TenantAtlas/tests/Feature/ProviderConnections/CredentialLeakGuardTest.php

<?php

declare(strict_types=1);

use App\Models\OperationRun;
use App\Services\OperationRunService;
use Filament\Facades\Filament;

it('never persists secret-like substrings in operation run failures or notifications', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $this->actingAs($user);

    Filament::setTenant($tenant, true);

    $run = OperationRun::factory()->create([
        'tenant_id' => $tenant->getKey(),
        'user_id' => $user->getKey(),
        'initiator_name' => $user->name,
        'type' => 'provider.connection.check',
        'status' => 'running',
        'outcome' => 'pending',
        'context' => [
            'provider' => 'microsoft',
            'provider_connection_id' => 123,
        ],
    ]);

    /** @var OperationRunService $service */
    $service = app(OperationRunService::class);

    $service->updateRun(
        $run,
        status: 'completed',
        outcome: 'failed',
        failures: [[
            'code' => 'provider.auth',
            'message' => 'Authorization: Bearer super-secret-token access_token=abc refresh_token=def client_secret=ghi',
        ]],
    );

    $run->refresh();

    $failuresJson = json_encode($run->failure_summary);

    expect($failuresJson)
        ->not->toContain('Authorization')
        ->not->toContain('Bearer ')
        ->not->toContain('access_token')
        ->not->toContain('refresh_token')
        ->not->toContain('client_secret')
        ->not->toContain('super-secret-token')
        ->not->toContain('abc')
        ->not->toContain('def')
        ->not->toContain('ghi');

    $notification = $user->notifications()->latest('id')->first();
    expect($notification)->not->toBeNull();

    $body = (string) ($notification->data['body'] ?? '');

    expect($body)
        ->not->toContain('Authorization')
        ->not->toContain('Bearer ')
        ->not->toContain('access_token')
        ->not->toContain('refresh_token')
        ->not->toContain('client_secret')
        ->not->toContain('super-secret-token')
        ->not->toContain('abc')
        ->not->toContain('def')
        ->not->toContain('ghi');
})->group('ops-ux');