feat: add e2e tests for npm and PyPI patch lifecycles

Add full end-to-end tests that exercise the CLI against the public
Socket API:

- npm: minimist@1.2.2 patch (CVE-2021-44906, prototype pollution)
- PyPI: pydantic-ai@0.0.36 patch (CVE-2026-25580, SSRF)

Each test covers the complete lifecycle: get → list → rollback → apply
→ remove, plus a dry-run test per ecosystem. Tests are gated with
#[ignore] and run in CI via a dedicated e2e job on ubuntu and macos.

Also fixes a bug where patches with no beforeHash (new files added by a
patch) were silently dropped from the manifest. The apply and rollback
engines now handle empty beforeHash correctly:

- apply: creates new files, skips beforeHash verification
- rollback: deletes patch-created files instead of restoring from blob
- get: includes files in manifest even when beforeHash is absent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

.github/workflows/ci.yml

@@ -39,3 +39,52 @@ jobs:
 
       - name: Run tests
         run: cargo test --workspace
+
+  e2e:
+    needs: test
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            suite: e2e_npm
+          - os: ubuntu-latest
+            suite: e2e_pypi
+          - os: macos-latest
+            suite: e2e_npm
+          - os: macos-latest
+            suite: e2e_pypi
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ matrix.os }}-cargo-e2e-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ matrix.os }}-cargo-e2e-
+
+      - name: Setup Node.js
+        if: matrix.suite == 'e2e_npm'
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+
+      - name: Setup Python
+        if: matrix.suite == 'e2e_pypi'
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+
+      - name: Run e2e tests
+        run: cargo test -p socket-patch-cli --test ${{ matrix.suite }} -- --ignored

Cargo.lock

@@ -21,3 +21,7 @@ indicatif = { workspace = true }
 uuid = { workspace = true }
 regex = { workspace = true }
 tempfile = { workspace = true }
+
+[dev-dependencies]
+sha2 = { workspace = true }
+hex = { workspace = true }

crates/socket-patch-cli/Cargo.toml

@@ -550,13 +550,14 @@ async fn save_and_apply_patch(
     // Build and save patch record
     let mut files = HashMap::new();
     for (file_path, file_info) in &patch.files {
-        if let (Some(ref before), Some(ref after)) =
-            (&file_info.before_hash, &file_info.after_hash)
-        {
+        if let Some(ref after) = file_info.after_hash {
             files.insert(
                 file_path.clone(),
                 PatchFileInfo {
-                    before_hash: before.clone(),
+                    before_hash: file_info
+                        .before_hash
+                        .clone()
+                        .unwrap_or_default(),
                     after_hash: after.clone(),
                 },
             );
@@ -570,6 +571,16 @@ async fn save_and_apply_patch(
                     .ok();
             }
         }
+        // Also store beforeHash blob if present (needed for rollback)
+        if let (Some(ref before_blob), Some(ref before_hash)) =
+            (&file_info.before_blob_content, &file_info.before_hash)
+        {
+            if let Ok(decoded) = base64_decode(before_blob) {
+                tokio::fs::write(blobs_dir.join(before_hash), &decoded)
+                    .await
+                    .ok();
+            }
+        }
     }
 
