for($tenant)->create([ 'status' => Finding::STATUS_NEW, 'evidence_jsonb' => [ 'secret_token' => 'should-not-be-audited', 'payload' => ['x' => 'y'], ], ]); $service = app(FindingWorkflowService::class); $service->triage($finding, $tenant, $user); $service->resolve($finding->refresh(), $tenant, $user, 'fixed'); $audit = AuditLog::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('resource_type', 'finding') ->where('resource_id', (string) $finding->getKey()) ->where('action', 'finding.resolved') ->latest('id') ->first(); expect($audit)->not->toBeNull(); expect((int) $audit->actor_id)->toBe((int) $user->getKey()) ->and($audit->actor_email)->toBe($user->email) ->and(data_get($audit->metadata, 'finding_id'))->toBe((int) $finding->getKey()) ->and(data_get($audit->metadata, 'before_status'))->toBe(Finding::STATUS_TRIAGED) ->and(data_get($audit->metadata, 'after_status'))->toBe(Finding::STATUS_RESOLVED) ->and(data_get($audit->metadata, 'resolved_reason'))->toBe('fixed') ->and(data_get($audit->metadata, 'before'))->toBeArray() ->and(data_get($audit->metadata, 'after'))->toBeArray() ->and(data_get($audit->metadata, 'evidence_jsonb'))->toBeNull() ->and(data_get($audit->metadata, 'before.evidence_jsonb'))->toBeNull() ->and(data_get($audit->metadata, 'after.evidence_jsonb'))->toBeNull(); }); it('writes assignment audit entries without evidence payloads', function (): void { [$owner, $tenant] = createUserWithTenant(role: 'owner'); $assignee = User::factory()->create(); createUserWithTenant(tenant: $tenant, user: $assignee, role: 'operator'); $finding = Finding::factory()->for($tenant)->create([ 'status' => Finding::STATUS_NEW, ]); app(FindingWorkflowService::class)->assign( finding: $finding, tenant: $tenant, actor: $owner, assigneeUserId: (int) $assignee->getKey(), ownerUserId: (int) $owner->getKey(), ); $audit = AuditLog::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('action', 'finding.assigned') ->latest('id') ->first(); expect($audit)->not->toBeNull(); expect(data_get($audit->metadata, 'assignee_user_id'))->toBe((int) $assignee->getKey()) ->and(data_get($audit->metadata, 'owner_user_id'))->toBe((int) $owner->getKey()) ->and(data_get($audit->metadata, 'before'))->toBeArray() ->and(data_get($audit->metadata, 'after'))->toBeArray() ->and(data_get($audit->metadata, 'before.evidence_jsonb'))->toBeNull() ->and(data_get($audit->metadata, 'after.evidence_jsonb'))->toBeNull(); });