sprints and audit work

2026-01-07 09:36:16 +02:00
parent 05833e0af2
commit ab364c6032
377 changed files with 64534 additions and 1627 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/LayerSbomEndpointsTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/LayerSbomEndpointsTests.cs
@@ -0,0 +1,616 @@
+// -----------------------------------------------------------------------------
+// LayerSbomEndpointsTests.cs
+// Sprint: SPRINT_20260106_003_001_SCANNER_perlayer_sbom_api
+// Task: T016 - Integration tests for layer SBOM API
+// Description: Integration tests for per-layer SBOM and composition recipe endpoints.
+// -----------------------------------------------------------------------------
+
+using System.Collections.Concurrent;
+using System.Collections.Immutable;
+using System.Net;
+using System.Net.Http.Json;
+using System.Text;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using StellaOps.Scanner.Emit.Composition;
+using StellaOps.Scanner.WebService.Contracts;
+using StellaOps.Scanner.WebService.Domain;
+using StellaOps.Scanner.WebService.Services;
+using StellaOps.TestKit;
+
+namespace StellaOps.Scanner.WebService.Tests;
+
+[Trait("Category", TestCategories.Integration)]
+public sealed class LayerSbomEndpointsTests
+{
+    private const string BasePath = "/api/v1/scans";
+
+    #region List Layers Tests
+
+    [Fact]
+    public async Task ListLayers_WhenScanExists_ReturnsLayers()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(3));
+        var stubCoordinator = new StubScanCoordinator();
+        stubCoordinator.AddScan(scanId, "sha256:image123");
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.RemoveAll<IScanCoordinator>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+                services.AddSingleton<IScanCoordinator>(stubCoordinator);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/layers");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<LayerListResponseDto>();
+        Assert.NotNull(result);
+        Assert.Equal(scanId, result!.ScanId);
+        Assert.Equal("sha256:image123", result.ImageDigest);
+        Assert.Equal(3, result.Layers.Count);
+        Assert.All(result.Layers, l => Assert.True(l.HasSbom));
+    }
+
+    [Fact]
+    public async Task ListLayers_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService, InMemoryLayerSbomService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/scan-not-found/layers");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task ListLayers_LayersOrderedByOrder()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        var layers = new[]
+        {
+            CreateLayerSummary("sha256:layer2", 2, 15),
+            CreateLayerSummary("sha256:layer0", 0, 42),
+            CreateLayerSummary("sha256:layer1", 1, 8),
+        };
+        mockService.AddScan(scanId, "sha256:image123", layers);
+        var stubCoordinator = new StubScanCoordinator();
+        stubCoordinator.AddScan(scanId, "sha256:image123");
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.RemoveAll<IScanCoordinator>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+                services.AddSingleton<IScanCoordinator>(stubCoordinator);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/layers");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<LayerListResponseDto>();
+        Assert.NotNull(result);
+        // Verify layer order is as stored (service already orders by Order)
+        Assert.Equal(0, result!.Layers[0].Order);
+        Assert.Equal(1, result.Layers[1].Order);
+        Assert.Equal(2, result.Layers[2].Order);
+    }
+
+    #endregion
+
+    #region Get Layer SBOM Tests
+
+    [Fact]
+    public async Task GetLayerSbom_DefaultFormat_ReturnsCycloneDx()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var layerDigest = "sha256:layer123";
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(1, layerDigest));
+        mockService.AddLayerSbom(scanId, layerDigest, "cdx", CreateTestSbomBytes("cyclonedx"));
+        mockService.AddLayerSbom(scanId, layerDigest, "spdx", CreateTestSbomBytes("spdx"));
+        var stubCoordinator = new StubScanCoordinator();
+        stubCoordinator.AddScan(scanId, "sha256:image123");
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.RemoveAll<IScanCoordinator>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+                services.AddSingleton<IScanCoordinator>(stubCoordinator);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/layers/{layerDigest}/sbom");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("cyclonedx", response.Content.Headers.ContentType?.ToString());
