feat: add notification channels with provider integrations and retry

Implement a channels system for notifying teams via external providers
(Discord, Slack, Teams, Google Chat, Telegram, Matrix, webhook) when
lifecycle events occur (capsule/template/host state changes).

- Channel CRUD API under /v1/channels (JWT-only auth)
- Test endpoint to verify config before saving (POST /v1/channels/test)
- Secret rotation endpoint (PUT /v1/channels/{id}/config)
- AES-256-GCM encryption for provider secrets (WRENN_ENCRYPTION_KEY)
- Redis stream event publishing from audit logger
- Background dispatcher with consumer group and retry (10s, 30s)
- Webhook delivery with HMAC-SHA256 signing (X-WRENN-SIGNATURE)
- shoutrrr integration for chat providers
- Secrets never exposed in API responses

db/queries/channels.sql

@@ -0,0 +1,29 @@
+-- name: InsertChannel :one
+INSERT INTO channels (id, team_id, name, provider, config, event_types)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING *;
+
+-- name: ListChannelsByTeam :many
+SELECT * FROM channels WHERE team_id = $1 ORDER BY created_at DESC;
+
+-- name: GetChannelByTeam :one
+SELECT * FROM channels WHERE id = $1 AND team_id = $2;
+
+-- name: UpdateChannel :one
+UPDATE channels SET name = $3, event_types = $4, updated_at = NOW()
+WHERE id = $1 AND team_id = $2
+RETURNING *;
+
+-- name: UpdateChannelConfig :one
+UPDATE channels SET config = $3, updated_at = NOW()
+WHERE id = $1 AND team_id = $2
+RETURNING *;
+
+-- name: DeleteChannelByTeam :exec
+DELETE FROM channels WHERE id = $1 AND team_id = $2;
+
+-- name: ListChannelsForEvent :many
+SELECT * FROM channels
+WHERE team_id = $1
+  AND sqlc.arg(event_type)::text = ANY(event_types)
+ORDER BY created_at;