feat: Implement webhook support for event notifications

This PR adds a complete webhook system for event-driven integrations.

## Features

### Webhook Management
- Create/update/delete webhooks via REST API
- Subscribe to specific event types (server, alert, security, discovery)
- Custom headers support for authentication
- Secret rotation endpoint

### Event Types
- server.created, server.updated, server.deleted
- server.status.up, server.status.down
- alert.created, alert.resolved
- security.scan.started, security.scan.completed
- security.vulnerability.found
- discovery.started, discovery.completed, discovery.server.found

### Security
- HMAC-SHA256 signatures for payload verification
- Timestamp validation (5-minute window) for replay attack prevention
- Secrets never exposed after initial creation
- Timing-safe signature comparison

### Delivery
- Automatic retries with exponential backoff (1m, 5m, 15m, 1h, 2h)
- Maximum 5 retry attempts
- Delivery history tracking
- Success/failure statistics
- Test endpoint for webhook verification

### API Endpoints
- POST /api/v1/webhooks - Create webhook
- GET /api/v1/webhooks - List webhooks
- GET /api/v1/webhooks/:id - Get webhook
- PUT /api/v1/webhooks/:id - Update webhook
- DELETE /api/v1/webhooks/:id - Delete webhook
- POST /api/v1/webhooks/:id/rotate-secret - Rotate secret
- POST /api/v1/webhooks/:id/test - Test webhook
- GET /api/v1/webhooks/:id/deliveries - Get delivery history
- GET /api/v1/webhooks/:id/stats - Get delivery statistics
- GET /api/v1/webhook-events - List available events

### Files Added
- internal/webhook/models.go - Data models and types
- internal/webhook/repository.go - Database operations
- internal/webhook/service.go - Business logic
- internal/webhook/handler.go - HTTP handlers
- internal/webhook/client.go - Verification utilities
- internal/webhook/webhook_test.go - Unit tests
- migrations/003_add_webhooks.sql - Database migration

Closes #20

Author: bad-antics

backend/internal/webhook/INTEGRATION.md

@@ -0,0 +1,60 @@
+// Webhook Integration for main.go
+// 
+// Add this import to the imports section:
+//   "github.com/radhi1991/aran-mcp-sentinel/internal/webhook"
+//
+// Add this code after alertsHandler.RegisterRoutes(protected):
+
+// Webhook initialization code:
+/*
+	// Initialize webhook service
+	webhookRepo := webhook.NewRepository(dbConn.DB)
+	webhookService := webhook.NewService(webhookRepo, logger)
+	webhookHandler := webhook.NewHandler(webhookService, logger)
+	webhookHandler.RegisterRoutes(protected)
+
+	// Start webhook retry processor
+	webhookCtx, webhookCancel := context.WithCancel(context.Background())
+	defer webhookCancel()
+	go func() {
+		ticker := time.NewTicker(1 * time.Minute)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-webhookCtx.Done():
+				return
+			case <-ticker.C:
+				if err := webhookService.ProcessRetries(webhookCtx); err != nil {
+					logger.Error("Failed to process webhook retries", zap.Error(err))
+				}
+			}
+		}
+	}()
+	logger.Info("Started webhook retry processor", zap.Duration("interval", 1*time.Minute))
+*/
+
+// Example usage from other services to trigger webhooks:
+/*
+	// In monitoring/alerts handler when an alert is created:
+	webhookService.TriggerEvent(ctx, orgID, webhook.EventAlertCreated, map[string]interface{}{
+		"alert_id": alert.ID,
+		"title":    alert.Title,
+		"severity": alert.Severity,
+		"message":  alert.Message,
+	})
+
+	// In MCP handler when a server status changes:
+	webhookService.TriggerEvent(ctx, orgID, webhook.EventServerStatusDown, map[string]interface{}{
+		"server_id":   server.ID,
+		"server_name": server.Name,
+		"status":      "down",
+		"error":       errorMsg,
+	})
+
+	// In security handler when a scan completes:
+	webhookService.TriggerEvent(ctx, orgID, webhook.EventSecurityScanCompleted, map[string]interface{}{
+		"scan_id":        scan.ID,
+		"vulnerabilities": vulnerabilityCount,
+		"score":          securityScore,
+	})
+*/

