Add docs for webhook security model and how creators should verify incoming requests

[chiscookeke11]

Summary

• Added comprehensive documentation for verifying AccessLayer webhook signatures.
• Documented the required x-accesslayer-signature and x-accesslayer-timestamp headers.
• Specified the HMAC-SHA256 signing scheme and the signed message format: <timestamp>.<raw-request-body>.
• Included a step-by-step verification guide, pseudocode example, and constant-time comparison recommendation.
• Documented replay protection best practices, optional idempotency checks, and the expected 400 Bad Request response for failed signature verification.
• Cleaned up webhook documentation formatting for improved consistency and readability.

Testing

• pnpm lint
• pnpm build
• pnpm exec prisma generate when schema or generated types changed

Checklist

• Linked issue or backlog item
• No secrets or live credentials added
• Docs updated if setup or env changed
• Change is scoped to one problem

closes #554

[drips-wave]

@chiscookeke11 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits