fix: add WhatsApp webhook signature verification (X-Hub-Signature-256)

Closes #51

- Add HMAC-SHA256 signature verification for WhatsApp webhooks
- Prevents message spoofing attacks (CWE-345)
- Add whatsapp_app_secret config field with ZEROCLAW_WHATSAPP_APP_SECRET env override
- Add 13 comprehensive unit tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Cargo.toml

@@ -43,8 +43,10 @@ uuid = { version = "1.11", default-features = false, features = ["v4", "std"] }
 # Authenticated encryption (AEAD) for secret store
 chacha20poly1305 = "0.10"
 
-# SHA-256 for bearer token hashing
+# HMAC for webhook signature verification
+hmac = "0.12"
 sha2 = "0.10"
+hex = "0.4"
 
 # Async traits
 async-trait = "0.1"