feat: merge Gitea webhook security into setup wizard (issue #2)

Integrates the 5-layer Gitea webhook security system from
sol/clawgravity-hook-security (v2.0) into the setup wizard.

## What's added

### New files (from clawgravity-hook-security v2.0)
- scripts/webhook-security/gitea-hmac-verify.js    -- njs HMAC-SHA256 module
- scripts/webhook-security/gitea-approve-repo       -- allowlist helper
- scripts/webhook-security/rotate-webhook-secret.sh -- monthly secret rotation (templated)
- scripts/webhook-security/webhook-audit-alert.sh   -- daily audit summaries (templated)
- scripts/webhook-security/ntfy-blocked-pickup.sh   -- blocked webhook alerts (templated)
- templates/webhook-security/nginx-site.conf.example
- templates/webhook-security/nginx.conf.example
- templates/webhook-security/gitea-repo-allowlist.json.example
- docs/WEBHOOK-SECURITY.md   -- full documentation
- docs/SECURITY-AUDIT.md     -- 35-case test matrix
- tests/test-webhook-security.sh  -- 48 offline tests

### Modified files
- setup.sh: Step 11 (webhook security wizard with 6 sub-sections)
- scripts/uninstall.sh: webhook security cleanup section
- README.md: Webhook Security section after Quick Start
- Makefile: test target now runs test-webhook-security.sh
- .secret-scan-allowlist: allowlist docs/SECURITY-AUDIT.md (test fixture)

## Security layers
1. IP allowlisting (nginx)
2. Rate limiting 10 req/s burst 20 (nginx)
3. Payload size 1MB (nginx)
4. HMAC-SHA256 signature verification (njs)
5. Per-repository allowlist (njs)

## make check
- prettier: PASS
- secret-scan: PASS
- tests: 48/48 PASS

Closes #2

scripts/uninstall.sh

@@ -37,6 +37,74 @@ for script in /usr/local/bin/sync-oauth-token.sh /usr/local/bin/refresh-claude-t
     fi
 done
 
+# ============================================================================
+# Webhook Security Cleanup (if installed)
+# ============================================================================
+WH_INSTALLED=false
+
+for wh_file in /etc/nginx/njs/gitea-hmac-verify.js /etc/nginx/gitea-webhook-secret /etc/nginx/gitea-repo-allowlist.json /opt/webhook-security /usr/local/bin/gitea-approve-repo; do
+    if [ -e "$wh_file" ]; then
+        WH_INSTALLED=true
+        break
+    fi
+done
+
+if $WH_INSTALLED; then
+    echo ""
+    echo "Webhook security files detected."
+    read -rp "[uninstall] Remove webhook security files? [y/N]: " WH_CONFIRM
+    WH_CONFIRM="${WH_CONFIRM:-N}"
+    if [[ "$WH_CONFIRM" =~ ^[Yy] ]]; then
+        # Remove njs module
+        if [ -f /etc/nginx/njs/gitea-hmac-verify.js ]; then
+            log "Removing /etc/nginx/njs/gitea-hmac-verify.js"
+            rm -f /etc/nginx/njs/gitea-hmac-verify.js
+        fi
+
+        # Remove secret file
+        if [ -f /etc/nginx/gitea-webhook-secret ]; then
+            log "Removing /etc/nginx/gitea-webhook-secret"
+            rm -f /etc/nginx/gitea-webhook-secret
+        fi
+
+        # Remove allowlist
+        if [ -f /etc/nginx/gitea-repo-allowlist.json ]; then
+            log "Removing /etc/nginx/gitea-repo-allowlist.json"
+            rm -f /etc/nginx/gitea-repo-allowlist.json
+        fi
+
+        # Remove scripts directory
+        if [ -d /opt/webhook-security ]; then
+            log "Removing /opt/webhook-security/"
+            rm -rf /opt/webhook-security
+        fi
+
+        # Remove gitea-approve-repo helper
+        if [ -f /usr/local/bin/gitea-approve-repo ]; then
+            log "Removing /usr/local/bin/gitea-approve-repo"
+            rm -f /usr/local/bin/gitea-approve-repo
+        fi
+
+        # Remove webhook-security cron entries
+        if crontab -l 2>/dev/null | grep -q 'webhook-security\|ntfy-blocked-pickup\|rotate-webhook-secret\|webhook-audit-alert'; then
+            log "Removing webhook-security cron entries..."
+            crontab -l 2>/dev/null | grep -v 'webhook-security\|ntfy-blocked-pickup\|rotate-webhook-secret\|webhook-audit-alert' | crontab -
+            log "Cron entries removed"
+        fi
+
+        log "Webhook security files removed."
+        echo ""
+        log "IMPORTANT: You must also remove the webhook security configuration"
+        log "from your nginx config manually:"
+        log "  - Remove js_path, js_import, and limit_req_zone from nginx.conf http block"
+        log "  - Remove the 'location = /hooks/gitea' block from your site config"
+        log "  - Remove the 'location /hooks/gitea-upstream' block from your site config"
+        log "  - Run: nginx -t && nginx -s reload"
+    else
+        log "Skipping webhook security cleanup."
+    fi
+fi
+
 echo ""
 log "Done. The following files were NOT removed (contain your credentials):"
 log "  - /root/.openclaw/credentials/oauth.json"