Webhooks: constant-time HMAC signature verification

[OmarAlJarrah]

Summary

Implements the webhook package: constant-time HMAC-SHA256 verification of
inbound webhook signatures, with a timestamp-tolerance window to defeat replay.
This completes the package set — no placeholder packages remain.

What's included

• Sign(secret, payload) — lowercase hex HMAC-SHA256 (locked against the
  canonical published test vector).
• Verifier (NewVerifier(secret, WithTolerance(d))) —
  • Verify(payload, sigHex) compares with hmac.Equal on the raw MAC bytes
    (constant-time); invalid hex maps to a mismatch with no information leak.
  • VerifyTimestamp(body, timestamp, now, sigHex) implements the common
    "<unix>.<body>" scheme, rejecting timestamps outside the tolerance window in
    either direction before checking the signature. now is injected for
    deterministic verification.
• Typed sentinels ErrSignatureMismatch and ErrTimestampOutsideTolerance for
  errors.Is.

VerifyTimestamp streams the HMAC over the timestamp/body parts (no payload copy).
A tolerance of <= 0 disables the window — clearly warned in the GoDoc.

Behavior changes

None — new package only (webhook was a placeholder).

Deferred (not in this PR)

• Provider-specific signature-header parsing (callers pass the timestamp +
  signature they extracted).
• Non-HMAC-SHA256 schemes (e.g. Ed25519).

Test plan

• go build ./...
• go vet ./...
• gofmt -l . (clean)
• go test -race ./... (all 18 packages pass)
• Covered: Sign/Verify round-trip; tampered payload, wrong secret, invalid hex →
  mismatch; timestamp within/outside (stale and future) tolerance; tolerance
  disabled; a known-answer HMAC golden vector; and the hex output format.

🤖 Generated with Claude Code