ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
7db8eb81ba
TenantAtlas/specs/120-secret-redaction-integrity/quickstart.md
Ahmed Darrazi 7db8eb81ba feat: harden secret redaction integrity
2026-03-07 17:41:55 +01:00

59 lines
2.5 KiB
Markdown
Raw Blame History

# Quickstart — Secret Redaction Hardening & Snapshot Data Integrity (Spec 120)
## Prereqs
- Run the app with Sail.
- Use a workspace with at least one tenant that already has policy snapshots.
## Local setup
- Start containers: `vendor/bin/sail up -d`
- Run migrations: `vendor/bin/sail artisan migrate`
## How to exercise the feature (manual)
### 1) Capture a policy with safe configuration fields
- Capture or refresh a policy version whose payload contains safe keys such as:
- `passwordMinimumLength`
- `passwordRequired`
- `certificateValidityPeriodScale`
- `tokenType`
- Expected:
- The persisted `PolicyVersion` keeps those configuration values intact.
- `redaction_version = 1`.
- `secret_fingerprints` is empty if no true protected fields are present.
### 2) Capture a policy with true protected fields
- Capture or refresh a policy version whose payload contains true secrets such as:
- `password`
- `clientSecret`
- `privateKey`
- Expected:
- The persisted payload stores `[REDACTED]` at the protected paths.
- `secret_fingerprints` contains digests for those paths.
- No raw secret appears in `snapshot`, `assignments`, `scope_tags`, audit metadata, verification output, or run failures.
### 3) Validate secret-only change detection
- Re-capture the same policy after changing only a true protected value.
- Expected:
- A new `PolicyVersion` is created even if the visible protected payload is unchanged.
- Compare/drift surfaces report a protected change without revealing the value.
- Safe configuration fields remain readable.
### 4) Validate audit and output readability
- Review the existing tenant/admin and workspace/admin surfaces that show sanitized evidence:
- finding detail view
- verification report viewer/widget
- operation run detail / monitoring surfaces
- Expected:
- true secret values remain hidden
- harmless phrases such as `passwordMinimumLength` remain readable
- protected-value messaging is visible where the UI explains hidden values
## Tests (Pest)
- Run focused suites once implemented:
- `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php`
- `vendor/bin/sail artisan test --compact tests/Unit/AuditContextSanitizerTest.php`
- `vendor/bin/sail artisan test --compact --filter=VerificationReportSanitizer`
- `vendor/bin/sail artisan test --compact --filter=RunFailureSanitizer`
- Format changed PHP files before final review:
- `vendor/bin/sail bin pint --dirty --format agent`
Reference in New Issue View Git Blame Copy Permalink