**feat(webhook):** add WEBHOOK_SECRET for token authentication support

- Protect `/webhook` endpoint using the `Authorization` header
- Update `README.md` with setup instructions and examples for authentication
- Warn when `WEBHOOK_SECRET` is not configured
- Add tests for valid, missing, and invalid token scenarios
- Update `docker-compose.yml` to support `WEBHOOK_SECRET` configuration

cmd/diunwebhook/main.go

@@ -18,6 +18,14 @@ func main() {
 		log.Fatalf("InitDB: %v", err)
 	}
 
+	secret := os.Getenv("WEBHOOK_SECRET")
+	if secret == "" {
+		log.Println("WARNING: WEBHOOK_SECRET not set — webhook endpoint is unprotected")
+	} else {
+		diun.SetWebhookSecret(secret)
+		log.Println("Webhook endpoint protected with token authentication")
+	}
+
 	port := os.Getenv("PORT")
 	if port == "" {
 		port = "8080"