+        var content = await response.Content.ReadAsStringAsync();
+        Assert.Contains("cyclonedx", content);
+    }
+
+    [Fact]
+    public async Task GetLayerSbom_SpdxFormat_ReturnsSpdx()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var layerDigest = "sha256:layer123";
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(1, layerDigest));
+        mockService.AddLayerSbom(scanId, layerDigest, "cdx", CreateTestSbomBytes("cyclonedx"));
+        mockService.AddLayerSbom(scanId, layerDigest, "spdx", CreateTestSbomBytes("spdx"));
+        var stubCoordinator = new StubScanCoordinator();
+        stubCoordinator.AddScan(scanId, "sha256:image123");
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.RemoveAll<IScanCoordinator>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+                services.AddSingleton<IScanCoordinator>(stubCoordinator);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/layers/{layerDigest}/sbom?format=spdx");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("spdx", response.Content.Headers.ContentType?.ToString());
+        var content = await response.Content.ReadAsStringAsync();
+        Assert.Contains("spdx", content);
+    }
+
+    [Fact]
+    public async Task GetLayerSbom_SetsImmutableCacheHeaders()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var layerDigest = "sha256:layer123";
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(1, layerDigest));
+        mockService.AddLayerSbom(scanId, layerDigest, "cdx", CreateTestSbomBytes("cyclonedx"));
+        var stubCoordinator = new StubScanCoordinator();
+        stubCoordinator.AddScan(scanId, "sha256:image123");
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.RemoveAll<IScanCoordinator>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+                services.AddSingleton<IScanCoordinator>(stubCoordinator);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/layers/{layerDigest}/sbom");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.NotNull(response.Headers.ETag);
+        Assert.Contains("immutable", response.Headers.CacheControl?.ToString());
+        Assert.True(response.Headers.Contains("X-StellaOps-Layer-Digest"));
+        Assert.True(response.Headers.Contains("X-StellaOps-Format"));
+    }
+
+    [Fact]
+    public async Task GetLayerSbom_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService, InMemoryLayerSbomService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/scan-not-found/layers/sha256:layer123/sbom");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetLayerSbom_WhenLayerNotFound_Returns404()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(1));
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/layers/sha256:nonexistent/sbom");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    #endregion
+
+    #region Composition Recipe Tests
+
+    [Fact]
+    public async Task GetCompositionRecipe_WhenExists_ReturnsRecipe()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(2));
+        mockService.AddCompositionRecipe(scanId, CreateTestRecipe(scanId, "sha256:image123", 2));
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/composition-recipe");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<CompositionRecipeResponseDto>();
+        Assert.NotNull(result);
+        Assert.Equal(scanId, result!.ScanId);
+        Assert.Equal("sha256:image123", result.ImageDigest);
+        Assert.NotNull(result.Recipe);
+        Assert.Equal(2, result.Recipe.Layers.Count);
+        Assert.NotNull(result.Recipe.MerkleRoot);
+    }
+
+    [Fact]
+    public async Task GetCompositionRecipe_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService, InMemoryLayerSbomService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/scan-not-found/composition-recipe");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetCompositionRecipe_WhenRecipeNotAvailable_Returns404()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(1));
+        // Note: not adding composition recipe
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/composition-recipe");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    #endregion
+
+    #region Verify Composition Recipe Tests
+
+    [Fact]
+    public async Task VerifyCompositionRecipe_WhenValid_ReturnsSuccess()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(2));
+        mockService.SetVerificationResult(scanId, new CompositionRecipeVerificationResult
+        {
+            Valid = true,
+            MerkleRootMatch = true,
+            LayerDigestsMatch = true,
+            Errors = ImmutableArray<string>.Empty,
