npm - @nodatachat/guard - Versions diffs - 2.2.0 → 2.4.0 - Mend

@nodatachat/guard 2.2.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/capsule-dir.d.ts ADDED Viewed

@@ -0,0 +1,104 @@
+export interface CapsuleProof {
+    version: "1.0";
+    updated_at: string;
+    fields: ProofField[];
+}
+export interface ProofField {
+    table_hash: string;
+    column_hash: string;
+    pattern: string;
+    sentinel_prefix: string;
+    row_count: number;
+    encrypted_count: number;
+    coverage_percent: number;
+    verified_at: string;
+}
+export interface CapsuleOverride {
+    version: "1.0";
+    overrides: Override[];
+}
+export interface Override {
+    finding_id: string;
+    status: "fixed" | "accepted_risk" | "not_applicable" | "compensating_control";
+    note: string;
+    attested_by: string;
+    attested_at: string;
+    hmac: string;
+}
+export interface ScoreSnapshot {
+    date: string;
+    score: number;
+    code_score: number | null;
+    db_score: number | null;
+    pii_total: number;
+    pii_encrypted: number;
+    coverage_percent: number;
+    findings_count: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    scan_type: "code" | "full";
+    guard_version: string;
+}
+export interface EvidenceEntry {
+    date: string;
+    action: string;
+    category: string;
+    detail: string;
+    impact: string;
+    attested_by: string;
+    hmac: string;
+}
+/**
+ * Initialize .capsule/ directory. Called on every scan.
+ * Creates missing dirs/files, never overwrites existing data.
+ */
+export declare function initCapsuleDir(projectDir: string, licenseKey: string): string;
+/**
+ * Save a score snapshot. Called after every scan.
+ */
+export declare function saveScore(capsuleDir: string, score: ScoreSnapshot): void;
+/**
+ * Update proof.json with DB-verified encryption data.
+ * Called after DB scan detects encrypted fields.
+ */
+export declare function updateProof(capsuleDir: string, fields: Array<{
+    table: string;
+    column: string;
+    pattern: string;
+    sentinel_prefix: string;
+    row_count: number;
+    encrypted_count: number;
+}>): void;
+/**
+ * Add an evidence entry. Called after scan or manual attest.
+ */
+export declare function addEvidence(capsuleDir: string, licenseKey: string, entry: Omit<EvidenceEntry, "hmac">): void;
+/**
+ * Read proof.json — used by code-scanner to check for known encryptions.
+ */
+export declare function readProof(projectDir: string): CapsuleProof | null;
+/**
+ * Read overrides.json — used by reporter to adjust scores.
+ */
+export declare function readOverrides(projectDir: string): CapsuleOverride | null;
+/**
+ * Get score history — used for trend display.
+ */
+export declare function getScoreHistory(projectDir: string): ScoreSnapshot[];
+/**
+ * Print .capsule/ status to terminal.
+ */
+export declare function printCapsuleStatus(projectDir: string, ciMode: boolean): void;
+export declare function attestFinding(projectDir: string, licenseKey: string, findingId: string, status: Override["status"], note: string): void;
+/**
+ * Subcommand: guard status
+ * Print full .capsule/ status without running a scan.
+ */
+export declare function printFullStatus(projectDir: string): void;
+/**
+ * Subcommand: guard diff
+ * Show what changed between the two most recent scans.
+ */
+export declare function printDiff(projectDir: string): void;

package/dist/capsule-dir.js ADDED Viewed

@@ -0,0 +1,465 @@
+"use strict";
+// ═══════════════════════════════════════════════════════════
+// .capsule/ Directory Manager
+//
+// Creates and maintains a local evidence directory in the customer's project.
+// Everything stays local. NoData receives ONLY metadata (scores, counts).
