
feat(pki): add webhooks to alerts#5327

Merged
saifsmailbox98 merged 15 commits into main from
saif/pki-107-notification-channel-webhooks
Feb 4, 2026

Conversation

@saifsmailbox98
Contributor

Context

This adds webhook support for PKI alerts, allowing users to receive notifications before their certificates expire based on custom time thresholds.

Screenshots

[Screenshots: CleanShot 2026-01-31 at 00 49 20@2x; CleanShot 2026-01-31 at 00 46 41@2x]

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@maidul98
Collaborator

maidul98 commented Jan 30, 2026

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues


@greptile-apps
Contributor

greptile-apps bot commented Jan 30, 2026

Greptile Overview

Greptile Summary

This PR adds webhook support to PKI certificate alerts, allowing users to receive notifications via HTTP POST requests when certificates are approaching expiration. The implementation uses CloudEvents-compliant payloads with optional HMAC-SHA256 signature verification.

Key Changes:

  • Added encryptedConfig column to store webhook configs securely using KMS encryption
  • Implemented webhook notifications with SSRF protection via verifyHostInputValidity
  • Webhook payloads follow CloudEvents specification with structured certificate data
  • Optional signing secret support for webhook payload verification using HMAC-SHA256
  • Added test webhook endpoint (POST /test-webhook) to verify connectivity before saving
  • Frontend refactored to support multiple channel types (email/webhook) with accordion UI
  • Comprehensive documentation added covering payload format and signature verification

Security Highlights:

  • Webhook URLs are validated to prevent SSRF attacks (can't target internal networks)
  • Signing secrets are encrypted at rest using KMS
  • Migration is idempotent with proper hasColumn checks
  • Frontend performs client-side URL validation before API calls

Implementation Quality:

  • Clean separation between email and webhook notification logic
  • Proper error handling with detailed context for failed notifications
  • Signing secret preservation during updates (undefined=keep, null=clear, value=update)
  • Last run status tracking added for notification debugging

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk - security measures are properly implemented
  • Score reflects strong security implementation (SSRF protection, encryption) and thorough testing infrastructure. Minor deduction due to complexity of signing secret preservation logic that warrants careful testing in production.
  • Pay close attention to backend/src/services/pki-alert-v2/pki-alert-v2-service.ts (signing secret update logic) and verify webhook delivery works correctly with all notification channels

Important Files Changed

Filename Overview
backend/src/db/migrations/20260129181800_add-encrypted-config-to-pki-alert-channels.ts Adds encryptedConfig column with proper idempotency checks
backend/src/services/pki-alert-v2/pki-alert-v2-service.ts Adds webhook support with encryption, SSRF protection, and signing secret handling
backend/src/services/pki-alert-v2/pki-alert-v2-notification-fns.ts New file implementing CloudEvents-compliant webhook payloads with HMAC signatures
backend/src/server/routes/v2/pki-alert-router.ts Adds POST /test-webhook endpoint with proper validation and rate limiting
frontend/src/views/PkiAlertsV2Page/components/CreatePkiAlertV2FormSteps.tsx Refactored to support multiple channel types (email/webhook) with accordion UI
docs/documentation/platform/pki/alerting.mdx Documents webhook channels, CloudEvents payload format, and signature verification
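The review summary above describes the PR's webhook channel in terms of four properties: a CloudEvents-shaped payload, an optional HMAC-SHA256 signature over it, SSRF validation of the target URL, and (per the later comment) delivery retries with a 7s timeout. The block below is an added example written for this page, not Infisical's own code from the PR: it builds such an event, signs and verifies it with a constant-time comparison, applies a coarse URL guard, and retries delivery through an injected transport. The header name, event type, `source` value, payload fields and retry policy are assumptions; the PR's real values are documented in the `alerting.mdx` file listed above, not here.

```typescript
// Added example (not Infisical's code). Demonstrates the webhook properties the review
// summary names; all identifiers below are assumptions unless noted in the lead-in.
import { createHmac, timingSafeEqual } from "node:crypto";
import { isIP } from "node:net";

// Hypothetical header and event type; the PR's actual names are not on this page.
export const SIGNATURE_HEADER = "x-webhook-signature-sha256";
export const EVENT_TYPE = "example.pki.certificate.expiring";

export interface CertificateExpiryEvent {
  specversion: "1.0";
  id: string;
  source: string;
  type: string;
  time: string;
  datacontenttype: "application/json";
  data: { certificateId: string; commonName: string; notAfter: string; daysUntilExpiry: number };
}

// Wrap certificate details in a CloudEvents 1.0 envelope (id/time passed in for determinism).
export function buildEvent(id: string, time: string, data: CertificateExpiryEvent["data"]): CertificateExpiryEvent {
  return { specversion: "1.0", id, source: "/pki/alerts", type: EVENT_TYPE, time, datacontenttype: "application/json", data };
}

// HMAC-SHA256 over the exact bytes sent; receivers must hash the raw body, never a re-serialised object.
export function signBody(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Receiver-side check: reject malformed signatures up front, then compare in constant time.
export function verifySignature(rawBody: string, secret: string, signatureHex: string): boolean {
  if (!/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = Buffer.from(signBody(rawBody, secret), "hex");
  const given = Buffer.from(signatureHex, "hex");
  return timingSafeEqual(expected, given);
}

// Coarse SSRF guard on the literal URL: http(s) only, no localhost, no loopback/private/link-local
// IP literals. A production check must also resolve the hostname and re-test the resolved address.
export function isAllowedWebhookUrl(input: string): boolean {
  let url: URL;
  try { url = new URL(input); } catch { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (isIP(host) === 4) {
    const parts = host.split(".").map(Number);
    const a = parts[0] ?? -1;
    const b = parts[1] ?? -1;
    if (a === 0 || a === 10 || a === 127) return false;
    if (a === 169 && b === 254) return false;            // link-local / cloud metadata range
    if (a === 172 && b >= 16 && b <= 31) return false;   // 172.16.0.0/12
    if (a === 192 && b === 168) return false;
  }
  if (isIP(host) === 6) {
    if (host === "::1" || host === "::" || host.startsWith("fc") || host.startsWith("fd") || host.startsWith("fe80")) return false;
  }
  return true;
}

// Transport is injected so the retry policy can be exercised without a network; returns HTTP status.
export type SendFn = (body: string, headers: Record<string, string>) => Promise<number>;

export interface DeliveryResult { delivered: boolean; attempts: number; lastStatus?: number }

// Up to `attempts` tries: thrown errors and 5xx are retried, 2xx succeeds, any other status stops.
export async function deliverWithRetry(
  event: CertificateExpiryEvent, secret: string | null, send: SendFn, attempts = 3,
): Promise<DeliveryResult> {
  const body = JSON.stringify(event);
  const headers: Record<string, string> = { "content-type": "application/json" };
  if (secret) headers[SIGNATURE_HEADER] = signBody(body, secret); // signing is optional, as in the PR
  let lastStatus: number | undefined;
  for (let i = 1; i <= attempts; i++) {
    try {
      lastStatus = await send(body, headers);
      if (lastStatus >= 200 && lastStatus < 300) return { delivered: true, attempts: i, lastStatus };
      if (lastStatus < 500) return { delivered: false, attempts: i, lastStatus };
    } catch {
      lastStatus = undefined;
    }
  }
  return { delivered: false, attempts, lastStatus };
}
```

A real `SendFn` would wrap `fetch` with `AbortSignal.timeout(7000)` to match the 7s timeout mentioned later in the thread, and the URL guard should run once at save time and again at send time against the resolved address, since a hostname that passes the literal check can still resolve to a private range.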

…num, move webhook types to types file, increase timeout to 7s, and document channel retry behavior
@saifsmailbox98
Contributor Author

saifsmailbox98 commented Feb 3, 2026

@carlosmonastyrski

Addressed the changes requested:

  1. Made having at least one channel mandatory.
  2. Added retries.

Also refactored the code a bit.

@saifsmailbox98 saifsmailbox98 merged commit a27c6a2 into main Feb 4, 2026
13 of 14 checks passed