using System.Text.Json;
using StellaOps.Aoc;

namespace StellaOps.Aoc.Tests;

/// <summary>
/// Unit tests for <see cref="AocWriteGuard"/>, run against small hand-written JSON documents.
/// </summary>
/// <remarks>
/// Each fixture is a variation on the same baseline: <c>tenant</c>, <c>source</c>,
/// <c>upstream</c>, <c>content</c> and <c>linkset</c>. The identifiers and the digest
/// (<c>GHSA-xxxx</c>, <c>sha256:abc</c>) are placeholders. The success tests show the guard
/// accepting <c>sha256:abc</c>, so nothing in this class exercises digest-format or
/// digest-correctness checking.
/// </remarks>
public sealed class AocWriteGuardTests
{
    // One guard instance is shared by every test in the class.
    private static readonly AocWriteGuard Guard = new();

    /// <summary>
    /// The baseline document with an unsigned upstream (<c>signature.present</c> is false)
    /// validates with no violations.
    /// </summary>
    [Fact]
    public void Validate_ReturnsSuccess_ForMinimalValidDocument()
    {
        using var payload = JsonDocument.Parse("""
            {
              "tenant": "default",
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": false }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {}
            }
            """);
        JsonElement root = payload.RootElement;

        var outcome = Guard.Validate(root);

        Assert.True(outcome.IsValid);
        Assert.Empty(outcome.Violations);
    }

    /// <summary>
    /// Top-level <c>links</c> and <c>advisory_key</c> are accepted when no options are passed.
    /// </summary>
    [Fact]
    public void Validate_AllowsLinksAndAdvisoryKey_ByDefault()
    {
        using var payload = JsonDocument.Parse("""
            {
              "tenant": "default",
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": false }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {},
              "links": [
                { "scheme": "cve", "value": "CVE-2025-0001" }
              ],
              "advisory_key": "ghsa-xxxx"
            }
            """);
        JsonElement root = payload.RootElement;

        var outcome = Guard.Validate(root);

        Assert.True(outcome.IsValid);
        Assert.Empty(outcome.Violations);
    }

    /// <summary>
    /// A document with no <c>tenant</c> property is rejected with <c>ERR_AOC_004</c>
    /// reported at <c>/tenant</c>.
    /// </summary>
    [Fact]
    public void Validate_FlagsMissingTenant()
    {
        using var payload = JsonDocument.Parse("""
            {
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": false }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {}
            }
            """);
        JsonElement root = payload.RootElement;

        var outcome = Guard.Validate(root);

        Assert.False(outcome.IsValid);
        Assert.Contains(
            outcome.Violations,
            violation => violation.ErrorCode == "ERR_AOC_004" && violation.Path == "/tenant");
    }

    /// <summary>
    /// A top-level <c>severity</c> value is rejected with <c>ERR_AOC_001</c> at <c>/severity</c>.
    /// </summary>
    /// <remarks>
    /// The fixture also carries a top-level <c>identifiers</c> object, but only the
    /// <c>/severity</c> violation is asserted. This test therefore does not pin how, or
    /// whether, <c>identifiers</c> is reported.
    /// </remarks>
    [Fact]
    public void Validate_FlagsForbiddenField()
    {
        using var payload = JsonDocument.Parse("""
            {
              "tenant": "default",
              "identifiers": {},
              "severity": "high",
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": false }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {}
            }
            """);
        JsonElement root = payload.RootElement;

        var outcome = Guard.Validate(root);

        Assert.False(outcome.IsValid);
        Assert.Contains(
            outcome.Violations,
            violation => violation.ErrorCode == "ERR_AOC_001" && violation.Path == "/severity");
    }

    /// <summary>
    /// A top-level property that default validation does not accept (<c>custom_field</c>) is
    /// rejected with <c>ERR_AOC_007</c> at <c>/custom_field</c>.
    /// </summary>
    [Fact]
    public void Validate_FlagsUnknownField()
    {
        using var payload = JsonDocument.Parse("""
            {
              "tenant": "default",
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": false }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {},
              "custom_field": {"extra": true}
            }
            """);
        JsonElement root = payload.RootElement;

        var outcome = Guard.Validate(root);

        Assert.False(outcome.IsValid);
        Assert.Contains(
            outcome.Violations,
            violation => violation.ErrorCode == "ERR_AOC_007" && violation.Path == "/custom_field");
    }

    /// <summary>
    /// The document rejected by <see cref="Validate_FlagsUnknownField"/> becomes valid once
    /// <c>custom_field</c> is added to the allowed top-level fields.
    /// </summary>
    /// <remarks>
    /// Only <c>IsValid</c> is asserted here; the violation list is not inspected.
    /// </remarks>
    [Fact]
    public void Validate_AllowsCustomField_WhenConfigured()
    {
        using var payload = JsonDocument.Parse("""
            {
              "tenant": "default",
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": false }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {},
              "custom_field": {"extra": true}
            }
            """);
        JsonElement root = payload.RootElement;

        // The allow-list is whatever Add returns for the defaults plus "custom_field".
        // NOTE(review): presumably an immutable set, leaving the shared defaults unchanged; confirm.
        var widenedAllowList = AocGuardOptions.Default.AllowedTopLevelFields.Add("custom_field");
        var options = new AocGuardOptions
        {
            AllowedTopLevelFields = widenedAllowList
        };

        var outcome = Guard.Validate(root, options);

        Assert.True(outcome.IsValid);
    }

    /// <summary>
    /// An upstream that declares <c>signature.present</c> as true but supplies only
    /// <c>format</c> is rejected with <c>ERR_AOC_005</c>.
    /// </summary>
    /// <remarks>
    /// The path is matched loosely: any violation path containing <c>/sig</c> satisfies the
    /// assertion. The test therefore does not pin which signature member the guard reports.
    /// </remarks>
    [Fact]
    public void Validate_FlagsInvalidSignatureMetadata()
    {
        using var payload = JsonDocument.Parse("""
            {
              "tenant": "default",
              "source": {"vendor": "osv"},
              "upstream": {
                "upstream_id": "GHSA-xxxx",
                "content_hash": "sha256:abc",
                "signature": { "present": true, "format": "dsse" }
              },
              "content": {
                "format": "OSV",
                "raw": {"id": "GHSA-xxxx"}
              },
              "linkset": {}
            }
            """);
        JsonElement root = payload.RootElement;

        var outcome = Guard.Validate(root);

        Assert.False(outcome.IsValid);
        Assert.Contains(
            outcome.Violations,
            violation => violation.ErrorCode == "ERR_AOC_005" && violation.Path.Contains("/sig"));
    }
}