+//
+// Structure:
+//   .capsule/
+//   ├── config.json          ← Scanner settings, license, thresholds
+//   ├── proof.json           ← Encryption sentinels, verified patterns
+//   ├── overrides.json       ← Manual attestations ("I fixed this")
+//   ├── scores/
+//   │   └── YYYY-MM-DD.json  ← Score snapshots per scan
+//   └── evidence/
+//       └── YYYY-MM-DD.json  ← What was fixed, by whom, when
+//
+// Privacy:
+//   - No PII, table names, column names, or data values are stored
+//   - Sentinels are prefix-only (first 12 chars) — never full encrypted values
+//   - HMAC signature prevents tampering (proves the evidence is authentic)
+//   - NoData receives: score, date, finding_count, coverage_percent — NOTHING else
+// ═══════════════════════════════════════════════════════════
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCapsuleDir = initCapsuleDir;
+exports.saveScore = saveScore;
+exports.updateProof = updateProof;
+exports.addEvidence = addEvidence;
+exports.readProof = readProof;
+exports.readOverrides = readOverrides;
+exports.getScoreHistory = getScoreHistory;
+exports.printCapsuleStatus = printCapsuleStatus;
+exports.attestFinding = attestFinding;
+exports.printFullStatus = printFullStatus;
+exports.printDiff = printDiff;
+const path_1 = require("path");
+const fs_1 = require("fs");
+const crypto_1 = require("crypto");
+const DIR_NAME = ".capsule";
+const HMAC_KEY_DOMAIN = "capsule:evidence:integrity";
+// ── Helpers ──
+function hashName(name) {
+    return (0, crypto_1.createHash)("sha256").update(`capsule:name:${name}`).digest("hex").slice(0, 16);
+}
+function signEvidence(data, licenseKey) {
+    return (0, crypto_1.createHmac)("sha256", `${HMAC_KEY_DOMAIN}:${licenseKey}`)
+        .update(data)
+        .digest("hex")
+        .slice(0, 32);
+}
+function ensureDir(dir) {
+    if (!(0, fs_1.existsSync)(dir))
+        (0, fs_1.mkdirSync)(dir, { recursive: true });
+}
+// ── Public API ──
+/**
+ * Initialize .capsule/ directory. Called on every scan.
+ * Creates missing dirs/files, never overwrites existing data.
+ */
+function initCapsuleDir(projectDir, licenseKey) {
+    const capsuleDir = (0, path_1.resolve)(projectDir, DIR_NAME);
+    ensureDir(capsuleDir);
+    ensureDir((0, path_1.join)(capsuleDir, "scores"));
+    ensureDir((0, path_1.join)(capsuleDir, "evidence"));
+    // Config — create only if missing
+    const configPath = (0, path_1.join)(capsuleDir, "config.json");
+    if (!(0, fs_1.existsSync)(configPath)) {
+        (0, fs_1.writeFileSync)(configPath, JSON.stringify({
+            version: "1.0",
+            created_at: new Date().toISOString(),
+            license_prefix: licenseKey.slice(0, 12) + "...",
+            thresholds: {
+                fail_on: "critical",
+                target_score: 85,
+                encryption_target: 90,
+            },
+            scan_schedule: "manual",
+            notes: "This directory contains local evidence for SOC compliance. Commit to git for audit history. NoData never receives this data.",
+        }, null, 2), "utf-8");
+    }
+    // Proof — create only if missing
+    const proofPath = (0, path_1.join)(capsuleDir, "proof.json");
+    if (!(0, fs_1.existsSync)(proofPath)) {
+        const proof = { version: "1.0", updated_at: new Date().toISOString(), fields: [] };
+        (0, fs_1.writeFileSync)(proofPath, JSON.stringify(proof, null, 2), "utf-8");
+    }
+    // Overrides — create only if missing
+    const overridesPath = (0, path_1.join)(capsuleDir, "overrides.json");
+    if (!(0, fs_1.existsSync)(overridesPath)) {
+        const overrides = { version: "1.0", overrides: [] };
+        (0, fs_1.writeFileSync)(overridesPath, JSON.stringify(overrides, null, 2), "utf-8");
+    }
+    // Ensure .gitignore does NOT exclude .capsule/
+    // (It should be committed for audit trail)
+    const gitignorePath = (0, path_1.resolve)(projectDir, ".gitignore");
+    if ((0, fs_1.existsSync)(gitignorePath)) {
+        const content = (0, fs_1.readFileSync)(gitignorePath, "utf-8");
+        if (content.includes(".capsule")) {
+            // Remove .capsule from gitignore if present — it should be tracked
+            const lines = content.split("\n").filter(l => !l.trim().startsWith(".capsule"));
+            (0, fs_1.writeFileSync)(gitignorePath, lines.join("\n"), "utf-8");
+        }
+    }
+    return capsuleDir;
+}
+/**
+ * Save a score snapshot. Called after every scan.
+ */
+function saveScore(capsuleDir, score) {
+    const date = new Date().toISOString().slice(0, 10);
+    const scoresDir = (0, path_1.join)(capsuleDir, "scores");
+    ensureDir(scoresDir);
+    (0, fs_1.writeFileSync)((0, path_1.join)(scoresDir, `${date}.json`), JSON.stringify(score, null, 2), "utf-8");
+}
+/**
+ * Update proof.json with DB-verified encryption data.
