build(
        'conditionalAccessPolicy',
        Spec425::fixture('conditional-access', 'redaction'),
        [
            'claim_state' => 'internal_only',
            'identity_state' => 'stable',
            'last_captured' => 'Jul 1, 2026 10:00 AM',
        ],
    );

    $encoded = json_encode($summary, JSON_THROW_ON_ERROR);

    expect($summary)->toBeArray()
        ->and($summary['resource_type'])->toBe('Conditional Access policy')
        ->and($encoded)->not->toContain('raw_payload')
        ->not->toContain('raw Graph response')
        ->not->toContain('permission_context')
        ->not->toContain('spec425-ca-secret')
        ->not->toContain('spec425-ca-token');
});

// Redaction guard for the Security Defaults summary: builds the renderable
// summary from the 'redaction' fixture and checks that neither raw-payload
// field names nor the fixture's secret-like marker strings appear in it.
it('Spec425 renders Security Defaults certification summaries without raw or secret output', function (): void {
    $builder = app(EntraRenderableSummaryBuilder::class);
    $fixture = Spec425::fixture('security-defaults', 'redaction');
    $captureContext = [
        'claim_state' => 'internal_only',
        'identity_state' => 'stable',
        'evidence_state' => 'content_backed',
        'last_captured' => 'Jul 1, 2026 10:00 AM',
    ];

    $summary = $builder->build('securityDefaults', $fixture, $captureContext);

    // The leak check runs on the JSON encoding so nested values are searched too.
    // A marker only matches in the form json_encode() emits it; the markers below
    // are plain ASCII without slashes or quotes, so they survive encoding unchanged.
    $encoded = json_encode($summary, JSON_THROW_ON_ERROR);

    expect($summary)->toBeArray();
    expect($summary['resource_type'])->toBe('Security Defaults');

    // NOTE(review): these negative assertions only prove redaction while the
    // 'redaction' fixture really carries these strings; presumably it does.
    // Confirm in the fixture, otherwise the test passes vacuously.
    // NOTE(review): this list also covers cookie, private-key and certificate
    // markers, which the Conditional Access redaction test does not check.
    // Confirm whether that fixture needs the same coverage.
    $forbiddenMarkers = [
        'raw_payload',
        'raw Graph response',
        'permission_context',
        'spec425-security-defaults-secret',
        'spec425-security-defaults-token',
        'spec425-cookie',
        'spec425-private-key',
        'spec425-certificate',
    ];

    // One needle per negated call, as in the original chain, so that every
    // marker is asserted absent on its own.
    foreach ($forbiddenMarkers as $marker) {
        expect($encoded)->not->toContain($marker);
    }
});

// Rendering check for Conditional Access device conditions: the condition row
// labelled 'Devices' must show both the device-state and the device-filter text.
it('Spec425 renders Conditional Access device conditions for certified summaries', function (): void {
    $builder = app(EntraRenderableSummaryBuilder::class);
    $fixture = Spec425::fixture('conditional-access', 'device-condition-change');
    $captureContext = [
        'claim_state' => 'internal_only',
        'identity_state' => 'stable',
        'last_captured' => 'Jul 1, 2026 10:00 AM',
    ];

    $summary = $builder->build('conditionalAccessPolicy', $fixture, $captureContext);

    // A summary without a 'conditions' key yields an empty collection, so
    // $devices is null and the toBeArray() assertion below fails.
    $conditions = collect($summary['conditions'] ?? []);
    $devices = $conditions->firstWhere('label', 'Devices');

    expect($devices)->toBeArray();
    expect($devices['value'])
        ->toContain('States: Include compliant; Exclude domainJoined')
        ->toContain('Filter: Include device.trustType -eq "AzureAD"');
});