fix(sms): validate X-Twilio-Signature on inbound webhooks#7121

Closed
enjoykumawat wants to merge 1 commit into NousResearch:main from enjoykumawat:fix/twilio-webhook-signature-validation
Conversation

@enjoykumawat

Summary

Fixes the unauthenticated RCE vulnerability reported in #7089.

The SMS webhook endpoint was accepting any HTTP POST without validating the X-Twilio-Signature header, allowing an attacker to spoof any authorized phone number and drive the agent to execute arbitrary tools with full OS privileges.

Changes:

  • Added _validate_twilio_signature() — implements Twilio's HMAC-SHA1 validation (URL + sorted POST params → HMAC-SHA1 with Auth Token → base64 → hmac.compare_digest)
  • _handle_webhook now rejects requests with missing or invalid signatures with HTTP 403
  • Invalid requests are logged as warnings for security auditing

Attack vector closed:

# Before: any POST was accepted
# After: missing/invalid X-Twilio-Signature → 403 Forbidden

Test plan

  • Valid Twilio request with correct signature → accepted (200)
  • Request with missing X-Twilio-Signature → rejected (403)
  • Request with wrong signature → rejected (403)
  • Signature computed with wrong auth token → rejected (403)

Closes #7089
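The check the PR describes (URL + sorted POST params → HMAC-SHA1 keyed with the Auth Token → base64 → constant-time compare), written out as an added example that is not the project's code and not the PR diff. The auth token, webhook URL and form fields below are constructed sample values, and `handle_webhook` is a hypothetical stand-in for the project's `_handle_webhook`.

```python
import base64
import hashlib
import hmac
import logging
from typing import Mapping, Optional

log = logging.getLogger(__name__)

# Constructed sample values: not a real token, not a real endpoint.
AUTH_TOKEN = "example-auth-token-not-real"
WEBHOOK_URL = "https://agent.example.invalid/sms"


def compute_twilio_signature(auth_token: str, url: str, params: Mapping[str, str]) -> str:
    """Twilio's scheme: the full request URL, followed by every POST parameter
    as key+value concatenated in sorted key order, HMAC-SHA1 with the Auth
    Token as key, base64-encoded."""
    payload = url + "".join(key + params[key] for key in sorted(params))
    digest = hmac.new(auth_token.encode("utf-8"), payload.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_twilio_signature(auth_token: str, url: str, params: Mapping[str, str],
                              header_value: Optional[str]) -> bool:
    """A missing header is a failure, not a skip; comparison is constant-time."""
    if not header_value:
        return False
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(headers: Mapping[str, str], form: Mapping[str, str],
                   auth_token: str = AUTH_TOKEN, url: str = WEBHOOK_URL) -> int:
    """Returns the HTTP status the endpoint would answer with: 403 for a
    missing or invalid signature (logged for auditing), 200 otherwise."""
    if not validate_twilio_signature(auth_token, url, form, headers.get("X-Twilio-Signature")):
        log.warning("Rejected SMS webhook with missing or invalid X-Twilio-Signature (From=%r)",
                    form.get("From"))
        return 403
    return 200


if __name__ == "__main__":
    form = {"From": "+15550100", "Body": "hello"}
    good = compute_twilio_signature(AUTH_TOKEN, WEBHOOK_URL, form)
    print(handle_webhook({"X-Twilio-Signature": good}, form))  # 200
    print(handle_webhook({}, form))                            # 403
```

One caveat when deploying this behind a proxy or load balancer: `url` must be exactly the URL Twilio signed (scheme, host, port and query string as Twilio sees them), otherwise every genuine request fails the check.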

@teknium1

Contributor

This vulnerability has been fixed in PR #7933 (merged). Thanks for the contribution, @enjoykumawat.

@teknium1 teknium1 closed this Apr 11, 2026
Successfully merging this pull request may close these issues.

[Bug]: Unauthenticated Remote Code Execution via SMS Webhook — Missing Twilio Signature Validation

2 participants