+ * Called after DB scan detects encrypted fields.
+ */
+function updateProof(capsuleDir, fields) {
+    const proofPath = (0, path_1.join)(capsuleDir, "proof.json");
+    const proof = (0, fs_1.existsSync)(proofPath)
+        ? JSON.parse((0, fs_1.readFileSync)(proofPath, "utf-8"))
+        : { version: "1.0", updated_at: "", fields: [] };
+    for (const f of fields) {
+        const tableHash = hashName(f.table);
+        const columnHash = hashName(f.column);
+        const coverage = f.row_count > 0 ? Math.round((f.encrypted_count / f.row_count) * 100) : 0;
+        // Update existing or add new
+        const existing = proof.fields.find(p => p.table_hash === tableHash && p.column_hash === columnHash);
+        if (existing) {
+            existing.pattern = f.pattern;
+            existing.sentinel_prefix = f.sentinel_prefix.slice(0, 12);
+            existing.row_count = f.row_count;
+            existing.encrypted_count = f.encrypted_count;
+            existing.coverage_percent = coverage;
+            existing.verified_at = new Date().toISOString();
+        }
+        else {
+            proof.fields.push({
+                table_hash: tableHash,
+                column_hash: columnHash,
+                pattern: f.pattern,
+                sentinel_prefix: f.sentinel_prefix.slice(0, 12),
+                row_count: f.row_count,
+                encrypted_count: f.encrypted_count,
+                coverage_percent: coverage,
+                verified_at: new Date().toISOString(),
+            });
+        }
+    }
+    proof.updated_at = new Date().toISOString();
+    (0, fs_1.writeFileSync)(proofPath, JSON.stringify(proof, null, 2), "utf-8");
+}
+/**
+ * Add an evidence entry. Called after scan or manual attest.
+ */
+function addEvidence(capsuleDir, licenseKey, entry) {
+    const date = new Date().toISOString().slice(0, 10);
+    const evidenceDir = (0, path_1.join)(capsuleDir, "evidence");
+    ensureDir(evidenceDir);
+    const filePath = (0, path_1.join)(evidenceDir, `${date}.json`);
+    const entries = (0, fs_1.existsSync)(filePath)
+        ? JSON.parse((0, fs_1.readFileSync)(filePath, "utf-8"))
+        : [];
+    // Sign the entry — proves it wasn't tampered with
+    const payload = JSON.stringify({ ...entry });
+    const hmac = signEvidence(payload, licenseKey);
+    entries.push({ ...entry, hmac });
+    (0, fs_1.writeFileSync)(filePath, JSON.stringify(entries, null, 2), "utf-8");
+}
+/**
+ * Read proof.json — used by code-scanner to check for known encryptions.
+ */
+function readProof(projectDir) {
+    const proofPath = (0, path_1.join)(projectDir, DIR_NAME, "proof.json");
+    if (!(0, fs_1.existsSync)(proofPath))
+        return null;
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(proofPath, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Read overrides.json — used by reporter to adjust scores.
+ */
+function readOverrides(projectDir) {
+    const overridesPath = (0, path_1.join)(projectDir, DIR_NAME, "overrides.json");
+    if (!(0, fs_1.existsSync)(overridesPath))
+        return null;
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(overridesPath, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get score history — used for trend display.
+ */
+function getScoreHistory(projectDir) {
+    const scoresDir = (0, path_1.join)(projectDir, DIR_NAME, "scores");
+    if (!(0, fs_1.existsSync)(scoresDir))
+        return [];
+    const files = (0, fs_1.readdirSync)(scoresDir)
+        .filter((f) => f.endsWith(".json"))
+        .sort();
+    return files.map((f) => {
+        try {
+            return JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(scoresDir, f), "utf-8"));
+        }
+        catch {
+            return null;
+        }
+    }).filter(Boolean);
+}
+/**
+ * Print .capsule/ status to terminal.
