fix(notification-service): resolve NotificationService-005..009 — explicit TLS modes, per-credential token cache, timeout/throttle, address validation, credential redaction

tests/ScadaLink.NotificationService.Tests/CredentialRedactorTests.cs

@@ -0,0 +1,38 @@
+namespace ScadaLink.NotificationService.Tests;
+
+/// <summary>
+/// NS-009: Tests for scrubbing SMTP credential secrets out of log/result text.
+/// </summary>
+public class CredentialRedactorTests
+{
+    [Fact]
+    public void Scrub_BasicAuthPassword_IsMasked()
+    {
+        var text = "535 5.7.8 Authentication failed for user 'svc' with password 'Hunter2pw!'";
+        var result = CredentialRedactor.Scrub(text, "svc:Hunter2pw!");
+
+        Assert.DoesNotContain("Hunter2pw!", result);
+        Assert.DoesNotContain("svc:Hunter2pw!", result);
+    }
+
+    [Fact]
+    public void Scrub_OAuth2ClientSecret_IsMasked()
+    {
+        var text = "Token request failed: client_secret=Sup3rSecretValue rejected by tenant";
+        var result = CredentialRedactor.Scrub(text, "tenant-guid:client-guid:Sup3rSecretValue");
+
+        Assert.DoesNotContain("Sup3rSecretValue", result);
+    }
+
+    [Fact]
+    public void Scrub_NullCredentials_ReturnsTextUnchanged()
+    {
+        Assert.Equal("plain text", CredentialRedactor.Scrub("plain text", null));
+    }
+
+    [Fact]
+    public void Scrub_NullText_ReturnsEmpty()
+    {
+        Assert.Equal(string.Empty, CredentialRedactor.Scrub(null, "user:pass"));
+    }
+}