build($canonicalType, $payload, [
        'claim_state' => 'internal_only',
        'identity_state' => 'stable',
        'last_captured' => 'Jun 30, 2026 07:30 AM',
    ]);

    $encoded = json_encode($summary, JSON_THROW_ON_ERROR);

    // Positive checks pin the rendered label and state; the two negative checks
    // assert that the 'raw_payload' and 'source_endpoint' strings never reach
    // the encoded summary.
    expect($summary)->toBeArray()
        ->and($summary['resource_type'])->toBe($resourceType)
        ->and($encoded)->toContain($expectedText)
        ->and($encoded)->toContain('internal_only')
        ->and($encoded)->toContain('Ready for operator review')
        ->and($encoded)->not->toContain('raw_payload')
        ->and($encoded)->not->toContain('source_endpoint');
})->with([
    // NOTE(review): each dataset looks like [canonical type, payload, expected
    // resource_type, text expected in the encoded summary]; confirm against
    // the closure signature.
    'retention policy' => [
        'retentionCompliancePolicy',
        [
            'DisplayName' => 'Spec423 Retention',
            'RetentionDuration' => 7,
            'RetentionDurationUnit' => 'Years',
            'DispositionAction' => 'Delete',
            'IncludedLocations' => ['Exchange'],
        ],
        'Retention compliance policy',
        '7 Years',
    ],
    'label policy' => [
        'labelPolicy',
        [
            'DisplayName' => 'Spec423 Labels',
            'PublishedLabels' => [['displayName' => 'Highly Confidential']],
            'Mandatory' => true,
        ],
        'Label policy',
        'Highly Confidential',
    ],
    'dlp policy' => [
        'dlpCompliancePolicy',
        [
            'DisplayName' => 'Spec423 DLP',
            'Mode' => 'Enforce',
            'Locations' => ['Exchange'],
            'Rules' => [['Name' => 'Rule', 'Actions' => ['BlockAccess']]],
        ],
        'DLP compliance policy',
        'BlockAccess',
    ],
]);

/**
 * Redaction regression test for the renderable summary of a DLP policy.
 *
 * A payload is seeded with unique sentinel values in every field that must
 * never be rendered (provider response body, fingerprint, client secret and
 * the per-rule content fields). The test then requires that
 *   1. each seeded field path is reported in `redacted_fields`, and
 *   2. no sentinel value appears anywhere in the JSON-encoded summary.
 *
 * The sentinels are plain ASCII, so JSON escaping cannot mask a leak from the
 * substring check. Only verbatim leaks are detected; a transformed copy
 * (hashed, base64-encoded, truncated) would not be caught by this test.
 */
it('Spec423 summaries hide raw JSON, provider responses, secrets, fingerprints, and content payloads', function (): void {
    // Reported redaction path => sentinel value seeded at that path.
    $sentinelByPath = [
        'providerResponse' => 'spec423-provider-response',
        'fingerprint' => 'spec423-fingerprint',
        'clientSecret' => 'spec423-render-secret',
        'Rules.0.DlpIncidentContent' => 'spec423-dlp-incident-content',
        'Rules.0.MailContent' => 'spec423-mail-content',
        'Rules.0.FileContent' => 'spec423-file-content',
    ];

    $payload = [
        'DisplayName' => 'Spec423 DLP',
        'Mode' => 'Enforce',
        'providerResponse' => ['body' => 'spec423-provider-response'],
        'fingerprint' => 'spec423-fingerprint',
        'clientSecret' => 'spec423-render-secret',
        'Rules' => [
            [
                'Name' => 'Rule',
                'Actions' => ['BlockAccess'],
                'DlpIncidentContent' => 'spec423-dlp-incident-content',
                'MailContent' => 'spec423-mail-content',
                'FileContent' => 'spec423-file-content',
            ],
        ],
    ];

    $builder = app(SecurityComplianceRenderableSummaryBuilder::class);
    $summary = $builder->build('dlpCompliancePolicy', $payload);

    // Encode the whole summary so a leak in any nested field is detected.
    $encoded = json_encode($summary, JSON_THROW_ON_ERROR);

    // Every seeded path must be reported as redacted; array_keys() yields a
    // list, so the spread passes the paths as positional needles.
    expect($summary['redacted_fields'])->toContain(...array_keys($sentinelByPath));

    // None of the seeded values may survive into the rendered output.
    foreach ($sentinelByPath as $sentinel) {
        expect($encoded)->not->toContain($sentinel);
    }
});