TenantAtlas/tests/Feature/Drift/DriftEvidenceMinimizationTest.php
2026-01-15 00:12:55 +01:00


<?php
use App\Services\Drift\DriftEvidence;
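// Checks that DriftEvidence::sanitize() keeps the expected evidence keys and
// drops credential-like and raw-payload keys from a drift payload.
test('drift evidence sanitizer keeps only allowlisted keys', function () {
    // Keys the sanitized result is expected to retain.
    $allowedKeys = ['change_type', 'summary', 'baseline', 'current', 'diff', 'notes'];

    // Keys that must never reach the sanitized result.
    $deniedKeys = ['access_token', 'client_secret', 'raw_payload'];

    $payload = [
        'change_type' => 'modified',
        'summary' => ['changed_fields' => ['assignments_hash']],
        'baseline' => ['hash' => 'a'],
        'current' => ['hash' => 'b'],
        'diff' => ['a' => 'b'],
        'notes' => 'ok',
        'access_token' => 'should-not-leak',
        'client_secret' => 'should-not-leak',
        'raw_payload' => ['big' => 'blob'],
    ];

    $safe = app(DriftEvidence::class)->sanitize($payload);

    expect($safe)->toHaveKeys($allowedKeys);

    foreach ($deniedKeys as $deniedKey) {
        expect($safe)->not->toHaveKey($deniedKey);
    }

    // Checking only for missing top-level keys would still pass if a secret
    // value were kept under another key or copied into a retained entry, so
    // also assert the marker value is absent from the whole serialized result.
    expect(json_encode($safe))->not->toContain('should-not-leak');

    // NOTE(review): every secret in this payload sits at the top level. Whether
    // sanitize() is meant to filter nested entries (e.g. a token placed inside
    // 'baseline' or 'diff') is not visible from this test; confirm against the
    // service and add a nested case if so.
});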