+        });
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.PostAsync($"{BasePath}/{scanId}/composition-recipe/verify", null);
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<CompositionRecipeVerificationResponseDto>();
+        Assert.NotNull(result);
+        Assert.True(result!.Valid);
+        Assert.True(result.MerkleRootMatch);
+        Assert.True(result.LayerDigestsMatch);
+        Assert.Null(result.Errors);
+    }
+
+    [Fact]
+    public async Task VerifyCompositionRecipe_WhenInvalid_ReturnsErrors()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryLayerSbomService();
+        mockService.AddScan(scanId, "sha256:image123", CreateTestLayers(2));
+        mockService.SetVerificationResult(scanId, new CompositionRecipeVerificationResult
+        {
+            Valid = false,
+            MerkleRootMatch = false,
+            LayerDigestsMatch = true,
+            Errors = ImmutableArray.Create("Merkle root mismatch: expected sha256:abc, got sha256:def"),
+        });
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.PostAsync($"{BasePath}/{scanId}/composition-recipe/verify", null);
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var result = await response.Content.ReadFromJsonAsync<CompositionRecipeVerificationResponseDto>();
+        Assert.NotNull(result);
+        Assert.False(result!.Valid);
+        Assert.False(result.MerkleRootMatch);
+        Assert.NotNull(result.Errors);
+        Assert.Single(result.Errors!);
+        Assert.Contains("Merkle root mismatch", result.Errors![0]);
+    }
+
+    [Fact]
+    public async Task VerifyCompositionRecipe_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<ILayerSbomService>();
+                services.AddSingleton<ILayerSbomService, InMemoryLayerSbomService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.PostAsync($"{BasePath}/scan-not-found/composition-recipe/verify", null);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    #endregion
+
+    #region Test Helpers
+
+    private static LayerSummary[] CreateTestLayers(int count, string? specificDigest = null)
+    {
+        var layers = new LayerSummary[count];
+        for (int i = 0; i < count; i++)
+        {
+            layers[i] = CreateLayerSummary(
+                i == 0 && specificDigest != null ? specificDigest : $"sha256:layer{i}",
+                i,
+                10 + i * 5);
+        }
+        return layers;
+    }
+
+    private static LayerSummary CreateLayerSummary(string digest, int order, int componentCount)
+    {
+        return new LayerSummary
+        {
+            LayerDigest = digest,
+            Order = order,
+            HasSbom = true,
+            ComponentCount = componentCount,
+        };
+    }
+
+    private static byte[] CreateTestSbomBytes(string format)
+    {
+        var content = format == "spdx"
+            ? """{"spdxVersion":"SPDX-3.0.1","format":"spdx"}"""
+            : """{"bomFormat":"CycloneDX","specVersion":"1.7","format":"cyclonedx"}""";
+        return Encoding.UTF8.GetBytes(content);
+    }
+
+    private static CompositionRecipeResponse CreateTestRecipe(string scanId, string imageDigest, int layerCount)
+    {
+        var layers = new CompositionRecipeLayer[layerCount];
+        for (int i = 0; i < layerCount; i++)
+        {
+            layers[i] = new CompositionRecipeLayer
+            {
+                Digest = $"sha256:layer{i}",
+                Order = i,
+                FragmentDigest = $"sha256:frag{i}",
+                SbomDigests = new LayerSbomDigests
+                {
+                    CycloneDx = $"sha256:cdx{i}",
+                    Spdx = $"sha256:spdx{i}",
+                },
+                ComponentCount = 10 + i * 5,
+            };
+        }
+
+        return new CompositionRecipeResponse
+        {
+            ScanId = scanId,
+            ImageDigest = imageDigest,
+            CreatedAt = DateTimeOffset.UtcNow.ToString("O"),
+            Recipe = new CompositionRecipe
+            {
+                Version = "1.0.0",
+                GeneratorName = "StellaOps.Scanner",
+                GeneratorVersion = "2026.04",
+                Layers = layers.ToImmutableArray(),
+                MerkleRoot = "sha256:merkleroot123",
+                AggregatedSbomDigests = new AggregatedSbomDigests
+                {
+                    CycloneDx = "sha256:finalcdx",
+                    Spdx = "sha256:finalspdx",
+                },
+            },
+        };
+    }
+
+    #endregion
+}
+
+/// <summary>
+/// In-memory implementation of ILayerSbomService for testing.
