Add scheme-based webhook signature verification (HMAC-SHA1, secret_from, URL reconstruction) (#192)

* Initial plan

* Add scheme-based webhook signature verification with HMAC-SHA1, secret_from, url_reconstruction, include_form_params, and error_status support

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

* Fix security and correctness issues in resolveSecret and reconstructURL

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

Author: Copilot

cmd/wfctl/type_registry.go

@@ -598,7 +598,7 @@ func KnownStepTypes() map[string]StepTypeInfo {
 		"step.webhook_verify": {
 			Type:       "step.webhook_verify",
 			Plugin:     "pipelinesteps",
-			ConfigKeys: []string{"secret", "header", "algorithm"},
+			ConfigKeys: []string{"provider", "scheme", "secret", "secret_from", "header", "signature_header", "url_reconstruction", "include_form_params", "error_status"},
 		},
 		"step.cache_get": {
 			Type:       "step.cache_get",