feat(webhook): HMAC-SHA256 signature verification on inbound webhooks

Adds an opt-in inbound HMAC scheme so a leaked URL alone is not enough
to forge deploy/sync requests — the caller must also know a separate
signing secret. Header format is X-Hub-Signature-256, matching the
Gitea/GitHub/GitLab convention so existing CI integrations work without
custom code.

Behaviour:
- per-project / per-site signing_secret is independent of the URL secret
- require_signature flag does a hard 401 on missing/invalid signatures
- even when require_signature is off, an *invalid* submitted signature
  returns 401 — surfaces CI misconfiguration instead of silently passing
- comparison uses subtle/hmac.Equal (constant time)

Backend:
- store: webhook_signing_secret + webhook_require_signature columns on
  projects + static_sites; scanProject helper, scan helpers updated; new
  Set* helpers for both fields
- webhook/handler: verifyHMAC helper, body read once, integrated into
  both project and site handlers
- api: per-entity signing-secret rotate / disable / require-toggle
  endpoints under /api/{projects,sites}/{id}/webhook/...

Frontend:
- WebhookPanel gains optional signing handlers (no breaking change for
  existing callers; signing UI hides when handlers aren't wired)
- one-shot reveal of the issued secret with copy + dismiss
- ToggleSwitch for require-signature, disabled until a secret is issued
- en/ru i18n strings

Tests:
- HMACRequiredAndValid (200 + deploy fires)
- HMACRequiredButMissing (401, no deploy)
- HMACPresentButWrong (401 even when require_signature=false)
- HMACOptionalUnsignedAccepted (200 when neither configured)

web/src/lib/i18n/en.json

@@ -1184,7 +1184,26 @@
     "regenerateWarning": "Regenerating invalidates the current URL. Update any CI pipeline or Git webhook that uses it.",
     "confirmRegenerate": "Replace the current URL?",
     "confirmYes": "Regenerate",
-    "confirmNo": "Cancel"
+    "confirmNo": "Cancel",
+    "signingTitle": "Inbound HMAC signing",
+    "signingDesc": "Verify webhook payloads with an HMAC-SHA256 signature so a leaked URL alone cannot be used to forge requests. Compatible with Gitea/GitHub webhook secrets.",
+    "signingActive": "Signing secret configured.",
+    "signingInactive": "No signing secret — inbound requests are not authenticated beyond the URL.",
+    "signingIssue": "Issue signing secret",
+    "signingRotate": "Rotate signing secret",
+    "signingDisable": "Disable signing",
+    "signingDisableConfirm": "Disable signing",
+    "signingIssued": "New signing secret issued — copy it before leaving this page",
+    "signingIssueFailed": "Failed to issue signing secret",
+    "signingDisabled": "Signing disabled",
+    "signingDisableFailed": "Failed to disable signing",
+    "signingShownOnce": "Copy this secret now — it will not be shown again.",
+    "signingDismiss": "Dismiss",
+    "signingHint": "Set this as the webhook secret in Gitea/GitHub/GitLab. Tinyforge expects {header} on every request.",
+    "signingCopied": "Signing secret copied to clipboard",
+    "requireSignature": "Require signature",
+    "requireSignatureHelp": "Reject any request that lacks a valid signature. Issue a signing secret first.",
+    "signingRequireFailed": "Failed to update signature requirement"
   },
   "outgoingWebhook": {
     "signingOn": "Signed",