Harden credit flows and add RevenueCat webhook

tests/Feature/RevenueCatWebhookTest.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Jobs\ProcessRevenueCatWebhook;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Bus;
+use Tests\TestCase;
+
+class RevenueCatWebhookTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_webhook_dispatches_job_with_valid_signature(): void
+    {
+        config()->set('services.revenuecat.webhook', 'shared-secret');
+
+        $payload = [
+            'event' => [
+                'app_user_id' => 'tenant-123',
+                'product_id' => 'pro_month',
+            ],
+        ];
+
+        $json = json_encode($payload);
+        $signature = base64_encode(hash_hmac('sha1', $json, 'shared-secret', true));
+
+        Bus::fake();
+
+        $response = $this->postJson('/api/v1/webhooks/revenuecat', $payload, [
+            'X-Signature' => $signature,
+        ]);
+
+        $response->assertStatus(202)
+            ->assertJson(['status' => 'accepted']);
+
+        Bus::assertDispatched(ProcessRevenueCatWebhook::class);
+    }
+
+    public function test_webhook_rejects_invalid_signature(): void
+    {
+        config()->set('services.revenuecat.webhook', 'shared-secret');
+
+        Bus::fake();
+
+        $response = $this->postJson('/api/v1/webhooks/revenuecat', [
+            'event' => ['app_user_id' => 'tenant-123'],
+        ], [
+            'X-Signature' => 'invalid-signature',
+        ]);
+
+        $response->assertStatus(400)
+            ->assertJson(['error' => 'Invalid signature']);
+
+        Bus::assertNotDispatched(ProcessRevenueCatWebhook::class);
+    }
+}