skills(call-adcp-agent): document RFC 9421 as default webhook signing path

[EvgenyAndroid]

Second leg of the two-PR shape proposed in #4270 (storyboard / SDK-skill on-ramp inventory). Pairs with #4273 (schema-description fix for reporting-webhook.json + auth-scheme.json) — independent landing order, both close pieces of #4270.

Why

The five protocol skills (adcp-media-buy, adcp-creative, adcp-signals, adcp-governance, adcp-si, adcp-brand) all defer cross-cutting buyer-side basics with:

Buyer-side basics — idempotency replay, oneOf variants, async status:'submitted' polling, error recovery from adcp_error.issues[] — live in skills/call-adcp-agent/SKILL.md.

That skill teaches idempotency_key, the account oneOf, status:'submitted' polling, and error recovery — but was silent on webhook signing. New buyers reading push-notification-config.json see a visible authentication field and reach for it; the modern 9421 default (omit the block, verify against the seller's JWKS) is invisible from the schema alone. That's the silent-default trap I called out in #4270 inventory.

This PR adds a section to the cross-cutting skill so all five protocol skills inherit the framing.

What this PR does

Single new H3 in skills/call-adcp-agent/SKILL.md titled "Webhook signing — default to RFC 9421, don't reach for authentication", placed inside "Non-obvious rules every buyer must follow" right after the async-polling section. Covers:

• Default 9421 path — seller publishes a webhook-signing key at brand.json agents[].jwks_uri; buyer verifies via that JWKS; no shared secret on the wire.
• Switch-not-fallback rule (per schemas(push-notification-config): state legacy/9421 precedence in authentication field #2506) — presence of push_notification_config.authentication selects legacy; absence selects 9421. Buyer MUST NOT attempt try-9421-then-HMAC verification.
• Inbound verifier checklist — required covered components (@method, @authority, @target-uri, content-type, content-digest — all required on webhooks; no policy branch); tag=\"adcp/webhook-signing/v1\"; adcp_use=\"webhook-signing\"; error taxonomy webhook_signature_*.
• Conformance vectors — pointer at compliance/{version}/test-vectors/webhook-signing/ as the only deterministic path to cover every webhook_signature_* error code.
• "Use the SDK's verifier" — explicit nudge against rolling your own; RFC 9421 canonicalization is the dominant interop-bug surface (cross-references the canonicalization-bug language already in request-signing/README.md).

Plus a changeset entry mirroring the convention from #2506.

What this PR does NOT do

• No schema changes (those live in schemas(reporting-webhook, auth-scheme): deprecate HMAC-SHA256 recommendation, point at RFC 9421 #4273).
• No normative change — the section surfaces existing rules from security.mdx § Webhook callbacks at the on-ramp surface where SDK consumers actually read them.
• No edits to the per-protocol skills (adcp-media-buy, adcp-signals, etc.) — they delegate to call-adcp-agent already, so this single addition flows through.
• No dist/ regen; skills/ is the source.

Test plan

• Markdown renders cleanly (no broken anchor refs in the existing skill)
• Anchor URLs in the new section resolve (docs/building/implementation/security#verifier-checklist-for-webhooks, #webhook-error-taxonomy)
• Cross-link to schemas(push-notification-config): state legacy/9421 precedence in authentication field #2506 + the test-vector path is correct
• CI lint:schema-links (will run on PR — note: this PR doesn't touch schema files but the linter scope check is good)

Cross-references

• Storyboard / SDK skill on-ramp inventory: HMAC vs RFC 9421 #4270 (parent — storyboard / SDK-skill on-ramp inventory)
• schemas(reporting-webhook, auth-scheme): deprecate HMAC-SHA256 recommendation, point at RFC 9421 #4273 (sibling PR — schema-description fixes; same close-piece)
• schemas(push-notification-config): state legacy/9421 precedence in authentication field #2506 (precedent — push-notification-config.json switch-not-fallback framing)
• [meta] Coordinate RFC 9421 webhook signing migration — adoption telemetry + threshold + ownership #4205 (RFC 9421 webhook signing migration coordination — on-ramp framing)
• spec(webhooks): unify webhook signing on RFC 9421 profile #2423 (original 9421 unification PR)

I have read the IPR Policy

[EvgenyAndroid]

I have read the IPR Policy

[EvgenyAndroid]

Deferring to #4271 per @bokelley's triage comment on #4270 — #4271 covers the same call-adcp-agent surface atomically with the schema fixes, targets 3.0.x correctly, and is tighter than mine (catches the token-not-deprecated cut + the "sellers MAY decline to support" normative line that I missed). Closing this PR.