feat(webhook): HMAC-SHA256 signature verification on inbound webhooks

Adds an opt-in inbound HMAC scheme so a leaked URL alone is not enough
to forge deploy/sync requests — the caller must also know a separate
signing secret. Header format is X-Hub-Signature-256, matching the
Gitea/GitHub/GitLab convention so existing CI integrations work without
custom code.

Behaviour:
- per-project / per-site signing_secret is independent of the URL secret
- require_signature flag does a hard 401 on missing/invalid signatures
- even when require_signature is off, an *invalid* submitted signature
  returns 401 — surfaces CI misconfiguration instead of silently passing
- comparison uses subtle/hmac.Equal (constant time)

Backend:
- store: webhook_signing_secret + webhook_require_signature columns on
  projects + static_sites; scanProject helper, scan helpers updated; new
  Set* helpers for both fields
- webhook/handler: verifyHMAC helper, body read once, integrated into
  both project and site handlers
- api: per-entity signing-secret rotate / disable / require-toggle
  endpoints under /api/{projects,sites}/{id}/webhook/...

Frontend:
- WebhookPanel gains optional signing handlers (no breaking change for
  existing callers; signing UI hides when handlers aren't wired)
- one-shot reveal of the issued secret with copy + dismiss
- ToggleSwitch for require-signature, disabled until a secret is issued
- en/ru i18n strings

Tests:
- HMACRequiredAndValid (200 + deploy fires)
- HMACRequiredButMissing (401, no deploy)
- HMACPresentButWrong (401 even when require_signature=false)
- HMACOptionalUnsignedAccepted (200 when neither configured)

internal/store/models.go

@@ -11,7 +11,9 @@ type Project struct {
 	Env              string `json:"env"`     // JSON-encoded map
 	Volumes          string `json:"volumes"` // JSON-encoded map
 	NpmAccessListID     int    `json:"npm_access_list_id"` // per-project override, 0 = use global
-	WebhookSecret       string `json:"-"`                  // per-project webhook secret; never serialized directly
+	WebhookSecret       string `json:"-"`                  // per-project webhook secret (URL identifier); never serialized
+	WebhookSigningSecret    string `json:"-"`                       // HMAC-SHA256 key for inbound webhook signature verification; never serialized
+	WebhookRequireSignature bool   `json:"webhook_require_signature"` // if true, reject unsigned/invalid-sig webhook requests
 	NotificationURL     string `json:"notification_url"`    // outgoing webhook target; empty = inherit from settings
 	NotificationSecret  string `json:"-"`                  // outgoing-webhook signing secret; never serialized directly
 	CreatedAt        string `json:"created_at"`
@@ -258,7 +260,9 @@ type StaticSite struct {
 	Error          string `json:"error"`
 	StorageEnabled bool   `json:"storage_enabled"`
 	StorageLimitMB int    `json:"storage_limit_mb"` // 0 = unlimited
-	WebhookSecret      string `json:"-"`                 // per-site webhook secret; never serialized directly
+	WebhookSecret      string `json:"-"`                 // per-site webhook secret (URL identifier); never serialized
+	WebhookSigningSecret    string `json:"-"`                       // HMAC-SHA256 key for inbound webhook signature verification; never serialized
+	WebhookRequireSignature bool   `json:"webhook_require_signature"` // if true, reject unsigned/invalid-sig webhook requests
 	NotificationURL    string `json:"notification_url"`   // outgoing webhook target; empty = inherit from settings
 	NotificationSecret string `json:"-"`                 // outgoing-webhook signing secret; never serialized directly
 	CreatedAt      string `json:"created_at"`

internal/store/projects.go

@@ -31,7 +31,27 @@ func generateWebhookSecret() string {
 
 // projectCols is the canonical column list for projects queries.
 const projectCols = `id, name, registry, image, port, healthcheck, env, volumes,
-	npm_access_list_id, webhook_secret, notification_url, notification_secret, created_at, updated_at`
+	npm_access_list_id, webhook_secret, webhook_signing_secret, webhook_require_signature,
+	notification_url, notification_secret, created_at, updated_at`
+
+// rowScanner is the subset of *sql.Row / *sql.Rows used by scanProject.
+type rowScanner interface {
+	Scan(dest ...any) error
+}
+
+// scanProject reads one row in projectCols order. webhook_require_signature
+// is stored as INTEGER and converted to bool here.
+func scanProject(r rowScanner) (Project, error) {
+	var p Project
+	var requireSig int
+	if err := r.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
+		&p.NpmAccessListID, &p.WebhookSecret, &p.WebhookSigningSecret, &requireSig,
+		&p.NotificationURL, &p.NotificationSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
+		return Project{}, err
+	}
+	p.WebhookRequireSignature = requireSig != 0
+	return p, nil
+}
 
