feat: add notification channels with provider integrations and retry

Implement a channels system for notifying teams via external providers
(Discord, Slack, Teams, Google Chat, Telegram, Matrix, webhook) when
lifecycle events occur (capsule/template/host state changes).

- Channel CRUD API under /v1/channels (JWT-only auth)
- Test endpoint to verify config before saving (POST /v1/channels/test)
- Secret rotation endpoint (PUT /v1/channels/{id}/config)
- AES-256-GCM encryption for provider secrets (WRENN_ENCRYPTION_KEY)
- Redis stream event publishing from audit logger
- Background dispatcher with consumer group and retry (10s, 30s)
- Webhook delivery with HMAC-SHA256 signing (X-WRENN-SIGNATURE)
- shoutrrr integration for chat providers
- Secrets never exposed in API responses

internal/channels/publisher.go

@@ -0,0 +1,44 @@
+package channels
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/redis/go-redis/v9"
+
+	"git.omukk.dev/wrenn/sandbox/internal/events"
+)
+
+const streamKey = "wrenn:events"
+
+// Publisher pushes events onto the Redis stream for the dispatcher to consume.
+type Publisher struct {
+	rdb *redis.Client
+}
+
+// NewPublisher constructs an event publisher.
+func NewPublisher(rdb *redis.Client) *Publisher {
+	return &Publisher{rdb: rdb}
+}
+
+// Publish serializes the event and appends it to the global stream.
+// Fire-and-forget: failures are logged, never propagated.
+func (p *Publisher) Publish(ctx context.Context, e events.Event) {
+	payload, err := json.Marshal(e)
+	if err != nil {
+		slog.Warn("channels: failed to marshal event", "event", e.Event, "error", err)
+		return
+	}
+
+	if err := p.rdb.XAdd(ctx, &redis.XAddArgs{
+		Stream: streamKey,
+		MaxLen: 10000,
+		Approx: true,
+		Values: map[string]interface{}{
+			"payload": string(payload),
+		},
+	}).Err(); err != nil {
+		slog.Warn("channels: failed to publish event", "event", e.Event, "error", err)
+	}
+}