
Add standalone Slack interaction engine with signature verification and immutable audit persistence#363

Merged
LVT-ENG merged 2 commits into main from copilot/slack-signature-validation on Jun 5, 2026

Conversation

Copilot AI commented Jun 5, 2026

Contributor

This PR introduces a dedicated FastAPI Slack interaction endpoint to process interactive actions securely and persist transaction state in SQLite. It replaces the ad-hoc example flow with a runnable main_engine.py service wired for environment-based secrets and production-safe request handling.

- Security hardening
  - Added Slack signature verification (X-Slack-Request-Timestamp, X-Slack-Signature) using HMAC SHA256.
  - Enforced timestamp replay window checks.
  - Added startup-time validation for required secret (SLACK_SIGNING_SECRET).
- Interaction processing
  - Implemented /api/slack/interact payload parsing with defensive validation for expected action/user fields.
  - Built transactional status message generation from Slack action context.
  - Added fallback behavior for response_url via SLACK_WEBHOOK_URL env var when needed.
- Slack response delivery
  - Moved outbound Slack callback posting to a thread pool to avoid blocking the request path.
  - Added HTTP error propagation for failed Slack callback updates.
- Immutable audit persistence
  - Added auditoria.db initialization with refs(ref_id, status, timestamp) schema.
  - Persisted action state using INSERT OR REPLACE on ref_id with explicit commit semantics.
```python
import hashlib
import hmac

from fastapi import HTTPException

# Fragment from the handler: `timestamp` and `signature` are the values of the
# X-Slack-Request-Timestamp / X-Slack-Signature headers, `body` is the raw
# request body, and SLACK_SIGNING_SECRET is read from the environment at startup.
sig_basestring = f"v0:{timestamp}:{body.decode()}".encode("utf-8")
my_signature = "v0=" + hmac.new(
    SLACK_SIGNING_SECRET.encode("utf-8"),
    sig_basestring,
    hashlib.sha256,
).hexdigest()

# Constant-time comparison so response timing cannot leak the expected signature.
if not hmac.compare_digest(my_signature, signature):
    raise HTTPException(status_code=403, detail="Firma inválida")
```
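The signature and replay-window checks the PR describes, written out as a framework-independent function so they can be unit-tested without a running server. This is an added example, not code from the PR or the repository: the signing secret, request body and timestamps are constructed, and the five-minute window is an assumed value. It hashes the raw body bytes directly rather than decoding and re-encoding them, so a body that is not valid UTF-8 is still verified byte-for-byte.

```python
import hashlib
import hmac
import time

# Assumed values for this example: Slack's "v0" version prefix and a
# replay window of five minutes (the PR enforces a window but does not state it).
SIGNATURE_VERSION = "v0"
REPLAY_WINDOW_SECONDS = 300


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Build the base string v0:<timestamp>:<raw body> and return 'v0=<hex HMAC-SHA256>'."""
    base = f"{SIGNATURE_VERSION}:{timestamp}:".encode("utf-8") + body
    digest = hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_slack_request(signing_secret, timestamp_header, signature_header, body, now=None):
    """Return (ok, reason).

    The timestamp is checked before any HMAC work so a replayed or malformed
    request is rejected cheaply; the signature itself is compared in constant time.
    """
    if now is None:
        now = time.time()
    if not timestamp_header or not signature_header:
        return False, "missing headers"
    try:
        ts = int(timestamp_header)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "stale timestamp"
    expected = compute_signature(signing_secret, timestamp_header, body)
    if not hmac.compare_digest(expected, signature_header):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a block_actions payload signed with a made-up secret.
    secret = "constructed-signing-secret"
    body = b"payload=%7B%22type%22%3A%22block_actions%22%7D"
    now = 1_800_000_000
    ts = str(now - 10)
    good = compute_signature(secret, ts, body)
    print(verify_slack_request(secret, ts, good, body, now=now))          # (True, 'ok')
    print(verify_slack_request(secret, str(now - 900), good, body, now=now))  # stale
```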

@LVT-ENG

LVT-ENG commented Jun 5, 2026

Member

Superconmit_max.sh

@LVT-ENG LVT-ENG marked this pull request as ready for review June 5, 2026 18:12
@LVT-ENG LVT-ENG merged commit 4c94e46 into main Jun 5, 2026
3 of 8 checks passed

@LVT-ENG LVT-ENG left a comment

Member

Yes


2 participants