises: f1b2c3d4e5a6
@@ -19,7 +19,7 @@ depends_on = None
 
 
 def upgrade() -> None:
-    """Add secret column to board_webhooks table."""
+    """Add secret and signature_header columns to board_webhooks table."""
     bind = op.get_bind()
     inspector = sa.inspect(bind)
     columns = {c["name"] for c in inspector.get_columns("board_webhooks")}
@@ -28,12 +28,19 @@ def upgrade() -> None:
             "board_webhooks",
             sa.Column("secret", sa.String(), nullable=True),
         )
+    if "signature_header" not in columns:
+        op.add_column(
+            "board_webhooks",
+            sa.Column("signature_header", sa.String(), nullable=True),
+        )
 
 
 def downgrade() -> None:
-    """Remove secret column from board_webhooks table."""
+    """Remove secret and signature_header columns from board_webhooks table."""
     bind = op.get_bind()
     inspector = sa.inspect(bind)
     columns = {c["name"] for c in inspector.get_columns("board_webhooks")}
+    if "signature_header" in columns:
+        op.drop_column("board_webhooks", "signature_header")
     if "secret" in columns:
         op.drop_column("board_webhooks", "secret")