+ */
+function printCapsuleStatus(projectDir, ciMode) {
+    const capsuleDir = (0, path_1.join)(projectDir, DIR_NAME);
+    if (!(0, fs_1.existsSync)(capsuleDir))
+        return;
+    if (ciMode)
+        return;
+    const history = getScoreHistory(projectDir);
+    const proof = readProof(projectDir);
+    const overrides = readOverrides(projectDir);
+    console.log("");
+    console.log("  ══════════════════════════════════════");
+    console.log("  .capsule/ LOCAL EVIDENCE");
+    console.log("  ══════════════════════════════════════");
+    console.log(`  Score history:   ${history.length} scan(s)`);
+    if (history.length >= 2) {
+        const first = history[0];
+        const last = history[history.length - 1];
+        const delta = last.score - first.score;
+        const arrow = delta > 0 ? `\x1b[32m↑${delta}%\x1b[0m` : delta < 0 ? `\x1b[31m↓${Math.abs(delta)}%\x1b[0m` : "→ no change";
+        console.log(`  Trend:           ${first.score}% → ${last.score}% ${arrow}`);
+    }
+    if (proof) {
+        console.log(`  Proven fields:   ${proof.fields.length} (DB-verified encryption)`);
+    }
+    if (overrides && overrides.overrides.length > 0) {
+        console.log(`  Overrides:       ${overrides.overrides.length} manual attestation(s)`);
+    }
+    console.log("  ──────────────────────────────────────");
+    console.log("  \x1b[2mAll evidence stays local. Commit to git for audit trail.\x1b[0m");
+    console.log("  ══════════════════════════════════════\n");
+}
+// ═══════════════════════════════════════════════════════════
+// Subcommand: guard attest
+//
+// Allows the user to manually attest that a finding has been
+// addressed. Creates a signed entry in overrides.json.
+// ═══════════════════════════════════════════════════════════
+function attestFinding(projectDir, licenseKey, findingId, status, note) {
+    const capsuleDir = (0, path_1.join)(projectDir, DIR_NAME);
+    if (!(0, fs_1.existsSync)(capsuleDir)) {
+        initCapsuleDir(projectDir, licenseKey);
+    }
+    const overridesPath = (0, path_1.join)(capsuleDir, "overrides.json");
+    const overrides = (0, fs_1.existsSync)(overridesPath)
+        ? JSON.parse((0, fs_1.readFileSync)(overridesPath, "utf-8"))
+        : { version: "1.0", overrides: [] };
+    const deviceHash = (0, crypto_1.createHash)("sha256")
+        .update(`capsule:device:${require("os").hostname()}`)
+        .digest("hex").slice(0, 12);
+    const now = new Date().toISOString();
+    const payload = JSON.stringify({ finding_id: findingId, status, note, attested_by: deviceHash, attested_at: now });
+    const hmac = signEvidence(payload, licenseKey);
+    // Update existing or add new
+    const existing = overrides.overrides.findIndex(o => o.finding_id === findingId);
+    const entry = { finding_id: findingId, status, note, attested_by: deviceHash, attested_at: now, hmac };
+    if (existing >= 0) {
+        overrides.overrides[existing] = entry;
+    }
+    else {
+        overrides.overrides.push(entry);
+    }
+    (0, fs_1.writeFileSync)(overridesPath, JSON.stringify(overrides, null, 2), "utf-8");
+    // Also log as evidence
+    addEvidence(capsuleDir, licenseKey, {
+        date: now,
+        action: "override_added",
+        category: status === "fixed" ? "remediation" : "risk_management",
+        detail: `Attested "${findingId}" as ${status}: ${note}`,
+        impact: `Override: ${status}`,
+        attested_by: deviceHash,
+    });
+}
+/**
+ * Subcommand: guard status
+ * Print full .capsule/ status without running a scan.
