@spec call(Plug.Conn.t(), any()) :: Plug.Conn.t()

Handles webhook auth for /i/:webhook requests.

• CORS preflight: If the request method is OPTIONS, this plug is a no-op and returns the connection unchanged so upstream CORS handling can respond. This avoids doing DB lookups or emitting 401/404 on preflight requests.

• Auth flow: For non-OPTIONS requests whose path matches /i/:webhook, this plug:

  1. Looks up the webhook trigger (with workflow and edges) and its webhook_auth_methods, wrapped in Lightning.Retry.with_webhook_retry/2 so transient DB errors are retried.
  2. If the trigger is missing → responds 404 {"error":"webhook_not_found"}.
  3. If auth methods are configured:
     • If credentials match → assigns :trigger and continues.
     • If credentials are present but wrong → responds 404 (hide existence).
     • If credentials are missing → responds 401.
  4. If retries exhaust due to DB issues → responds 503 with Retry-After based on WEBHOOK_RETRY_TIMEOUT_MS.

Returns the (possibly halted) connection.

Initializes the options.