     let vulnerabilities: HashMap<String, VulnerabilityInfo> = patch

crates/socket-patch-cli/src/commands/get.rs

@@ -0,0 +1,268 @@
+//! End-to-end tests for the npm patch lifecycle.
+//!
+//! These tests exercise the full CLI against the real Socket API, using the
+//! **minimist@1.2.2** patch (UUID `80630680-4da6-45f9-bba8-b888e0ffd58c`),
+//! which fixes CVE-2021-44906 (Prototype Pollution).
+//!
+//! # Prerequisites
+//! - `npm` on PATH
+//! - Network access to `patches-api.socket.dev` and `registry.npmjs.org`
+//!
+//! # Running
+//! ```sh
+//! cargo test -p socket-patch-cli --test e2e_npm -- --ignored
+//! ```
+
+use std::path::{Path, PathBuf};
+use std::process::{Command, Output};
+
+use sha2::{Digest, Sha256};
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const NPM_UUID: &str = "80630680-4da6-45f9-bba8-b888e0ffd58c";
+const NPM_PURL: &str = "pkg:npm/minimist@1.2.2";
+
+/// Git SHA-256 of the *unpatched* `index.js` shipped with minimist 1.2.2.
+const BEFORE_HASH: &str = "311f1e893e6eac502693fad8617dcf5353a043ccc0f7b4ba9fe385e838b67a10";
+
+/// Git SHA-256 of the *patched* `index.js` after the security fix.
+const AFTER_HASH: &str = "043f04d19e884aa5f8371428718d2a3f27a0d231afe77a2620ac6312f80aaa28";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+fn binary() -> PathBuf {
+    env!("CARGO_BIN_EXE_socket-patch").into()
+}
+
+fn has_command(cmd: &str) -> bool {
+    Command::new(cmd)
+        .arg("--version")
+        .stdout(std::process::Stdio::null())
+        .stderr(std::process::Stdio::null())
+        .status()
+        .is_ok()
+}
+
+/// Compute Git SHA-256: `SHA256("blob <len>\0" ++ content)`.
+fn git_sha256(content: &[u8]) -> String {
+    let header = format!("blob {}\0", content.len());
+    let mut hasher = Sha256::new();
+    hasher.update(header.as_bytes());
+    hasher.update(content);
+    hex::encode(hasher.finalize())
+}
+
+fn git_sha256_file(path: &Path) -> String {
+    let content = std::fs::read(path).unwrap_or_else(|e| panic!("read {}: {e}", path.display()));
+    git_sha256(&content)
+}
+
+/// Run the CLI binary with the given args, setting `cwd` as the working dir.
+/// Returns `(exit_code, stdout, stderr)`.
+fn run(cwd: &Path, args: &[&str]) -> (i32, String, String) {
+    let out: Output = Command::new(binary())
+        .args(args)
+        .current_dir(cwd)
+        .env_remove("SOCKET_API_TOKEN") // force public proxy (free-tier)
+        .output()
+        .expect("failed to execute socket-patch binary");
+
+    let code = out.status.code().unwrap_or(-1);
+    let stdout = String::from_utf8_lossy(&out.stdout).to_string();
+    let stderr = String::from_utf8_lossy(&out.stderr).to_string();
+    (code, stdout, stderr)
+}
+
+fn assert_run_ok(cwd: &Path, args: &[&str], context: &str) -> (String, String) {
+    let (code, stdout, stderr) = run(cwd, args);
+    assert_eq!(
+        code, 0,
+        "{context} failed (exit {code}).\nstdout:\n{stdout}\nstderr:\n{stderr}"
+    );
+    (stdout, stderr)
+}
+
+fn npm_run(cwd: &Path, args: &[&str]) {
+    let out = Command::new("npm")
+        .args(args)
+        .current_dir(cwd)
+        .output()
+        .expect("failed to run npm");
+    assert!(
+        out.status.success(),
+        "npm {args:?} failed (exit {:?}).\nstdout:\n{}\nstderr:\n{}",
+        out.status.code(),
+        String::from_utf8_lossy(&out.stdout),
+        String::from_utf8_lossy(&out.stderr),
+    );
+}
+
+/// Write a minimal package.json (avoids `npm init -y` which rejects temp dir
+/// names that start with `.` or contain invalid characters).
+fn write_package_json(cwd: &Path) {
+    std::fs::write(
+        cwd.join("package.json"),
+        r#"{"name":"e2e-test","version":"0.0.0","private":true}"#,
+    )
+    .expect("write package.json");
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+/// Full lifecycle: get → verify → list → rollback → apply → remove.
+#[test]
+#[ignore]
+fn test_npm_full_lifecycle() {
+    if !has_command("npm") {
+        eprintln!("SKIP: npm not found on PATH");
+        return;
+    }
+
+    let dir = tempfile::tempdir().unwrap();
+    let cwd = dir.path();
+
+    // -- Setup: create a project and install minimist@1.2.2 ----------------
+    write_package_json(cwd);
+    npm_run(cwd, &["install", "minimist@1.2.2"]);
+
+    let index_js = cwd.join("node_modules/minimist/index.js");
+    assert!(index_js.exists(), "minimist/index.js must exist after npm install");
