feat: make webhook payload size limit configurable

Add WEBHOOK_MAX_PAYLOAD_BYTES setting (default 1 MB) so deployments
with larger webhook payloads can raise the limit via environment
variable instead of being hard-blocked at 1 MB.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/board_webhooks.py

@@ -516,10 +516,10 @@ async def ingest_board_webhook(
             detail="Webhook is disabled.",
         )
 
-    # Enforce a 1 MB payload size limit to prevent memory exhaustion.
+    # Enforce payload size limit to prevent memory exhaustion.
     # Read the body in chunks via request.stream() so an attacker cannot
     # cause OOM by sending a huge body with a missing/spoofed Content-Length.
-    max_payload_bytes = 1_048_576
+    max_payload_bytes = settings.webhook_max_payload_bytes
     content_length = request.headers.get("content-length")
     try:
         cl = int(content_length) if content_length else 0

backend/app/core/config.py

@@ -57,6 +57,9 @@ class Settings(BaseSettings):
     security_header_referrer_policy: str = "strict-origin-when-cross-origin"
     security_header_permissions_policy: str = ""
 
+    # Webhook payload size limit in bytes (default 1 MB).
+    webhook_max_payload_bytes: int = 1_048_576
+
     # Database lifecycle
     db_auto_migrate: bool = False