+ */
+function printFullStatus(projectDir) {
+    const capsuleDir = (0, path_1.join)(projectDir, DIR_NAME);
+    if (!(0, fs_1.existsSync)(capsuleDir)) {
+        console.log("\n  No .capsule/ directory found. Run a scan first.\n");
+        return;
+    }
+    const history = getScoreHistory(projectDir);
+    const proof = readProof(projectDir);
+    const overrides = readOverrides(projectDir);
+    console.log("");
+    console.log("  ╔══════════════════════════════════════╗");
+    console.log("  ║      NoData Guard — Status           ║");
+    console.log("  ╚══════════════════════════════════════╝");
+    console.log("");
+    // ── Score history ──
+    console.log("  \x1b[33m── SCORE HISTORY ──\x1b[0m");
+    if (history.length === 0) {
+        console.log("  No scans recorded yet.\n");
+    }
+    else {
+        const last = history[history.length - 1];
+        console.log(`  Latest score:    \x1b[1m${last.score}%\x1b[0m (${last.scan_type} scan, Guard v${last.guard_version})`);
+        console.log(`  Last scan date:  ${last.date}`);
+        console.log(`  Total scans:     ${history.length}`);
+        if (last.code_score != null)
+            console.log(`  Code score:      ${last.code_score}%`);
+        if (last.db_score != null)
+            console.log(`  DB score:        ${last.db_score}%`);
+        console.log(`  PII coverage:    ${last.pii_encrypted}/${last.pii_total} encrypted (${last.coverage_percent}%)`);
+        console.log(`  Issues:          ${last.critical} critical, ${last.high} high, ${last.medium} medium, ${last.low} low`);
+        console.log(`  Findings:        ${last.findings_count} total`);
+        if (history.length >= 2) {
+            console.log("");
+            console.log("  \x1b[33m── TREND ──\x1b[0m");
+            const maxShow = Math.min(history.length, 10);
+            for (let i = history.length - maxShow; i < history.length; i++) {
+                const h = history[i];
+                const prev = i > 0 ? history[i - 1] : null;
+                const delta = prev ? h.score - prev.score : 0;
+                const arrow = delta > 0 ? `\x1b[32m+${delta}\x1b[0m` : delta < 0 ? `\x1b[31m${delta}\x1b[0m` : " 0";
+                const bar = "\x1b[32m" + "█".repeat(Math.round(h.score / 5)) + "\x1b[0m" + "░".repeat(20 - Math.round(h.score / 5));
+                console.log(`  ${h.date}  ${bar}  ${h.score}% (${arrow})`);
+            }
+        }
+        console.log("");
+    }
+    // ── Proof ──
+    console.log("  \x1b[33m── DB-VERIFIED ENCRYPTION ──\x1b[0m");
+    if (!proof || proof.fields.length === 0) {
+        console.log("  No DB-verified encryption yet. Run with --db to verify.\n");
+    }
+    else {
+        console.log(`  ${proof.fields.length} field(s) verified in database:\n`);
+        for (const f of proof.fields) {
+            const cov = f.coverage_percent;
+            const covColor = cov >= 90 ? "\x1b[32m" : cov >= 50 ? "\x1b[33m" : "\x1b[31m";
+            console.log(`  ${f.table_hash}:${f.column_hash}  ${f.pattern}  ${covColor}${cov}%\x1b[0m (${f.encrypted_count}/${f.row_count} rows)`);
+        }
+        console.log(`\n  Last verified: ${proof.updated_at}\n`);
+    }
+    // ── Overrides ──
+    console.log("  \x1b[33m── MANUAL ATTESTATIONS ──\x1b[0m");
+    if (!overrides || overrides.overrides.length === 0) {
+        console.log("  No overrides. Use \x1b[36mguard attest\x1b[0m to declare fixes.\n");
+    }
+    else {
+        for (const o of overrides.overrides) {
+            const statusColor = o.status === "fixed" ? "\x1b[32m" : o.status === "accepted_risk" ? "\x1b[33m" : "\x1b[36m";
+            console.log(`  ${o.finding_id}`);
+            console.log(`    Status:  ${statusColor}${o.status}\x1b[0m`);
+            console.log(`    Note:    ${o.note}`);
+            console.log(`    Date:    ${o.attested_at}`);
+            console.log(`    Device:  ${o.attested_by}`);
+            console.log("");
+        }
+    }
+    // ── Evidence summary ──
+    const evidenceDir = (0, path_1.join)(capsuleDir, "evidence");
+    if ((0, fs_1.existsSync)(evidenceDir)) {
+        const evidenceFiles = (0, fs_1.readdirSync)(evidenceDir).filter(f => f.endsWith(".json"));
+        let totalEntries = 0;
+        for (const ef of evidenceFiles) {
+            try {
+                const entries = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(evidenceDir, ef), "utf-8"));
+                totalEntries += entries.length;
+            }
+            catch { /* skip */ }
+        }
+        console.log("  \x1b[33m── EVIDENCE LOG ──\x1b[0m");
+        console.log(`  ${totalEntries} entries across ${evidenceFiles.length} day(s)`);
+        console.log("  \x1b[2mAll evidence stays local. Commit .capsule/ to git for audit trail.\x1b[0m\n");
+    }
+}
+/**
+ * Subcommand: guard diff
+ * Show what changed between the two most recent scans.
