ENG-2804 add webflow changelog webhook handler to api server (#4189)

<img width="1156" height="155" alt="Screenshot 2026-03-09 at 12 56 47"
src="https://github.com/user-attachments/assets/74add57d-2df6-429c-b620-4114bf2fb60e"
/>
<img width="1446" height="1638" alt="image"
src="https://github.com/user-attachments/assets/e457e9c3-711f-4f4e-98d3-bdbf6ef7ec5c"
/>

Verified the full flow end-to-end via cURL — sending a signed Webflow
webhook payload to a local api-server successfully enqueues the River
job and sends a broadcast email via Resend as expected.

The feature is gated by config: if `WEBFLOW_WEBHOOK_SECRET` and
`RESEND_API_KEY` are not set, the handler and worker simply don't
register. This means the code can ship safely now. To go live we need:

- Add Webflow + Resend credentials to 1Password
([ENG-3043](https://linear.app/overmind/issue/ENG-3043/add-webflow-webhook-credentials-to-1password-global-vault),
[ENG-3044](https://linear.app/overmind/issue/ENG-3043/add-webflow-webhook-credentials-to-1password-global-vault))
- Configure the Webflow webhook URL to point at the production
api-server
- Import verified user emails into the Resend
[segment](https://resend.com/audience?segmentId=e562dcde-600f-4535-bdfc-5e72c5a16c3d)
([ENG-2957](https://linear.app/overmind/issue/ENG-2957/manual-csv-sync-of-verified-user-emails-to-resend))
- Automate adding new users to changelog notify [segment in
resend](https://resend.com/audience?segmentId=e562dcde-600f-4535-bdfc-5e72c5a16c3d)
[ENG-2958](https://linear.app/overmind/issue/ENG-2958/add-resend-contact-creation-to-user-signup-flow)
- Once those are done, changelog publishes in Webflow will automatically
trigger broadcast emails.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Introduces a new externally reachable webhook endpoint and outbound
email-sending worker; while gated by config and protected with HMAC +
timestamp checks, mistakes could lead to unwanted job enqueues or email
broadcasts.
>
> **Overview**
> Adds a Webflow webhook integration that, when enabled via config,
verifies `X-Webflow-Signature` (HMAC-SHA256) and timestamp tolerance,
filters events by CMS collection ID, and enqueues a River
`ChangelogEmail` job.
>
> Adds a River worker that renders a new embedded HTML template and uses
the `resend-go` client to send a broadcast email to a configured Resend
segment; wiring includes new CLI/env config fields with secret redaction
and new ExternalSecret entries for Webflow/Resend credentials.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
b1ac7f7b0e9605a99f8828d52942cd127515a8f2. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 782a27f26097b36ae2b053b9949ef49a962df666

Author: getinnocuous