test: add 29 new tests for cleanup, orchestrator, findings, tool registry, models

- cleanup.rs: 8 tests — routing logic, skip conditions, missing config errors
- orchestrator.rs: 7 tests — summarize_tool_output (screenshot strip, truncation, recursion)
- findings.rs: 6 tests — empty state, severity grouping, SAST correlation, evidence table
- tools/mod.rs: 4 tests — registry completeness, schema validation, browser action enum
- models.rs: 4 tests — TestUserRecord serde, IdentityProvider variants, BSON roundtrip

Total: 326 tests (was 297)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compliance-agent/src/pentest/report/html/findings.rs

@@ -367,3 +367,156 @@ fn build_code_correlation(
         sections.join("\n")
     )
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use compliance_core::models::dast::{DastEvidence, DastVulnType};
+    use compliance_core::models::finding::Severity;
+    use compliance_core::models::scan::ScanType;
+
+    /// Helper: create a minimal `DastFinding`.
+    fn make_dast(title: &str, severity: Severity, endpoint: &str) -> DastFinding {
+        DastFinding::new(
+            "run1".into(),
+            "target1".into(),
+            DastVulnType::Xss,
+            title.into(),
+            "desc".into(),
+            severity,
+            endpoint.into(),
+            "GET".into(),
+        )
+    }
+
+    /// Helper: create a minimal SAST `Finding` with an ObjectId.
+    fn make_sast(title: &str) -> Finding {
+        let mut f = Finding::new(
+            "repo1".into(),
+            "fp1".into(),
+            "semgrep".into(),
+            ScanType::Sast,
+            title.into(),
+            "sast desc".into(),
+            Severity::High,
+        );
+        f.id = Some(mongodb::bson::oid::ObjectId::new());
+        f
+    }
+
+    #[test]
+    fn test_findings_empty() {
+        let result = findings(&[], &[], &[], &[]);
+        assert!(
+            result.contains("No vulnerabilities were identified"),
+            "Empty findings should contain the no-vulns message"
+        );
+    }
+
+    #[test]
+    fn test_findings_grouped_by_severity() {
+        let f_high = make_dast("High vuln", Severity::High, "/a");
+        let f_low = make_dast("Low vuln", Severity::Low, "/b");
+        let f_critical = make_dast("Crit vuln", Severity::Critical, "/c");
+
+        let result = findings(&[f_high, f_low, f_critical], &[], &[], &[]);
+
+        // All severity group headers should appear
+        assert!(
+            result.contains("Critical (1)"),
+            "should have Critical header"
+        );
+        assert!(result.contains("High (1)"), "should have High header");
+        assert!(result.contains("Low (1)"), "should have Low header");
+
+        // Critical should appear before High, High before Low
+        let crit_pos = result.find("Critical (1)");
+        let high_pos = result.find("High (1)");
+        let low_pos = result.find("Low (1)");
+        assert!(crit_pos < high_pos, "Critical should come before High");
+        assert!(high_pos < low_pos, "High should come before Low");
+    }
+
+    #[test]
+    fn test_code_correlation_sast_link() {
+        let mut sast = make_sast("SQL Injection in query");
+        sast.file_path = Some("src/db/query.rs".into());
+        sast.line_number = Some(42);
+        sast.code_snippet =
+            Some("let q = format!(\"SELECT * FROM {} WHERE id={}\", table, id);".into());
+
+        let sast_id = sast.id.as_ref().map(|oid| oid.to_hex()).unwrap_or_default();
+
+        let mut dast = make_dast("SQLi on /api/users", Severity::High, "/api/users");
+        dast.linked_sast_finding_id = Some(sast_id);
+
+        let result = findings(&[dast], &[sast], &[], &[]);
+
+        assert!(
+            result.contains("SAST Correlation"),
+            "should render SAST Correlation badge"
+        );
+        assert!(
+            result.contains("src/db/query.rs"),
+            "should contain the file path"
+        );
+        assert!(result.contains(":42"), "should contain the line number");
+        assert!(
+            result.contains("Vulnerable Code"),
+            "should render code snippet block"
+        );
+    }
+
+    #[test]
+    fn test_code_correlation_no_match() {
+        let dast = make_dast("XSS in search", Severity::Medium, "/search");
+        // No linked_sast_finding_id, no code context, no sbom
+        let result = findings(&[dast], &[], &[], &[]);
+
+        assert!(
+            !result.contains("code-correlation"),
+            "should not contain any code-correlation div"
+        );
+    }
+
+    #[test]
+    fn test_evidence_html_empty() {
+        let f = make_dast("No evidence", Severity::Low, "/x");
+        let result = build_evidence_html(&f);
+        assert!(result.is_empty(), "no evidence should yield empty string");
+    }
+
+    #[test]
+    fn test_evidence_html_with_entries() {
+        let mut f = make_dast("Has evidence", Severity::High, "/y");
+        f.evidence.push(DastEvidence {
+            request_method: "POST".into(),
+            request_url: "https://example.com/login".into(),
+            request_headers: None,
+            request_body: None,
+            response_status: 200,
+            response_headers: None,
+            response_snippet: Some("OK".into()),
+            screenshot_path: None,
+            payload: Some("<script>alert(1)</script>".into()),
+            response_time_ms: None,
+        });
+
+        let result = build_evidence_html(&f);
+
+        assert!(
+            result.contains("evidence-table"),
+            "should render the evidence table"
+        );
+        assert!(result.contains("POST"), "should contain request method");
+        assert!(
+            result.contains("https://example.com/login"),
+            "should contain request URL"
+        );
+        assert!(result.contains("200"), "should contain response status");
+        assert!(
+            result.contains("&lt;script&gt;alert(1)&lt;/script&gt;"),
+            "payload should be HTML-escaped"
+        );
+    }
+}