up

src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/BinaryReachabilityLifterTests.cs

@@ -530,9 +530,9 @@ public class BinaryReachabilityLifterTests
         var coff = peHeaderOffset + 4;
         WriteU16LE(buffer, coff + 0, 0x8664); // Machine
         WriteU16LE(buffer, coff + 2, 1); // NumberOfSections
-        WriteU32LE(buffer, coff + 16, 0); // NumberOfSymbols
-        WriteU16LE(buffer, coff + 16 + 4, (ushort)optionalHeaderSize); // SizeOfOptionalHeader
-        WriteU16LE(buffer, coff + 16 + 6, 0x22); // Characteristics
+        WriteU32LE(buffer, coff + 12, 0); // NumberOfSymbols
+        WriteU16LE(buffer, coff + 16, (ushort)optionalHeaderSize); // SizeOfOptionalHeader
+        WriteU16LE(buffer, coff + 18, 0x22); // Characteristics
 
         var opt = peHeaderOffset + 24;
         WriteU16LE(buffer, opt + 0, 0x20b); // PE32+

src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/FakeFileContentAddressableStore.cs

@@ -11,6 +11,9 @@ internal sealed class FakeFileContentAddressableStore : IFileContentAddressableS
 {
     private readonly ConcurrentDictionary<string, byte[]> store = new();
 
+    public byte[]? GetBytes(string key)
+        => store.TryGetValue(key, out var bytes) ? bytes : null;
+
     public ValueTask<FileCasEntry?> TryGetAsync(string sha256, CancellationToken cancellationToken = default)
     {
         if (store.TryGetValue(sha256, out var bytes))

src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/RichGraphPublisherTests.cs

@@ -1,3 +1,5 @@
+using System;
+using System.Text.Json;
 using System.Threading.Tasks;
 using StellaOps.Cryptography;
 using StellaOps.Scanner.Reachability;
@@ -24,6 +26,46 @@ public class RichGraphPublisherTests
 
         Assert.Contains(":", result.GraphHash); // hash format: algorithm:digest
         Assert.StartsWith("cas://reachability/graphs/", result.CasUri);
+        Assert.StartsWith("cas://reachability/graphs/", result.DsseCasUri);
+        Assert.EndsWith(".dsse", result.DsseCasUri, StringComparison.Ordinal);
+        Assert.StartsWith("sha256:", result.DsseDigest, StringComparison.Ordinal);
         Assert.Equal(1, result.NodeCount);
+
+        var casKey = result.CasUri[(result.CasUri.LastIndexOf('/') + 1)..];
+        var dsseKey = $"{casKey}.dsse";
+        var dsseBytes = cas.GetBytes(dsseKey);
+        Assert.NotNull(dsseBytes);
+
+        using var dsseDoc = JsonDocument.Parse(dsseBytes!);
+        Assert.Equal(
+            "application/vnd.stellaops.graph.predicate+json",
+            dsseDoc.RootElement.GetProperty("payloadType").GetString());
+
+        var payloadBase64Url = dsseDoc.RootElement.GetProperty("payload").GetString();
+        Assert.False(string.IsNullOrWhiteSpace(payloadBase64Url));
+
+        var payloadBytes = Base64UrlDecode(payloadBase64Url!);
+        using var payloadDoc = JsonDocument.Parse(payloadBytes);
+        Assert.Equal(
+            result.GraphHash,
+            payloadDoc.RootElement.GetProperty("hashes").GetProperty("graphHash").GetString());
+        Assert.Equal(
+            result.CasUri,
+            payloadDoc.RootElement.GetProperty("cas").GetProperty("location").GetString());
+
+        var signature = dsseDoc.RootElement.GetProperty("signatures")[0];
+        Assert.Equal("scanner-deterministic", signature.GetProperty("keyid").GetString());
+    }
+
+    private static byte[] Base64UrlDecode(string value)
+    {
+        var normalized = value.Replace('-', '+').Replace('_', '/');
+        var remainder = normalized.Length % 4;
+        if (remainder != 0)
+        {
+            normalized = normalized.PadRight(normalized.Length + (4 - remainder), '=');
+        }
+
+        return Convert.FromBase64String(normalized);
     }
 }