test(e2e): walk the v3.0 envelope for list --json output

The e2e (real-registry) suite was asserting on `list["patches"]` —
the pre-v3 ad-hoc shape. v3.0 migrated `list --json` to the unified
envelope, which emits `{command, status, events, summary}` with one
`discovered` event per manifest entry. Patch metadata
(vulnerabilities, tier, license) lives under `details`.

Updated four sites (e2e_npm × 2, e2e_pypi × 1, e2e_gem × 1) to
filter events by `action == "discovered"` and walk
`details.vulnerabilities[]` for CVE assertions.

Closes the `e2e (ubuntu/macos, e2e_npm|e2e_pypi|e2e_gem)` matrix
failures surfaced once the e2e workflow started passing on the v3.0
branch.

Assisted-by: Claude Code:opus-4-7

Author: mikolalysenko

crates/socket-patch-cli/tests/e2e_gem.rs

@@ -332,14 +332,21 @@ fn test_gem_full_lifecycle() {
     assert_after_hashes(&gem_dir, files);
 
     // -- LIST: verify JSON output ---------------------------------------------
+    // v3.0 envelope: `list --json` emits {command,status,events,summary}
+    // with one `discovered` event per manifest entry. Vulnerabilities
+    // live under `details.vulnerabilities[]`.
     let (stdout, _) = assert_run_ok(cwd, &["list", "--json"], "list --json");
     let list: serde_json::Value = serde_json::from_str(&stdout).unwrap();
-    let patches = list["patches"].as_array().expect("patches should be an array");
+    let events = list["events"].as_array().expect("envelope events array");
+    let patches: Vec<&serde_json::Value> = events
+        .iter()
+        .filter(|e| e["action"] == "discovered")
+        .collect();
     assert_eq!(patches.len(), 1);
     assert_eq!(patches[0]["uuid"].as_str().unwrap(), GEM_UUID);
     assert_eq!(patches[0]["purl"].as_str().unwrap(), GEM_PURL);
 
-    let vulns = patches[0]["vulnerabilities"]
+    let vulns = patches[0]["details"]["vulnerabilities"]
         .as_array()
         .expect("vulnerabilities array");
     assert!(!vulns.is_empty(), "patch should report at least one vulnerability");

crates/socket-patch-cli/tests/e2e_npm.rs

@@ -163,14 +163,21 @@ fn test_npm_full_lifecycle() {
     );
 
     // -- LIST: verify JSON output ------------------------------------------
+    // v3.0 envelope: `list --json` emits {command,status,events,summary}
+    // with one `discovered` event per manifest entry. Patch metadata
+    // (vulnerabilities, tier, license, etc.) lives under `details`.
     let (stdout, _) = assert_run_ok(cwd, &["list", "--json"], "list --json");
     let list: serde_json::Value = serde_json::from_str(&stdout).unwrap();
-    let patches = list["patches"].as_array().expect("patches should be an array");
+    let events = list["events"].as_array().expect("envelope events array");
+    let patches: Vec<&serde_json::Value> = events
+        .iter()
+        .filter(|e| e["action"] == "discovered")
+        .collect();
     assert_eq!(patches.len(), 1);
     assert_eq!(patches[0]["uuid"].as_str().unwrap(), NPM_UUID);
     assert_eq!(patches[0]["purl"].as_str().unwrap(), NPM_PURL);
 
-    let vulns = patches[0]["vulnerabilities"]
+    let vulns = patches[0]["details"]["vulnerabilities"]
         .as_array()
         .expect("vulnerabilities array");
     assert!(!vulns.is_empty(), "patch should report at least one vulnerability");
@@ -342,9 +349,14 @@ fn test_npm_global_lifecycle() {
     );
 
     // -- LIST: verify patch in output ----------------------------------------
+    // v3.0 envelope shape — see the main lifecycle test for details.
     let (stdout, _) = assert_run_ok(cwd, &["list", "--json"], "list --json");
     let list: serde_json::Value = serde_json::from_str(&stdout).unwrap();
-    let patches = list["patches"].as_array().expect("patches array");
+    let events = list["events"].as_array().expect("envelope events array");
+    let patches: Vec<&serde_json::Value> = events
+        .iter()
+        .filter(|e| e["action"] == "discovered")
+        .collect();
     assert_eq!(patches.len(), 1);
     assert_eq!(patches[0]["uuid"].as_str().unwrap(), NPM_UUID);
 

crates/socket-patch-cli/tests/e2e_pypi.rs

@@ -242,14 +242,21 @@ fn test_pypi_full_lifecycle() {
     }
 
     // -- LIST: verify JSON output ------------------------------------------
+    // v3.0 envelope: `list --json` emits {command,status,events,summary}
+    // with one `discovered` event per manifest entry. Vulnerabilities
+    // live under `details.vulnerabilities[]`.
     let (stdout, _) = assert_run_ok(cwd, &["list", "--json"], "list --json");
     let list: serde_json::Value = serde_json::from_str(&stdout).unwrap();
-    let patches = list["patches"].as_array().expect("patches array");
+    let events = list["events"].as_array().expect("envelope events array");
+    let patches: Vec<&serde_json::Value> = events
+        .iter()
+        .filter(|e| e["action"] == "discovered")
+        .collect();
     assert_eq!(patches.len(), 1, "should have exactly one patch");
     assert_eq!(patches[0]["uuid"].as_str().unwrap(), PYPI_UUID);
 
     // Verify vulnerability
-    let vulns = patches[0]["vulnerabilities"]
+    let vulns = patches[0]["details"]["vulnerabilities"]
         .as_array()
         .expect("vulnerabilities array");
     assert!(!vulns.is_empty(), "should have vulnerability info");