Changelog
2026-04-19

Webhook secret rotation with dual-signature grace window

Tags: feature, security

Webhook secret rotation was previously a breaking change — rotating meant every consumer had to update simultaneously. Now it’s a two-stage flow:

  1. Call POST /api/webhooks/:id/rotate-secret. Rungate generates a new secret and enters a grace window (default 7 days, configurable).
  2. During the grace window, outbound deliveries are signed with both secrets. Consumers can verify against either.
  3. After the window closes, only the new secret signs. Consumers that haven’t updated fail verification.

API: POST /api/webhooks/:id/rotate-secret accepts { grace_period_days: number }. Returns the new secret in the response body (only time it’s visible).
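The three stages above, played through end to end as an added example (not Rungate's own code). The changelog does not specify the signature scheme or header format, so this assumes HMAC-SHA256 over the raw body, hex encoded, with one signature per active secret joined by commas in a single header; the header name, the payload and the clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumptions for this example (the changelog does not specify Rungate's wire format):
# HMAC-SHA256 over the raw request body, hex encoded; while two secrets are active,
# both signatures travel comma-separated in one header.
SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 of the body under one secret, hex encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


@dataclass
class WebhookSecrets:
    """Sender-side state for one webhook: the live secret, the previous secret kept
    only for the grace window, and when that window closes (rotation_expires_at)."""
    current: bytes
    previous: Optional[bytes] = None
    rotation_expires_at: Optional[datetime] = None

    def rotate(self, grace_period_days: int, now: datetime) -> bytes:
        """Stage 1: mint a new secret and open the grace window. Returns the new
        secret; as with the API, this is the only time it is handed out."""
        self.previous = self.current
        self.current = secrets.token_bytes(32)
        self.rotation_expires_at = now + timedelta(days=grace_period_days)
        return self.current

    def signing_secrets(self, now: datetime) -> List[bytes]:
        """Stages 2 and 3: both secrets while the window is open, only the new one
        once it has closed."""
        window_open = (self.previous is not None
                       and self.rotation_expires_at is not None
                       and now < self.rotation_expires_at)
        return [self.current, self.previous] if window_open else [self.current]


def build_signature_header(signing_secrets: List[bytes], body: bytes) -> str:
    """Sender: one signature per active secret, comma separated."""
    return ",".join(sign(s, body) for s in signing_secrets)


def verify(header_value: str, body: bytes, consumer_secret: bytes) -> bool:
    """Consumer: accept the delivery if any presented signature matches the single
    secret this consumer holds. Each comparison is constant-time."""
    expected = sign(consumer_secret, body)
    return any(hmac.compare_digest(candidate.strip(), expected)
               for candidate in header_value.split(","))


def walk_through(grace_period_days: int = 7) -> dict:
    """Replay the three stages against one consumer that has not updated its secret
    and one that has. Returns each consumer's verification result per stage."""
    t0 = datetime(2026, 4, 19, tzinfo=timezone.utc)  # constructed rotation time
    body = b'{"event":"job.completed","id":"job_123"}'  # constructed payload
    old_secret = b"old-consumer-secret"  # constructed pre-rotation secret
    webhook = WebhookSecrets(current=old_secret)
    new_secret = webhook.rotate(grace_period_days, now=t0)

    during = t0 + timedelta(days=1)
    header_during = build_signature_header(webhook.signing_secrets(during), body)
    after = t0 + timedelta(days=grace_period_days, seconds=1)
    header_after = build_signature_header(webhook.signing_secrets(after), body)

    return {
        "during_grace_old_consumer": verify(header_during, body, old_secret),
        "during_grace_new_consumer": verify(header_during, body, new_secret),
        "after_grace_old_consumer": verify(header_after, body, old_secret),
        "after_grace_new_consumer": verify(header_after, body, new_secret),
    }


if __name__ == "__main__":
    for stage, ok in walk_through().items():
        print(f"{stage}: {'verified' if ok else 'rejected'}")
```

The consumer side is the part worth copying: it never needs to know a rotation is in progress, it simply checks every presented signature against the one secret it holds, which is what lets the old and the updated consumer coexist until the window closes. On the sender side, the previous secret stops signing the moment rotation_expires_at passes, so a consumer that never updated is rejected rather than silently accepted on a stale key.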

Migration: existing webhooks are unaffected. Migration 035 adds the rotated_secret_hash and rotation_expires_at columns.

Closes issue #109.