[Bounty $5k] fix(webhook): add delivery audit store with monotonic sequence guard

[Karry2019web]

Closes #3586

Adds a webhook delivery audit module that prevents stale delivery status from overwriting newer results:

Changes

New: src/webhook/__init__.py

• Exports DeliveryAuditStore, DeliveryRejected, DeliveryRecord, WebhookEndpoint

New: src/webhook/delivery.py

• DeliveryAuditStore — webhook delivery audit with:
  • Endpoint registration with workspace scope and enable/disable
  • Monotonic sequence counter — each delivery gets an incrementing sequence number
  • Stale delivery guard — rejects delivery status that has a lower or equal sequence than the existing record
  • Internal field sanitization — strips authorization, debug, headers, internal_run_id, private, secret, token, trace_id from payloads
  • Workspace isolation — endpoints and records are scoped by workspace

New: tests/test_webhook_delivery.py

• Tests cover: valid delivery, rejected unregistered endpoint, rejected disabled endpoint, non-dict payload rejection, stale delivery rejection, internal field removal, delivery retrieval, workspace isolation, endpoint removal

Acceptance Criteria

• ✅ Tests cover valid delivery, rejected delivery, retry behavior, and workspace isolation
• ✅ Delivery records remain idempotent and do not expose internal-only fields
• ✅ Monotonic sequence guard prevents stale status overwrites