TenantAtlas/specs/120-secret-redaction-integrity/tasks.md
2026-03-07 17:41:55 +01:00

Tasks: Secret Redaction Hardening & Snapshot Data Integrity

Input: Design documents from /specs/120-secret-redaction-integrity/

Prerequisites: plan.md (required), spec.md (required for user stories), research.md, data-model.md

Tests: For runtime behavior changes in this repo, tests are REQUIRED (Pest).

RBAC: The feature keeps existing authorization planes intact. Tenant/admin surfaces remain under /admin. Non-members remain 404, members missing capability remain 403.

Filament UI Action Surfaces: Existing surfaces are read-only updates only. No new tenant-facing or platform-facing action workflow is introduced in this reduced scope.

Organization: Tasks are grouped by user story to enable independent implementation and testing.

Phase 1: Setup

Purpose: Shared test utilities used across snapshot and sanitizer work.

  • T001 Create shared protected snapshot assertions in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Support/ProtectedSnapshotAssertions.php

Phase 2: Foundational

Purpose: Core persistence and classifier infrastructure that MUST be complete before user-story work.

  • T002 Add policy_versions.secret_fingerprints and policy_versions.redaction_version in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/database/migrations/2026_03_07_000121_add_redaction_contract_to_policy_versions_table.php
  • T003 Update casts and factory defaults for the new redaction fields in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Models/PolicyVersion.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/database/factories/PolicyVersionFactory.php
  • T004 Implement the shared exact/path-based classifier and DTO in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/SecretClassificationService.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/ProtectedSnapshotResult.php
  • T005 Implement deterministic protected snapshot building with JSON Pointer fingerprint paths in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/PolicySnapshotRedactor.php
  • T006 Implement workspace-scoped fingerprint HMAC derivation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/SecretFingerprintHasher.php
  • T007 Add a regression guard for forbidden substring-based storage and audit-path redaction patterns in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Guards/NoBroadSecretRedactionPatternsTest.php
  • T008 Add an audit-path guard for forbidden broad redaction fallbacks in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Guards/Spec120NoBroadAuditRedactionFallbacksTest.php
  • T009 Add a scope guard proving phase 1 does not require GraphContractRegistry secret metadata in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Guards/Spec120NoGraphContractSecretMetadataTest.php

Phase 3: User Story 1 - Preserve trustworthy drift and compare evidence (Priority: P1)

Goal: Persist protected snapshots without corrupting safe configuration fields and keep secret-only changes visible to drift/compare workflows.

Tests for User Story 1

  • T010 Add classifier corpus coverage for safe fields, protected fields, and JSON Pointer paths in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/Intune/SecretClassificationServiceTest.php
  • T011 Update snapshot persistence and secret-only version-change coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotRedactionTest.php
  • T012 Add workspace-isolation fingerprint coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php
  • T013 Add compare/drift protected-change coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Baselines/BaselineCompareProtectedChangeTest.php

Implementation for User Story 1

  • T014 Refactor snapshot persistence to write [REDACTED], secret_fingerprints, and redaction_version in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/VersionService.php
  • T015 Remove duplicate pre-redaction and align version reuse with the protected snapshot contract in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/PolicyCaptureOrchestrator.php
  • T016 Integrate workspace-scoped fingerprint derivation into protected snapshot generation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/PolicySnapshotRedactor.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/VersionService.php
  • T017 Update composite version identity hashing for secret-only changes in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Drift/DriftHasher.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/VersionService.php
  • T018 Surface protected-change evidence in compare and diff generation in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Jobs/CompareBaselineToTenantJob.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Drift/DriftFindingDiffBuilder.php
  • T019 Preserve restore fidelity while carrying redaction integrity metadata forward in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/RestoreService.php
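
The pieces named in Phase 2 and User Story 1 (exact-key classification, [REDACTED] placeholders, JSON Pointer fingerprint paths, workspace-scoped HMAC) are shown working together below. This is an added example, not TenantAtlas code: the key list, the `workspaceKey()` derivation, `protectSnapshot()` and the sample payloads are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical exact-match key list (constructed; not the project's classifier rules).
const PROTECTED_KEYS = ['password', 'clientSecret', 'sharedKey'];

// Assumed derivation: one HMAC key per workspace, derived from an app-level secret.
function workspaceKey(string $appSecret, int $workspaceId): string
{
    return hash_hmac('sha256', 'workspace:' . $workspaceId, $appSecret, true);
}

// Returns [protected snapshot, fingerprints keyed by JSON Pointer path].
function protectSnapshot(array $node, string $hmacKey, string $path = ''): array
{
    $fingerprints = [];
    foreach ($node as $name => $value) {
        // RFC 6901 escaping: "~" becomes "~0", then "/" becomes "~1".
        $pointer = $path . '/' . str_replace(['~', '/'], ['~0', '~1'], (string) $name);
        if (is_array($value)) {
            [$node[$name], $nested] = protectSnapshot($value, $hmacKey, $pointer);
            $fingerprints += $nested;
        } elseif (is_string($value) && in_array($name, PROTECTED_KEYS, true)) {
            $fingerprints[$pointer] = hash_hmac('sha256', $value, $hmacKey);
            $node[$name] = '[REDACTED]';
        }
    }
    ksort($fingerprints); // deterministic ordering for hashing and comparison
    return [$node, $fingerprints];
}

// Constructed sample payloads: only the secret differs between $v1 and $v2.
$v1 = ['passwordMinimumLength' => 12, 'wifi' => ['ssid' => 'corp', 'sharedKey' => 'alpha']];
$v2 = ['passwordMinimumLength' => 12, 'wifi' => ['ssid' => 'corp', 'sharedKey' => 'bravo']];

$appSecret = 'constructed-app-secret';
[$s1, $f1] = protectSnapshot($v1, workspaceKey($appSecret, 1));
[$s2, $f2] = protectSnapshot($v2, workspaceKey($appSecret, 1));
[, $f1Other] = protectSnapshot($v1, workspaceKey($appSecret, 2));

var_dump($s1 === $s2);                  // redacted snapshots alone cannot show the change
var_dump($s1['passwordMinimumLength']); // safe field survives; a substring rule on "password" would corrupt it
var_dump($f1 !== $f2);                  // fingerprints keep the secret-only change visible
var_dump($f1['/wifi/sharedKey'] !== $f1Other['/wifi/sharedKey']); // same secret, different workspace
```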

Phase 4: User Story 2 - Protect secrets consistently across operational surfaces (Priority: P2)

Goal: Reuse the same classification rules across audit, verification, monitoring, review/export, and viewer surfaces without hiding harmless configuration language.

Tests for User Story 2

  • T020 Expand audit false-positive and audit-log persistence coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/AuditContextSanitizerTest.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Audit/WorkspaceAuditLoggerRedactionTest.php
  • T021 Expand verification sanitizer and viewer readability coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/VerificationReportSanitizerEvidenceKindsTest.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php
  • T022 Add review/export artifact redaction-integrity coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php
  • T023 Expand failure-message and monitoring readability coverage in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Unit/OpsUx/RunFailureSanitizerTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/OpsUx/FailureSanitizationTest.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Operations/TenantlessOperationRunViewerTest.php
  • T024 Add explainability coverage for protected-value messaging in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Drift/DriftFindingDetailTest.php
  • T025 Add notification payload sanitization coverage for redaction-safe terminal messages in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php

Implementation for User Story 2

  • T026 Switch audit sanitization to the shared classifier in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Audit/AuditContextSanitizer.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Audit/WorkspaceAuditLogger.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Services/Intune/AuditLogger.php
  • T027 Switch verification and ops-failure sanitizers to the shared classifier in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/Verification/VerificationReportSanitizer.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/OpsUx/RunFailureSanitizer.php
  • T028 Apply redaction-integrity rules to review/export artifacts and operation notification payloads in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Jobs/GenerateReviewPackJob.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Notifications/OperationRunCompleted.php
  • T029 Add protected-value messaging to evidence viewers in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Resources/FindingResource/Pages/ViewFinding.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Support/VerificationReportViewer.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Widgets/Tenant/TenantVerificationReport.php
  • T030 Update operations detail rendering and terminal notification copy for protected values in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Filament/Pages/Operations/TenantlessOperationRunViewer.php and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/app/Support/OpsUx/OperationUxPresenter.php

Phase 5: Polish & Cross-Cutting Concerns

  • T031 Run the focused Spec 120 Pest suites covering /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotRedactionTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php, /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php, and /Users/ahmeddarrazi/Documents/projects/TenantAtlas/tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php
  • T032 Run formatting on touched PHP files with vendor/bin/sail bin pint --dirty --format agent
  • T033 Validate the manual scenarios documented in /Users/ahmeddarrazi/Documents/projects/TenantAtlas/specs/120-secret-redaction-integrity/quickstart.md

Dependencies & Execution Order

Phase Dependencies

  • Setup (Phase 1): No dependencies.
  • Foundational (Phase 2): Depends on Setup completion and blocks all story work.
  • User Story 1 (Phase 3): Starts after Foundational completion.
  • User Story 2 (Phase 4): Starts after Foundational completion and may be developed in parallel with US1 once the shared classifier, workspace-scoped hasher, and schema are in place.
  • Polish (Phase 5): Depends on the desired stories being complete.

Within Each User Story

  • Tests must be written first and fail before implementation.
  • Persistence/model updates precede service refactors.
  • Service refactors precede viewer/export integration.
  • Ops-UX behavior and authorization semantics must be preserved before a story is considered done.

Parallel Opportunities

  • Foundational: T006, T007, T008, and T009 can run in parallel after T002 begins; T003 depends on T002.
  • US1: T010, T011, T012, and T013 can run in parallel.
  • US2: T020, T021, T022, T023, T024, and T025 can run in parallel.
  • Polish: T031 and T033 can run in parallel before T032 finalizes formatting.