test(webhooks): add property-based HMAC verification tests

[Jayking40]

test(webhooks): add property-based HMAC verification tests

Summary

Adds adversarial, deterministic fuzz coverage for inbound webhook HMAC-SHA256 verification. Verification now uses crypto.timingSafeEqual, normalizes sha256= headers, and routes failure messages through the safe-errors policy so malformed or forged inputs cannot bypass checks or leak secrets in API responses.

Changes

• Hardened signature verification with structured results, header normalization, and constant-time digest comparison
• Re-exported verification helpers from the webhook delivery module for consumers that already import that entry point
• Added a fixed-seed property/fuzz suite (400 iterations) covering truncated signatures, wrong-length digests, encoding mismatches, clock skew, and payload tampering
• Extended unit tests and documentation for the verification API and CI acceptance criteria
• Added invalid_webhook_signature to the safe client-facing error catalog

Testing

npm test -- --testPathPattern='webhook-signing|webhookDelivery.signature'
npm run test:ci -- --collectCoverageFrom='src/utils/webhook-signing.util.ts'

closes #277 

[drips-wave]

@Jayking40 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits