feat: add webhook auth guard and IRC password/username support

Add WEBHOOK_SECRET env var for authenticating incoming Owncast webhooks
via a ?secret= query parameter. Requests with a missing or incorrect
secret are rejected with 401. If unset, all requests are accepted
(with a startup warning).

Also includes previously uncommitted work:
- IRC server password support (IRC_PASSWORD env var, PASS command)
- IRC username/ident field in config
- IRC_PASSWORD and SELinux volume flag in docker-compose.yml

Made-with: Cursor
cottongin
2026-03-13 00:53:59 -04:00
parent 1af9bd1def
commit 78fec2946c
11 changed files with 212 additions and 7 deletions


@@ -29,6 +29,7 @@ Or create a `.env` file (git-ignored):
```
OWNCAST_ACCESS_TOKEN=your-token-here
WEBHOOK_SECRET=some-random-secret
```
**4. Configure the Owncast webhook**
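Review bot: The `.env` example line `WEBHOOK_SECRET=some-random-secret` gives no guidance on how to produce the value, so a reader may keep the placeholder or pick something short. Suggest stating that it should be a long random string generated per deployment (for example with `openssl rand -hex 32`), and that it should use URL-safe characters only, since the same value is pasted into the `?secret=` query parameter of the webhook URL.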
@@ -36,9 +37,11 @@ OWNCAST_ACCESS_TOKEN=your-token-here
In your Owncast admin, go to **Integrations > Webhooks** and add a webhook pointing to:
```
http://<bridge-host>:9078/webhook
http://<bridge-host>:9078/webhook?secret=some-random-secret
```
If `WEBHOOK_SECRET` is set, the bridge rejects any request that doesn't include a matching `?secret=` query parameter. If unset, all requests are accepted (a warning is logged at startup).
Select the events: **Chat Message**, **Stream Started**, **Stream Stopped**.
**5. Run it**
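Review bot: The documented URL `http://<bridge-host>:9078/webhook?secret=some-random-secret` carries the shared secret in the query string over plain HTTP, so it crosses the network in cleartext and will typically be recorded by any access or proxy log that stores full request URLs. Suggest adding a sentence recommending that the bridge be reachable only over loopback, a private network or a TLS-terminating reverse proxy, and that request logging omit the query string. The added paragraph also documents fail-open behaviour ("If unset, all requests are accepted"); consider saying explicitly that this leaves the endpoint unauthenticated for anyone who can reach port 9078, so the startup warning is not the only place an operator learns it.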
@@ -82,7 +85,13 @@ See [`config.example.toml`](config.example.toml) for all options. The only requi
| `bridge` | `owncast_prefix` | `[OC]` | Prefix for Owncast messages in IRC |
| `control` | `socket_path` | `/tmp/owncast-irc-bridge.sock` | Unix socket for `bridge-ctl` |
The access token is always read from the `OWNCAST_ACCESS_TOKEN` environment variable (not the config file).
Secrets are always read from environment variables (not the config file):
| Variable | Required | Description |
|----------|----------|-------------|
| `OWNCAST_ACCESS_TOKEN` | Yes | Owncast integration API token |
| `IRC_PASSWORD` | No | IRC server password (PASS command) |
| `WEBHOOK_SECRET` | No | Shared secret for webhook authentication |
## Runtime Control
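Review bot: In the new environment-variable table, the `WEBHOOK_SECRET` row is marked `No` under Required without saying what the bridge does when the variable is absent. The behaviour is described in the webhook setup step (all requests accepted, warning logged at startup), but someone reading only this table would not learn that leaving it unset disables webhook authentication. Suggest extending the description, for example "Shared secret for webhook authentication; if unset, webhook requests are not authenticated".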