feat: Add comprehensive PHPUnit test suite and CI/CD test gating (v0.5.0)

189 tests across 8 test classes covering all core plugin classes:
CustomMetricBuilder, StorageFactory, Authentication, DashboardProvider,
RuntimeCollector, Installer, Collector, and MetricsEndpoint.

Added test job to Gitea release workflow that gates build-release.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/Unit/AuthenticationTest.php

@@ -0,0 +1,148 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Magdev\WpPrometheus\Tests\Unit;
+
+use Magdev\WpPrometheus\Tests\Helpers\GlobalFunctionState;
+use PHPUnit\Framework\Attributes\CoversFunction;
+use PHPUnit\Framework\Attributes\Test;
+
+#[CoversFunction('wp_prometheus_authenticate_request')]
+#[CoversFunction('wp_prometheus_get_authorization_header')]
+class AuthenticationTest extends TestCase
+{
+    private array $originalServer = [];
+    private array $originalGet = [];
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->originalServer = $_SERVER;
+        $this->originalGet = $_GET;
+    }
+
+    protected function tearDown(): void
+    {
+        $_SERVER = $this->originalServer;
+        $_GET = $this->originalGet;
+        parent::tearDown();
+    }
+
+    // ── wp_prometheus_authenticate_request() ─────────────────────────
+
+    #[Test]
+    public function returns_false_when_no_token_configured(): void
+    {
+        // No auth token in options → deny all.
+        $this->assertFalse(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function returns_false_when_token_is_empty_string(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = '';
+        $this->assertFalse(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function bearer_token_authenticates_successfully(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'secret-token-123';
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer secret-token-123';
+
+        $this->assertTrue(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function bearer_token_fails_with_wrong_token(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'secret-token-123';
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer wrong-token';
+
+        $this->assertFalse(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function bearer_prefix_is_case_insensitive(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'secret-token-123';
+        $_SERVER['HTTP_AUTHORIZATION'] = 'BEARER secret-token-123';
+
+        $this->assertTrue(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function query_parameter_authenticates_successfully(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'secret-token-123';
+        $_GET['token'] = 'secret-token-123';
+
+        $this->assertTrue(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function query_parameter_fails_with_wrong_token(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'secret-token-123';
+        $_GET['token'] = 'wrong-token';
+
+        $this->assertFalse(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function returns_false_when_no_auth_provided(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'secret-token-123';
+        unset($_SERVER['HTTP_AUTHORIZATION'], $_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
+        unset($_GET['token']);
+
+        $this->assertFalse(wp_prometheus_authenticate_request());
+    }
+
+    #[Test]
+    public function bearer_takes_precedence_over_query_parameter(): void
+    {
+        GlobalFunctionState::$options['wp_prometheus_auth_token'] = 'correct-token';
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer correct-token';
+        $_GET['token'] = 'wrong-token';
+
+        $this->assertTrue(wp_prometheus_authenticate_request());
+    }
+
+    // ── wp_prometheus_get_authorization_header() ─────────────────────
+
+    #[Test]
+    public function get_authorization_header_from_http_authorization(): void
+    {
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer my-token';
+
+        $this->assertSame('Bearer my-token', wp_prometheus_get_authorization_header());
+    }
+
+    #[Test]
+    public function get_authorization_header_from_redirect(): void
+    {
+        unset($_SERVER['HTTP_AUTHORIZATION']);
+        $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] = 'Bearer redirect-token';
+
+        $this->assertSame('Bearer redirect-token', wp_prometheus_get_authorization_header());
+    }
+
+    #[Test]
+    public function get_authorization_header_returns_empty_when_absent(): void
+    {
+        unset($_SERVER['HTTP_AUTHORIZATION'], $_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
+
+        $this->assertSame('', wp_prometheus_get_authorization_header());
+    }
+
+    #[Test]
+    public function http_authorization_takes_precedence_over_redirect(): void
+    {
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer primary';
+        $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] = 'Bearer redirect';
+
+        $this->assertSame('Bearer primary', wp_prometheus_get_authorization_header());
+    }
+}