<?php

declare(strict_types=1);

use App\Services\TenantConfiguration\CoveragePayloadRedactor;

it('redacts sensitive metadata keys recursively', function (): void {
    $redacted = (new CoveragePayloadRedactor)->redact([
        'Authorization' => 'Bearer top-secret',
        'bearer' => 'top-secret',
        'client_secret' => 'super-secret',
        'cookie' => 'session=secret',
        'set-cookie' => 'session=secret',
        'nested' => [
            'access_token' => 'token',
            'id_token' => 'jwt',
            'refresh_token' => 'refresh',
            'safe' => 'value',
        ],
    ]);

    expect($redacted)->toBe([
        'Authorization' => '[redacted]',
        'bearer' => '[redacted]',
        'client_secret' => '[redacted]',
        'cookie' => '[redacted]',
        'set-cookie' => '[redacted]',
        'nested' => [
            'access_token' => '[redacted]',
            'id_token' => '[redacted]',
            'refresh_token' => '[redacted]',
            'safe' => 'value',
        ],
    ]);
});