Keycloak SPI event receiver
Inbound webhook from Keycloak's SPI event listener. Authentication is performed via the X-Keycloak-Signature header (sha256=<hex> HMAC-SHA256 of the raw body using KONTORION_KEYCLOAK_WEBHOOK_SECRET); this endpoint does NOT use BearerAuth - events arrive before any org context is selected. Body is capped at 128 KiB. Every event payload is translated into the local audit-event stream so the History tab merges identity + billing context. Only IDENTITY_PROVIDER_FIRST_LOGIN additionally triggers logic on this side (JIT auto-enrollment); all other event types (LOGIN, LOGOUT, REGISTER, UPDATE_PROFILE, etc.) are audit-only. Returns 503 when the handler is not configured (missing secret or audit sink).
Headers
X-Keycloak-Signature: HMAC-SHA256 signature of the raw body, formatted as sha256=<hex>
Keycloak SPI event receiver › Request Body
clientId
error
ipAddress
organizationId
realmId
sessionId
time
type
userId
Keycloak SPI event receiver › Responses
Event accepted and forwarded to the audit sink
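The checks described above, in the order a receiver would apply them, as an added example (not the project's own code). The function names `sign` and `handle`, the verdict labels, and the sample secret and body are assumptions made for illustration; only the 503 mapping for the unconfigured case comes from this page.

```python
import hashlib
import hmac
import json

MAX_BODY = 128 * 1024  # body cap stated on this page
JIT_EVENT = "IDENTITY_PROVIDER_FIRST_LOGIN"
PREFIX = "sha256="
# Constructed values: the secret stands in for KONTORION_KEYCLOAK_WEBHOOK_SECRET,
# the body uses field names from the request body listing.
SECRET = b"constructed-example-secret"
BODY = json.dumps({"type": JIT_EVENT, "realmId": "example",
                   "userId": "u-1", "time": 0}).encode()


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value for a body: sha256=<hex> HMAC-SHA256 over the raw bytes."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle(raw_body: bytes, signature, secret):
    """Return (verdict, action); verdict names are this example's own labels."""
    if not secret:
        return ("not_configured", None)  # the page maps this case to 503
    if len(raw_body) > MAX_BODY:
        return ("too_large", None)  # reject before spending time on the HMAC
    if not isinstance(signature, str) or not signature.startswith(PREFIX):
        return ("bad_signature", None)
    expected = sign(secret, raw_body)
    # Constant-time comparison, done on the bytes as received and
    # before any parsing of the untrusted JSON.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return ("bad_signature", None)
    try:
        event = json.loads(raw_body)
    except ValueError:
        return ("bad_payload", None)
    if not isinstance(event, dict):
        return ("bad_payload", None)
    # Every event is audited; only the first-login event also triggers JIT.
    action = "audit+jit_enroll" if event.get("type") == JIT_EVENT else "audit"
    return ("accepted", action)


if __name__ == "__main__":
    print(handle(BODY, sign(SECRET, BODY), SECRET))
    print(handle(BODY + b" ", sign(SECRET, BODY), SECRET))
```

Because the HMAC covers the raw bytes, a proxy or framework that re-serializes the JSON before the handler sees it will cause valid events to fail verification.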