fix(coolify): URL-token auth + test connection UI + IP allowlist for webhook ingest

[finedesignz]

Summary

Coolify's Notifications → Webhook UI only exposes a single URL field — no header configuration, no signing-secret support. Phase 06's original HMAC-header design was therefore unusable against real Coolify deployments (every test notification rejected at the signature check). This PR replaces it with a per-user token embedded in the URL path, and folds in two parallel-discovered fixes.

Part 1 — URL-token auth (primary)

• New primary route: POST /api/coolify/webhook/:user_id/:token. token IS the existing users.coolify_webhook_secret UUID. Constant-time compared. Enumeration-safe (identical 401 shape + timing for unknown user vs. wrong token).
• Legacy POST /api/coolify/webhook/:user_id (HMAC headers) kept for a 30-day grace period. Returns Deprecation: true + Sunset: + Link: rel=deprecation headers and logs a warning per hit.
• GET/POST /api/account/coolify-webhook-secret[/rotate] now return the full URL with the token embedded — that's the string the user pastes into Coolify.

Part 2 — Test-connection UI + audit log

• New table coolify_webhook_attempts (capped 100 rows/user via app-side delete-oldest). Every hit logged regardless of outcome.
• GET /api/account/coolify-webhook-attempts?limit=N (JWT).
• Settings → Supervisor → Coolify Webhook card now renders the last 10 attempts inline with status pill (success / auth_failed / ip_rejected / legacy_hmac / bad_payload), source IP, reason, relative timestamp, refresh button. Empty state explains the next step.

Part 3 — IP allowlist (defense in depth)

• Optional users.coolify_webhook_allowed_ips (CSV of IPv4 / IPv6 / CIDR). NULL/empty = allow all (back-compat).
• GET/PUT /api/account/coolify-webhook-allowed-ips (JWT). PUT validates each entry server-side; returns 400 with the offending entry on bad CIDR.
• Zero-dep CIDR helper at hub/src/lib/cidr.ts (IPv4 + IPv6 + CIDR via plain bigint math; matches the existing cf-connecting-ip → x-real-ip → x-forwarded-for source-IP precedence used elsewhere in the hub).
• Rejected requests get 403 + audit row with reason source_ip_not_in_allowlist.

Coolify event-name fix (discovered mid-flight from PR #42 investigation)

Coolify's SendWebhookJob emits underscore event names (deployment_success, deployment_failed), not the dotted form some docs imply. The Zod schema now accepts both at the wire and normalizes internally via EVENT_ALIAS to the dotted canonical (deployment.succeeded / deployment.failed) so the rest of the pipeline stays on one shape.

Test plan

• bun test hub/ — 132 pass, 0 fail (45 skipped, all REMO_E2E_DB_URL-gated)
• bun run build:web — green
• 34 new/updated tests cover: URL-token success + wrong-token + no-secret, underscore event aliasing, IP allowlist (exact / CIDR / x-forwarded-for fallback / mismatch → 403), legacy HMAC path (success + Deprecation header + missing sig + stale ts + wrong secret), CIDR helper unit tests
• After deploy: user re-rotates via Settings, pastes new URL into Coolify, hits "Send Test Notification", confirms a success row appears in the attempts log

User action post-deploy

1. Go to Settings → Supervisor → Coolify Webhook.
2. Click Rotate URL (or Generate URL if not configured). Copy the new URL.
3. In Coolify: Project → Notifications → Webhook. Paste the URL. Save.
4. Send a test notification from Coolify — the attempts log should show a fresh success row within seconds.
5. (Optional) Add 46.224.61.233 (Coolify server IP) to Allowed source IPs for defense in depth.

🤖 Generated with Claude Code