feat(notify): HMAC-signed outgoing webhooks with per-tier secrets and test sender

Outgoing notifications were bare POSTs with no auth and no way to verify
they came from Tinyforge. They also went out from one global URL only,
even though stages had a notification_url field, and static-site sync
emitted no events at all.

Schema: add notification_url + notification_secret (lazy-generated) to
settings, projects, stages and static_sites. Migrations are additive.

Notifier: SendSigned computes HMAC-SHA256 over the exact body bytes and
sends X-Hub-Signature-256 (GitHub-compatible — receivers built for
GitHub/Gitea/Forgejo verify out of the box). Aux headers
X-Tinyforge-Event/Delivery/Timestamp/Tier are advisory and not signed.
Empty secret => unsigned send for back-compat.

Resolution: deploys fall through stage > project > settings, sites fall
through site > settings. The secret travels with the URL that sourced
it, so any tier can sign even when its parents are unsigned. Site sync
events now actually emit (site_sync_success / site_sync_failure).

API: 12 new endpoints — {GET secret, POST regenerate, POST disable,
POST test} for each of the 4 tiers. SendSyncForTest returns
status_code/latency_ms/signature_sent/delivery_id/response_snippet so
the UI surfaces receiver feedback inline.

UI: shared OutgoingWebhookPanel.svelte fits the existing card aesthetic.
Signing-state pill, secret reveal-on-demand, regenerate/disable behind
ConfirmDialog modals (not inline strips — too easy to misclick), send-
test result card with colour-coded status. Wired into Settings →
Integrations, project edit form, per-stage edit, and per-site detail.
EN + RU i18n.

Tests: round-trip (sender signs, receiver verifies), tampered-body and
wrong-secret rejection, unsigned-send omits header, send-test surfaces
4xx, concurrent fan-out via Drain. Resolver precedence locked for both
deploy and site paths.

Docs: docs/webhooks.md with header reference, verifier snippets in
Node/Python/Go, and a recipe for the service-to-notification-bridge
generic webhook provider.

internal/deployer/deployer.go

@@ -181,7 +181,8 @@ func (d *Deployer) runDeploy(ctx context.Context, project store.Project, stage s
 		d.publishDeployStatus(deployID, project.ID, stage.ID, imageTag, "failed", deployErr.Error())
 		d.rollback(ctx, deployID, containerID, proxyRouteID, instanceID)
 
-		d.notifier.Send(settings.NotificationURL, notify.Event{
+		url, secret, tier := resolveDeployTarget(stage, project, settings)
+		d.notifier.SendSigned(url, secret, tier, notify.Event{
 			Type:     "deploy_failure",
 			Project:  project.Name,
 			Stage:    stage.Name,
@@ -202,7 +203,8 @@ func (d *Deployer) runDeploy(ctx context.Context, project store.Project, stage s
 
 	d.logDeploy(deployID, fmt.Sprintf("Deploy successful: %s", fullURL), "info")
 
-	d.notifier.Send(settings.NotificationURL, notify.Event{
+	url, secret, tier := resolveDeployTarget(stage, project, settings)
+	d.notifier.SendSigned(url, secret, tier, notify.Event{
 		Type:      "deploy_success",
 		Project:   project.Name,
 		Stage:     stage.Name,
@@ -214,6 +216,21 @@ func (d *Deployer) runDeploy(ctx context.Context, project store.Project, stage s
 	return nil
 }
 
