feat: add auto-deploy webhook handler

webhook.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * GitHub Auto-Deploy Webhook
+ * Verifies GitHub HMAC signature, then queues the repo for git pull.
+ * A root cron job (/usr/local/bin/web-dashboard-deploy.sh) processes the queue every minute.
+ *
+ * WEBHOOK_SECRET must be defined — set it as a constant in a gitignored config file,
+ * or define it directly here for single-site use.
+ */
+
+define('WEBHOOK_SECRET', '4c8805f0285214ff0a0602b5880270b935f36a896946c7f1');
+define('DEPLOY_QUEUE',   '/tmp/web-dashboard-deploy.txt');
+define('DEPLOY_LOG',     '/home/webacct/logs/deploy.log');
+define('REPO_PATH',      '/home/webacct/public_html');
+
+header('Content-Type: application/json');
+
+$payload  = file_get_contents('php://input');
+$sig      = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? '';
+$expected = 'sha256=' . hash_hmac('sha256', $payload, WEBHOOK_SECRET);
+
+if (!hash_equals($expected, $sig)) {
+    http_response_code(403);
+    echo json_encode(['error' => 'Invalid signature']);
+    exit;
+}
+
+$data   = json_decode($payload, true);
+$ref    = $data['ref'] ?? '';
+$pusher = $data['pusher']['name'] ?? 'unknown';
+
+if ($ref !== 'refs/heads/main') {
+    echo json_encode(['ok' => true, 'skipped' => "ref $ref is not main"]);
+    exit;
+}
+
+$ts = date('Y-m-d H:i:s');
+file_put_contents(DEPLOY_QUEUE, REPO_PATH . "\n", FILE_APPEND | LOCK_EX);
+file_put_contents(DEPLOY_LOG,   "[$ts] Queued deploy by $pusher\n", FILE_APPEND | LOCK_EX);
+
+echo json_encode(['ok' => true, 'queued' => 'web-dashboard']);