The Flask quickstart example processes all incoming webhook events without verifying the X-Hub-Signature HMAC header. As documented extensively in the Messenger Bots report in this series, this allows any HTTP client to forge webhook events. The SDK provides no verify_signature() helper, and the README does not mention the requirement.
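The check the quickstart omits, as an added example (not code from the SDK or its README). It assumes the header carries `sha1=` followed by the hex HMAC-SHA1 of the raw request body keyed with the app secret; `verify_signature`, `handle_webhook`, `sign` and the sample secret and body are hypothetical names and constructed values.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real deployment loads the app secret from configuration.
APP_SECRET = b"constructed-app-secret"
RAW_BODY = b'{"object":"page","entry":[{"id":"1","messaging":[]}]}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build the header value the platform would send: 'sha1=' + hex HMAC-SHA1."""
    return "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header) -> bool:
    """Return True only if header is a valid X-Hub-Signature for raw_body.

    Hypothetical helper; the SDK ships no such function.
    """
    if not header or not header.startswith("sha1="):
        return False  # missing header or unexpected scheme: reject, never skip
    expected = sign(secret, raw_body).encode("ascii")
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(expected, header.encode("utf-8"))


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Framework-neutral handler: verify first, parse JSON only afterwards.

    In a Flask view, raw_body would be request.get_data() and headers
    would be request.headers.
    """
    if not verify_signature(secret, raw_body, headers.get("X-Hub-Signature")):
        return 403, None
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-Hub-Signature": sign(APP_SECRET, RAW_BODY)}
    print(handle_webhook(APP_SECRET, RAW_BODY, good)[0])          # signed event
    print(handle_webhook(APP_SECRET, RAW_BODY, {})[0])            # header absent
    print(handle_webhook(APP_SECRET, RAW_BODY + b" ", good)[0])   # body altered
```

The signature covers the exact bytes received, so verifying against a re-serialized copy of the parsed JSON fails even for a genuine event.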