+// resolveDeployTarget picks the most-specific (URL, secret, tier) for a
+// deploy notification: stage > project > global. An empty URL at a tier
+// means "fall through to the next" — never "send unsigned to nowhere". The
+// secret is always paired with the URL that sourced it, so a stage can sign
+// even when project and global are unsigned (and vice versa).
+func resolveDeployTarget(stage store.Stage, project store.Project, settings store.Settings) (string, string, notify.Tier) {
+	if stage.NotificationURL != "" {
+		return stage.NotificationURL, stage.NotificationSecret, notify.TierStage
+	}
+	if project.NotificationURL != "" {
+		return project.NotificationURL, project.NotificationSecret, notify.TierProject
+	}
+	return settings.NotificationURL, settings.NotificationSecret, notify.TierSettings
+}
+
 // TriggerDeploy is the synchronous entry point for deployments (used by poller and webhook).
 // It validates inputs, creates a deploy record, and delegates to runDeploy.
 func (d *Deployer) TriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) error {

internal/deployer/resolver_test.go

@@ -0,0 +1,89 @@
+package deployer
+
+import (
+	"testing"
+
+	"github.com/alexei/tinyforge/internal/notify"
+	"github.com/alexei/tinyforge/internal/store"
+)
+
+// TestResolveDeployTarget locks the stage→project→global precedence. The
+// most-specific tier with a non-empty URL wins, and the secret travels
+// with the URL that sourced it (so a stage can sign even when project and
+// global are unsigned). A regression here misroutes notifications and
+// silently leaks events to the wrong receiver — worth catching.
+func TestResolveDeployTarget(t *testing.T) {
+	cases := []struct {
+		name      string
+		stage     store.Stage
+		project   store.Project
+		settings  store.Settings
+		wantURL   string
+		wantSec   string
+		wantTier  notify.Tier
+	}{
+		{
+			name:     "stage wins when set",
+			stage:    store.Stage{NotificationURL: "https://stage.example/wh", NotificationSecret: "stage-key"},
+			project:  store.Project{NotificationURL: "https://project.example/wh", NotificationSecret: "project-key"},
+			settings: store.Settings{NotificationURL: "https://global.example/wh", NotificationSecret: "global-key"},
+			wantURL:  "https://stage.example/wh",
+			wantSec:  "stage-key",
+			wantTier: notify.TierStage,
+		},
+		{
+			name:     "stage URL empty → project wins",
+			stage:    store.Stage{NotificationURL: "", NotificationSecret: "stage-key"}, // secret without URL ignored
+			project:  store.Project{NotificationURL: "https://project.example/wh", NotificationSecret: "project-key"},
+			settings: store.Settings{NotificationURL: "https://global.example/wh", NotificationSecret: "global-key"},
+			wantURL:  "https://project.example/wh",
+			wantSec:  "project-key",
+			wantTier: notify.TierProject,
+		},
+		{
+			name:     "stage and project empty → global wins",
+			stage:    store.Stage{},
+			project:  store.Project{},
+			settings: store.Settings{NotificationURL: "https://global.example/wh", NotificationSecret: "global-key"},
+			wantURL:  "https://global.example/wh",
+			wantSec:  "global-key",
+			wantTier: notify.TierSettings,
+		},
+		{
+			name:     "all empty → returns settings tier with empty URL (caller skips)",
+			stage:    store.Stage{},
+			project:  store.Project{},
+			settings: store.Settings{},
+			wantURL:  "",
+			wantSec:  "",
+			wantTier: notify.TierSettings,
+		},
+		{
+			name: "stage signs even when global is unsigned",
+			stage: store.Stage{
+				NotificationURL:    "https://stage.example/wh",
+				NotificationSecret: "stage-only-key",
+			},
+			project:  store.Project{},
+			settings: store.Settings{NotificationURL: "https://global.example/wh"},
+			wantURL:  "https://stage.example/wh",
+			wantSec:  "stage-only-key",
+			wantTier: notify.TierStage,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			gotURL, gotSec, gotTier := resolveDeployTarget(tc.stage, tc.project, tc.settings)
+			if gotURL != tc.wantURL {
+				t.Errorf("url = %q, want %q", gotURL, tc.wantURL)
+			}
+			if gotSec != tc.wantSec {
+				t.Errorf("secret = %q, want %q", gotSec, tc.wantSec)
+			}
+			if gotTier != tc.wantTier {
+				t.Errorf("tier = %q, want %q", gotTier, tc.wantTier)
+			}
+		})
+	}
+}