generated from host-uk/core-template
Closed
Description
The WebhookSecretController methods check that a webhook belongs to a workspace, but do not verify that the authenticated user has permission to manage webhooks in that workspace. The controller uses defaultHostWorkspace(), which may not reflect the user's actual permission level. A user with read-only access to a workspace could potentially rotate webhook secrets. Add explicit authorization checks using Laravel policies to verify webhook management permissions.

Priority: Medium - Authorization gaps could allow privilege escalation within a workspace.
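The fix described above, as an added example (not code from host-uk/core-template): a Laravel policy that derives the workspace from the webhook itself and checks the caller's role in it, and a controller method that gates secret rotation on that policy. The `Webhook`/`Workspace` models, the `roleFor()` helper and the `rotate` action are assumptions, not identifiers from the project.

```php
<?php
// Added example, not host-uk/core-template code. Assumes a hypothetical
// Workspace::roleFor(User) helper returning 'owner'|'admin'|'member'|'viewer'
// (or null when the user is not a member), and a Webhook->workspace relation.

namespace App\Policies {
    use App\Models\User;
    use App\Models\Webhook;

    // Auto-discovered by Laravel for App\Models\Webhook.
    class WebhookPolicy
    {
        // Roles that may manage webhooks (rotate secrets, edit, delete).
        private const MANAGER_ROLES = ['owner', 'admin'];

        public function rotateSecret(User $user, Webhook $webhook): bool
        {
            // Resolve the workspace from the resource being acted on, not from
            // a "default" workspace helper, so the check is bound to this webhook.
            $role = $webhook->workspace->roleFor($user);

            return $role !== null && in_array($role, self::MANAGER_ROLES, true);
        }
    }
}

namespace App\Http\Controllers {
    use App\Models\Webhook;
    use Illuminate\Http\JsonResponse;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Gate;
    use Illuminate\Support\Str;

    class WebhookSecretController extends Controller
    {
        // Route: POST /webhooks/{webhook}/secret/rotate (route-model bound).
        public function rotate(Request $request, Webhook $webhook): JsonResponse
        {
            // Before: only "does this webhook belong to a workspace?" was checked.
            // After: the policy decides for this user and this webhook's workspace;
            // Gate::authorize throws AuthorizationException (HTTP 403) on denial.
            Gate::authorize('rotateSecret', $webhook);

            $webhook->secret = Str::random(40);
            $webhook->save();

            return response()->json(['secret' => $webhook->secret]);
        }
    }
}
```

A read-only member now receives 403 from `rotate`, and a feature test that logs in as a 'viewer' and asserts `assertForbidden()` on the route makes the regression visible.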