feat: ParcelWebhookController for carrier tracking event ingestion

Adds POST /webhooks/parcel/{providerKey} endpoint that accepts
carrier webhook payloads from ParcelPath, UPS, and USPS, normalizes
them into TrackingStatus rows, and lets the existing
TrackingStatusObserver (Task 22) handle downstream Order status
transitions + SocketCluster broadcast.

## Architecture: pure normalizer + thin controller

WebhookPayloadNormalizer (pure, unit-tested):
  - isValidProvider(string): bool — checks against [parcelpath, ups, usps], case-insensitive
  - normalize(providerKey, payload): array — dispatches to provider-specific normalizer:
    * ParcelPath: events already carry Fleetbase-compatible codes; uppercased and passed through
    * UPS: reuses UPS::upsActivityCodeToFleetbaseCode (I→IN_TRANSIT, D→DELIVERED, etc.)
    * USPS: reuses USPS::uspsEventTypeToFleetbaseCode (ALERT→EXCEPTION, rest verbatim)
  - dedupKey(trackingNumberUuid, event): array — composite key for TrackingStatus::firstOrCreate
    matching the poll jobs' dedup logic exactly

ParcelWebhookController (impure, thin):
  1. Validate provider key → 404 if unknown
  2. Verify shared secret → 401 if mismatch (see below)
  3. Normalize payload via the pure normalizer
  4. For each event: resolve TrackingNumber (carrier_tracking_number
     index from Task 7, falling back to tracking_number column),
     firstOrCreate a TrackingStatus row with the dedup key
  5. Return 200 with {processed, skipped} counts

## Authentication: shared-secret header (pluggable)

Checks config('services.{providerKey}.webhook_secret') against the
X-Webhook-Secret request header using hash_equals (timing-safe).
If no secret is configured (null/empty), verification passes — this
makes the endpoint open during development and initial integration
testing. The verification logic is isolated in verifyWebhookSecret()
so it can be replaced with HMAC signing or IP allowlist per provider
without touching the ingestion logic.

## Idempotency

TrackingStatus::firstOrCreate with composite key
(tracking_number_uuid, code, created_at) — identical to the key
used by PollParcelPathTrackingJob, PollUPSTrackingJob, and
PollUSPSTrackingJob. Duplicate webhook deliveries are silently
de-duped. The firstOrCreate match returns the existing row without
inserting; the TrackingStatusObserver only fires on actual `created`
events, so duplicate deliveries also don't trigger redundant Order
status transitions.

## Per-event error isolation

A malformed event (missing tracking number, unresolvable
TrackingNumber record, Eloquent exception) is skipped and report()ed
but does not abort the webhook request. The response always returns
200 so the webhook sender considers delivery successful and doesn't
enter an infinite retry loop on permanently malformed events.

## Expected webhook request shapes

ParcelPath:
  POST /webhooks/parcel/parcelpath
  X-Webhook-Secret: {configured secret}
  {
    "tracking_number": "1Z999AA10123456784",
    "carrier": "UPS",
    "events": [
      {"code": "IN_TRANSIT", "status": "In Transit", "timestamp": "2026-04-07T10:00:00Z", "location": "Chicago"}
    ]
  }

UPS (single event):
  POST /webhooks/parcel/ups
  X-Webhook-Secret: {configured secret}
  {
    "trackingNumber": "1Z999AA10123456784",
    "eventType": "D",
    "eventDescription": "Delivered",
    "eventTimestamp": "2026-04-09T14:22:00",
    "eventCity": "New York",
    "eventState": "NY"
  }

USPS (single event):
  POST /webhooks/parcel/usps
  X-Webhook-Secret: {configured secret}
  {
    "trackingNumber": "9400111202555999999999",
    "eventType": "DELIVERED",
    "eventTimestamp": "2026-04-09T14:22:00",
    "eventCity": "New York"
  }

## Route registration

POST /webhooks/parcel/{providerKey} added to the existing webhooks
group in routes.php, alongside the telematics webhook routes.
Follows the same pattern (providerKey path parameter, any-method
for telematics → POST-only for parcel).

Tests (Pest): 16 new normalizer tests covering ParcelPath / UPS /
USPS normalization, code mapping reuse, dedupKey composition,
provider validation, and edge cases (missing tracking number, no
events, unknown provider). Full suite: 301 passed (644 assertions).