 // CreateProject inserts a new project and returns it. A webhook secret is
 // generated automatically if one is not already set on the input.
@@ -45,11 +65,16 @@ func (s *Store) CreateProject(p Project) (Project, error) {
 		return Project{}, fmt.Errorf("webhook_secret must be at least %d characters", minWebhookSecretLength)
 	}
 
+	requireSig := 0
+	if p.WebhookRequireSignature {
+		requireSig = 1
+	}
 	_, err := s.db.Exec(
 		`INSERT INTO projects (`+projectCols+`)
-		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		p.ID, p.Name, p.Registry, p.Image, p.Port, p.Healthcheck, p.Env, p.Volumes,
-		p.NpmAccessListID, p.WebhookSecret, p.NotificationURL, p.NotificationSecret, p.CreatedAt, p.UpdatedAt,
+		p.NpmAccessListID, p.WebhookSecret, p.WebhookSigningSecret, requireSig,
+		p.NotificationURL, p.NotificationSecret, p.CreatedAt, p.UpdatedAt,
 	)
 	if err != nil {
 		return Project{}, fmt.Errorf("insert project: %w", err)
@@ -59,11 +84,8 @@ func (s *Store) CreateProject(p Project) (Project, error) {
 
 // GetProjectByID returns a single project by its ID.
 func (s *Store) GetProjectByID(id string) (Project, error) {
-	var p Project
-	err := s.db.QueryRow(
-		`SELECT `+projectCols+` FROM projects WHERE id = ?`, id,
-	).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
-		&p.NpmAccessListID, &p.WebhookSecret, &p.NotificationURL, &p.NotificationSecret, &p.CreatedAt, &p.UpdatedAt)
+	row := s.db.QueryRow(`SELECT `+projectCols+` FROM projects WHERE id = ?`, id)
+	p, err := scanProject(row)
 	if errors.Is(err, sql.ErrNoRows) {
 		return Project{}, fmt.Errorf("project %s: %w", id, ErrNotFound)
 	}
@@ -79,11 +101,8 @@ func (s *Store) GetProjectByWebhookSecret(secret string) (Project, error) {
 	if secret == "" {
 		return Project{}, ErrNotFound
 	}
-	var p Project
-	err := s.db.QueryRow(
-		`SELECT `+projectCols+` FROM projects WHERE webhook_secret = ?`, secret,
-	).Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
-		&p.NpmAccessListID, &p.WebhookSecret, &p.NotificationURL, &p.NotificationSecret, &p.CreatedAt, &p.UpdatedAt)
+	row := s.db.QueryRow(`SELECT `+projectCols+` FROM projects WHERE webhook_secret = ?`, secret)
+	p, err := scanProject(row)
 	if errors.Is(err, sql.ErrNoRows) {
 		return Project{}, ErrNotFound
 	}
@@ -105,9 +124,8 @@ func (s *Store) GetAllProjects() ([]Project, error) {
 
 	projects := []Project{}
 	for rows.Next() {
-		var p Project
-		if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
-			&p.NpmAccessListID, &p.WebhookSecret, &p.NotificationURL, &p.NotificationSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
+		p, err := scanProject(rows)
+		if err != nil {
 			return nil, fmt.Errorf("scan project: %w", err)
 		}
 		projects = append(projects, p)
@@ -127,9 +145,8 @@ func (s *Store) GetProjectsByImage(image string) ([]Project, error) {
 
 	projects := []Project{}
 	for rows.Next() {
-		var p Project
-		if err := rows.Scan(&p.ID, &p.Name, &p.Registry, &p.Image, &p.Port, &p.Healthcheck, &p.Env, &p.Volumes,
-			&p.NpmAccessListID, &p.WebhookSecret, &p.NotificationURL, &p.NotificationSecret, &p.CreatedAt, &p.UpdatedAt); err != nil {
+		p, err := scanProject(rows)
+		if err != nil {
 			return nil, fmt.Errorf("scan project: %w", err)
 		}
 		projects = append(projects, p)
@@ -176,6 +193,45 @@ func (s *Store) SetProjectWebhookSecret(id, secret string) error {
 	return nil
 }
 
