null]); $response = $this->postJson('/api/v1/calendly/webhooks', ['event' => 'invitee.created']); $response->assertStatus(503) ->assertJsonPath('error.code', 'CALENDLY_WEBHOOK_SECRET_REQUIRED'); } public function test_calendly_webhook_rejects_invalid_signature(): void { config(['app.calendly_webhook_secret' => 'test-secret']); $response = $this->withHeader('Calendly-Webhook-Signature', 'v1=invalid') ->postJson('/api/v1/calendly/webhooks', ['event' => 'invitee.created']); $response->assertStatus(401) ->assertJsonPath('error.code', 'INVALID_CALENDLY_SIGNATURE'); } }