
[Backend] Stripe / Web3 Fiat Webhook Scaffold #326

Open
armorbreak001 wants to merge 1 commit into GalactiGuild:main from armorbreak001:bounty/279-stripe-webhook

Conversation

@armorbreak001

Fixes #279

What was done

  • WebhookController (backend/src/webhooks/webhook.controller.ts):
    • POST /webhooks/fiat — secure endpoint for payment provider webhooks
    • No JWT authentication — open to public (webhooks come from Stripe/SEP-24 servers)
    • X-Signature header validation: Rejects requests missing the signature with 401
    • Raw body parsing: Uses express.raw() middleware on this specific route so the raw request body is available for cryptographic HMAC signature verification
    • Handles event types:
      • PAYMENT_SUCCESS → extracts walletId + amount, logs via Winston
      • PAYMENT_FAILED → logs failure with reason
      • REFUND_PROCESSED → logs refund details
    • Signature verification scaffold (ready for real HMAC with webhook secret)
  • main.ts updates:
    • Added rawBody: true to NestFactory options
    • Added express.raw({ type: 'application/json' }) body parser specifically for /webhooks/fiat
  • WebhooksModule created and registered in AppModule

How to verify

  1. Start server: cd backend && npm run start:dev
  2. Test successful payment (with signature header):
    curl -X POST http://localhost:3000/webhooks/fiat \
      -H "Content-Type: application/json" \
      -H "X-Signature: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2" \
      -d '{"event": "PAYMENT_SUCCESS", "walletId": "GABC...XYZ", "amount": "100.00"}'
    → Response: { status: "processed", event: "PAYMENT_SUCCESS", walletId: "GABC...XYZ", amount: "100.00" }
  3. Test without signature → should get 401 Unauthorized
  4. Test with invalid JSON → should get 400/401
  5. Check server logs — each webhook call is logged via Winston
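The signature check the PR leaves as a scaffold, written out as an added example (not the PR's or the project's code): HMAC-SHA256 over the raw body bytes, compared in constant time, followed by the same 401/400/processed flow described above. The secret value and the `handleFiatWebhook` helper are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Constructed placeholder; a real deployment reads the webhook secret from config.
const WEBHOOK_SECRET = 'whsec_example_constructed_secret';

// Hex HMAC-SHA256 of the exact raw bytes received (not a re-serialised JSON object).
function signBody(rawBody: Buffer, secret: string): string {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// True only when X-Signature is a well-formed hex digest matching the raw body.
// timingSafeEqual avoids leaking how many leading bytes matched.
function verifySignature(rawBody: Buffer, header: string | undefined, secret: string): boolean {
  if (!header || !/^[0-9a-f]{64}$/i.test(header)) return false;
  const expected = Buffer.from(signBody(rawBody, secret), 'hex');
  const provided = Buffer.from(header, 'hex');
  return expected.length === provided.length && timingSafeEqual(expected, provided);
}

interface FiatPayload { event?: string; walletId?: string; amount?: string; reason?: string }
interface WebhookResult { status: number; body: Record<string, string | undefined> }

// Mirrors the controller flow from the PR description: 401 when the signature is
// missing or wrong, 400 on malformed JSON or an unknown event, otherwise a summary.
function handleFiatWebhook(rawBody: Buffer, header: string | undefined, secret = WEBHOOK_SECRET): WebhookResult {
  if (!verifySignature(rawBody, header, secret)) {
    return { status: 401, body: { error: 'invalid or missing signature' } };
  }
  let payload: FiatPayload;
  try {
    payload = JSON.parse(rawBody.toString('utf8')) as FiatPayload;
  } catch {
    return { status: 400, body: { error: 'malformed JSON' } };
  }
  switch (payload.event) {
    case 'PAYMENT_SUCCESS':
    case 'REFUND_PROCESSED':
      return { status: 200, body: { status: 'processed', event: payload.event, walletId: payload.walletId, amount: payload.amount } };
    case 'PAYMENT_FAILED':
      return { status: 200, body: { status: 'processed', event: payload.event, reason: payload.reason } };
    default:
      return { status: 400, body: { error: 'unknown event' } };
  }
}
```

Because the digest is taken over the raw bytes, any body-parsing middleware that runs before this check (re-encoding whitespace or key order) would silently break verification, which is why the route needs `express.raw()`.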

…cation

Fixes GalactiGuild#279

- Create WebhookController at POST /webhooks/fiat (no JWT auth, public endpoint)
- Validates X-Signature header for request authenticity
- Parses PAYMENT_SUCCESS, PAYMENT_FAILED, REFUND_PROCESSED event types
- Extracts walletId and amount from payload, logs via Winston logger
- Rejects requests missing X-Signature header with 401
- Raw body parser configured on /webhooks/fiat route for HMAC verification
- NestJS rawBody: true option enabled in app factory
- WebhooksModule registered in AppModule