
feat(webhooks): use WEBHOOK_CALLBACK_BASE_URL as server-side default for webhook management #5

Open
ada-evorada wants to merge 3 commits into claude/cranky-johnson from feature/webhook-public-url-env-var

@ada-evorada

Summary

  • New system tRPC router — exposes WEBHOOK_CALLBACK_BASE_URL as routerPublicUrl via a system.getPublicUrl query, giving CLI and frontend a single source of truth for the server-configured public URL
  • Server-side URL fallback in webhooks tRPC — create and delete procedures now accept callbackBaseUrl as optional, falling back to WEBHOOK_CALLBACK_BASE_URL env var; throws BAD_REQUEST if neither is provided
  • Frontend updates — PM wizard, SCM tab (GitHub + GitLab sections), and Alerting tab now query system.getPublicUrl and use the server-provided URL instead of deriving from the browser origin
  • CLI updates — cascade webhooks create/delete fetch server public URL via system.getPublicUrl when --callback-url is not provided; cascade webhooks list uses server URL for Sentry URL display
  • Documentation — CLAUDE.md updated to clarify the dual purpose of WEBHOOK_CALLBACK_BASE_URL and its requirement when deployed behind NAT/reverse proxy
  • Pre-existing test fix — credential-scoping.test.ts fixed to properly delete env vars instead of setting to undefined

Fixes the issue where webhook creation/deletion would use the local internal URL instead of the public URL when CASCADE is deployed behind NAT/reverse proxy.

Card: https://trello.com/c/c2DxzsJC/14-the-scm-and-pm-integrations-are-configuring-webhooks-but-they-are-using-the-local-url-of-cascade-which-wont-work-if-its-behind-n

Test plan

  • Unit tests for system.getPublicUrl — returns env var when set, null when not set, throws UNAUTHORIZED for unauthenticated requests
  • Unit tests for webhooks.create and webhooks.delete with no callbackBaseUrl — uses env var when set, throws BAD_REQUEST when neither is provided
  • Updated existing CLI webhook tests to mock system.getPublicUrl and verify new fallback behavior
  • All 7361 unit tests passing
  • Manual: Deploy with WEBHOOK_CALLBACK_BASE_URL=https://cascade.example.com and verify cascade webhooks create <project-id> (without --callback-url) registers webhooks pointing to the public URL
  • Manual: Verify the Dashboard webhook management UI shows the correct URL when WEBHOOK_CALLBACK_BASE_URL is set

🤖 Generated with Claude Code

Cascade Bot and others added 3 commits April 9, 2026 23:03
…bilities

Runs npm audit fix to update axios 1.13.5→1.15.0 (critical SSRF),
hono 4.12.9→4.12.12, and @hono/node-server 1.19.12→1.19.13 (moderate)
so the CI npm audit --omit=dev --audit-level=high check passes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ada-evorada
Author

CI Failures Resolved

Fixes Applied

  • Ran npm audit fix to update vulnerable production dependencies:
    • axios 1.13.5 → 1.15.0 (fixes critical SSRF vulnerability GHSA-3p68-rc4w-qgx5)
    • hono 4.12.9 → 4.12.12 (fixes moderate cookie/IP matching vulnerabilities)
    • @hono/node-server 1.19.12 → 1.19.13 (fixes moderate middleware bypass)

Verification

  • npm audit --omit=dev --audit-level=high exits 0 (only 2 moderate vulnerabilities remain, which are unfixable without breaking changes)
  • All 7361 unit tests passing
  • Lint and typecheck clean
  • Changes pushed to branch

Member

@suda left a comment

Summary

Clean, well-structured implementation. The server-side fallback chain (explicit param -> WEBHOOK_CALLBACK_BASE_URL -> BAD_REQUEST) is consistent across create, delete, and list. Frontend gracefully handles the loading state by falling back to API_URL then window.location.origin. All 7361 unit tests pass and CI is green.

Minor Observation

tests/unit/api/routers/system.test.ts: beforeEach is imported from vitest but never used in the file. No functional impact, just a stale import.
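
The fallback chain discussed in this thread (explicit param -> WEBHOOK_CALLBACK_BASE_URL -> BAD_REQUEST), as an added TypeScript example that is not code from this PR. BadRequestError stands in for tRPC's TRPCError, and resolveCallbackBaseUrl, its env parameter and the URL validation rules are assumptions of the example.

```typescript
// Added example, not the project's code. Stand-in for tRPC's TRPCError so the
// block runs without dependencies.
class BadRequestError extends Error {
  readonly code = 'BAD_REQUEST';
}

type Env = Record<string, string | undefined>;

// Resolve the webhook callback base URL: explicit param first, then the
// server-configured env var, otherwise reject the request.
// The validation rules are assumptions of this example, not taken from the PR.
function resolveCallbackBaseUrl(explicit: string | undefined, env: Env): string {
  const raw = explicit?.trim() || env.WEBHOOK_CALLBACK_BASE_URL?.trim();
  if (!raw) {
    throw new BadRequestError(
      'callbackBaseUrl not provided and WEBHOOK_CALLBACK_BASE_URL is not set',
    );
  }

  // Node stringifies values assigned to process.env, so an env var "set to
  // undefined" arrives as the text "undefined"; URL parsing rejects it here
  // instead of letting it become part of a registered webhook URL.
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new BadRequestError(`callback base URL is not an absolute URL: ${raw}`);
  }

  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new BadRequestError(`unsupported callback URL scheme: ${url.protocol}`);
  }
  if (url.username || url.password) {
    // Credentials in the base URL would be sent to the SCM/PM provider and stored there.
    throw new BadRequestError('callback base URL must not embed credentials');
  }
  if (url.search || url.hash) {
    throw new BadRequestError('callback base URL must not carry a query or fragment');
  }

  // Normalise so callers can append "/webhooks/..." without doubling slashes.
  return url.origin + url.pathname.replace(/\/+$/, '');
}
```
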
