From 3a2d48b3b563a7008ae2a7baeeefb13b19058ef7 Mon Sep 17 00:00:00 2001
From: jedarden
Date: Thu, 30 Apr 2026 21:53:15 -0400
Subject: [PATCH] fix(test): use deterministic garbage signature in TestVerifyRequest

The old test used "0"+sig[1:] to corrupt the signature. If the real HMAC starts with "0", the corruption is a no-op and the test fails non-deterministically. Replace with a fixed 64-char hex constant that is never a valid HMAC output.

Co-Authored-By: Claude Sonnet 4.6
---
 engine/auth_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/engine/auth_test.go b/engine/auth_test.go
index e168108..f41ce26 100644
--- a/engine/auth_test.go
+++ b/engine/auth_test.go
@@ -87,9 +87,9 @@ func TestVerifyRequest(t *testing.T) {
 t.Error("wrong secret should fail verification")
 }
 
- // Wrong signature should fail
+ // Wrong signature should fail — use a fixed garbage value that is never a valid HMAC
 auth2 := auth
- auth2.Signature = "0" + auth.Signature[1:]
+ auth2.Signature = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
 if err := VerifyRequest(secret, auth2, body); err == nil {
 t.Error("wrong signature should fail verification")
 }
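Review bot: The new comment above `auth2.Signature` overstates the guarantee: a fixed 64-character hex string is still a possible MAC output (assuming the signature is a hex-encoded 32-byte digest), only one that matches with negligible probability, so `// Wrong signature should fail — fixed value, independent of the computed HMAC` would be accurate. The constant also turns this into a far-miss check only, whereas the old line exercised a value differing from the real signature in a single character, which is the case that catches a verifier comparing just a prefix or a truncated digest. A deterministic near-miss can be kept next to the constant with `c := byte('0'); if auth.Signature[0] == '0' { c = '1' }` followed by `auth2.Signature = string(c) + auth.Signature[1:]`. TestVerifyRequest starts and ends outside the hunk, so whether empty, short or non-hex signatures are already rejected elsewhere in the test cannot be seen from here.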