feat: initial commit — HermesMessages SaaS platform

Backend (FastAPI + Python 3.12):
- Multi-tenant auth with JWT: login, register, refresh, Meta OAuth
- Business & BusinessConfig management
- WhatsApp webhook with HMAC signature verification
- Bot engine powered by Claude AI
- Calendar availability with Redis caching
- Reservations CRUD with status management
- Dashboard analytics (stats, agenda, peak hours)
- Billing & plan management
- Admin panel with platform-wide stats
- Async bcrypt via asyncio.to_thread
- IntegrityError handling for concurrent registration race conditions

Frontend (React 18 + Vite + Tailwind CSS):
- Multi-step guided registration form with helper text on every field
- Login page with show/hide password toggle
- Protected routes with AuthContext
- Dashboard with stats cards, bar chart, and daily agenda
- Reservations list with search, filters, and inline status actions
- Calendar with weekly view, slot availability, and date blocking
- Config page: business info, schedules, bot personality
- Billing page with plan comparison and usage bar

Design system:
- Bricolage Grotesque + DM Sans typography
- Emerald primary palette with semantic color tokens
- scale(0.97) button press feedback, ease-out animations
- Skeleton loaders, stagger animations, prefers-reduced-motion support
- Accessible: aria-labels, visible focus rings, 4.5:1 contrast

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tests/test_webhook.py

@@ -0,0 +1,71 @@
+import hashlib
+import hmac
+
+import pytest
+from fastapi import HTTPException
+
+from app.modules.whatsapp.service import verify_signature
+
+
+def _make_signature(secret: str, body: bytes) -> str:
+    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
+    return f"sha256={digest}"
+
+
+def test_valid_signature_passes(monkeypatch):
+    monkeypatch.setattr("app.modules.whatsapp.service.settings.META_APP_SECRET", "mysecret")
+    body = b'{"object":"whatsapp_business_account"}'
+    sig = _make_signature("mysecret", body)
+    verify_signature(body, sig)  # no debe lanzar
+
+
+def test_invalid_signature_raises(monkeypatch):
+    monkeypatch.setattr("app.modules.whatsapp.service.settings.META_APP_SECRET", "mysecret")
+    body = b'{"object":"whatsapp_business_account"}'
+    with pytest.raises(HTTPException) as exc:
+        verify_signature(body, "sha256=invalidsignature")
+    assert exc.value.status_code == 403
+
+
+def test_missing_signature_raises(monkeypatch):
+    monkeypatch.setattr("app.modules.whatsapp.service.settings.META_APP_SECRET", "mysecret")
+    with pytest.raises(HTTPException) as exc:
+        verify_signature(b"body", "")
+    assert exc.value.status_code == 403
+
+
+def test_missing_prefix_raises(monkeypatch):
+    monkeypatch.setattr("app.modules.whatsapp.service.settings.META_APP_SECRET", "mysecret")
+    with pytest.raises(HTTPException):
+        verify_signature(b"body", "notsha256=abc")
+
+
+async def test_webhook_verification_endpoint(client_no_db):
+    import app.core.config as cfg
+    cfg.settings.META_WEBHOOK_VERIFY_TOKEN = "test-verify-token"
+
+    response = await client_no_db.get(
+        "/whatsapp/webhook",
+        params={
+            "hub.mode": "subscribe",
+            "hub.verify_token": "test-verify-token",
+            "hub.challenge": "challenge123",
+        },
+    )
+    assert response.status_code == 200
+    assert response.text == "challenge123"
+
+
+async def test_webhook_verification_wrong_token(client_no_db):
+    import app.core.config as cfg
+    cfg.settings.META_WEBHOOK_VERIFY_TOKEN = "test-verify-token"
+
+    response = await client_no_db.get(
+        "/whatsapp/webhook",
+        params={
+            "hub.mode": "subscribe",
+            "hub.verify_token": "wrong-token",
+            "hub.challenge": "abc",
+        },
+    )
+    assert response.status_code == 403