TenantAtlas/tests/Unit/VerificationReportSanitizerEvidenceKindsTest.php

<?php

declare(strict_types=1);

use App\Support\Verification\VerificationReportSanitizer;

it('preserves safe evidence pointer kinds for app diagnostics', function (): void {
    $report = [
        'schema_version' => '1',
        'flow' => 'managed_tenant_onboarding',
        'generated_at' => now()->toIso8601String(),
        'summary' => [
            'overall' => 'warn',
            'counts' => [
                'total' => 1,
                'pass' => 0,
                'fail' => 0,
                'warn' => 1,
                'skip' => 0,
                'running' => 0,
            ],
        ],
        'checks' => [
            [
                'key' => 'permissions.admin_consent',
                'title' => 'Required application permissions',
                'status' => 'warn',
                'severity' => 'medium',
                'blocking' => false,
                'reason_code' => 'permissions_inventory_empty',
                'message' => 'No permissions detected.',
                'evidence' => [
                    ['kind' => 'app_id', 'value' => '00000000-0000-0000-0000-000000000000'],
                    ['kind' => 'observed_permissions_count', 'value' => 0],
                    ['kind' => 'client_secret', 'value' => 'nope'],
                ],
                'next_steps' => [],
            ],
        ],
    ];

    $sanitized = VerificationReportSanitizer::sanitizeReport($report);

    $evidence = $sanitized['checks'][0]['evidence'] ?? null;
    $title = $sanitized['checks'][0]['title'] ?? null;

    expect($title)->toBe('Required application permissions');
    expect($evidence)->toBeArray();
    expect($evidence)->toContain(['kind' => 'app_id', 'value' => '00000000-0000-0000-0000-000000000000']);
    expect($evidence)->toContain(['kind' => 'observed_permissions_count', 'value' => 0]);
    expect($evidence)->not->toContain(['kind' => 'client_secret', 'value' => 'nope']);
});

it('keeps safe configuration phrases in verification messages', function (): void {
    $report = [
        'schema_version' => '1',
        'flow' => 'managed_tenant_onboarding',
        'generated_at' => now()->toIso8601String(),
        'summary' => [
            'overall' => 'warn',
            'counts' => [
                'total' => 1,
                'pass' => 0,
                'fail' => 0,
                'warn' => 1,
                'skip' => 0,
                'running' => 0,
            ],
        ],
        'checks' => [
            [
                'key' => 'password.policy',
                'title' => 'Password policy',
                'status' => 'warn',
                'severity' => 'medium',
                'blocking' => false,
                'reason_code' => 'password_policy_warning',
                'message' => 'passwordMinimumLength remains visible while password=super-secret is hidden.',
                'evidence' => [],
                'next_steps' => [],
            ],
        ],
    ];

    $sanitized = VerificationReportSanitizer::sanitizeReport($report);
    $message = $sanitized['checks'][0]['message'] ?? null;

    expect($message)->toContain('passwordMinimumLength');
    expect($message)->not->toContain('super-secret');
});