Diffstat (limited to 'tests/integration/secrets.rs')
-rw-r--r--tests/integration/secrets.rs74
1 files changed, 74 insertions, 0 deletions
diff --git a/tests/integration/secrets.rs b/tests/integration/secrets.rs
new file mode 100644
index 0000000..f07c2a0
--- /dev/null
+++ b/tests/integration/secrets.rs
@@ -0,0 +1,74 @@
+use crate::harness::{self, SiteBuilder, TestServer};
+
+/// Tier 1: env-var token resolves and auth works
+#[tokio::test]
+async fn env_var_token_auth() {
+ let var_name = "WITRYNA_INTEG_SECRET_01";
+ let token_value = "env-resolved-secret-token";
+ // SAFETY: test-only, called before spawning server
+ unsafe { std::env::set_var(var_name, token_value) };
+
+ let dir = tempfile::tempdir().unwrap().keep();
+ let site = SiteBuilder::new(
+ "secret-site",
+ "https://example.com/repo.git",
+ &format!("${{{var_name}}}"),
+ )
+ .build();
+ let config = harness::test_config_with_site(dir, site);
+ let server = TestServer::start(config).await;
+
+ // Valid token → 404 (site exists but no real repo)
+ let resp = TestServer::client()
+ .post(server.url("secret-site"))
+ .header("Authorization", format!("Bearer {token_value}"))
+ .send()
+ .await
+ .unwrap();
+ assert_eq!(resp.status(), 202);
+
+ // Wrong token → 401
+ let resp = TestServer::client()
+ .post(server.url("secret-site"))
+ .header("Authorization", "Bearer wrong-token")
+ .send()
+ .await
+ .unwrap();
+ assert_eq!(resp.status(), 401);
+
+ // SAFETY: test-only cleanup
+ unsafe { std::env::remove_var(var_name) };
+}
+
+/// Tier 1: file-based token resolves and auth works
+#[tokio::test]
+async fn file_token_auth() {
+ let token_value = "file-resolved-secret-token";
+ let dir = tempfile::tempdir().unwrap().keep();
+ let token_path = std::path::PathBuf::from(&dir).join("webhook_token");
+ std::fs::write(&token_path, format!(" {token_value} \n")).unwrap();
+
+ let site = SiteBuilder::new("file-site", "https://example.com/repo.git", "")
+ .webhook_token_file(token_path)
+ .build();
+ let config = harness::test_config_with_site(dir, site);
+ let server = TestServer::start(config).await;
+
+ // Valid token → 202
+ let resp = TestServer::client()
+ .post(server.url("file-site"))
+ .header("Authorization", format!("Bearer {token_value}"))
+ .send()
+ .await
+ .unwrap();
+ assert_eq!(resp.status(), 202);
+
+ // Wrong token → 401
+ let resp = TestServer::client()
+ .post(server.url("file-site"))
+ .header("Authorization", "Bearer wrong-token")
+ .send()
+ .await
+ .unwrap();
+ assert_eq!(resp.status(), 401);
+}
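Review bot: The `// SAFETY: test-only, called before spawning server` comment on `std::env::set_var` in `env_var_token_auth` does not establish the invariant the call needs, which is that no other thread touches the process environment at that moment. The default test harness runs tests on parallel threads, so `file_token_auth` or any other test in this binary may be starting a server, and presumably resolving config from the environment, while this write or the later `remove_var` runs. Either serialise the env-touching tests and state that, e.g. `// SAFETY: env access in this binary is serialised by <lock or harness mechanism>; no other thread reads the environment here`, or let the harness take the resolved value directly instead of mutating the process environment. The `remove_var` cleanup is also skipped whenever one of the assertions panics. Separately, `// Valid token → 404 (site exists but no real repo)` contradicts the `assert_eq!(resp.status(), 202)` below it; `// Valid token → 202`, as in `file_token_auth`, would match.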