**feat(webhook):** add WEBHOOK_SECRET for token authentication support

- Protect `/webhook` endpoint using the `Authorization` header
- Update `README.md` with setup instructions and examples for authentication
- Warn when `WEBHOOK_SECRET` is not configured
- Add tests for valid, missing, and invalid token scenarios
- Update `docker-compose.yml` to support `WEBHOOK_SECRET` configuration
2026-02-27 14:58:43 +01:00
parent db9f47649d
commit c0746a7f02
7 changed files with 114 additions and 3 deletions

@@ -34,6 +34,18 @@ docker compose up -d
# open http://localhost:8080
```
## Webhook authentication
Set `WEBHOOK_SECRET` to protect the webhook endpoint with token authentication. When set, every `POST /webhook` must include a matching `Authorization` header. When unset, the webhook is open (a warning is logged at startup).
```bash
# Run with authentication
WEBHOOK_SECRET=your-secret-token-here go run ./cmd/diunwebhook/
# Or via Docker Compose (.env file or inline)
WEBHOOK_SECRET=your-secret-token-here docker compose up -d
```
## DIUN configuration example
Configure DIUN to send webhooks to this app. Example (YAML):
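Review bot: "must include a matching `Authorization` header" leaves the expected value format unspecified; since the DIUN example further down sets the header to the bare secret, say explicitly in this section whether the handler compares the raw `WEBHOOK_SECRET` value or expects a scheme prefix such as `Bearer`, otherwise readers wiring up other senders will guess. The "When unset, the webhook is open" sentence should also spell out the consequence (anyone who can reach port 8080 can post notifications), so the startup warning is understood as more than informational.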
@@ -42,8 +54,14 @@ notif:
webhook:
enable: true
endpoint: http://your-host-or-ip:8080/webhook
headers:
authorization: "your-secret-token-here"
```
Or via env: `DIUN_NOTIF_WEBHOOK_HEADERS_AUTHORIZATION=your-secret-token-here`
The `authorization` header value must match `WEBHOOK_SECRET` exactly.
Expected JSON payload (simplified):
```json
{
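Review bot: the example endpoint is plain `http://your-host-or-ip:8080/webhook`, and the shared secret travels in a request header on every delivery, so a sentence recommending TLS in front of the app (or keeping DIUN and this app on a trusted network) belongs next to this example. Please also verify the `DIUN_NOTIF_WEBHOOK_HEADERS_AUTHORIZATION` form against DIUN's own documentation, since header keys mapped from environment variables are easy to get wrong and a mismatch here would silently leave the endpoint rejecting every notification.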
@@ -110,7 +128,7 @@ Aim for 80-90% coverage. Coverage below 80% will emit a warning in CI but will n
## Production notes
- Behind a reverse proxy, ensure the app is reachable at `/webhook` from DIUN.
- Data is persisted to `diun.db` in the working directory. Mount a volume to preserve data across container recreations.
- Consider adding auth, rate limiting, or a secret/token on the webhook endpoint if exposed publicly.
- Set `WEBHOOK_SECRET` to protect the webhook endpoint if exposed publicly.
## License
MIT — see `LICENSE`.
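Review bot: if, as it appears, the "Consider adding auth, rate limiting, or a secret/token" bullet is the line being replaced by "Set `WEBHOOK_SECRET` to protect the webhook endpoint", the rate-limiting advice is lost; a shared token does not bound request volume, so keep a separate bullet recommending rate limiting at the reverse proxy when the endpoint is exposed publicly, and have the new bullet point to the "Webhook authentication" section above rather than restate it.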