TenantAtlas/tests/Unit/OpsUx/RunFailureSanitizerTest.php

<?php

use App\Support\OpsUx\RunFailureSanitizer;
use App\Support\Providers\ProviderReasonCodes;

it('normalizes provider auth and outage reason codes', function (): void {
    expect(RunFailureSanitizer::normalizeReasonCode('invalid_client'))->toBe(ProviderReasonCodes::ProviderAuthFailed);
    expect(RunFailureSanitizer::normalizeReasonCode('AADSTS700016'))->toBe(ProviderReasonCodes::ProviderAuthFailed);
    expect(RunFailureSanitizer::normalizeReasonCode('bad_gateway'))->toBe(ProviderReasonCodes::NetworkUnreachable);
    expect(RunFailureSanitizer::normalizeReasonCode('500'))->toBe(ProviderReasonCodes::NetworkUnreachable);
});

it('distinguishes structured operator reason codes from fallback-only inputs', function (): void {
    expect(RunFailureSanitizer::isStructuredOperatorReasonCode('missing_capability'))->toBeTrue()
        ->and(RunFailureSanitizer::isStructuredOperatorReasonCode('provider_connection_missing'))->toBeTrue()
        ->and(RunFailureSanitizer::isStructuredOperatorReasonCode('foundation.capture_failed'))->toBeFalse();
});

it('redacts common secret patterns and forbidden substrings', function (): void {
    $message = 'Authorization: Bearer super-secret-token access_token=abc refresh_token=def client_secret=ghi password=jkl';

    $sanitized = RunFailureSanitizer::sanitizeMessage($message);

    expect($sanitized)
        ->not->toContain('Authorization')
        ->not->toContain('Bearer ')
        ->not->toContain('access_token')
        ->not->toContain('refresh_token')
        ->not->toContain('client_secret')
        ->not->toContain('password')
        ->not->toContain('super-secret-token')
        ->not->toContain('abc')
        ->not->toContain('def')
        ->not->toContain('ghi')
        ->not->toContain('jkl');
});

it('keeps safe configuration language readable in failure messages', function (): void {
    $message = 'passwordMinimumLength is 12 while password=super-secret should stay hidden.';

    $sanitized = RunFailureSanitizer::sanitizeMessage($message);

    expect($sanitized)->toContain('passwordMinimumLength');
    expect($sanitized)->not->toContain('super-secret');
});

it('redacts email domains that survive token redaction boundaries', function (): void {
    $message = 'Authorization: Bearer highly-sensitive-token-for-user@example.com';

    $sanitized = RunFailureSanitizer::sanitizeMessage($message);

    expect($sanitized)
        ->not->toContain('Bearer')
        ->not->toContain('@example.com')
        ->toContain('[REDACTED_EMAIL]');
});