# Tasks: Secret Redaction Hardening & Snapshot Data Integrity

**Input**: Design documents from `/specs/120-secret-redaction-integrity/`
**Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md

**Tests**: For runtime behavior changes in this repo, tests are REQUIRED (Pest).

**RBAC**: The feature keeps existing authorization planes intact. Tenant/admin surfaces remain under `/admin`. Non-members remain 404, members missing the capability remain 403.

**Filament UI Action Surfaces**: Existing surfaces get read-only updates only. No new tenant-facing or platform-facing action workflow is introduced in this reduced scope.

**Organization**: Tasks are grouped by user story to enable independent implementation and testing.

## Phase 1: Setup

**Purpose**: Shared test utilities used across snapshot and sanitizer work.

- [X] T001 Create shared protected snapshot assertions in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Support/ProtectedSnapshotAssertions.php

---

## Phase 2: Foundational

**Purpose**: Core persistence and classifier infrastructure that MUST be complete before user-story work.
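Before the Phase 2 task list, an added illustration of the protected-snapshot contract that T004 through T006 build and that T012 and T017 verify. This is example code written for this page, not TenantAtlas code (the project's implementation is PHP under `app/Services/Intune`), and it is language-agnostic by design: an exact-key and exact-JSON-Pointer classifier with no substring matching, deterministic `[REDACTED]` placement, `secret_fingerprints` keyed by RFC 6901 JSON Pointer under a workspace-scoped HMAC key, and a composite version identity that still changes on a secret-only rotation. The rule tables, the `workspace:<id>` key-derivation label, the sample policy and every field name in it are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed classifier corpus (an assumption for this example, not the
# project's real rule set): protection is decided by an exact key name or an
# exact JSON Pointer path, never by substring, so "passwordMinimumLength" or a
# description that mentions "secret" stays readable.
PROTECTED_KEYS = {"password", "clientSecret", "sharedSecret", "preSharedKey"}
PROTECTED_POINTERS = {"/wifi/eapSettings/innerAuthentication/credential"}

REDACTED = "[REDACTED]"
REDACTION_VERSION = 1


def escape_token(token: str) -> str:
    """RFC 6901 reference-token escaping: '~' -> '~0', '/' -> '~1'."""
    return token.replace("~", "~0").replace("/", "~1")


def is_protected(pointer: str, key) -> bool:
    return pointer in PROTECTED_POINTERS or (isinstance(key, str) and key in PROTECTED_KEYS)


def derive_workspace_key(master_key: bytes, workspace_id: str) -> bytes:
    # Assumed derivation: HMAC(master, "workspace:<id>") gives each workspace an
    # unrelated fingerprint key, so equal secrets cannot be correlated across tenants.
    return hmac.new(master_key, f"workspace:{workspace_id}".encode(), hashlib.sha256).digest()


def fingerprint(workspace_key: bytes, pointer: str, value) -> str:
    # Bind the canonical value to its pointer so the same secret reused at two
    # paths does not produce a matching fingerprint pair.
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hmac.new(workspace_key, f"{pointer}\n{canonical}".encode(), hashlib.sha256).hexdigest()


def build_protected_snapshot(payload, workspace_key: bytes) -> dict:
    fingerprints = {}

    def visit(value, pointer: str, key):
        if is_protected(pointer, key):
            fingerprints[pointer] = fingerprint(workspace_key, pointer, value)
            return REDACTED
        return walk(value, pointer)

    def walk(node, pointer: str):
        if isinstance(node, dict):  # sorted keys keep the output deterministic
            return {k: visit(node[k], f"{pointer}/{escape_token(k)}", k) for k in sorted(node)}
        if isinstance(node, list):
            return [visit(item, f"{pointer}/{i}", None) for i, item in enumerate(node)]
        return node

    snapshot = walk(payload, "")
    return {
        "snapshot": snapshot,
        "secret_fingerprints": dict(sorted(fingerprints.items())),
        "redaction_version": REDACTION_VERSION,
    }


def version_identity(protected: dict) -> str:
    # Composite identity over redacted content plus fingerprints: a secret-only
    # rotation leaves the snapshot text identical but still yields a new version.
    material = json.dumps(protected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


def protected_changes(before: dict, after: dict) -> list:
    # Evidence for compare/drift: which protected paths changed, without values.
    b, a = before["secret_fingerprints"], after["secret_fingerprints"]
    return sorted(p for p in set(b) | set(a) if b.get(p) != a.get(p))


# Constructed sample policy payload (not a real Intune document).
SAMPLE_POLICY = {
    "displayName": "Corp Wi-Fi",
    "description": "Rotate the shared secret quarterly",  # prose, not a secret
    "passwordMinimumLength": 12,                          # not an exact protected key
    "wifi": {
        "ssid": "corp",
        "preSharedKey": "hunter2-psk",
        "eapSettings": {"innerAuthentication": {"credential": "eap-cred"}},
    },
    "certificates": [{"name": "root", "password": "pfx-pass"}],
}


def demo():
    master = b"constructed-master-key"
    ws_a = derive_workspace_key(master, "ws-a")
    ws_b = derive_workspace_key(master, "ws-b")
    base = build_protected_snapshot(SAMPLE_POLICY, ws_a)
    rotated_policy = json.loads(json.dumps(SAMPLE_POLICY))
    rotated_policy["wifi"]["preSharedKey"] = "rotated-psk"
    rotated = build_protected_snapshot(rotated_policy, ws_a)
    other_ws = build_protected_snapshot(SAMPLE_POLICY, ws_b)
    return base, rotated, other_ws


if __name__ == "__main__":
    base, rotated, other_ws = demo()
    print(json.dumps(base, indent=2))
    print("protected paths changed on rotation:", protected_changes(base, rotated))
```

Two properties are worth checking in any implementation of this contract: the fingerprint key must never be the raw master key (otherwise a fingerprint leaked from one workspace is comparable with another's), and the pointer must be part of the HMAC input, or an attacker who can read `secret_fingerprints` learns which two fields share a value. The regression guards in T007 and T008 exist because a substring fallback (for example, treating any key containing `secret` as protected) would turn `passwordMinimumLength` or the description above into `[REDACTED]` and silently break drift evidence.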
- [X] T002 Add `policy_versions.secret_fingerprints` and `policy_versions.redaction_version` in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/database/migrations/2026_03_07_000121_add_redaction_contract_to_policy_versions_table.php
- [X] T003 Update casts and factory defaults for the new redaction fields in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Models/PolicyVersion.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/database/factories/PolicyVersionFactory.php
- [X] T004 Implement the shared exact/path-based classifier and DTO in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/SecretClassificationService.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/ProtectedSnapshotResult.php
- [X] T005 Implement deterministic protected snapshot building with JSON Pointer fingerprint paths in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/PolicySnapshotRedactor.php
- [X] T006 Implement workspace-scoped fingerprint HMAC derivation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/SecretFingerprintHasher.php
- [X] T007 Add a regression guard for forbidden substring-based storage and audit-path redaction patterns in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Guards/NoBroadSecretRedactionPatternsTest.php
- [X] T008 Add an audit-path guard for forbidden broad redaction fallbacks in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Guards/Spec120NoBroadAuditRedactionFallbacksTest.php
- [X] T009 Add a scope guard proving phase 1 does not require `GraphContractRegistry` secret metadata in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Guards/Spec120NoGraphContractSecretMetadataTest.php

---

## Phase 3: User Story 1 - Preserve trustworthy drift and compare evidence (Priority: P1)

**Goal**: Persist protected snapshots without corrupting safe configuration fields and keep secret-only changes visible to drift/compare workflows.

### Tests for User Story 1

- [X] T010 Add classifier corpus coverage for safe fields, protected fields, and JSON Pointer paths in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/Intune/SecretClassificationServiceTest.php
- [X] T011 Update snapshot persistence and secret-only version-change coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotRedactionTest.php
- [X] T012 Add workspace-isolation fingerprint coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php
- [X] T013 Add compare/drift protected-change coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Baselines/BaselineCompareProtectedChangeTest.php

### Implementation for User Story 1

- [X] T014 Refactor snapshot persistence to write `[REDACTED]`, `secret_fingerprints`, and `redaction_version` in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/VersionService.php
- [X] T015 Remove duplicate pre-redaction and align version reuse with the protected snapshot contract in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/PolicyCaptureOrchestrator.php
- [X] T016 Integrate workspace-scoped fingerprint derivation into protected snapshot generation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/PolicySnapshotRedactor.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/VersionService.php
- [X] T017 Update composite version identity hashing for secret-only changes in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Drift/DriftHasher.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/VersionService.php
- [X] T018 Surface protected-change evidence in compare and diff generation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Jobs/CompareBaselineToTenantJob.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Drift/DriftFindingDiffBuilder.php
- [X] T019 Preserve restore fidelity while carrying redaction integrity metadata forward in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/RestoreService.php

---

## Phase 4: User Story 2 - Protect secrets consistently across operational surfaces (Priority: P2)

**Goal**: Reuse the same classification rules across audit, verification, monitoring, review/export, and viewer surfaces without hiding harmless configuration language.

### Tests for User Story 2

- [X] T020 Expand audit false-positive and audit-log persistence coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/AuditContextSanitizerTest.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Audit/WorkspaceAuditLoggerRedactionTest.php
- [X] T021 Expand verification sanitizer and viewer readability coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/VerificationReportSanitizerEvidenceKindsTest.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php
- [X] T022 Add review/export artifact redaction-integrity coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php
- [X] T023 Expand failure-message and monitoring readability coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/OpsUx/RunFailureSanitizerTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/OpsUx/FailureSanitizationTest.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Operations/TenantlessOperationRunViewerTest.php
- [X] T024 Add explainability coverage for protected-value messaging in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Drift/DriftFindingDetailTest.php
- [X] T025 Add notification payload sanitization coverage for redaction-safe terminal messages in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php

### Implementation for User Story 2

- [X] T026 Switch audit sanitization to the shared classifier in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Audit/AuditContextSanitizer.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Audit/WorkspaceAuditLogger.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/AuditLogger.php
- [X] T027 Switch verification and ops-failure sanitizers to the shared classifier in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationReportSanitizer.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/OpsUx/RunFailureSanitizer.php
- [X] T028 Apply redaction-integrity rules to review/export artifacts and operation notification payloads in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Jobs/GenerateReviewPackJob.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Notifications/OperationRunCompleted.php
- [X] T029 Add protected-value messaging to evidence viewers in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Resources/FindingResource/Pages/ViewFinding.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Support/VerificationReportViewer.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Widgets/Tenant/TenantVerificationReport.php
- [X] T030 Update operations detail rendering and terminal notification copy for protected values in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/OpsUx/OperationUxPresenter.php

---

## Phase 5: Polish & Cross-Cutting Concerns

- [X] T031 Run the focused Spec 120 Pest suites covering /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotRedactionTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php
- [X] T032 Run formatting on touched PHP files with `vendor/bin/sail bin pint --dirty --format agent`
- [ ] T033 Validate the manual scenarios documented in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/120-secret-redaction-integrity/quickstart.md

---

## Dependencies & Execution Order

### Phase Dependencies

- **Setup (Phase 1)**: No dependencies.
- **Foundational (Phase 2)**: Depends on Setup completion and blocks all story work.
- **User Story 1 (Phase 3)**: Starts after Foundational completion.
- **User Story 2 (Phase 4)**: Starts after Foundational completion and may be developed in parallel with US1 once the shared classifier, workspace-scoped hasher, and schema are in place.
- **Polish (Phase 5)**: Depends on the desired stories being complete.

### Within Each User Story

- Tests must be written first and fail before implementation.
- Persistence/model updates precede service refactors.
- Service refactors precede viewer/export integration.
- Ops-UX behavior and authorization semantics must be preserved before a story is considered done.

### Parallel Opportunities

- **Foundational**: T006, T007, T008, and T009 can run in parallel after T002 begins; T003 depends on T002.
- **US1**: T010, T011, T012, and T013 can run in parallel.
- **US2**: T020, T021, T022, T023, T024, and T025 can run in parallel.
- **Polish**: T031 and T033 can run in parallel before T032 finalizes formatting.