fix: enforce HTTPS for webhook, no hardcoded defaults (HQ-20)

- Webhook URL must be set via env var (no fallback)
- Webhook URL must start with https:// or it's rejected
- Both URL and token required, skip silently if missing

backend/src/routes/tasks.ts

@@ -5,13 +5,17 @@ import { eq, asc, desc, sql, inArray, or } from "drizzle-orm";
 import { auth } from "../lib/auth";
 
 const BEARER_TOKEN = process.env.API_BEARER_TOKEN || "hammer-dev-token";
-const CLAWDBOT_HOOK_URL = process.env.CLAWDBOT_HOOK_URL || "https://hooks.donovankelly.xyz/hooks/agent";
+const CLAWDBOT_HOOK_URL = process.env.CLAWDBOT_HOOK_URL || "";
 const CLAWDBOT_HOOK_TOKEN = process.env.CLAWDBOT_HOOK_TOKEN || "";
 
 // Fire webhook to Clawdbot when a task is activated
 async function notifyTaskActivated(task: { id: string; title: string; description: string | null; source: string; priority: string }) {
-  if (!CLAWDBOT_HOOK_TOKEN) {
+  if (!CLAWDBOT_HOOK_URL || !CLAWDBOT_HOOK_TOKEN) {
-    console.warn("CLAWDBOT_HOOK_TOKEN not set — skipping webhook");
+    console.warn("CLAWDBOT_HOOK_URL or CLAWDBOT_HOOK_TOKEN not set — skipping webhook");
+    return;
+  }
+  if (!CLAWDBOT_HOOK_URL.startsWith("https://")) {
+    console.warn("CLAWDBOT_HOOK_URL must use HTTPS — skipping webhook");
     return;
   }
   try {