backend/internal/webhook/client.go

@@ -0,0 +1,140 @@
+package webhook
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+// Client provides methods for verifying incoming webhooks and sending webhook-style requests
+type Client struct {
+	secret string
+}
+
+// NewClient creates a new webhook client for verification
+func NewClient(secret string) *Client {
+	return &Client{secret: secret}
+}
+
+// VerifyRequest verifies an incoming webhook request
+func (c *Client) VerifyRequest(r *http.Request) error {
+	signature := r.Header.Get("X-Webhook-Signature")
+	timestampStr := r.Header.Get("X-Webhook-Timestamp")
+
+	if signature == "" || timestampStr == "" {
+		return fmt.Errorf("missing signature or timestamp headers")
+	}
+
+	timestamp, err := strconv.ParseInt(timestampStr, 10, 64)
+	if err != nil {
+		return fmt.Errorf("invalid timestamp: %w", err)
+	}
+
+	// Check timestamp is within 5 minutes (replay attack prevention)
+	age := time.Since(time.Unix(timestamp, 0))
+	if age > 5*time.Minute || age < -5*time.Minute {
+		return fmt.Errorf("timestamp too old or too far in the future: %v", age)
+	}
+
+	// Read body
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read body: %w", err)
+	}
+	// Restore body for downstream handlers
+	r.Body = io.NopCloser(bytes.NewReader(body))
+
+	// Verify signature
+	if !VerifySignature(c.secret, signature, timestamp, body) {
+		return fmt.Errorf("signature verification failed")
+	}
+
+	return nil
+}
+
+// VerifyMiddleware returns an HTTP middleware that verifies webhook signatures
+func (c *Client) VerifyMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := c.VerifyRequest(r); err != nil {
+			http.Error(w, fmt.Sprintf("Webhook verification failed: %v", err), http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// ParsePayload parses the webhook payload from the request
+func ParsePayload(r *http.Request) (*WebhookPayload, error) {
+	var payload WebhookPayload
+	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+		return nil, fmt.Errorf("failed to decode payload: %w", err)
+	}
+	return &payload, nil
+}
+
+// SignRequest signs an outgoing webhook request
+func SignRequest(secret string, req *http.Request, body []byte) {
+	timestamp := time.Now().Unix()
+	signature := GenerateSignature(secret, timestamp, body)
+
+	req.Header.Set("X-Webhook-Signature", signature)
+	req.Header.Set("X-Webhook-Timestamp", strconv.FormatInt(timestamp, 10))
+}
+
+// ComputeSignature computes a webhook signature for a payload
+// This is useful for implementing custom webhook sending
+func ComputeSignature(secret string, payload []byte) (signature string, timestamp int64) {
+	timestamp = time.Now().Unix()
+	data := fmt.Sprintf("%d.%s", timestamp, string(payload))
+	h := hmac.New(sha256.New, []byte(secret))
+	h.Write([]byte(data))
+	signature = "sha256=" + hex.EncodeToString(h.Sum(nil))
+	return
+}
+
+// Example verification code for webhook receivers:
+/*
+package main
+
+import (
+	"fmt"
+	"net/http"
+	
+	"github.com/radhi1991/aran-mcp-sentinel/internal/webhook"
+)
+
+func main() {
+	secret := "your-webhook-secret"
+	client := webhook.NewClient(secret)
+
+	http.HandleFunc("/webhook", func(w http.ResponseWriter, r *http.Request) {
+		// Verify the webhook signature
+		if err := client.VerifyRequest(r); err != nil {
+			http.Error(w, "Invalid signature", http.StatusUnauthorized)
+			return
+		}
+
+		// Parse the payload
+		payload, err := webhook.ParsePayload(r)
+		if err != nil {
+			http.Error(w, "Invalid payload", http.StatusBadRequest)
+			return
+		}
+
+		// Handle the event
+		fmt.Printf("Received event: %s\n", payload.Event)
+		fmt.Printf("Data: %+v\n", payload.Data)
+
+		w.WriteHeader(http.StatusOK)
+	})
+
+	http.ListenAndServe(":8080", nil)
+}
+*/