'1',
        'flow' => 'managed_tenant_onboarding',
        'generated_at' => now()->toIso8601String(),
        'summary' => [
            'overall' => 'warn',
            'counts' => [
                'total' => 1,
                'pass' => 0,
                'fail' => 0,
                'warn' => 1,
                'skip' => 0,
                'running' => 0,
            ],
        ],
        'checks' => [
            [
                'key' => 'permissions.admin_consent',
                'title' => 'Admin consent granted',
                'status' => 'warn',
                'severity' => 'medium',
                'blocking' => false,
                'reason_code' => 'permissions_inventory_empty',
                'message' => 'No permissions detected.',
                'evidence' => [
                    ['kind' => 'app_id', 'value' => '00000000-0000-0000-0000-000000000000'],
                    ['kind' => 'observed_permissions_count', 'value' => 0],
                    // Credential-like evidence kind with a dummy value; the assertions
                    // below require this exact entry to be absent after sanitizing.
                    ['kind' => 'client_secret', 'value' => 'nope'],
                ],
                'next_steps' => [],
            ],
        ],
    ];

    $sanitized = VerificationReportSanitizer::sanitizeReport($report);

    // Fall back to null so a missing 'evidence' key fails toBeArray() instead of
    // raising an undefined-index warning.
    $evidence = $sanitized['checks'][0]['evidence'] ?? null;

    expect($evidence)->toBeArray();
    // The two non-secret entries must come back unchanged (same kind and value).
    expect($evidence)->toContain(['kind' => 'app_id', 'value' => '00000000-0000-0000-0000-000000000000']);
    expect($evidence)->toContain(['kind' => 'observed_permissions_count', 'value' => 0]);
    // NOTE(review): this only rules out the exact kind/value pair. An entry that kept
    // kind 'client_secret' with a different (e.g. masked) value would presumably still
    // pass; confirm whether the sanitizer is meant to drop the entry or mask its value.
    expect($evidence)->not->toContain(['kind' => 'client_secret', 'value' => 'nope']);
});

/**
 * Redaction regression test for check messages.
 *
 * The message mixes a setting name that merely contains the word "password"
 * (passwordMinimumLength) with a key=value pair carrying a secret
 * (password=super-secret). After sanitizeReport() the setting name must still
 * be readable and the secret value must not appear anywhere in the message.
 */
it('keeps safe configuration phrases in verification messages', function (): void {
    $report = [
        'schema_version' => '1',
        'flow' => 'managed_tenant_onboarding',
        'generated_at' => now()->toIso8601String(),
        'summary' => [
            'overall' => 'warn',
            'counts' => [
                'total' => 1,
                'pass' => 0,
                'fail' => 0,
                'warn' => 1,
                'skip' => 0,
                'running' => 0,
            ],
        ],
        'checks' => [
            [
                'key' => 'password.policy',
                'title' => 'Password policy',
                'status' => 'warn',
                'severity' => 'medium',
                'blocking' => false,
                'reason_code' => 'password_policy_warning',
                // One benign identifier and one secret-bearing pair in the same string,
                // so an over-broad match on "password" would fail the first assertion.
                'message' => 'passwordMinimumLength remains visible while password=super-secret is hidden.',
                'evidence' => [],
                'next_steps' => [],
            ],
        ],
    ];

    $sanitized = VerificationReportSanitizer::sanitizeReport($report);

    // Fall back to null so a missing 'message' key surfaces as a failed expectation.
    $message = $sanitized['checks'][0]['message'] ?? null;

    // The benign setting name must survive sanitization.
    expect($message)->toContain('passwordMinimumLength');
    // The secret value itself must not be present in the sanitized message.
    expect($message)->not->toContain('super-secret');
});