+/// </summary>
+internal sealed class InMemoryLayerSbomService : ILayerSbomService
+{
+    private readonly Dictionary<string, (string ImageDigest, LayerSummary[] Layers)> _scans = new(StringComparer.OrdinalIgnoreCase);
+    private readonly Dictionary<(string ScanId, string LayerDigest, string Format), byte[]> _layerSboms = new();
+    private readonly Dictionary<string, CompositionRecipeResponse> _recipes = new(StringComparer.OrdinalIgnoreCase);
+    private readonly Dictionary<string, CompositionRecipeVerificationResult> _verificationResults = new(StringComparer.OrdinalIgnoreCase);
+
+    public void AddScan(string scanId, string imageDigest, LayerSummary[] layers)
+    {
+        _scans[scanId] = (imageDigest, layers);
+    }
+
+    public bool HasScan(string scanId) => _scans.ContainsKey(scanId);
+
+    public (string ImageDigest, LayerSummary[] Layers)? GetScanData(string scanId)
+    {
+        if (_scans.TryGetValue(scanId, out var data))
+            return data;
+        return null;
+    }
+
+    public void AddLayerSbom(string scanId, string layerDigest, string format, byte[] sbomBytes)
+    {
+        _layerSboms[(scanId, layerDigest, format)] = sbomBytes;
+    }
+
+    public void AddCompositionRecipe(string scanId, CompositionRecipeResponse recipe)
+    {
+        _recipes[scanId] = recipe;
+    }
+
+    public void SetVerificationResult(string scanId, CompositionRecipeVerificationResult result)
+    {
+        _verificationResults[scanId] = result;
+    }
+
+    public Task<ImmutableArray<LayerSummary>> GetLayerSummariesAsync(
+        ScanId scanId,
+        CancellationToken cancellationToken = default)
+    {
+        if (!_scans.TryGetValue(scanId.Value, out var scanData))
+        {
+            return Task.FromResult(ImmutableArray<LayerSummary>.Empty);
+        }
+
+        return Task.FromResult(scanData.Layers.OrderBy(l => l.Order).ToImmutableArray());
+    }
+
+    public Task<byte[]?> GetLayerSbomAsync(
+        ScanId scanId,
+        string layerDigest,
+        string format,
+        CancellationToken cancellationToken = default)
+    {
+        if (_layerSboms.TryGetValue((scanId.Value, layerDigest, format), out var sbomBytes))
+        {
+            return Task.FromResult<byte[]?>(sbomBytes);
+        }
+
+        return Task.FromResult<byte[]?>(null);
+    }
+
+    public Task<CompositionRecipeResponse?> GetCompositionRecipeAsync(
+        ScanId scanId,
+        CancellationToken cancellationToken = default)
+    {
+        if (_recipes.TryGetValue(scanId.Value, out var recipe))
+        {
+            return Task.FromResult<CompositionRecipeResponse?>(recipe);
+        }
+
+        return Task.FromResult<CompositionRecipeResponse?>(null);
+    }
+
+    public Task<CompositionRecipeVerificationResult?> VerifyCompositionRecipeAsync(
+        ScanId scanId,
+        CancellationToken cancellationToken = default)
+    {
+        if (_verificationResults.TryGetValue(scanId.Value, out var result))
+        {
+            return Task.FromResult<CompositionRecipeVerificationResult?>(result);
+        }
+
+        return Task.FromResult<CompositionRecipeVerificationResult?>(null);
+    }
+
+    public Task StoreLayerSbomsAsync(
+        ScanId scanId,
+        string imageDigest,
+        LayerSbomCompositionResult result,
+        CancellationToken cancellationToken = default)
+    {
+        // Not implemented for tests
+        return Task.CompletedTask;
+    }
+}
+
+/// <summary>
+/// Stub IScanCoordinator that returns snapshots for registered scans.