+// SetProjectWebhookSigningSecret assigns the HMAC signing secret used to
+// verify inbound webhook payloads. Pass an empty string to clear it (which
+// also implicitly disables signature enforcement on the next request).
+func (s *Store) SetProjectWebhookSigningSecret(id, secret string) error {
+	result, err := s.db.Exec(
+		`UPDATE projects SET webhook_signing_secret=?, updated_at=? WHERE id=?`,
+		secret, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set project webhook signing secret: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("project %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
+// SetProjectWebhookRequireSignature toggles whether unsigned (or
+// invalidly-signed) webhook requests are rejected with 401.
+func (s *Store) SetProjectWebhookRequireSignature(id string, require bool) error {
+	v := 0
+	if require {
+		v = 1
+	}
+	result, err := s.db.Exec(
+		`UPDATE projects SET webhook_require_signature=?, updated_at=? WHERE id=?`,
+		v, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set project webhook require_signature: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("project %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
 // EnsureProjectWebhookSecret returns the current webhook secret for a project,
 // generating one on the fly if the stored value is empty (lazy backfill for
 // projects created before the per-project webhook migration).

internal/store/static_sites.go

@@ -13,7 +13,8 @@ import (
 const staticSiteCols = `id, name, provider, gitea_url, repo_owner, repo_name, branch, folder_path,
 	access_token, domain, mode, render_markdown, sync_trigger, tag_pattern,
 	container_id, proxy_route_id, status, last_sync_at, last_commit_sha, error,
-	storage_enabled, storage_limit_mb, webhook_secret,
+	storage_enabled, storage_limit_mb,
+	webhook_secret, webhook_signing_secret, webhook_require_signature,
 	notification_url, notification_secret,
 	created_at, updated_at`
 
@@ -31,13 +32,13 @@ func (s *Store) CreateStaticSite(site StaticSite) (StaticSite, error) {
 
 	_, err := s.db.Exec(
 		`INSERT INTO static_sites (`+staticSiteCols+`)
-		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
 		site.ID, site.Name, site.Provider, site.GiteaURL, site.RepoOwner, site.RepoName,
 		site.Branch, site.FolderPath, site.AccessToken, site.Domain, site.Mode,
 		BoolToInt(site.RenderMarkdown), site.SyncTrigger, site.TagPattern,
 		site.ContainerID, site.ProxyRouteID, site.Status, site.LastSyncAt,
 		site.LastCommitSHA, site.Error, BoolToInt(site.StorageEnabled), site.StorageLimitMB,
-		site.WebhookSecret,
+		site.WebhookSecret, site.WebhookSigningSecret, BoolToInt(site.WebhookRequireSignature),
 		site.NotificationURL, site.NotificationSecret,
 		site.CreatedAt, site.UpdatedAt,
 	)
@@ -228,14 +229,14 @@ func (s *Store) DeleteStaticSite(id string) error {
 // scanStaticSiteRow scans a static site from a *sql.Row.
 func scanStaticSiteRow(row *sql.Row) (StaticSite, error) {
 	var site StaticSite
-	var renderMarkdown, storageEnabled int
+	var renderMarkdown, storageEnabled, requireSig int
 	err := row.Scan(
 		&site.ID, &site.Name, &site.Provider, &site.GiteaURL, &site.RepoOwner, &site.RepoName,
 		&site.Branch, &site.FolderPath, &site.AccessToken, &site.Domain, &site.Mode,
 		&renderMarkdown, &site.SyncTrigger, &site.TagPattern,
 		&site.ContainerID, &site.ProxyRouteID, &site.Status, &site.LastSyncAt,
 		&site.LastCommitSHA, &site.Error, &storageEnabled, &site.StorageLimitMB,
-		&site.WebhookSecret,
+		&site.WebhookSecret, &site.WebhookSigningSecret, &requireSig,
 		&site.NotificationURL, &site.NotificationSecret,
 		&site.CreatedAt, &site.UpdatedAt,
 	)
@@ -244,20 +245,21 @@ func scanStaticSiteRow(row *sql.Row) (StaticSite, error) {
 	}
 	site.RenderMarkdown = renderMarkdown != 0
 	site.StorageEnabled = storageEnabled != 0
+	site.WebhookRequireSignature = requireSig != 0
 	return site, nil
 }
 
