4d1dbb4098
Webhook ingest endpoint was completely unauthenticated. Add an optional `secret` field to BoardWebhook. When configured, inbound requests must include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety. Includes migration to add the secret column. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>