+/// </summary>
+internal sealed class StubScanCoordinator : IScanCoordinator
+{
+    private readonly ConcurrentDictionary<string, ScanSnapshot> _scans = new(StringComparer.OrdinalIgnoreCase);
+
+    public void AddScan(string scanId, string imageDigest)
+    {
+        var snapshot = new ScanSnapshot(
+            ScanId.Parse(scanId),
+            new ScanTarget("test-image", imageDigest, null),
+            ScanStatus.Completed,
+            DateTimeOffset.UtcNow.AddMinutes(-5),
+            DateTimeOffset.UtcNow,
+            null, null, null);
+        _scans[scanId] = snapshot;
+    }
+
+    public ValueTask<ScanSubmissionResult> SubmitAsync(ScanSubmission submission, CancellationToken cancellationToken)
+        => throw new NotImplementedException();
+
+    public ValueTask<ScanSnapshot?> GetAsync(ScanId scanId, CancellationToken cancellationToken)
+    {
+        if (_scans.TryGetValue(scanId.Value, out var snapshot))
+        {
+            return ValueTask.FromResult<ScanSnapshot?>(snapshot);
+        }
+        return ValueTask.FromResult<ScanSnapshot?>(null);
+    }
+
+    public ValueTask<ScanSnapshot?> TryFindByTargetAsync(string? reference, string? digest, CancellationToken cancellationToken)
+        => ValueTask.FromResult<ScanSnapshot?>(null);
+
+    public ValueTask<bool> AttachReplayAsync(ScanId scanId, ReplayArtifacts replay, CancellationToken cancellationToken)
+        => ValueTask.FromResult(false);
+
+    public ValueTask<bool> AttachEntropyAsync(ScanId scanId, EntropySnapshot entropy, CancellationToken cancellationToken)
+        => ValueTask.FromResult(false);
+}
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj
@@ -10,6 +10,7 @@
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="../../StellaOps.Scanner.WebService/StellaOps.Scanner.WebService.csproj" />
+    <ProjectReference Include="../../__Libraries/StellaOps.Scanner.Gate/StellaOps.Scanner.Gate.csproj" />
    <ProjectReference Include="../../../__Tests/__Libraries/StellaOps.Infrastructure.Postgres.Testing/StellaOps.Infrastructure.Postgres.Testing.csproj" />
    <ProjectReference Include="../../../__Libraries/StellaOps.TestKit/StellaOps.TestKit.csproj" />
    <ProjectReference Include="../../../Authority/__Libraries/StellaOps.Authority.Persistence/StellaOps.Authority.Persistence.csproj" />
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/VexGateEndpointsTests.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/VexGateEndpointsTests.cs
@@ -0,0 +1,361 @@
+// -----------------------------------------------------------------------------
+// VexGateEndpointsTests.cs
+// Sprint: SPRINT_20260106_003_002_SCANNER_vex_gate_service
+// Task: T025 - API integration tests
+// Description: Integration tests for VEX gate API endpoints.
+// -----------------------------------------------------------------------------
+
+using System.Net;
+using System.Net.Http.Json;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using StellaOps.Scanner.Gate;
+using StellaOps.Scanner.WebService.Contracts;
+using StellaOps.Scanner.WebService.Services;
+using StellaOps.TestKit;
+
+namespace StellaOps.Scanner.WebService.Tests;
+
+[Trait("Category", TestCategories.Integration)]
+public sealed class VexGateEndpointsTests
+{
+    private const string BasePath = "/api/v1/scans";
+
+    [Fact]
+    public async Task GetGatePolicy_ReturnsPolicy()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService, InMemoryVexGateQueryService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/gate-policy");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var policy = await response.Content.ReadFromJsonAsync<VexGatePolicyDto>();
+        Assert.NotNull(policy);
+        Assert.NotNull(policy!.Version);
+        Assert.NotNull(policy.Rules);
+    }
+
+    [Fact]
+    public async Task GetGatePolicy_WithTenantId_ReturnsPolicy()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService, InMemoryVexGateQueryService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/gate-policy?tenantId=tenant-a");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var policy = await response.Content.ReadFromJsonAsync<VexGatePolicyDto>();
+        Assert.NotNull(policy);
+    }
+
+    [Fact]
+    public async Task GetGateResults_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService, InMemoryVexGateQueryService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/scan-not-exists/gate-results");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetGateResults_WhenScanExists_ReturnsResults()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryVexGateQueryService();
+        mockService.AddScanResult(scanId, CreateTestGateResults(scanId));
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/gate-results");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var results = await response.Content.ReadFromJsonAsync<VexGateResultsResponse>();
+        Assert.NotNull(results);
+        Assert.Equal(scanId, results!.ScanId);
+        Assert.NotNull(results.GateSummary);
+        Assert.NotNull(results.GatedFindings);
+    }
+
+    [Fact]
