ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
bab01f07a9
TenantAtlas/specs/120-secret-redaction-integrity/quickstart.md
ahmido cd811cff4f Spec 120: harden secret redaction integrity (#146) 
## Summary
- replace broad substring-based masking with a shared exact/path-based secret classifier and workspace-scoped fingerprint hashing
- persist protected snapshot metadata on `policy_versions` and keep secret-only changes visible in compare, drift, restore, review, verification, and ops surfaces
- add Spec 120 artifacts, audit documentation, and focused Pest regression coverage for snapshot, audit, verification, review-pack, and notification behavior

## Validation
- `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php`
- `vendor/bin/sail bin pint --dirty --format agent`

## Spec / checklist status
| Checklist | Total | Completed | Incomplete | Status |
|-----------|-------|-----------|------------|--------|
| requirements.md | 16 | 16 | 0 | ✓ PASS |

- `tasks.md`: T001-T032 complete
- `tasks.md`: T033 manual quickstart validation is still open and noted for follow-up

## Filament / platform notes
- Livewire v4 compliance is unchanged
- no panel provider changes; `bootstrap/providers.php` remains the registration location
- no new globally searchable resources were introduced, so global search requirements are unchanged
- no new destructive Filament actions were added
- no new Filament assets were added; no `filament:assets` deployment change is required

## Testing coverage touched
- snapshot persistence and fingerprint isolation
- compare/drift protected-change evidence
- audit, verification, review-pack, ops-failure, and notification sanitization
- viewer/read-only Filament presentation updates

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #146
2026-03-07 16:43:01 +00:00

2.5 KiB
Raw Blame History

Quickstart — Secret Redaction Hardening & Snapshot Data Integrity (Spec 120)

Prereqs

  • Run the app with Sail.
  • Use a workspace with at least one tenant that already has policy snapshots.

Local setup

  • Start containers: vendor/bin/sail up -d
  • Run migrations: vendor/bin/sail artisan migrate

How to exercise the feature (manual)

1) Capture a policy with safe configuration fields

  • Capture or refresh a policy version whose payload contains safe keys such as:
    • passwordMinimumLength
    • passwordRequired
    • certificateValidityPeriodScale
    • tokenType
  • Expected:
    • The persisted PolicyVersion keeps those configuration values intact.
    • redaction_version = 1.
    • secret_fingerprints is empty if no true protected fields are present.

2) Capture a policy with true protected fields

  • Capture or refresh a policy version whose payload contains true secrets such as:
    • password
    • clientSecret
    • privateKey
  • Expected:
    • The persisted payload stores [REDACTED] at the protected paths.
    • secret_fingerprints contains digests for those paths.
    • No raw secret appears in snapshot, assignments, scope_tags, audit metadata, verification output, or run failures.

3) Validate secret-only change detection

  • Re-capture the same policy after changing only a true protected value.
  • Expected:
    • A new PolicyVersion is created even if the visible protected payload is unchanged.
    • Compare/drift surfaces report a protected change without revealing the value.
    • Safe configuration fields remain readable.

4) Validate audit and output readability

  • Review the existing tenant/admin and workspace/admin surfaces that show sanitized evidence:
    • finding detail view
    • verification report viewer/widget
    • operation run detail / monitoring surfaces
  • Expected:
    • true secret values remain hidden
    • harmless phrases such as passwordMinimumLength remain readable
    • protected-value messaging is visible where the UI explains hidden values

Tests (Pest)

  • Run focused suites once implemented:
    • vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php
    • vendor/bin/sail artisan test --compact tests/Unit/AuditContextSanitizerTest.php
    • vendor/bin/sail artisan test --compact --filter=VerificationReportSanitizer
    • vendor/bin/sail artisan test --compact --filter=RunFailureSanitizer
  • Format changed PHP files before final review:
    • vendor/bin/sail bin pint --dirty --format agent