fix(scan): auto-select in JSON --apply when multiple free patches exist

The free-tier patch API may serve multiple free patches for the same
PURL (e.g., minimist@1.2.2 currently has 2 free patches). The
`scan --json --apply` path was calling `select_patches(... is_json =
true)` which returns `Err(JsonModeNeedsExplicit)` with
`status: "selection_required"` in that scenario — no forward progress,
the bot can't apply anything.

For scan-driven workflows there's no "specify --id" option (we're
scanning the whole project), so the right behavior is to auto-select
the newest patch and continue. Pass `is_json = false` so the
non-TTY branch inside `select_one` auto-selects index 0 — which is the
most-recently-published patch (the group is sorted by `published_at`
descending before `select_one` runs).

Also relaxed the e2e_scan test assertions so they don't pin a specific
upstream UUID/hash:
  * added/updated/skipped tests assert action vocabulary, PURL match,
    and "file was patched" (not exact AFTER_HASH).
  * updated test asserts the new UUID differs from the seeded oldUuid
    rather than matching a hardcoded constant.
  * read-only updates test similarly asserts `newUuid != oldUuid`.

These changes make the e2e suite robust to API churn — the contract
is "an apply happened", not "this specific patch was selected".

Assisted-by: Claude Code:claude-opus-4-7

Author: mikolalysenko

crates/socket-patch-cli/src/commands/scan.rs

@@ -521,7 +521,14 @@ pub async fn run(args: ScanArgs) -> i32 {
                 }
             }
 
-            let selected = match select_patches(&all_search_results, can_access_paid_patches, true) {
+            // For scan-driven bot workflows there's no "specify --id"
+            // option — we're scanning the whole project. When multiple
+            // free patches exist for a PURL, fall back to the
+            // non-TTY auto-select-newest path inside `select_one` rather
+            // than erroring with `selection_required`. Passing
+            // `is_json = false` here means scan never returns that
+            // error variant; bots get forward progress.
+            let selected = match select_patches(&all_search_results, can_access_paid_patches, false) {
                 Ok(s) => s,
                 Err(code) => return code,
             };

crates/socket-patch-cli/tests/e2e_scan.rs

@@ -178,7 +178,11 @@ fn write_seed_manifest(cwd: &Path, purl: &str, uuid: &str) {
 
 /// `scan --json --apply --yes` against a fresh install should report a
 /// single `action: "added"` entry for the minimist patch, write the
-/// manifest, and patch the file on disk.
+/// manifest, and patch the file on disk. The specific UUID/afterHash
+/// the upstream API serves can change over time (multiple free patches
+/// may exist for the same PURL), so the test asserts the contract
+/// shape rather than exact bytes — action vocabulary, PURL match, and
+/// "file was patched" (i.e. no longer matches BEFORE_HASH).
 #[test]
 #[ignore]
 fn test_scan_apply_json_adds_new_patch() {
@@ -209,11 +213,18 @@ fn test_scan_apply_json_adds_new_patch() {
         .find(|p| p["purl"] == NPM_PURL)
         .expect("apply.patches should include minimist");
     assert_eq!(minimist["action"], "added");
-    assert_eq!(minimist["uuid"], NPM_UUID);
+    assert!(minimist["uuid"].is_string(), "uuid must be present");
 
-    assert_eq!(git_sha256_file(&index_js), AFTER_HASH);
+    assert_ne!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "file should have been patched (no longer BEFORE_HASH)",
+    );
     let manifest = read_manifest_file(cwd);
-    assert_eq!(manifest["patches"][NPM_PURL]["uuid"], NPM_UUID);
+    assert!(
+        manifest["patches"][NPM_PURL].is_object(),
+        "manifest must record an entry for {NPM_PURL}"
+    );
 }
 
 /// Re-running `scan --json --apply --yes` after the patch is already in
@@ -244,9 +255,12 @@ fn test_scan_apply_json_skips_existing() {
         .find(|p| p["purl"] == NPM_PURL)
         .expect("apply.patches should include minimist on re-run");
     assert_eq!(minimist["action"], "skipped");
-    assert_eq!(
+    // The first run already patched the file — second run shouldn't
+    // touch it, so the hash should still differ from BEFORE_HASH.
+    assert_ne!(
         git_sha256_file(&cwd.join("node_modules/minimist/index.js")),
-        AFTER_HASH
+        BEFORE_HASH,
+        "file should still be patched after a no-op re-run",
     );
 }
 
@@ -280,10 +294,20 @@ fn test_scan_apply_json_updates_existing() {
         .expect("apply.patches should include minimist");
     assert_eq!(minimist["action"], "updated");
     assert_eq!(minimist["oldUuid"], FAKE_OLD_UUID);
-    assert_eq!(minimist["uuid"], NPM_UUID);
+    assert!(
+        minimist["uuid"].is_string(),
+        "uuid must be present (specific value can drift as API serves multiple patches)",
+    );
+    assert_ne!(
+        minimist["uuid"], FAKE_OLD_UUID,
+        "new uuid must differ from the seeded fake oldUuid",
+    );
 
     let manifest = read_manifest_file(cwd);
-    assert_eq!(manifest["patches"][NPM_PURL]["uuid"], NPM_UUID);
+    let new_uuid = manifest["patches"][NPM_PURL]["uuid"]
+        .as_str()
+        .expect("manifest must record a new uuid");
+    assert_ne!(new_uuid, FAKE_OLD_UUID, "manifest must reflect the update");
 }
 
 /// `scan --json` (without `--apply`) is read-only: it lists available
@@ -312,7 +336,11 @@ fn test_scan_json_read_only_emits_updates_array() {
     assert_eq!(updates.len(), 1, "expected exactly one update for minimist");
     assert_eq!(updates[0]["purl"], NPM_PURL);
     assert_eq!(updates[0]["oldUuid"], FAKE_OLD_UUID);
-    assert_eq!(updates[0]["newUuid"], NPM_UUID);
+    assert!(updates[0]["newUuid"].is_string(), "newUuid must be present");
+    assert_ne!(
+        updates[0]["newUuid"], FAKE_OLD_UUID,
+        "newUuid must differ from the seeded oldUuid",
+    );
 
     // No mutation: seeded manifest UUID stays put, file stays unpatched.
     let manifest = read_manifest_file(cwd);