
test(inventory): pin new-value routing for composite identifyWith entries#163

Merged
redbeard merged 1 commit into main from test/composite-identify-header-update on May 19, 2026

Conversation

@redbeard
Member

Why

The script-inventory migration replaced every name-only CSP entry with N per-host entries shaped:

```json
{
"identifyWith": {
"andMatcher": [
{ "headerNameMatcher": "^content-security-policy$" },
{ "hostMatcher": "^m\\.stripe\\.network$" }
]
},
"authoriseWith": [ ContentMatcher, ContentMatcher, … ]
}
```

When a new CSP value arrives from m.stripe.network that doesn't match any existing content matcher, the inventory diff should append the new matcher to this entry's authoriseWith and leave siblings (meandu, hCaptcha, etc.) untouched.

The diff gate checks authoriseWith.matcher, not identifyWith, so this should work — but no existing unit test exercised it. Every header-update test in the suite used a simple headerNameMatcher in identifyWith. This adds the missing coverage.

What the test asserts

  1. The new ContentMatcher landed in the Stripe entry's authoriseWith (now 2 entries, was 1).
  2. The meandu entry is untouched (still 1 entry).
  3. The Stripe entry's composite identifyWith is preserved verbatim through the raw round-trip:
    ```json
    { "andMatcher": [{ "headerNameMatcher": "^content-security-policy$" }, { "hostMatcher": "^m\\.stripe\\.network$" }] }
    ```
  4. diff.appliedResults reports the result as applied (drives the truthful "Inventory updated" Slack message).

Test plan

  • npm run check:formatting
  • npm run check:linting
  • npm run check:typing
  • npm run test:unit (483 passing, +1 new)

🤖 Generated with Claude Code

…ries

The 2026-05-19 script-inventory migration (mr-yum/script-inventory#92)
replaced every name-only CSP entry with N per-host entries shaped as:

  identifyWith: andMatcher: [{ headerNameMatcher }, { hostMatcher }]
  authoriseWith: [ContentMatcher, ContentMatcher, …]

The inventory-diff gate looks at `authoriseWith.matcher` (an OrMatcher
from array syntax), not `identifyWith`, so a new unauthorised value for
one of these entries should land in that specific entry's authoriseWith
without touching siblings or rewriting the composite identifyWith. But
no existing test pinned this case down — every header-update test in
the suite used a simple headerNameMatcher in identifyWith.

This adds a regression test with two per-host entries (meandu, Stripe)
that mirror the production shape, sends a KnownHeaderWithUnauthorisedContentFound
for the Stripe entry, and asserts:
- the new ContentMatcher landed in the Stripe entry's authoriseWith
- the meandu entry is untouched
- the Stripe entry's composite identifyWith is preserved verbatim
  through the raw round-trip
- diff.appliedResults reports the result as applied

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
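The routing that the description and commit message above pin down, as an added worked example in TypeScript; this is not code from this repository's ScriptInventoryService or its test suite. The field names (identifyWith, andMatcher, headerNameMatcher, hostMatcher, authoriseWith) follow the PR; the ContentMatcher shape (a regex string under `contentMatcher`), the functions `applyUnauthorisedValue` and `buildFixture`, the meandu host `order.meandu.example` and the CSP values are assumptions constructed for illustration. It also goes one step beyond the test: when more than one entry claims the same header (the situation a leftover name-only entry would create), the update is refused as ambiguous rather than applied to whichever entry comes first.

```typescript
// Added example (not the project's ScriptInventoryService): a minimal model of
// the per-host entry shape from the PR and of routing a new, unauthorised
// header value to exactly one entry. Field names follow the PR description;
// the ContentMatcher shape and the diff logic are assumptions for illustration.

type HeaderNameMatcher = { headerNameMatcher: string };
type HostMatcher = { hostMatcher: string };
type LeafMatcher = HeaderNameMatcher | HostMatcher;
type AndMatcher = { andMatcher: LeafMatcher[] };
type IdentifyWith = LeafMatcher | AndMatcher;

// Assumed ContentMatcher: an anchored regex the header value must satisfy.
type ContentMatcher = { contentMatcher: string };

interface HeaderEntry {
  identifyWith: IdentifyWith;
  // Array syntax acts as an OrMatcher: any one ContentMatcher authorises the value.
  authoriseWith: ContentMatcher[];
}

interface ObservedHeader {
  name: string;
  host: string;
  value: string;
}

interface DiffResult {
  applied: boolean;
  entryIndex: number | null;
  reason: "applied" | "already-authorised" | "no-entry" | "ambiguous";
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function leafIdentifies(m: LeafMatcher, h: ObservedHeader): boolean {
  if ("headerNameMatcher" in m) {
    return new RegExp(m.headerNameMatcher, "i").test(h.name);
  }
  return new RegExp(m.hostMatcher, "i").test(h.host);
}

// identifyWith decides which entry a header belongs to; an andMatcher requires
// every leaf (header name AND host) to match.
function identifies(m: IdentifyWith, h: ObservedHeader): boolean {
  if ("andMatcher" in m) {
    return m.andMatcher.every((leaf) => leafIdentifies(leaf, h));
  }
  return leafIdentifies(m, h);
}

function isAuthorised(entry: HeaderEntry, value: string): boolean {
  return entry.authoriseWith.some((cm) => new RegExp(cm.contentMatcher).test(value));
}

// Route a reported header: find the single entry whose identifyWith matches and,
// if the value is not yet authorised, append an exact-match ContentMatcher to that
// entry only. Sibling entries and the entry's own identifyWith are never touched.
function applyUnauthorisedValue(inventory: HeaderEntry[], h: ObservedHeader): DiffResult {
  const hits = inventory
    .map((e, i) => (identifies(e.identifyWith, h) ? i : -1))
    .filter((i) => i !== -1);
  if (hits.length === 0) return { applied: false, entryIndex: null, reason: "no-entry" };
  // Two entries claiming one header would make the update order-dependent: refuse
  // rather than guess (this is what a leftover name-only entry would cause).
  if (hits.length > 1) return { applied: false, entryIndex: null, reason: "ambiguous" };
  const idx = hits[0] ?? -1;
  const entry = inventory[idx];
  if (!entry) return { applied: false, entryIndex: null, reason: "no-entry" };
  if (isAuthorised(entry, h.value)) {
    return { applied: false, entryIndex: idx, reason: "already-authorised" };
  }
  entry.authoriseWith.push({ contentMatcher: `^${escapeRegExp(h.value)}$` });
  return { applied: true, entryIndex: idx, reason: "applied" };
}

// Constructed fixture mirroring the PR's two per-host entries (meandu, Stripe).
// The meandu host and both CSP values are made up for this example.
function buildFixture(): HeaderEntry[] {
  return [
    {
      identifyWith: {
        andMatcher: [
          { headerNameMatcher: "^content-security-policy$" },
          { hostMatcher: "^order\\.meandu\\.example$" },
        ],
      },
      authoriseWith: [{ contentMatcher: "^default-src 'self'$" }],
    },
    {
      identifyWith: {
        andMatcher: [
          { headerNameMatcher: "^content-security-policy$" },
          { hostMatcher: "^m\\.stripe\\.network$" },
        ],
      },
      authoriseWith: [{ contentMatcher: "^default-src 'none'$" }],
    },
  ];
}

// Worked scenario: a new, unauthorised CSP value arrives from m.stripe.network.
function runScenario() {
  const inventory = buildFixture();
  const meandu = inventory[0];
  const stripe = inventory[1];
  if (!meandu || !stripe) throw new Error("fixture must contain two entries");
  const identifyBefore = JSON.stringify(stripe.identifyWith);
  const result = applyUnauthorisedValue(inventory, {
    name: "content-security-policy",
    host: "m.stripe.network",
    value: "default-src 'none'; script-src https://js.stripe.com", // constructed
  });
  // Raw round-trip check on the composite identifyWith, as the PR's test does.
  const identifyAfter = JSON.stringify(JSON.parse(JSON.stringify(stripe.identifyWith)));
  return {
    result,
    stripeCount: stripe.authoriseWith.length,
    meanduCount: meandu.authoriseWith.length,
    identifyPreserved: identifyAfter === identifyBefore,
  };
}
```

`runScenario()` returns the same four facts the PR's assertions cover: the result is applied against the Stripe entry, Stripe now has two matchers, meandu still has one, and the composite identifyWith survives a JSON round-trip unchanged.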
@coderabbitai

coderabbitai Bot commented May 19, 2026

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Tests
    • Improved test coverage for header management functionality to ensure proper handling of dynamic updates and selective entry modifications.

Walkthrough

A new regression test is added to validate that ScriptInventoryService.diff correctly targets and updates header entries when their identifyWith field uses a composite andMatcher combining header name and host matchers.

Changes

Header Matcher Composite Update Regression Test

| Layer / File(s) | Summary |
| --- | --- |
| ScriptInventoryService.diff composite header matcher test (`src/services/inventory.test.ts`) | Test verifies that when a new CSP value arrives for a specific host, the service appends the corresponding contentMatcher only to the targeted header entry with matching composite identifier, preserves the andMatcher structure, leaves unrelated entries untouched, and reports the result as applied. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • mr-yum/pci-dss-page-tampering#153: Both PRs validate ScriptInventoryService.diff header matcher and content-matcher behavior, particularly which header updates are correctly applied to targeted entries.

Poem

🐰 A composite matcher stands guard at the gate,
Stripe and Meandu maintain their separate fate.
The test hops through headers with careful precision,
Each contentMatcher lands with decisive decision.
A regression caught, validation's delight! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding a regression test for composite identifyWith entries in inventory diff handling. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the motivation, test structure, and assertions covered by the new test case. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |




@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
src/services/inventory.test.ts (1)

1052-1052: 💤 Low value

Clarify whether the url field is necessary.

The header object includes a url field that doesn't appear in similar test cases (e.g., lines 594, 648). If this field is intentionally documenting the production data shape where headers carry source URL context, consider adding a brief comment. If it's unused by the comparison result, it could be removed for consistency.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/services/inventory.test.ts` at line 1052, The test includes an extra url
property on the header object ({ name: 'content-security-policy', value:
newValue, target, workflow: target.workflow, url:
'https://m.stripe.network/something.js' }) which is inconsistent with other
header fixtures and may be unused by the comparison; either remove the url field
to match the other cases, or keep it but add a brief inline comment beside the
header explaining that url is intentionally present to mirror production header
source context and ensure any assertion/comparison logic (the test's header
equality checks) accounts for it.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8d7e83ef-5f9b-4cdd-a0cd-8a113628fa71

📥 Commits

Reviewing files that changed from the base of the PR and between 38f5dd8 and 631aade.

📒 Files selected for processing (1)
  • src/services/inventory.test.ts

@redbeard redbeard merged commit 4303938 into main May 19, 2026
6 checks passed
@redbeard redbeard deleted the test/composite-identify-header-update branch May 19, 2026 07:04