+    public async Task GetGateResults_WithDecisionFilter_ReturnsFilteredResults()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryVexGateQueryService();
+        mockService.AddScanResult(scanId, CreateTestGateResults(scanId, blockedCount: 3, warnCount: 5, passCount: 10));
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/gate-results?decision=Block");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var results = await response.Content.ReadFromJsonAsync<VexGateResultsResponse>();
+        Assert.NotNull(results);
+        Assert.All(results!.GatedFindings, f => Assert.Equal("Block", f.Decision));
+    }
+
+    [Fact]
+    public async Task GetGateSummary_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService, InMemoryVexGateQueryService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/scan-not-exists/gate-summary");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetGateSummary_WhenScanExists_ReturnsSummary()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryVexGateQueryService();
+        mockService.AddScanResult(scanId, CreateTestGateResults(scanId, blockedCount: 2, warnCount: 8, passCount: 40));
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/gate-summary");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var summary = await response.Content.ReadFromJsonAsync<VexGateSummaryDto>();
+        Assert.NotNull(summary);
+        Assert.Equal(50, summary!.TotalFindings);
+        Assert.Equal(2, summary.Blocked);
+        Assert.Equal(8, summary.Warned);
+        Assert.Equal(40, summary.Passed);
+    }
+
+    [Fact]
+    public async Task GetBlockedFindings_WhenScanNotFound_Returns404()
+    {
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService, InMemoryVexGateQueryService>();
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/scan-not-exists/gate-blocked");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetBlockedFindings_WhenScanExists_ReturnsOnlyBlocked()
+    {
+        var scanId = "scan-" + Guid.NewGuid().ToString("N");
+        var mockService = new InMemoryVexGateQueryService();
+        mockService.AddScanResult(scanId, CreateTestGateResults(scanId, blockedCount: 5, warnCount: 10, passCount: 20));
+
+        using var factory = new ScannerApplicationFactory()
+            .WithOverrides(configureServices: services =>
+            {
+                services.RemoveAll<IVexGateQueryService>();
+                services.AddSingleton<IVexGateQueryService>(mockService);
+            });
+        using var client = factory.CreateClient();
+
+        var response = await client.GetAsync($"{BasePath}/{scanId}/gate-blocked");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var findings = await response.Content.ReadFromJsonAsync<List<GatedFindingDto>>();
+        Assert.NotNull(findings);
+        Assert.Equal(5, findings!.Count);
+        Assert.All(findings, f => Assert.Equal("Block", f.Decision));
+    }
+
+    private static VexGateResultsResponse CreateTestGateResults(
+        string scanId,
+        int blockedCount = 1,
+        int warnCount = 2,
+        int passCount = 7)
+    {
+        var findings = new List<GatedFindingDto>();
+        var totalFindings = blockedCount + warnCount + passCount;
+
+        for (int i = 0; i < blockedCount; i++)
+        {
+            findings.Add(CreateFinding($"CVE-2025-{1000 + i}", "Block", $"pkg:npm/vulnerable-lib@1.{i}.0"));
+        }
+
+        for (int i = 0; i < warnCount; i++)
+        {
+            findings.Add(CreateFinding($"CVE-2025-{2000 + i}", "Warn", $"pkg:npm/risky-lib@2.{i}.0"));
+        }
+
+        for (int i = 0; i < passCount; i++)
+        {
+            findings.Add(CreateFinding($"CVE-2025-{3000 + i}", "Pass", $"pkg:npm/safe-lib@3.{i}.0"));
+        }
+
+        return new VexGateResultsResponse
+        {
+            ScanId = scanId,
+            GateSummary = new VexGateSummaryDto
+            {
+                TotalFindings = totalFindings,
+                Passed = passCount,
+                Warned = warnCount,
+                Blocked = blockedCount,
+                EvaluatedAt = DateTimeOffset.UtcNow,
+            },
+            GatedFindings = findings,
+        };
+    }
+
+    private static GatedFindingDto CreateFinding(string cve, string decision, string purl)
+    {
+        return new GatedFindingDto
+        {
+            FindingId = $"finding-{Guid.NewGuid():N}",
+            Cve = cve,
+            Purl = purl,
+            Decision = decision,
+            Rationale = $"Test rationale for {decision}",
+            PolicyRuleMatched = decision switch
+            {
+                "Block" => "block-exploitable-reachable",
+                "Warn" => "warn-high-not-reachable",
+                "Pass" => "pass-vendor-not-affected",
+                _ => "default",
+            },
+            Evidence = new GateEvidenceDto
+            {
+                VendorStatus = decision == "Pass" ? "not_affected" : null,
+                IsReachable = decision == "Block",
+                HasCompensatingControl = false,
+                ConfidenceScore = 0.95,
+            },
+        };
+    }
+}
+
+/// <summary>
+/// In-memory implementation of IVexGateQueryService for testing.
