
fix(scan): resolve .socket.facts.json against the scan cwd so tier1 finalize isn't silently skipped#1348

Merged
Benjamin Barslev Nielsen (barslev) merged 1 commit into
v1.xfrom
barslev/rea-495-socket-cli-scan-reach-scan-create-reach-silently-skips-tier1
May 31, 2026

Conversation


@barslev Benjamin Barslev Nielsen (barslev) commented May 31, 2026

Problem

socket scan reach and socket scan create --reach could silently skip the tier1 reachability finalize when the scan's cwd differed from the CLI process's cwd (e.g. --cwd <dir>, or a wrapper that chdirs elsewhere).

performReachabilityAnalysis defaults the facts output to the relative .socket.facts.json and spawns Coana with the scan cwd, so Coana writes <scanCwd>/.socket.facts.json. The result then read the tier1 scan id back via extractTier1ReachabilityScanId(outputFilePath), which resolves that relative path against process.cwd(). When scanCwd !== process.cwd() the read missed → tier1ReachabilityScanId was undefined → the finalize guard fell through with nothing logged → the tier1 reachability row stayed in its post-Coana state and the full scan's reachability report was never linked. extractReachabilityErrors (used by scan reach) shared the same relative-read bug.

The default case (run from inside the project, no --cwd) was unaffected.

Fix

  • Resolve the facts path against the scan cwd at the read sites — extractTier1ReachabilityScanId and extractReachabilityErrors now read path.resolve(cwd, …) — so Coana's write and the CLI's read always agree. The returned/uploaded report path stays cwd-relative and unchanged, so upload and post-success cleanup behavior is untouched.
  • Warn when reachability ran and a scan was created but no tier1 id could be extracted, so the skip is never silent.
  • Adds regression coverage for the cwd !== process.cwd() case (fails before this change), plus the reachability-errors read and the warning path.

Follow-up

#1331 adds a standalone tier1 finalize to socket scan reach. It reads the same tier1ReachabilityScanId from the shared analysis function, so it inherits this path fix automatically. When the two land together: keep both edits at the tail of handle-scan-reach.mts (its finalize block plus the cwd argument added here), and add the same "missing tier1 id" warning to its guard for parity with the scan-create path.


Note

Medium Risk
Changes reachability scan linking and facts-file I/O in scan create/reach paths; behavior is localized with regression tests but affects enterprise tier1 finalize correctness.

Overview
Fixes reachability flows when the scan cwd is not the CLI’s process.cwd() (e.g. --cwd): Coana writes .socket.facts.json under the scan cwd, but tier 1 ID extraction and per-vulnerability error reads used a bare relative path and could miss that file—skipping finalizeTier1Scan and hiding reachability errors.

performReachabilityAnalysis now reads the tier 1 scan id via path.resolve(cwd, …) while still returning a cwd-relative report path for upload/cleanup. outputScanReach takes cwd and resolves the facts file the same way for extractReachabilityErrors. handleCreateNewScan logs a warning when reachability ran and a full scan was created but no tier 1 id was found, instead of silently skipping finalize.

Regression tests cover the cwd !== process.cwd() case, the warning path, and error surfacing from outputScanReach.

Reviewed by Cursor Bugbot for commit c831cbf.

…inalize isn't silently skipped

performReachabilityAnalysis spawns Coana with the scan cwd, so Coana
writes <scanCwd>/.socket.facts.json, but the tier1 scan id was read back
via a relative path resolved against process.cwd(). When the scan cwd
differed from process.cwd() (e.g. --cwd <dir>) the read missed, the
tier1 id came back undefined, and the finalize guard fell through with
nothing logged, leaving the tier1 reachability row unlinked.
extractReachabilityErrors (used by scan reach) shared the same bug.

Resolve the facts path against the scan cwd at the read sites
(extractTier1ReachabilityScanId and extractReachabilityErrors); the
returned/uploaded report path stays cwd-relative so upload and cleanup
behavior is unchanged. Warn when reachability ran and a scan was created
but no tier1 id could be extracted, so the skip is never silent. Adds
regression coverage for the cwd-mismatch case, the reachability-errors
read, and the warning path.
@barslev Benjamin Barslev Nielsen (barslev) merged commit 55a800a into v1.x May 31, 2026
13 checks passed
@barslev Benjamin Barslev Nielsen (barslev) deleted the barslev/rea-495-socket-cli-scan-reach-scan-create-reach-silently-skips-tier1 branch May 31, 2026 18:31