#21531: Security/Webhooks: block signed replay for Nextcloud, Google Chat, and LINE
channel: googlechat
channel: nextcloud-talk
size: M
Cluster: Security Enhancements and Guardrails
## Summary
- split replay-deduping work out of #21203 into a focused webhook replay PR
- block signed webhook replay for Nextcloud Talk
- dedupe replayed webhook events for Google Chat
- block replayed signed payloads for LINE webhook handlers
## Scope boundaries
- intentionally excludes voice-call webhook changes
- intentionally excludes Control UI containment changes
- intentionally excludes test-runner CI harness changes
## Validation
- `pnpm test -- extensions/nextcloud-talk/src/monitor.webhook-security.test.ts extensions/googlechat/src/monitor.webhook-routing.test.ts src/line/webhook-node.test.ts src/line/webhook.test.ts`
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Adds replay protection to webhook handlers for Nextcloud Talk, Google Chat, and LINE by deduplicating webhook events within a 5-minute window. Each implementation uses an in-memory cache with cleanup logic to prevent unbounded memory growth (max 5,000 keys). Nextcloud Talk uses `random:signature` pairs, Google Chat uses account-scoped event keys built from message/space metadata, and LINE uses webhook event IDs (falling back to `signature:bodyhash` when IDs are unavailable).
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- Focused security improvement with solid test coverage. The replay protection implementations follow consistent patterns across all three integrations, use proper constant-time signature validation, include appropriate bounds checks for memory management, and are thoroughly tested. The changes are additive (no breaking modifications to existing behavior) and all validation/rejection occurs before event processing.
- No files require special attention
<sub>Last reviewed commit: 04ad8fc</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
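The dedupe mechanism the summary above describes (5-minute window, at most 5,000 keys, `random:signature` key for Nextcloud Talk), as an added example that is not the PR's code. `ReplayCache`, `nextcloudReplayKey` and `admitWebhook` are hypothetical names, and verifying the signature before the cache is touched is an assumption about ordering.

```typescript
// Limits quoted in the summary above.
const REPLAY_WINDOW_MS = 5 * 60 * 1000; // dedupe window: 5 minutes
const MAX_REPLAY_KEYS = 5000; // upper bound on tracked keys

class ReplayCache {
  // A Map iterates in insertion order, so the first entry is the oldest one.
  private readonly seen = new Map<string, number>();
  private readonly windowMs: number;
  private readonly maxKeys: number;
  constructor(windowMs: number = REPLAY_WINDOW_MS, maxKeys: number = MAX_REPLAY_KEYS) {
    this.windowMs = windowMs;
    this.maxKeys = maxKeys;
  }

  get size(): number {
    return this.seen.size;
  }

  // Records the key and returns false on first sight; returns true for a replay.
  checkAndRecord(key: string, now: number = Date.now()): boolean {
    // Drop expired entries; assumes `now` does not go backwards between calls.
    for (const [k, firstSeen] of this.seen) {
      if (now - firstSeen < this.windowMs) break;
      this.seen.delete(k);
    }
    if (this.seen.has(key)) return true;
    this.seen.set(key, now);
    // Enforce the cap by evicting the oldest keys first.
    for (const k of this.seen.keys()) {
      if (this.seen.size <= this.maxKeys) break;
      this.seen.delete(k);
    }
    return false;
  }
}

// Nextcloud Talk key shape from the summary: the `random:signature` pair.
function nextcloudReplayKey(random: string, signature: string): string {
  return `${random}:${signature}`;
}

type Verdict = "accepted" | "bad-signature" | "replay";
// Hypothetical handler core. `signatureValid` is the caller's HMAC check result
// (assumed ordering): requests that fail it never reach the cache, so they
// cannot fill it and push legitimate keys out before the window ends.
function admitWebhook(cache: ReplayCache, key: string, signatureValid: boolean, now?: number): Verdict {
  if (!signatureValid) return "bad-signature";
  return cache.checkAndRecord(key, now) ? "replay" : "accepted";
}
```

The cap trades detection for bounded memory: once a key is evicted to stay under the limit, a replay of it inside the window is accepted again.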
## Most Similar PRs
- #21532: Security/Voice Call: block signed webhook replay (by bmendonca3 · 2026-02-20; similarity 84.6%)
- #8584: fix(nextcloud-talk): fix HMAC signing, allowlist matching, and grac... (by teknomage8 · 2026-02-04; similarity 73.0%)
- #23461: Gateway: add hook replay protection with timestamp and nonce (by bmendonca3 · 2026-02-22; similarity 72.1%)
- #17182: security(line): fail closed when webhook token/secret are missing (by davidahmann · 2026-02-15; similarity 71.7%)
- #11804: fix(webhook): return 503 from health endpoints when last processing... (by coygeek · 2026-02-08; similarity 70.9%)
- #16928: fix(security): OC-07 redact session history credentials and enforce... (by aether-ai-agent · 2026-02-15; similarity 70.4%)
- #20395: fix(googlechat): prevent infinite auto-restart and ambiguous-target... (by ggalmeida0 · 2026-02-18; similarity 70.3%)
- #6405: feat(security): Add HTTP API security hooks for plugin scanning (by masterfung · 2026-02-01; similarity 69.9%)
- #5834: fix(line): add timeout and size limit to readRequestBody to prevent... (by hclsys · 2026-02-01; similarity 69.8%)
- #17593: security: fail closed when LINE webhook secret is missing (by davidahmann · 2026-02-15; similarity 69.7%)