feat(api): karakeep webhook (HMAC-verified)

POST /api/ingest/karakeep accepts Karakeep webhook payloads. HMAC
signature on the raw body captured by express.json's verify hook.
Mounted on app before mountApi so it bypasses agentOrOwner — the
shared secret IS the auth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

server.js

@@ -5,14 +5,22 @@ import { log } from './lib/log.js';
 import { mountApi } from './lib/api/index.js';
 import * as queue from './lib/jobs/queue.js';
 import { registerWorkers } from './lib/jobs/index.js';
+import { router as ingestRouter } from './lib/api/routes/ingest.js';
 
 const VERSION = '2.0.0-alpha.2';
 
 export function createApp() {
   const app = express();
-  app.use(express.json({ limit: '10mb' }));
+  app.use(express.json({
+    limit: '10mb',
+    verify: (req, _res, buf) => { req.rawBody = buf; }
+  }));
   app.use(express.static('public'));
 
+  // /api/ingest/* bypasses agentOrOwner — webhooks authenticate via HMAC
+  // and need access to req.rawBody captured above.
+  app.use('/api/ingest', ingestRouter);
+
   app.get('/health', async (_req, res) => {
     let db_ok = false;
     try {