<?php

use App\Support\OpsUx\RunFailureSanitizer;

it('normalizes provider auth and outage reason codes', function (): void {
    expect(RunFailureSanitizer::normalizeReasonCode('invalid_client'))->toBe(RunFailureSanitizer::REASON_PROVIDER_AUTH_FAILED);
    expect(RunFailureSanitizer::normalizeReasonCode('AADSTS700016'))->toBe(RunFailureSanitizer::REASON_PROVIDER_AUTH_FAILED);
    expect(RunFailureSanitizer::normalizeReasonCode('bad_gateway'))->toBe(RunFailureSanitizer::REASON_PROVIDER_OUTAGE);
    expect(RunFailureSanitizer::normalizeReasonCode('500'))->toBe(RunFailureSanitizer::REASON_PROVIDER_OUTAGE);
});

it('redacts common secret patterns and forbidden substrings', function (): void {
    $message = 'Authorization: Bearer super-secret-token access_token=abc refresh_token=def client_secret=ghi password=jkl';

    $sanitized = RunFailureSanitizer::sanitizeMessage($message);

    expect($sanitized)
        ->not->toContain('Authorization')
        ->not->toContain('Bearer ')
        ->not->toContain('access_token')
        ->not->toContain('refresh_token')
        ->not->toContain('client_secret')
        ->not->toContain('password')
        ->not->toContain('super-secret-token')
        ->not->toContain('abc')
        ->not->toContain('def')
        ->not->toContain('ghi')
        ->not->toContain('jkl');
});