# Quickstart — Secret Redaction Hardening & Snapshot Data Integrity (Spec 120)

## Prereqs

- Run the app with Sail.
- Use a workspace with at least one tenant that already has policy snapshots.

## Local setup

- Start containers: `vendor/bin/sail up -d`
- Run migrations: `vendor/bin/sail artisan migrate`

## How to exercise the feature (manual)

### 1) Capture a policy with safe configuration fields

- Capture or refresh a policy version whose payload contains safe keys such as:
  - `passwordMinimumLength`
  - `passwordRequired`
  - `certificateValidityPeriodScale`
  - `tokenType`
- Expected:
  - The persisted `PolicyVersion` keeps those configuration values intact.
  - `redaction_version = 1`.
  - `secret_fingerprints` is empty if no true protected fields are present.

### 2) Capture a policy with true protected fields

- Capture or refresh a policy version whose payload contains true secrets such as:
  - `password`
  - `clientSecret`
  - `privateKey`
- Expected:
  - The persisted payload stores `[REDACTED]` at the protected paths.
  - `secret_fingerprints` contains digests for those paths.
  - No raw secret appears in `snapshot`, `assignments`, `scope_tags`, audit metadata, verification output, or run failures.

### 3) Validate secret-only change detection

- Re-capture the same policy after changing only a true protected value.
- Expected:
  - A new `PolicyVersion` is created even if the visible protected payload is unchanged.
  - Compare/drift surfaces report a protected change without revealing the value.
  - Safe configuration fields remain readable.
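The behaviour steps 1 to 3 check can be reproduced in isolation with the following added example. It is not the project's own sanitizer; the exact-match protected key list, the dotted-path fingerprint layout and the HMAC pepper are assumptions, and the payloads are constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the project's sanitizer (not its real code).
// Exact key names only, so `passwordMinimumLength` is never matched.
const PROTECTED_KEYS = ['password', 'clientSecret', 'privateKey'];
const REDACTED = '[REDACTED]';
const REDACTION_VERSION = 1;

/**
 * Walk the payload, replace true secret values with [REDACTED] and
 * return [redacted payload, map of dotted path => keyed digest].
 */
function redactPayload(array $payload, string $pepper, string $prefix = ''): array
{
    $fingerprints = [];
    foreach ($payload as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            [$payload[$key], $nested] = redactPayload($value, $pepper, $path);
            $fingerprints += $nested;
        } elseif (in_array($key, PROTECTED_KEYS, true)) {
            // Keyed digest: the stored fingerprint cannot be offline-guessed without the pepper.
            $fingerprints[$path] = hash_hmac('sha256', (string) $value, $pepper);
            $payload[$key] = REDACTED;
        }
    }
    return [$payload, $fingerprints];
}

/** Classify a re-capture as 'none', 'visible', 'secret-only' or 'both'. */
function classifyChange(array $previous, array $current, string $pepper): string
{
    [$prevSnap, $prevFp] = redactPayload($previous, $pepper);
    [$currSnap, $currFp] = redactPayload($current, $pepper);
    $visible = $prevSnap !== $currSnap;   // compares redacted snapshots only
    $secret = $prevFp !== $currFp;        // compares fingerprints, never raw values
    return match (true) {
        $visible && $secret => 'both',
        $secret => 'secret-only',
        $visible => 'visible',
        default => 'none',
    };
}

// Constructed sample payloads; the pepper would come from config in a real deployment.
$pepper = 'PLACEHOLDER_PEPPER_FROM_CONFIG';
$v1 = ['passwordMinimumLength' => 12, 'passwordRequired' => true,
       'wifi' => ['ssid' => 'corp', 'password' => 'hunter2']];
$v2 = $v1;
$v2['wifi']['password'] = 'hunter3';   // secret-only change, visible payload identical
[$snapshot, $fingerprints] = redactPayload($v1, $pepper);
assert($snapshot['passwordMinimumLength'] === 12 && $snapshot['wifi']['password'] === REDACTED);
assert(array_keys($fingerprints) === ['wifi.password']);
assert(classifyChange($v1, $v2, $pepper) === 'secret-only');
echo 'redaction_version=' . REDACTION_VERSION . " checks passed\n";
```

Run with `php redact_demo.php` (file name of your choosing); the assertions mirror the three expected outcomes above, and `classifyChange` returning `secret-only` is what should trigger a new `PolicyVersion`.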
### 4) Validate audit and output readability

- Review the existing tenant/admin and workspace/admin surfaces that show sanitized evidence:
  - finding detail view
  - verification report viewer/widget
  - operation run detail / monitoring surfaces
- Expected:
  - true secret values remain hidden
  - harmless phrases such as `passwordMinimumLength` remain readable
  - protected-value messaging is visible where the UI explains hidden values

## Tests (Pest)

- Run the focused suites once they are implemented:
  - `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php`
  - `vendor/bin/sail artisan test --compact tests/Unit/AuditContextSanitizerTest.php`
  - `vendor/bin/sail artisan test --compact --filter=VerificationReportSanitizer`
  - `vendor/bin/sail artisan test --compact --filter=RunFailureSanitizer`
- Format changed PHP files before final review:
  - `vendor/bin/sail bin pint --dirty --format agent`