feat(webhooks): implement webhook management routes and validation sc…

[oyinade247]

Closes #651

✅ Webhook management routes are now implemented

The backend now exposes organization-scoped webhook subscription management through the API:

• POST /api/webhooks
• GET /api/webhooks
• GET /api/webhooks/:id
• POST /api/webhooks/:id/rotate-secret
• DELETE /api/webhooks/:id

What changed

• Added a new router in webhooks.ts
• Added shared Zod schemas in webhook.ts
• Extended the webhook service in webhooks.ts to support:
  • org-scoped storage
  • secret rotation
  • org-aware deletion and lookup
• Updated org access handling in orgAuth.ts to use the shared AppError envelope
• Added regression tests in webhooks.routes.test.ts
• Documented the endpoint contract in webhooks.md

Behavior covered

• Create/list/read/delete subscriptions
• Secret rotation returns the new secret only once
• SSRF-style URLs are rejected
• Validation errors use the shared error envelope
• Cross-organization access is isolated

Made changes.

[drips-wave]

@oyinade247 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[1nonlypiece]

hey — holding this one for now. #699 already landed and moved webhook subscribers into postgres (async, org-scoped repo), and this branch reintroduces the in-memory subscriber map with sync add/remove/list, so the two rewrite the same service functions in incompatible ways and would revert the persistence work. the management routes + validation idea here is great though — could you rebase onto main and rework addSubscriber/removeSubscriber/listSubscribers/updateSubscriberSecret against the repository api (db-backed, returning promises)? happy to merge once it sits on top of the postgres model.

[1nonlypiece]

heads up, this swaps the async postgres-backed subscriber store back to an in-memory map in src/services/webhooks.ts, which would undo the persistent repo already on main. can you rebase onto main and keep the async repo (addSubscriber/removeSubscriber/listSubscribers staying on repo/db) while layering the org-scoping on top? happy to take another look after https://discord.gg/xvNAvMJf

[1nonlypiece]

this swaps the webhook subscriber store back to the in-memory map and undoes the postgres-backed persistence in services/webhooks.ts, which would lose subscribers across restarts. can you rebase on main and keep the db-backed store? happy to take the org-scoping additions on top of it. https://discord.gg/xvNAvMJf