#23463: Cron: require authenticated webhook delivery

## Summary - require authenticated cron webhook delivery for `delivery.mode = "webhook"` - reject cron add/update webhook jobs when `cron.webhookToken` is missing - skip runtime webhook sends when token is absent (no unauthenticated fallback) - keep auth header explicit on webhook POST (`Authorization: Bearer <cron.webhookToken>`) - update cron docs/config reference/control-ui docs to match enforced behavior ## Why Webhook delivery without auth is a high-risk footgun. This change makes unauthenticated webhook delivery impossible by default for webhook-mode jobs. ## Testing - `pnpm test src/cron/service.jobs.test.ts src/cron/service.get-job.test.ts src/gateway/server-cron.test.ts` - `pnpm test:e2e src/gateway/server.cron.e2e.test.ts` - `pnpm check` <!-- greptile_comment --> <h3>Greptile Summary</h3> Enforces authenticated webhook delivery for cron jobs by requiring `cron.webhookToken` for `delivery.mode = "webhook"` jobs. Jobs are rejected at creation/update time when the token is missing, and runtime webhook sends are skipped (with warning) when the token is absent. Legacy `notify: true` jobs remain backwards-compatible but will skip webhook delivery without a token. Documentation updated across all references to clarify the requirement. <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with no issues identified - The implementation is thorough with validation at both creation/update time and runtime. Test coverage is comprehensive including unit and e2e tests. Documentation is consistent across all references. The security improvement eliminates unauthenticated webhook delivery while maintaining backwards compatibility for legacy jobs. Code follows existing patterns and includes proper error messages. - No files require special attention _{Last reviewed commit: 6dfe67f} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->