up

src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.RecordMode.cs

@@ -0,0 +1,104 @@
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Net.Http.Json;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using StellaOps.Replay.Core;
+using StellaOps.Scanner.Reachability;
+using StellaOps.Scanner.Storage.ObjectStore;
+using StellaOps.Scanner.WebService.Replay;
+using StellaOps.Scanner.WebService.Services;
+using Xunit;
+
+namespace StellaOps.Scanner.WebService.Tests;
+
+public sealed partial class ScansEndpointsTests
+{
+    [Fact]
+    public async Task RecordModeService_StoresBundlesAndAttachesReplay()
+    {
+        using var secrets = new TestSurfaceSecretsScope();
+        var store = new InMemoryArtifactObjectStore();
+
+        using var factory = new ScannerApplicationFactory(configureConfiguration: cfg =>
+        {
+            cfg["scanner:artifactStore:bucket"] = "replay-bucket";
+        },
+        configureServices: services =>
+        {
+            services.RemoveAll<IArtifactObjectStore>();
+            services.AddSingleton<IArtifactObjectStore>(store);
+        });
+
+        using var client = factory.CreateClient();
+        var submit = await client.PostAsJsonAsync("/api/v1/scans", new { image = new { digest = "sha256:demo" } });
+        submit.EnsureSuccessStatusCode();
+        var scanId = (await submit.Content.ReadFromJsonAsync<ScanSubmitResponse>())!.ScanId;
+
+        using var scope = factory.Services.CreateScope();
+        var recordMode = scope.ServiceProvider.GetRequiredService<IRecordModeService>();
+        var coordinator = scope.ServiceProvider.GetRequiredService<IScanCoordinator>();
+
+        var request = new RecordModeRequest(
+            scanId,
+            "sha256:demo",
+            "sha256:sbom",
+            "sha256:findings",
+            Encoding.UTF8.GetBytes("{}"),
+            Encoding.UTF8.GetBytes("[]"),
+            ReadOnlyMemory<byte>.Empty,
+            Encoding.UTF8.GetBytes("logs"))
+        {
+            PolicyDigest = "sha256:policy",
+            FeedSnapshot = "feed-001",
+            Toolchain = "scanner/1.0",
+            AnalyzerSetDigest = "sha256:analyzers",
+            ReachabilityAnalysisId = "reach-123",
+            ReachabilityGraphs = new[] { new ReachabilityReplayGraph("static", "cas://g/aa", "aa", "reach", "1.0") },
+            ReachabilityTraces = new[] { new ReachabilityReplayTrace("runtime", "cas://t/bb", "bb", DateTimeOffset.UtcNow) },
+            ScanTime = DateTimeOffset.UtcNow
+        };
+
+        var result = await recordMode.RecordAsync(request, coordinator);
+
+        Assert.NotNull(result);
+        Assert.Equal("sha256:sbom", result.Run.Outputs.Sbom);
+        Assert.True(store.Objects.Count >= 2);
+
+        var status = await client.GetFromJsonAsync<ScanStatusResponse>($"/api/v1/scans/{scanId}");
+        Assert.NotNull(status!.Replay);
+        Assert.Equal(result.Artifacts.ManifestHash, status.Replay!.ManifestHash);
+    }
+
+    private sealed class InMemoryArtifactObjectStore : IArtifactObjectStore
+    {
+        public ConcurrentDictionary<string, byte[]> Objects { get; } = new(StringComparer.Ordinal);
+
+        public Task DeleteAsync(ArtifactObjectDescriptor descriptor, CancellationToken cancellationToken)
+        {
+            Objects.TryRemove(descriptor.Key, out _);
+            return Task.CompletedTask;
+        }
+
+        public Task<Stream?> GetAsync(ArtifactObjectDescriptor descriptor, CancellationToken cancellationToken)
+        {
+            if (Objects.TryGetValue(descriptor.Key, out var bytes))
+            {
+                return Task.FromResult<Stream?>(new MemoryStream(bytes, writable: false));
+            }
+
+            return Task.FromResult<Stream?>(null);
+        }
+
+        public Task PutAsync(ArtifactObjectDescriptor descriptor, Stream content, CancellationToken cancellationToken)
+        {
+            using var buffer = new MemoryStream();
+            content.CopyTo(buffer);
+            Objects[descriptor.Key] = buffer.ToArray();
+            return Task.CompletedTask;
+        }
+    }
+}

src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScansEndpointsTests.cs

@@ -72,6 +72,44 @@ public sealed partial class ScansEndpointsTests
         Assert.True(coordinator.LastToken.CanBeCanceled);
     }
 
+    [Fact]
+    public async Task SubmitScanAddsDeterminismPinsToMetadata()
+    {
+        using var secrets = new TestSurfaceSecretsScope();
+        RecordingCoordinator coordinator = null!;
+
+        using var factory = new ScannerApplicationFactory(configuration =>
+        {
+            configuration["scanner:determinism:feedSnapshotId"] = "feed-2025-11-26";
+            configuration["scanner:determinism:policySnapshotId"] = "rev-42";
+        }, configureServices: services =>
+        {
+            services.AddSingleton<IScanCoordinator>(sp =>
+            {
+                coordinator = new RecordingCoordinator(
+                    sp.GetRequiredService<IHttpContextAccessor>(),
+                    sp.GetRequiredService<TimeProvider>(),
+                    sp.GetRequiredService<IScanProgressPublisher>());
+                return coordinator;
+            });
+        });
+
+        using var client = factory.CreateClient();
+        var request = new ScanSubmitRequest
+        {
+            Image = new ScanImageDescriptor { Reference = "example.com/demo:1.0" }
+        };
+
+        var response = await client.PostAsJsonAsync("/api/v1/scans", request);
+
+        Assert.Equal(HttpStatusCode.Accepted, response.StatusCode);
+        Assert.NotNull(coordinator?.LastSubmission);
+        var metadata = coordinator!.LastSubmission!.Metadata;
+
+        Assert.Equal("feed-2025-11-26", metadata["determinism.feed"]);
+        Assert.Equal("rev-42", metadata["determinism.policy"]);
+    }
+
     [Fact]
     public async Task GetEntryTraceReturnsStoredResult()
     {
@@ -154,11 +192,13 @@ public sealed partial class ScansEndpointsTests
 
         public CancellationToken LastToken { get; private set; }
         public bool TokenMatched { get; private set; }
+        public ScanSubmission? LastSubmission { get; private set; }
 
         public async ValueTask<ScanSubmissionResult> SubmitAsync(ScanSubmission submission, CancellationToken cancellationToken)
         {
             LastToken = cancellationToken;
             TokenMatched = _accessor.HttpContext?.RequestAborted.Equals(cancellationToken) ?? false;
+            LastSubmission = submission;
             return await _inner.SubmitAsync(submission, cancellationToken);
         }