+
+    // Confirm the original file matches the expected before-hash.
+    assert_eq!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "freshly installed index.js should have the expected beforeHash"
+    );
+
+    // -- GET: download + apply patch ---------------------------------------
+    assert_run_ok(cwd, &["get", NPM_UUID], "get");
+
+    // Manifest should exist and contain the patch.
+    let manifest_path = cwd.join(".socket/manifest.json");
+    assert!(manifest_path.exists(), ".socket/manifest.json should exist after get");
+
+    let manifest: serde_json::Value =
+        serde_json::from_str(&std::fs::read_to_string(&manifest_path).unwrap()).unwrap();
+    let patch = &manifest["patches"][NPM_PURL];
+    assert!(patch.is_object(), "manifest should contain {NPM_PURL}");
+    assert_eq!(patch["uuid"].as_str().unwrap(), NPM_UUID);
+
+    // The file should now be patched.
+    assert_eq!(
+        git_sha256_file(&index_js),
+        AFTER_HASH,
+        "index.js should match afterHash after get"
+    );
+
+    // -- LIST: verify JSON output ------------------------------------------
+    let (stdout, _) = assert_run_ok(cwd, &["list", "--json"], "list --json");
+    let list: serde_json::Value = serde_json::from_str(&stdout).unwrap();
+    let patches = list["patches"].as_array().expect("patches should be an array");
+    assert_eq!(patches.len(), 1);
+    assert_eq!(patches[0]["uuid"].as_str().unwrap(), NPM_UUID);
+    assert_eq!(patches[0]["purl"].as_str().unwrap(), NPM_PURL);
+
+    let vulns = patches[0]["vulnerabilities"]
+        .as_array()
+        .expect("vulnerabilities array");
+    assert!(!vulns.is_empty(), "patch should report at least one vulnerability");
+
+    // Verify the vulnerability details match CVE-2021-44906
+    let has_cve = vulns.iter().any(|v| {
+        v["cves"]
+            .as_array()
+            .map_or(false, |cves| cves.iter().any(|c| c == "CVE-2021-44906"))
+    });
+    assert!(has_cve, "vulnerability list should include CVE-2021-44906");
+
+    // -- ROLLBACK: restore original file -----------------------------------
+    assert_run_ok(cwd, &["rollback"], "rollback");
+
+    assert_eq!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "index.js should match beforeHash after rollback"
+    );
+
+    // -- APPLY: re-apply from manifest ------------------------------------
+    assert_run_ok(cwd, &["apply"], "apply");
+
+    assert_eq!(
+        git_sha256_file(&index_js),
+        AFTER_HASH,
+        "index.js should match afterHash after re-apply"
+    );
+
+    // -- REMOVE: rollback + remove from manifest ---------------------------
+    assert_run_ok(cwd, &["remove", NPM_UUID], "remove");
+
+    // File should be back to original.
+    assert_eq!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "index.js should match beforeHash after remove"
+    );
+
+    // Manifest should have no patches left.
+    let manifest: serde_json::Value =
+        serde_json::from_str(&std::fs::read_to_string(&manifest_path).unwrap()).unwrap();
+    assert!(
+        manifest["patches"].as_object().unwrap().is_empty(),
+        "manifest should be empty after remove"
+    );
+}
+
+/// `apply --dry-run` should not modify files on disk.
+#[test]
+#[ignore]
+fn test_npm_dry_run() {
+    if !has_command("npm") {
+        eprintln!("SKIP: npm not found on PATH");
+        return;
+    }
+
+    let dir = tempfile::tempdir().unwrap();
+    let cwd = dir.path();
+
+    write_package_json(cwd);
+    npm_run(cwd, &["install", "minimist@1.2.2"]);
+
+    let index_js = cwd.join("node_modules/minimist/index.js");
+    assert_eq!(git_sha256_file(&index_js), BEFORE_HASH);
+
+    // Download the patch *without* applying.
+    assert_run_ok(cwd, &["get", NPM_UUID, "--no-apply"], "get --no-apply");
+
+    // File should still be original.
+    assert_eq!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "file should not change after get --no-apply"
+    );
+
+    // Dry-run should succeed but leave file untouched.
+    assert_run_ok(cwd, &["apply", "--dry-run"], "apply --dry-run");
+
+    assert_eq!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "file should not change after apply --dry-run"
+    );
+
+    // Real apply should work.
+    assert_run_ok(cwd, &["apply"], "apply");
+
+    assert_eq!(
+        git_sha256_file(&index_js),
+        AFTER_HASH,
+        "file should match afterHash after real apply"
+    );
+}