feat: add support to wire webhooks from orchestrator to emitter workflows

[Kiran01bm]

What and Why ?

Adds the detector → emitter webhook so the OrchestratorWorkflow can
notify the downstream emitter as soon as a snapshot is persisted,
instead of waiting for the emitter's own cron.

No breaking changes. No schema changes.
This work is purely additive at every layer that other systems can observe.

Auth model: this PR is wire-only. Network isolation between detector
and emitter could be enforced as required ranging from options like no-auth to
network policies in k8s all the way till the app layer authn and authz.

What's new (production code):

• pkg/workflow/orchestrator/notify.go: NotifyEmitter activity. POSTs
  {"snapshot_id": ...} to /trigger-act with an
  injectable HTTPDoer so tests can swap in a fake (no live HTTP).
  Default client uses a 10s timeout.
• pkg/workflow/orchestrator/workflow.go: OrchestratorWorkflow gains
  Stage 3 (NotifyEmitter), invoked only when EmitterWebhookURL is
  non-empty. Failures are non-fatal: the snapshot is already durable
  in S3, so a transient emitter outage just delays emission and
  Temporal's retry policy handles the rest.
• pkg/workflow/orchestrator/activities.go: optional HTTPDoer field on
  Activities for test injection.
• pkg/scan/scan.go: NewTrigger gains a 4th positional arg
  emitterWebhookURL plus a WithEmitterWebhookURL functional-option
  helper. WorkflowInput.EmitterWebhookURL is forwarded into the
  orchestrator workflow input.
• pkg/schedule/schedule.go: Config.EmitterWebhookURL plumbed into the
  scheduled workflow input.
• cmd/server/main.go: new EMITTER_WEBHOOK_URL env flag, registers
  NotifyEmitter activity, threads the URL through the schedule and
  the admin /scan trigger.
• cmd/cli/main.go: passes "" so CLI runs stay detector-only.

Local testability (also production-safe; defaults preserve current
behavior):

• pkg/snapshot/memory_store.go: in-process Store implementation for
  laptop dev / CI smoke tests. Selectable via SNAPSHOT_STORE=memory
  (default remains s3). Lets the orchestrator's Stage 2 succeed
  without AWS credentials.
• cmd/server/main.go: when Wiz credentials are absent the wiz-source
  branch now falls back to pkg/inventory/mock.InventorySource (one
  synthetic resource per config) instead of skipping every resource
  and crashing with "no resources configured". Production paths set
  the Wiz secrets and remain unaffected — the misleading "using mock
  inventory" log line that already existed now actually does what it
  says.
• Makefile: temporal-docker, webhook-e2e, webhook-e2e-smoke targets
  (all run the Temporal CLI / curl via Docker — no brew install temporal needed). make dev no longer hard-requires entr;
  auto-reload is used when entr is on $PATH, otherwise it falls back
  to plain go run ./cmd/server.

Backwards compatibility:

• The only Go-level API change is pkg/scan.NewTrigger gaining a 4th
  arg. The package is internal to this private repo and all in-repo
  callers (cmd/server, cmd/cli) are updated.
• WorkflowInput, Config, and Activities only gain new optional fields;
  zero-values reproduce the prior behavior.
• New env flags (EMITTER_WEBHOOK_URL, SNAPSHOT_STORE) have safe
  defaults: empty webhook URL = Stage 3 skipped (legacy behavior);
  SNAPSHOT_STORE defaults to "s3".
• No snapshot schema changes, no S3 layout changes, no Temporal
  workflow ID changes.

Tests: full unit suite green (pkg/scan, pkg/schedule, pkg/snapshot,
pkg/workflow/orchestrator, pkg/workflow/detection). NotifyEmitter has
7 tests covering success, 4xx, 5xx, network error, missing URL,
malformed body, and successful-but-empty body.

Local e2e workflow test confirmation