fix(sms): enforce X-Twilio-Signature verification for inbound webhooks

[WAXLYY]

Summary

This PR fixes a critical security vulnerability in the SMS platform adapter where inbound Twilio webhooks were processed without authenticity verification.

Vulnerability Details

• Risk: Unauthorized agent command execution via 'From' number spoofing.
• Root Cause: The /webhooks/twilio endpoint lacked signature validation, allowing anyone with the webhook URL to inject forged SMS messages into the agent's loop.
• Impact: Attackers could impersonate allowed users and execute arbitrary tools, potentially leading to data exfiltration or credential exhaustion.

Changes

• Signature Enforcement: Integrated X-Twilio-Signature validation using Twilio's HMAC-SHA1/Base64 algorithm.
• Proxy Awareness: Added logic to reconstruct the public URL candidates by honoring X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers, ensuring compatibility with reverse proxies.
• Secure Default: Unauthorized requests are now immediately rejected with a 403 Forbidden status.

Verification ✅

• Tested Module: gateway/platforms/sms.py
• Regression Tests: 24 tests passed in tests/gateway/test_sms.py.
• Scenarios Covered:
  • Unsigned requests (Rejected)
  • Validly signed requests (Accepted)
  • Requests behind reverse proxies (Verified candidate URL logic)

[teknium1]

This vulnerability has been fixed in PR #7933 (merged). Thanks for the contribution, @WAXLYY.