Handle Managed Connection Status Webhooks

[cuevaio]

Parent

Parent: #169

What to build

Implement managed WhatsApp Connection webhook handling once the provider webhook signature header and verification algorithm are confirmed. Normal should verify incoming provider deliveries using the per-connection provider webhook secret, update cached WhatsApp Connection status from status events, and continue routing message events through the existing webhook ingestion boundary without exposing provider mechanics to users.

This slice is HITL because provider webhook signature documentation is required before verification can be implemented safely. Persisting the webhook secret hash is covered by the initial managed connection slice; this issue should not implement fake verification.

Acceptance criteria

• The provider webhook signature header and algorithm are confirmed before implementation.
• Managed provider webhooks are verified using the WhatsApp Connection's per-connection provider webhook secret.
• Session/status webhook events update the cached WhatsApp Connection status using Normal-normalized statuses.
• Message-related webhook events continue through Normal's existing webhook ingestion, Message Store, WhatsApp Group Activity Store, and Run Intent boundaries.
• Unsupported channel and broadcast events are ignored according to the managed connection defaults.
• Webhook tests cover valid signatures, invalid signatures, status updates, and no raw provider secrets in persisted/debuggable data.

Blocked by

• Create Minimal Managed WhatsApp Connections #170
• Human confirmation of provider webhook signature documentation