feat(api): outbound webhooks — server_down + player_banned events
Roadmap 'Webhook events': per-license outbound webhooks with HMAC-SHA256
signatures (X-Corrosion-Signature), 5s timeout, fire-and-forget (a webhook
failure never breaks the triggering action), last_delivery_at/last_status
tracked.
- migration 024_webhooks; Webhook entity (events as simple-array);
WebhooksModule (@Global, exports WebhooksService) wired into app.module;
CRUD controller (license-scoped, webhooks.view/manage).
- Hooked events: players.performAction ban -> 'player_banned';
host-agent-consumer going-offline + staleness sweep -> 'server_down'.
- 'wipe_completed' event lands next (needs wipe status from the agent reply).
Backend tsc green. Migration applies on a fresh DB (Saturday).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0effaaf86c