Require WhatsApp callback authentication

[pmbstyle]

Motivation

• The WhatsApp inbound route accepted requests when the configured callback token was empty, allowing unauthenticated clients to submit attacker-controlled sender and text payloads that could drive the agent runtime.
• The default configuration and examples left the callback token blank, making the endpoint network-reachable and exploitable by default.

Description

• Require a non-empty callback token in register_whatsapp_routes before accepting inbound payloads and validate every request using secrets.compare_digest to prevent bypasses via an empty token.
• Add _ensure_callback_token to WhatsAppRuntime and call it from WhatsAppRuntime.start() to generate an ephemeral token with secrets.token_urlsafe(32) when no stable token is configured, and log a warning recommending configuration for persistence.
• Add regression tests that assert the inbound route rejects when the runtime token is missing and that the runtime generates a token prior to bridge startup in tests/test_whatsapp_bridge_routes.py and tests/test_whatsapp_runtime.py.
• Minor import/formatting adjustments to keep code consistent with project tooling.

Testing

• Ran formatting and lint checks with uv run black --check and uv run ruff check on the modified files and they passed.
• Executed the FastAPI route/runtime smoke script (uv run python - <<'PY' ... PY) that verifies route behavior and runtime token generation and it succeeded.
• Ran the unit tests tests/test_whatsapp_bridge_routes.py and tests/test_whatsapp_runtime.py under the project PYTHONPATH with pytest and all tests passed (12 passed, 16 warnings).

---

Codex Task