 // scanStaticSiteRows scans a static site from a *sql.Rows cursor.
 func scanStaticSiteRows(rows *sql.Rows) (StaticSite, error) {
 	var site StaticSite
-	var renderMarkdown, storageEnabled int
+	var renderMarkdown, storageEnabled, requireSig int
 	err := rows.Scan(
 		&site.ID, &site.Name, &site.Provider, &site.GiteaURL, &site.RepoOwner, &site.RepoName,
 		&site.Branch, &site.FolderPath, &site.AccessToken, &site.Domain, &site.Mode,
 		&renderMarkdown, &site.SyncTrigger, &site.TagPattern,
 		&site.ContainerID, &site.ProxyRouteID, &site.Status, &site.LastSyncAt,
 		&site.LastCommitSHA, &site.Error, &storageEnabled, &site.StorageLimitMB,
-		&site.WebhookSecret,
+		&site.WebhookSecret, &site.WebhookSigningSecret, &requireSig,
 		&site.NotificationURL, &site.NotificationSecret,
 		&site.CreatedAt, &site.UpdatedAt,
 	)
@@ -266,9 +268,48 @@ func scanStaticSiteRows(rows *sql.Rows) (StaticSite, error) {
 	}
 	site.RenderMarkdown = renderMarkdown != 0
 	site.StorageEnabled = storageEnabled != 0
+	site.WebhookRequireSignature = requireSig != 0
 	return site, nil
 }
 
+// SetStaticSiteWebhookSigningSecret assigns the inbound HMAC signing secret.
+// Pass an empty string to clear it (also implicitly disables enforcement).
+func (s *Store) SetStaticSiteWebhookSigningSecret(id, secret string) error {
+	result, err := s.db.Exec(
+		`UPDATE static_sites SET webhook_signing_secret=?, updated_at=? WHERE id=?`,
+		secret, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set static site webhook signing secret: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("static site %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
+// SetStaticSiteWebhookRequireSignature toggles whether unsigned (or
+// invalidly-signed) inbound webhook requests are rejected with 401.
+func (s *Store) SetStaticSiteWebhookRequireSignature(id string, require bool) error {
+	v := 0
+	if require {
+		v = 1
+	}
+	result, err := s.db.Exec(
+		`UPDATE static_sites SET webhook_require_signature=?, updated_at=? WHERE id=?`,
+		v, Now(), id,
+	)
+	if err != nil {
+		return fmt.Errorf("set static site webhook require_signature: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return fmt.Errorf("static site %s: %w", id, ErrNotFound)
+	}
+	return nil
+}
+
 // SetStaticSiteNotificationSecret rotates the static site's outgoing-webhook
 // signing secret. Empty string disables HMAC signing for this site
 // (notifications still send unsigned, falling through to global resolution).

internal/store/store.go

@@ -151,6 +151,14 @@ func (s *Store) runMigrations() error {
 		// triggers a "pre-deploy" Tinyforge DB backup before any project deploy
 		// so a corrupted deploy is recoverable without data loss.
 		`ALTER TABLE settings ADD COLUMN auto_backup_before_deploy INTEGER NOT NULL DEFAULT 0`,
+		// Per-entity inbound HMAC signing (2026-05-07). webhook_signing_secret
+		// is the HMAC-SHA256 key separate from the URL secret so a leaked URL
+		// alone is not sufficient to forge a valid request. require_signature
+		// rejects unsigned requests when set (defense-in-depth opt-in).
+		`ALTER TABLE projects ADD COLUMN webhook_signing_secret TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE projects ADD COLUMN webhook_require_signature INTEGER NOT NULL DEFAULT 0`,
+		`ALTER TABLE static_sites ADD COLUMN webhook_signing_secret TEXT NOT NULL DEFAULT ''`,
+		`ALTER TABLE static_sites ADD COLUMN webhook_require_signature INTEGER NOT NULL DEFAULT 0`,
 	}
 
 	// Additive stack tables (2026-04-16). Created here rather than in the