Author: TLemmAI

server/src/Http/Controllers/Api/v1/ParcelWebhookController.php

@@ -0,0 +1,158 @@
+<?php
+
+namespace Fleetbase\FleetOps\Http\Controllers\Api\v1;
+
+use Fleetbase\FleetOps\Http\Controllers\FleetOpsController;
+use Fleetbase\FleetOps\Models\TrackingNumber;
+use Fleetbase\FleetOps\Models\TrackingStatus;
+use Fleetbase\FleetOps\Support\WebhookPayloadNormalizer;
+use Illuminate\Http\Request;
+use Throwable;
+
+/**
+ * Webhook ingestion endpoint for carrier tracking events.
+ *
+ * POST /webhooks/parcel/{providerKey}
+ *
+ * Accepts webhook payloads from ParcelPath, UPS, and USPS (or any
+ * future provider added to WebhookPayloadNormalizer::PROVIDERS),
+ * normalizes the events via the pure normalizer, and creates
+ * TrackingStatus rows using the same dedup key as the poll jobs.
+ *
+ * The existing TrackingStatusObserver (Task 22) handles downstream
+ * effects: Order status transitions + SocketCluster broadcast.
+ * This controller only creates the rows — it does not touch Orders
+ * or fire notifications directly.
+ *
+ * ## Authentication
+ *
+ * Shared-secret header validation via X-Webhook-Secret. The secret
+ * is looked up from config at services.{providerKey}.webhook_secret.
+ * If no secret is configured, the endpoint is effectively open
+ * (suitable for development / initial integration testing). The
+ * verification logic is isolated in verifyWebhookSecret() so it can
+ * be replaced with HMAC or IP allowlist verification per provider
+ * without touching the ingestion logic.
+ *
+ * ## Idempotency
+ *
+ * TrackingStatus::firstOrCreate with the composite key
+ * (tracking_number_uuid, code, created_at) — same key the poll
+ * jobs use. Duplicate webhook deliveries are silently de-duped.
+ *
+ * ## Error isolation
+ *
+ * Per-event isolation: a malformed event row is skipped and logged
+ * but does not abort the webhook request. The response always
+ * returns 200 with a count of processed/skipped events, so the
+ * webhook sender considers delivery successful and doesn't retry
+ * (avoiding an infinite retry loop on permanently malformed events).
+ */
+class ParcelWebhookController extends FleetOpsController
+{
+    /**
+     * Handle an inbound webhook payload.
+     *
+     * @param string  $providerKey  one of: parcelpath, ups, usps
+     * @param Request $request      the webhook HTTP request
+     */
+    public function handle(string $providerKey, Request $request)
+    {
+        // 1. Validate provider key.
+        if (!WebhookPayloadNormalizer::isValidProvider($providerKey)) {
+            return response()->json(['error' => 'unknown provider'], 404);
+        }
+
+        // 2. Verify shared secret (pluggable — see verifyWebhookSecret).
+        if (!$this->verifyWebhookSecret($providerKey, $request)) {
+            return response()->json(['error' => 'unauthorized'], 401);
+        }
+
+        // 3. Normalize the payload into tracking events.
+        $payload = $request->all();
+        $events  = WebhookPayloadNormalizer::normalize($providerKey, $payload);
+
+        if (empty($events)) {
+            return response()->json(['processed' => 0, 'skipped' => 0]);
+        }
+
+        // 4. Process each event: resolve TrackingNumber, firstOrCreate TrackingStatus.
+        $processed = 0;
+        $skipped   = 0;
+
+        foreach ($events as $event) {
+            try {
+                $trackingNumber = $this->resolveTrackingNumber($event['tracking_number'] ?? '');
+                if ($trackingNumber === null) {
+                    $skipped++;
+                    continue;
+                }
+
+                $dedupKey = WebhookPayloadNormalizer::dedupKey(
+                    $trackingNumber->uuid,
+                    $event
+                );
+
+                TrackingStatus::firstOrCreate(
+                    $dedupKey,
+                    [
+                        'company_uuid' => $trackingNumber->company_uuid,
+                        'status'       => $event['status'] ?? $event['code'],
+                        'details'      => $event['location'] ?? $event['details'] ?? null,
+                    ]
+                );
+
+                $processed++;
+            } catch (Throwable $e) {
+                report($e);
+                $skipped++;
+            }
+        }
+
+        // 5. Always return 200 so the sender considers delivery successful.
+        return response()->json([
+            'processed' => $processed,
+            'skipped'   => $skipped,
+        ]);
+    }
+
+    /**
+     * Resolve a TrackingNumber model from a carrier tracking identifier.
+     * Checks the carrier_tracking_number column first (indexed,
+     * added in Phase 1 Task 7), then falls back to the primary
+     * tracking_number column.
+     */
+    protected function resolveTrackingNumber(string $carrierTrackingNumber): ?TrackingNumber
+    {
+        if ($carrierTrackingNumber === '') {
+            return null;
+        }
+
+        return TrackingNumber::where('carrier_tracking_number', $carrierTrackingNumber)
+            ->orWhere('tracking_number', $carrierTrackingNumber)
+            ->first();
+    }
+
+    /**
+     * Verify the webhook request's shared secret. Isolated so it can
+     * be replaced with HMAC signing or IP allowlist per provider
+     * without touching the ingestion logic.
+     *
+     * Checks config('services.{providerKey}.webhook_secret'). If no
+     * secret is configured (null/empty), verification passes — this
+     * makes the endpoint effectively open during development.
+     */
+    protected function verifyWebhookSecret(string $providerKey, Request $request): bool
+    {
+        $configuredSecret = config('services.' . strtolower($providerKey) . '.webhook_secret');
+
+        // No secret configured = verification disabled (dev mode).
+        if (empty($configuredSecret)) {
+            return true;
+        }
+
+        $providedSecret = $request->header('X-Webhook-Secret', '');
+
+        return hash_equals((string) $configuredSecret, (string) $providedSecret);
+    }
+}