Webhook and ack security (NR6)

Webhooks must use HMAC-SHA256 with per-tenant rotating secrets or mTLS/DPoP. hmac_id maps to secret material.
Ack URLs carry signed tokens (nonce, audience, tenant_id, delivery_id, expires_at) and are single-use. Reject replay or expired tokens.
Enforce allowlists for domains and paths per tenant; deny wildcards.
Capture failures in observability pipeline and DLQ with redrive after investigation.