
feat(autopilots): support header-auth webhooks #2897

Open
YOMXXX wants to merge 1 commit into multica-ai:main from YOMXXX:codex/autopilot-header-hmac-webhooks

Conversation

@YOMXXX
Contributor

@YOMXXX YOMXXX commented May 20, 2026

What does this PR do?

Adds a non-secret webhook ingress URL for autopilot webhook triggers so integrations can keep credentials out of the path.

The existing token-in-path URL remains backward compatible. New webhook_header_path / webhook_header_url fields expose a trigger-ID path, and callers authenticate that path with Authorization: Bearer <webhook_token>, X-Multica-Webhook-Secret, or a valid HMAC signature.

HMAC support uses X-Multica-Timestamp plus X-Multica-Signature: sha256=<hmac(timestamp + "." + raw_body, signing_secret)> with a five-minute skew window. Existing provider signatures such as X-Hub-Signature-256 continue to work.

Thinking path: issue #2883 asked to remove URL-embedded credentials from webhook use; the smallest compatible path is to keep existing token URLs stable, add a trigger-ID URL as the non-secret address, and reuse the existing token/signing-secret storage for header and HMAC authentication.

Risk: when a signing secret is configured, webhook delivery still requires a valid signature; static header auth is only accepted for trigger-ID paths where signature verification is not required. Delivery header persistence stores only presence flags for secret-bearing headers.

Related Issue

Closes #2883

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Refactor / code improvement (no behavior change)
  • Documentation update
  • Tests (adding or improving test coverage)
  • CI / infrastructure

Changes Made

  • server/internal/handler/autopilot_webhook.go: support token-path and trigger-ID credential lookup, header secret auth, timestamped Multica HMAC auth, and safe header persistence.
  • server/internal/handler/autopilot.go: expose webhook_header_path and webhook_header_url for webhook triggers.
  • packages/core/types/autopilot.ts: add webhook header URL fields and signing/provider metadata to the trigger type.
  • server/internal/handler/autopilot_webhook_test.go: cover Multica timestamped HMAC validation and stale timestamp rejection.
  • server/internal/handler/autopilot_webhook_handler_test.go: cover trigger-ID path success with static header auth, rejection without header auth, and success with Multica HMAC.

How to Test

  1. cd server && go test ./internal/handler -run 'TestVerifyMulticaSignature|TestGenerateWebhookToken|TestNormalizeWebhookPayload'
  2. cd server && go test ./internal/handler
  3. cd server && go test ./...
  4. pnpm --filter @multica/core exec vitest run autopilots/webhook.test.ts
  5. pnpm --filter @multica/core typecheck
  6. pnpm typecheck
  7. git diff --check
  8. make test was attempted but could not start the required local Postgres container because Docker daemon was unavailable: failed to connect to the docker API at unix:///Users/liguanchen/.docker/run/docker.sock.

Checklist

  • I have included a thinking path that traces from project context to this change
  • I have run tests locally and they pass
  • I have added or updated tests where applicable
  • If this change affects the UI, I have included before/after screenshots
  • I have updated relevant documentation to reflect my changes
  • If I added a new runtime / coding tool / UI tab, I synced the change to landing copy (apps/web/features/landing/i18n/) and relevant docs (apps/docs/content/docs/)
  • If this PR touches Chinese product copy, I checked it against apps/docs/content/docs/developers/conventions.zh.mdx (terminology, mixed-rule for task / issue / skill)
  • I have considered and documented any risks above
  • I will address all reviewer comments before requesting merge

AI Disclosure

AI tool used: Codex

Prompt / approach: Used Codex to inspect the webhook trigger implementation, identify the credential-in-URL gap from issue #2883, implement a backward-compatible trigger-ID ingress path with header/HMAC authentication, and verify with focused handler tests plus repository typechecks.

Screenshots (optional)

N/A: API/backend behavior change.
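The PR description above specifies the authentication rules for the new trigger-ID path in prose: a signature over timestamp + "." + raw_body with a five-minute skew window, static header credentials as the alternative, and signature verification taking precedence whenever a signing secret is configured. The following is an added example of those rules as a self-contained verifier, not code from this PR or from the multica repository. It assumes X-Multica-Timestamp is Unix seconds and that the sha256= value is lowercase hex; the triggerCreds type, the function names and the sample delivery are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// triggerCreds is a hypothetical stand-in for the stored trigger credentials
// (not multica's own type). An empty SigningSecret means signature
// verification is not required for this trigger.
type triggerCreds struct {
	WebhookToken  string
	SigningSecret string
}

// Five-minute skew window, as stated in the PR description.
const maxSkew = 5 * time.Minute

var (
	errMissingAuth  = errors.New("missing Authorization or X-Multica-Webhook-Secret header")
	errBadAuth      = errors.New("header credential does not match webhook token")
	errMissingSig   = errors.New("missing X-Multica-Timestamp or X-Multica-Signature")
	errBadTimestamp = errors.New("X-Multica-Timestamp is not a Unix timestamp")
	errStaleTime    = errors.New("X-Multica-Timestamp outside the five-minute skew window")
	errBadSig       = errors.New("X-Multica-Signature does not match")
)

// multicaSignature returns hex(HMAC-SHA256(signing_secret, timestamp + "." + raw_body)).
// The raw body bytes are MAC'd as received; re-serialising parsed JSON would
// change the bytes and break verification.
func multicaSignature(secret, timestamp string, rawBody []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(timestamp))
	mac.Write([]byte("."))
	mac.Write(rawBody)
	return hex.EncodeToString(mac.Sum(nil))
}

// signRequest is the caller side: the two headers a sender attaches.
// The Unix-seconds timestamp format is an assumption of this example.
func signRequest(secret string, rawBody []byte, now time.Time) http.Header {
	ts := strconv.FormatInt(now.Unix(), 10)
	h := http.Header{}
	h.Set("X-Multica-Timestamp", ts)
	h.Set("X-Multica-Signature", "sha256="+multicaSignature(secret, ts, rawBody))
	return h
}

// verifyMulticaSignature checks the skew window first, then the signature with
// a constant-time comparison so the check does not leak the expected MAC.
func verifyMulticaSignature(secret string, h http.Header, rawBody []byte, now time.Time) error {
	ts, sig := h.Get("X-Multica-Timestamp"), h.Get("X-Multica-Signature")
	if ts == "" || sig == "" {
		return errMissingSig
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errBadTimestamp
	}
	skew := now.Sub(time.Unix(unix, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > maxSkew {
		return errStaleTime
	}
	if !strings.HasPrefix(sig, "sha256=") {
		return errBadSig
	}
	want := multicaSignature(secret, ts, rawBody)
	if !hmac.Equal([]byte(strings.TrimPrefix(sig, "sha256=")), []byte(want)) {
		return errBadSig
	}
	return nil
}

// verifyStaticHeader accepts Authorization: Bearer <webhook_token> or
// X-Multica-Webhook-Secret: <webhook_token>, compared in constant time.
func verifyStaticHeader(token string, h http.Header) error {
	cand := h.Get("X-Multica-Webhook-Secret")
	if auth := h.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		cand = strings.TrimPrefix(auth, "Bearer ")
	}
	if cand == "" {
		return errMissingAuth
	}
	if !hmac.Equal([]byte(cand), []byte(token)) {
		return errBadAuth
	}
	return nil
}

// authenticateTriggerIDRequest applies the precedence the PR describes: with a
// signing secret configured a valid signature is mandatory and static headers
// are not an alternative; without one a static header credential is required.
func authenticateTriggerIDRequest(c triggerCreds, h http.Header, rawBody []byte, now time.Time) error {
	if c.SigningSecret != "" {
		return verifyMulticaSignature(c.SigningSecret, h, rawBody, now)
	}
	return verifyStaticHeader(c.WebhookToken, h)
}

func main() {
	// Constructed sample delivery, not captured traffic.
	body := []byte(`{"event":"deploy","ref":"main"}`)
	now := time.Now()
	creds := triggerCreds{WebhookToken: "tok_example", SigningSecret: "signing_example"}
	h := signRequest(creds.SigningSecret, body, now)
	fmt.Println("fresh signature:", authenticateTriggerIDRequest(creds, h, body, now))
	fmt.Println("six minutes later:", authenticateTriggerIDRequest(creds, h, body, now.Add(6*time.Minute)))
	fmt.Println("tampered body:", authenticateTriggerIDRequest(creds, h, []byte(`{"event":"x"}`), now))
}
```

Two things to watch when reviewing the real handler against this shape: the body must be read once as raw bytes before any JSON decoding, and the skew check should run before the HMAC so that a replayed capture fails on freshness even when its signature is otherwise valid.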

@YOMXXX
Contributor Author

YOMXXX commented May 20, 2026

Reviewer note: this PR is ready for review. CI is green, merge state is clean, and there are no human review threads yet.

Why it matters:

  • Fixes the credential-in-URL webhook issue from [Feature]: Support header/HMAC auth for autopilot webhooks #2883 without breaking existing token-path webhook URLs.
  • Adds a new trigger-ID webhook path authenticated by headers or timestamped HMAC.
  • Keeps secret-bearing delivery headers out of persisted payload data; only presence flags are stored.

Suggested review focus:

  • server/internal/handler/autopilot_webhook.go: credential lookup order, static header auth vs required signature behavior, timestamp skew handling, and raw-body HMAC construction.
  • server/internal/handler/autopilot.go: exposure of webhook_header_path / webhook_header_url.
  • Handler tests for unauthenticated trigger-ID rejection and HMAC success/stale timestamp rejection.

Validation already run: focused webhook tests, full handler tests, go test ./..., core webhook Vitest, core typecheck, repo typecheck, and git diff --check. make test was attempted but local Docker was unavailable; direct Go/TS suites passed.
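Both comments above state that persisted delivery data keeps only presence flags for secret-bearing headers. As an added illustration of that rule, not code from this PR, the function below reduces the two credential headers named in the PR (Authorization and X-Multica-Webhook-Secret) to a flag before the header map is stored, and keeps everything else verbatim; the function name and the sample headers are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// secretBearingHeaders are the delivery headers this example never persists
// verbatim. The two entries are the credential headers named in the PR;
// keys are in canonical form because http.Header canonicalises on Set.
var secretBearingHeaders = map[string]bool{
	"Authorization":            true,
	"X-Multica-Webhook-Secret": true,
}

// persistableHeaders returns the map that is safe to store with a delivery
// record: secret-bearing headers become the literal "present", all other
// headers are kept with their values joined as they would appear on the wire.
func persistableHeaders(h http.Header) map[string]string {
	out := make(map[string]string, len(h))
	for k, v := range h {
		key := http.CanonicalHeaderKey(k)
		if secretBearingHeaders[key] {
			out[key] = "present"
			continue
		}
		out[key] = strings.Join(v, ", ")
	}
	return out
}

func main() {
	// Constructed sample delivery headers.
	h := http.Header{}
	h.Set("Authorization", "Bearer tok_example")
	h.Set("X-Multica-Webhook-Secret", "tok_example")
	h.Set("Content-Type", "application/json")
	h.Set("X-Multica-Timestamp", "1800000000")
	stored := persistableHeaders(h)
	keys := make([]string, 0, len(stored))
	for k := range stored {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s: %s\n", k, stored[k])
	}
}
```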
