95 lines
4.8 KiB
Markdown
95 lines
4.8 KiB
Markdown
# Implementation Plan: Secret Redaction Hardening & Snapshot Data Integrity
|
|
|
|
**Branch**: `120-secret-redaction-integrity` | **Date**: 2026-03-06 | **Spec**: [specs/120-secret-redaction-integrity/spec.md](specs/120-secret-redaction-integrity/spec.md)
|
|
**Input**: Feature specification from `/specs/120-secret-redaction-integrity/spec.md`
|
|
|
|
## Summary
|
|
|
|
Harden persisted policy evidence by replacing broad substring-based masking with one exact/path-based classifier, moving protected snapshot ownership to `VersionService`, adding dedicated `policy_versions.secret_fingerprints` and `policy_versions.redaction_version` fields, and extending audit/output sanitizers to preserve safe configuration language.
|
|
|
|
## Technical Context
|
|
|
|
**Language/Version**: PHP 8.4, Laravel 12, Filament v5, Livewire v4
|
|
**Primary Dependencies**: Laravel framework, Filament admin panels, Livewire, PostgreSQL JSONB persistence, Laravel Sail
|
|
**Storage**: PostgreSQL (`policy_versions`, `operation_runs`, `audit_logs`, related evidence tables)
|
|
**Testing**: Pest 4 feature/unit tests run via `vendor/bin/sail artisan test --compact`
|
|
**Target Platform**: Laravel Sail containers for local dev; web application with tenant `/admin` and workspace/admin monitoring surfaces
|
|
**Project Type**: Single Laravel web application
|
|
**Performance Goals**: Deterministic protected snapshot generation on every capture; monitoring pages remain DB-only; secret-only changes must not collapse during dedupe
|
|
**Constraints**: No new dependencies; no historical-data remediation workflow; workspace-scoped HMACs only; no raw substring redaction in persisted snapshot or audit paths
|
|
**Scale/Scope**: Touches all `PolicyVersion` writes, downstream drift/compare/restore consumers, audit/verification/ops sanitizers, and focused Pest regression coverage
|
|
|
|
## Constitution Check
|
|
|
|
*GATE: Passed before Phase 0 research. Re-checked after scope update: still passed.*
|
|
|
|
- **Inventory-first**: PASS — inventory remains “last observed”; Spec 120 only hardens immutable snapshot protection.
|
|
- **Read/write separation**: PASS — writes are limited to protected snapshot persistence and existing user-initiated flows.
|
|
- **Graph contract path**: PASS — no new Graph endpoints or bypasses are introduced.
|
|
- **Deterministic capabilities**: PASS — capability logic is unchanged; regression work focuses on deterministic classifier output and version identity.
|
|
- **RBAC / plane separation**: PASS — tenant evidence remains under `/admin`; no new cross-plane workflow remains in scope.
|
|
- **Workspace / tenant isolation**: PASS — workspace-scoped HMAC derivation uses `workspace_id`.
|
|
- **Destructive confirmation standard**: PASS — no new destructive surfaces are introduced.
|
|
- **Global search safety**: PASS — no new searchable resources are added.
|
|
- **Run observability**: PASS — existing capture/compare/restore/export flows keep their current operations behavior.
|
|
- **Ops-UX 3-surface feedback**: PASS — existing operation starts remain unchanged.
|
|
- **OperationRun lifecycle ownership**: PASS — no direct status/outcome writes are introduced.
|
|
- **Ops regression guards**: PASS — the plan keeps regression tests for redaction and output behavior.
|
|
- **Data minimization**: PASS — fingerprint storage is non-reversible, logs/audit remain sanitized, and no raw secret material is persisted.
|
|
- **BADGE-001 / Filament action surface / UX-001**: PASS — the release changes existing read-only views only.
|
|
|
|
## Project Structure
|
|
|
|
### Documentation (this feature)
|
|
|
|
```text
|
|
specs/[###-feature]/
|
|
├── plan.md
|
|
├── research.md
|
|
├── data-model.md
|
|
├── quickstart.md
|
|
└── tasks.md
|
|
```
|
|
|
|
### Source Code (repository root)
|
|
|
|
```text
|
|
app/
|
|
├── Filament/
|
|
│ ├── Pages/Operations/
|
|
│ ├── Resources/FindingResource/
|
|
│ ├── Support/
|
|
│ └── Widgets/Tenant/
|
|
├── Models/
|
|
├── Services/
|
|
│ ├── Audit/
|
|
│ └── Intune/
|
|
└── Support/
|
|
├── Audit/
|
|
├── OpsUx/
|
|
└── Verification/
|
|
|
|
database/
|
|
├── factories/
|
|
└── migrations/
|
|
|
|
tests/
|
|
├── Feature/
|
|
│ ├── Audit/
|
|
│ ├── Intune/
|
|
│ ├── OpsUx/
|
|
│ ├── Operations/
|
|
│ └── Verification/
|
|
└── Unit/
|
|
├── Intune/
|
|
├── OpsUx/
|
|
└── Verification/
|
|
```
|
|
|
|
**Structure Decision**: Keep the existing single Laravel application structure. Implement the central classifier and protected snapshot DTO under `app/Services/Intune`, extend existing sanitizers in `app/Support/*`, evolve `PolicyVersion` persistence via migrations/model/factory updates, and cover the behavior with focused Pest tests under existing `tests/Feature` and `tests/Unit` namespaces.
|
|
|
|
## Complexity Tracking
|
|
|
|
| Violation | Why Needed | Simpler Alternative Rejected Because |
|
|
|-----------|------------|-------------------------------------|
|