+/// </summary>
+internal sealed class InMemoryVexGateQueryService : IVexGateQueryService
+{
+    private readonly Dictionary<string, VexGateResultsResponse> _scanResults = new(StringComparer.OrdinalIgnoreCase);
+
+    public void AddScanResult(string scanId, VexGateResultsResponse results)
+    {
+        _scanResults[scanId] = results;
+    }
+
+    public Task<VexGateResultsResponse?> GetGateResultsAsync(
+        string scanId,
+        VexGateResultsQuery? query,
+        CancellationToken cancellationToken = default)
+    {
+        if (!_scanResults.TryGetValue(scanId, out var results))
+        {
+            return Task.FromResult<VexGateResultsResponse?>(null);
+        }
+
+        // Apply query filters if present
+        if (query is not null)
+        {
+            var filteredFindings = results.GatedFindings.AsEnumerable();
+
+            if (!string.IsNullOrEmpty(query.Decision))
+            {
+                filteredFindings = filteredFindings.Where(f =>
+                    string.Equals(f.Decision, query.Decision, StringComparison.OrdinalIgnoreCase));
+            }
+
+            if (query.MinConfidence.HasValue)
+            {
+                filteredFindings = filteredFindings.Where(f =>
+                    f.Evidence?.ConfidenceScore >= query.MinConfidence.Value);
+            }
+
+            if (query.Offset.HasValue)
+            {
+                filteredFindings = filteredFindings.Skip(query.Offset.Value);
+            }
+
+            if (query.Limit.HasValue)
+            {
+                filteredFindings = filteredFindings.Take(query.Limit.Value);
+            }
+
+            return Task.FromResult<VexGateResultsResponse?>(new VexGateResultsResponse
+            {
+                ScanId = results.ScanId,
+                GateSummary = results.GateSummary,
+                GatedFindings = filteredFindings.ToList(),
+            });
+        }
+
+        return Task.FromResult<VexGateResultsResponse?>(results);
+    }
+
+    public Task<VexGatePolicyDto> GetPolicyAsync(
+        string? tenantId,
+        CancellationToken cancellationToken = default)
+    {
+        var defaultPolicy = VexGatePolicy.Default;
+        var policyDto = new VexGatePolicyDto
+        {
+            Version = "1.0.0",
+            DefaultDecision = defaultPolicy.DefaultDecision.ToString(),
+            Rules = defaultPolicy.Rules.Select(r => new VexGatePolicyRuleDto
+            {
+                RuleId = r.RuleId,
+                Priority = r.Priority,
+                Decision = r.Decision.ToString(),
+                Condition = new VexGatePolicyConditionDto
+                {
+                    VendorStatus = r.Condition.VendorStatus?.ToString(),
+                    IsExploitable = r.Condition.IsExploitable,
+                    IsReachable = r.Condition.IsReachable,
+                    HasCompensatingControl = r.Condition.HasCompensatingControl,
+                    SeverityLevels = r.Condition.SeverityLevels?.ToList(),
+                },
+            }).ToList(),
+        };
+
+        return Task.FromResult(policyDto);
+    }
+}