feat: add optional bearer token support for webhook subscriptions

Token is stored in the DB but never returned in API responses (write-only).
fireWebhooks() sends Authorization: Bearer <token> header when present.

src/data/db.ts

@@ -89,20 +89,23 @@ type WebhookSubscriptionRow = {
   did: string;
   method: string;
   url: string;
+  token?: string;
 };
 
 export const addWebhookSubscription = (
-  { did, method, url }: Omit<WebhookSubscriptionRow, "id">,
+  { did, method, url, token }: Omit<WebhookSubscriptionRow, "id">,
 ): WebhookSubscriptionRow => {
   db.exec(
-    "INSERT INTO webhook_subscription (did, method, url) VALUES (?, ?, ?)",
+    "INSERT INTO webhook_subscription (did, method, url, token) VALUES (?, ?, ?, ?)",
     did,
     method,
     url,
+    token ?? null,
   );
   return db.prepare(
     "SELECT id, did, method, url FROM webhook_subscription WHERE id = last_insert_rowid()",
   ).get<WebhookSubscriptionRow>()!;
+  // Note: token is intentionally excluded from the SELECT (write-only)
 };
 
 export const deleteWebhooksByDid = (did: string): void => {
@@ -111,7 +114,7 @@ export const deleteWebhooksByDid = (did: string): void => {
 
 export const getWebhooksByDid = (did: string): WebhookSubscriptionRow[] => {
   return db.prepare(
-    "SELECT id, did, method, url FROM webhook_subscription WHERE did = ? ORDER BY id DESC LIMIT 10",
+    "SELECT id, did, method, url, token FROM webhook_subscription WHERE did = ? ORDER BY id DESC LIMIT 10",
   ).all<WebhookSubscriptionRow>(did);
 };
 

src/migrations/init.ts

@@ -55,4 +55,10 @@ db.exec(`
     ON webhook_subscription(did);
 `);
 
+try {
+  db.exec(`ALTER TABLE webhook_subscription ADD COLUMN token TEXT;`);
+} catch {
+  // Column already exists — no-op
+}
+
 db.close();