feat(msgraph): add webhook listener platform

[dlkakbs]

References PR #19815.

This is the second part of the Microsoft Teams meeting pipeline stack, split out in response to maintainer review on the original PR.

This slice is intentionally scoped to:

• the Microsoft Graph webhook listener platform
• gateway wiring for Graph change notifications
• bounded receipt dedupe behavior for webhook ingestion

The goal here is to keep the review surface small and land the webhook ingestion layer before the Teams pipeline runtime, outbound delivery, and docs follow-up PRs in the stack.

Review and merge in stack order.

[teknium1]

Leaving the same note on the other PRs in the stack for visibility.

Could you retarget this PR's base branch so diffs are incremental instead of cumulative? Full detail in #21408 (comment) but tl;dr:

• feat(msgraph): add webhook listener platform #21409 → base pr/msgraph-auth-client
• feat(teams-pipeline): add plugin runtime and operator cli #21410 → base pr/msgraph-webhook-listener
• feat(teams): add pipeline outbound delivery via existing adapter #21411 → base pr/teams-pipeline-plugin-runtime
• docs(teams): split meetings setup from operator runbook #21412 → base pr/teams-outbound-delivery

gh pr edit <N> --base <branch> does it in place — no close/reopen, comments and CI preserved. GitHub auto-retargets up the stack as each one merges.

Planning to review bottom-up from #21408. Thanks.

[teknium1]

Merged via PR #21969. Your three commits (feat(msgraph): add webhook listener platform, fix(msgraph): bound webhook receipt dedupe cache, fix(msgraph): normalize webhook dedupe and resource matching) landed on main with your authorship preserved via rebase-merge — see commits 46a6f3902, 2a215de9a, and 26a59e4f6.

Two follow-ups added on top during salvage:

1. fix(msgraph_webhook): harden auth surface + IP allowlisting + response hygiene — clientState comparison now uses hmac.compare_digest instead of == (defense-in-depth against timing leaks since client_state is a strong shared secret). Split GET/POST handlers so bare GET without validationToken returns 400 rather than falling through to the POST path. Empty 202 response body on success — internal counters are observable via /health, not the wire response. New optional allowed_source_cidrs extra + MSGRAPH_WEBHOOK_ALLOWED_SOURCE_CIDRS env var for restricting to Microsoft's published Graph webhook egress ranges in production. Tests extended from 40→52 covering these behaviors, including a spy test that verifies hmac.compare_digest is actually invoked.

2. docs(msgraph): webhook listener setup page + env var reference — new /docs/user-guide/messaging/msgraph-webhook page with quick-start config, full config table, security hardening guidance, status-code table, troubleshooting, and cross-links to the Azure app registration guide. Env var reference updated with all MSGRAPH_WEBHOOK_* vars.

Remaining PRs in the stack (#21410 pipeline runtime, #21411 outbound delivery, #21412 full setup docs + SKILL.md) are next. Thanks again!