EDITH

GitHub webhooks

Push + PR triggers, signature verification, what happens on every commit.


The webhook flow

When you install the EDITH GitHub App, a webhook fires on every push and pull_request event. The flow:

  1. GitHub sends the event to /api/github/webhook
  2. EDITH verifies the signature (x-hub-signature-256)
  3. We enqueue an Inngest scan event
  4. A worker picks it up, runs the scan, posts a PR comment with findings + score

Signature verification

Every webhook is signed with HMAC-SHA256 using your installation's secret. EDITH rejects any request that fails verification with HTTP 401 and logs the attempt to the audit log.
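
The check described above, as an added example in Node.js (not EDITH's own code). The function names, the in-memory `auditLog`, the 202 success status, the queued event shape and the sample secret and payload are assumptions made for illustration; the `sha256=<hex>` header format is GitHub's.

```javascript
// Added example, not EDITH's source. Names and sample values are constructed.
const crypto = require('node:crypto');

// True only if `header` is "sha256=" + hex(HMAC-SHA256(secret, rawBody)).
// rawBody must be the exact bytes received: re-serialising parsed JSON
// changes the bytes and makes valid signatures fail.
function verifySignature(secret, rawBody, header) {
  // Strict format check also guarantees a 32-byte digest after decoding,
  // so timingSafeEqual below never throws on a length mismatch.
  if (typeof header !== 'string' || !/^sha256=[0-9a-f]{64}$/i.test(header)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(header.slice('sha256='.length), 'hex');
  // Constant-time comparison: no early exit on the first differing byte.
  return crypto.timingSafeEqual(received, expected);
}

const auditLog = []; // hypothetical stand-in for the audit log

// Hypothetical handler: verify first, parse the body only afterwards.
function handleWebhook(secret, req) {
  const header = req.headers['x-hub-signature-256'];
  if (!verifySignature(secret, req.rawBody, header)) {
    auditLog.push({
      event: 'webhook_signature_rejected',
      headerPresent: header !== undefined,
      at: new Date().toISOString(),
    });
    return { status: 401 };
  }
  const payload = JSON.parse(req.rawBody.toString('utf8'));
  // Assumed shape of the event handed to the queue.
  return { status: 202, queued: { name: 'scan', ref: payload.ref } };
}

// Constructed sample input.
const SECRET = 'constructed-test-secret';
const BODY = Buffer.from('{"ref":"refs/heads/main"}');
function sign(secret, body) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
}

console.log(handleWebhook(SECRET, {
  headers: { 'x-hub-signature-256': sign(SECRET, BODY) },
  rawBody: BODY,
}).status);
```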

PR comments

On every PR, EDITH posts (or updates) a single comment with:

  • Headline score
  • Findings grouped by severity
  • Drift vs the base branch (newly introduced issues)
  • One "Copy fix prompt" button per finding

The comment updates in place on every new commit to the PR.