Rotate the HMAC signing secret on a customer-owned webhook

Mints a fresh whsec_* secret and writes it in place. Outbound deliveries pick up the new secret on the next worker tick — no grace window; the old secret stops signing immediately. The response returns BOTH plaintexts so the caller can update their server before deploying. The previous secret is shown ONCE — not persisted server-side anywhere after the response is sent.