+ */
+function printDiff(projectDir) {
+    const history = getScoreHistory(projectDir);
+    if (history.length < 2) {
+        console.log("\n  Need at least 2 scans to show a diff. Run another scan first.\n");
+        return;
+    }
+    const prev = history[history.length - 2];
+    const curr = history[history.length - 1];
+    console.log("");
+    console.log("  ╔══════════════════════════════════════╗");
+    console.log("  ║       NoData Guard — Diff            ║");
+    console.log("  ╚══════════════════════════════════════╝");
+    console.log("");
+    console.log(`  Comparing: ${prev.date} → ${curr.date}`);
+    console.log("");
+    // Score delta
+    const scoreDelta = curr.score - prev.score;
+    const scoreArrow = scoreDelta > 0 ? `\x1b[32m↑ +${scoreDelta}%\x1b[0m` : scoreDelta < 0 ? `\x1b[31m↓ ${scoreDelta}%\x1b[0m` : "→ no change";
+    console.log(`  Overall score:   ${prev.score}% → ${curr.score}% ${scoreArrow}`);
+    // Code score delta
+    if (prev.code_score != null && curr.code_score != null) {
+        const cd = curr.code_score - prev.code_score;
+        const ca = cd > 0 ? `\x1b[32m+${cd}\x1b[0m` : cd < 0 ? `\x1b[31m${cd}\x1b[0m` : "0";
+        console.log(`  Code score:      ${prev.code_score}% → ${curr.code_score}% (${ca})`);
+    }
+    // DB score delta
+    if (prev.db_score != null && curr.db_score != null) {
+        const dd = curr.db_score - prev.db_score;
+        const da = dd > 0 ? `\x1b[32m+${dd}\x1b[0m` : dd < 0 ? `\x1b[31m${dd}\x1b[0m` : "0";
+        console.log(`  DB score:        ${prev.db_score}% → ${curr.db_score}% (${da})`);
+    }
+    console.log("");
+    // PII coverage
+    const piiDelta = curr.coverage_percent - prev.coverage_percent;
+    const piiArrow = piiDelta > 0 ? `\x1b[32m+${piiDelta}%\x1b[0m` : piiDelta < 0 ? `\x1b[31m${piiDelta}%\x1b[0m` : "0";
+    console.log(`  PII encrypted:   ${prev.pii_encrypted}/${prev.pii_total} → ${curr.pii_encrypted}/${curr.pii_total} (${piiArrow})`);
+    // Findings delta
+    const findDelta = curr.findings_count - prev.findings_count;
+    const findArrow = findDelta < 0 ? `\x1b[32m${findDelta} resolved\x1b[0m` : findDelta > 0 ? `\x1b[31m+${findDelta} new\x1b[0m` : "no change";
+    console.log(`  Findings:        ${prev.findings_count} → ${curr.findings_count} (${findArrow})`);
+    // Issues breakdown
+    console.log("");
+    console.log("  \x1b[33m── ISSUES BREAKDOWN ──\x1b[0m");
+    const showDelta = (label, p, c) => {
+        const d = c - p;
+        const color = d < 0 ? "\x1b[32m" : d > 0 ? "\x1b[31m" : "";
+        const sign = d > 0 ? "+" : "";
+        console.log(`  ${label.padEnd(12)} ${p} → ${c}  ${color}${d !== 0 ? `(${sign}${d})` : "(=)"}\x1b[0m`);
+    };
+    showDelta("Critical:", prev.critical, curr.critical);
+    showDelta("High:", prev.high, curr.high);
+    showDelta("Medium:", prev.medium, curr.medium);
+    showDelta("Low:", prev.low, curr.low);
+    // Scan type change
+    if (prev.scan_type !== curr.scan_type) {
+        console.log(`\n  \x1b[36mNote:\x1b[0m Scan type changed from "${prev.scan_type}" to "${curr.scan_type}"`);
+    }
+    // Guard version change
+    if (prev.guard_version !== curr.guard_version) {
+        console.log(`  \x1b[36mNote:\x1b[0m Guard version changed from v${prev.guard_version} to v${curr.guard_version}`);
+    }
+    console.log("");
+    if (scoreDelta > 0) {
+        console.log("  \x1b[32m✓ Score improved! Keep going.\x1b[0m\n");
+    }
+    else if (scoreDelta < 0) {
+        console.log("  \x1b[31m⚠ Score dropped. Check the full report for new issues.\x1b[0m\n");
+    }
+    else {
+        console.log("  \x1b[33m→ No score change. Fix open findings to improve.\x1b[0m\n");
+    }
+}