compare( 'securityDefaults', Spec425::fixture('security-defaults', 'enabled-false'), Spec425::fixture('security-defaults', 'enabled-true'), ); $fields = collect($result['changes'])->keyBy('field'); expect($result['changed'])->toBeTrue() ->and($result['classification'])->toBe('changed') ->and($fields['enabled']['importance'])->toBe('critical') ->and($fields['enabled_state']['importance'])->toBe('critical'); }); it('Spec425 treats Security Defaults no-change and volatile-only changes as non-material', function (): void { $unchanged = app(EntraCoverageComparator::class)->compare( 'securityDefaults', Spec425::fixture('security-defaults', 'no-change'), Spec425::fixture('security-defaults', 'no-change'), ); $volatile = app(EntraCoverageComparator::class)->compare( 'securityDefaults', Spec425::fixture('security-defaults', 'no-change'), Spec425::fixture('security-defaults', 'volatile-only-change'), ); expect($unchanged['changed'])->toBeFalse() ->and($unchanged['classification'])->toBe('unchanged') ->and($volatile['changed'])->toBeFalse() ->and(collect($volatile['changes'])->pluck('classification'))->toContain('ignored_volatile'); }); it('Spec425 keeps Security Defaults redaction diagnostic and secret-free', function (): void { $result = app(EntraCoverageComparator::class)->compare( 'securityDefaults', Spec425::fixture('security-defaults', 'no-change'), Spec425::fixture('security-defaults', 'redaction'), ); expect($result['changed'])->toBeFalse() ->and(collect($result['changes'])->pluck('classification'))->toContain('redacted', 'unsupported_field') ->and(json_encode($result, JSON_THROW_ON_ERROR)) ->not->toContain('spec425-security-defaults-secret') ->not->toContain('spec425-security-defaults-token') ->not->toContain('spec425-cookie') ->not->toContain('spec425-private-key') ->not->toContain('spec425-certificate'); });