feat: add webhook verifier and register verifier bindings

Add AltumWebhookVerifier that validates inbound webhooks by checking
the User-Agent header (AltumCode sends unsigned webhooks via fire_and_forget).
Register verifier instances for all 4 product sources in AltumServiceProvider.

Co-Authored-By: Virgil <virgil@lethean.io>

src/AltumServiceProvider.php

@@ -13,5 +13,11 @@ class AltumServiceProvider extends ServiceProvider
         $this->app->singleton(AltumManager::class, function ($app) {
             return new AltumManager($app['config']['services.altum'] ?? []);
         });
+
+        // Register webhook verifiers for each AltumCode product source
+        $verifier = new AltumWebhookVerifier();
+        foreach (['altum-biolinks', 'altum-analytics', 'altum-pusher', 'altum-socialproof'] as $source) {
+            $this->app->instance("webhook.verifier.{$source}", $verifier);
+        }
     }
 }

src/AltumWebhookVerifier.php

@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Core PHP Framework — AltumCode Plugin
+ *
+ * Licensed under the European Union Public Licence (EUPL) v1.2.
+ * See LICENSE file for details.
+ */
+
+declare(strict_types=1);
+
+namespace Core\Plug\Altum;
+
+use Core\Webhook\WebhookVerifier;
+use Illuminate\Http\Request;
+
+/**
+ * Verifies inbound webhooks from AltumCode products.
+ *
+ * AltumCode currently sends unsigned webhooks (plain HTTP POST via fire_and_forget).
+ * Verification is limited to checking the User-Agent header.
+ *
+ * The admin UI generates whsec_ secrets and documents webhook-id/webhook-timestamp/
+ * webhook-signature headers, but the sending code does not use them yet. When AltumCode
+ * adds Standard Webhooks support, this verifier should be updated to validate HMAC-SHA256.
+ */
+class AltumWebhookVerifier implements WebhookVerifier
+{
+    public function verify(Request $request, string $secret): bool
+    {
+        $userAgent = $request->userAgent() ?? '';
+
+        return str_starts_with($userAgent, 'AltumCode');
+    }
+}