clawarmor 3.1.0 → 3.4.0

package/lib/baseline-cmd.js

@@ -0,0 +1,189 @@
+// ClawArmor baseline command handler.
+// Usage:
+//   clawarmor baseline save [--name <label>]
+//   clawarmor baseline list
+//   clawarmor baseline diff [--from <label>] [--to <label>]
+
+import { paint } from './output/colors.js';
+import { saveBaseline, listBaselines, diffBaselines, loadBaseline } from './baseline.js';
+import { runAuditQuiet } from './audit-quiet.js';
+
+const SEP = paint.dim('─'.repeat(52));
+
+function box(title) {
+  const W = 52, pad = W - 2 - title.length, l = Math.floor(pad / 2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W - 2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W - 2) + '╝'),
+  ].join('\n');
+}
+
+function fmtDate(iso) {
+  if (!iso) return 'unknown';
+  try { return new Date(iso).toLocaleString(); } catch { return iso; }
+}
+
+function todayLabel() {
+  const d = new Date();
+  return `baseline-${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')}`;
+}
+
+/**
+ * Main baseline command router.
+ * @param {string[]} args - args after "baseline"
+ */
+export async function runBaseline(args) {
+  const sub = args[0];
+
+  if (!sub || sub === '--help' || sub === 'help') {
+    console.log('');
+    console.log(`  ${paint.bold('clawarmor baseline')} — save and compare security baselines`);
+    console.log('');
+    console.log(`  ${paint.cyan('Subcommands:')}`);
+    console.log(`    ${paint.cyan('save')}   [--name <label>]             Save current audit as a baseline`);
+    console.log(`    ${paint.cyan('list')}                                List all saved baselines`);
+    console.log(`    ${paint.cyan('diff')}   [--from <label>] [--to <label>]  Diff two baselines`);
+    console.log('');
+    return 0;
+  }
+
+  // ── SAVE ────────────────────────────────────────────────────────────────────
+  if (sub === 'save') {
+    const nameIdx = args.indexOf('--name');
+    const label = nameIdx !== -1 && args[nameIdx + 1] ? args[nameIdx + 1] : todayLabel();
+
+    console.log(''); console.log(box('ClawArmor Baseline Save')); console.log('');
+    console.log(`  ${paint.dim('Running audit to capture current security posture...')}`);
+    console.log('');
+
+    let auditResult;
+    try {
+      auditResult = await runAuditQuiet({});
+    } catch (e) {
+      console.log(`  ${paint.red('✗')} Audit failed: ${e.message}`);
+      console.log('');
+      return 1;
+    }
+
+    const filePath = saveBaseline({
+      label,
+      score: auditResult.score,
+      findings: auditResult.findings,
+      profile: auditResult.profile || null,
+    });
+
+    console.log(`  ${paint.green('✓')} Baseline saved`);
+    console.log(`  ${paint.dim('Label:')}  ${paint.bold(label)}`);
+    console.log(`  ${paint.dim('Score:')}  ${paint.bold(String(auditResult.score))}/100`);
+    console.log(`  ${paint.dim('Findings:')} ${auditResult.findings.length}`);
+    console.log(`  ${paint.dim('File:')}   ${filePath}`);
+    console.log('');
+    return 0;
+  }
+
+  // ── LIST ─────────────────────────────────────────────────────────────────────
+  if (sub === 'list') {
+    console.log(''); console.log(box('ClawArmor Baselines')); console.log('');
+    const baselines = listBaselines();
+    if (!baselines.length) {
+      console.log(`  ${paint.dim('No baselines saved yet.')}`);
+      console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor baseline save')} ${paint.dim('to create one.')}`);
+      console.log('');
+      return 0;
+    }
+    console.log(`  ${paint.bold(String(baselines.length))} baseline${baselines.length !== 1 ? 's' : ''} saved:\n`);
+    for (const b of baselines) {
+      const scoreStr = b.score != null ? `${b.score}/100` : 'n/a';
+      const profileStr = b.profile ? `  ${paint.dim('[' + b.profile + ']')}` : '';
+      console.log(`  ${paint.cyan(b.label)}${profileStr}`);
+      console.log(`    ${paint.dim('Date:')}   ${fmtDate(b.savedAt)}`);
+      console.log(`    ${paint.dim('Score:')}  ${scoreStr}`);
+      console.log('');
+    }
+    console.log(`  ${paint.dim('To compare:')} ${paint.cyan('clawarmor baseline diff --from <label> --to <label>')}`);
+    console.log('');
+    return 0;
+  }
+
+  // ── DIFF ──────────────────────────────────────────────────────────────────────
+  if (sub === 'diff') {
+    const fromIdx = args.indexOf('--from');
+    const toIdx = args.indexOf('--to');
+
+    // Resolve from/to — default: latest vs previous
+    let fromLabel = fromIdx !== -1 && args[fromIdx + 1] ? args[fromIdx + 1] : null;
+    let toLabel = toIdx !== -1 && args[toIdx + 1] ? args[toIdx + 1] : null;
+
+    if (!fromLabel || !toLabel) {
+      const all = listBaselines();
+      if (all.length < 2) {
+        console.log('');
+        console.log(`  ${paint.yellow('!')} Need at least 2 baselines to diff.`);
+        console.log(`  ${paint.dim('Run')} ${paint.cyan('clawarmor baseline save')} ${paint.dim('to create baselines.')}`);
+        console.log('');
+        return 1;
+      }
+      if (!fromLabel) fromLabel = all[all.length - 2].label;
+      if (!toLabel) toLabel = all[all.length - 1].label;
+    }
+
+    console.log(''); console.log(box('ClawArmor Baseline Diff')); console.log('');
+
+    let diff;
+    try {
+      diff = diffBaselines(fromLabel, toLabel);
+    } catch (e) {
+      console.log(`  ${paint.red('✗')} ${e.message}`);
+      console.log('');
+      return 1;
+    }
+
+    const deltaStr = diff.scoreDelta > 0
+      ? paint.green(`+${diff.scoreDelta}`)
+      : diff.scoreDelta < 0
+        ? paint.red(String(diff.scoreDelta))
+        : paint.dim('0');
+
+    console.log(`  ${paint.dim('From:')}  ${paint.bold(diff.fromLabel)}  ${paint.dim('(score: ' + diff.fromScore + ')')}`);
+    console.log(`  ${paint.dim('To:')}    ${paint.bold(diff.toLabel)}  ${paint.dim('(score: ' + diff.toScore + ')')}`);
+    console.log(`  ${paint.dim('Delta:')} ${deltaStr}`);
+    console.log('');
+
+    if (diff.newFindings.length) {
+      console.log(SEP);
+      console.log(`  ${paint.yellow('New findings')} ${paint.dim('(' + diff.newFindings.length + ' since ' + diff.fromLabel + ')')}`);
+      console.log(SEP);
+      for (const f of diff.newFindings) {
+        const sev = f.severity || 'MEDIUM';
+        const sevColor = sev === 'CRITICAL' ? paint.red : sev === 'HIGH' ? paint.yellow : paint.cyan;
+        console.log(`  ${sevColor('[' + sev + ']')} ${paint.bold(f.skill || '?')}  ${paint.dim(f.message || f.patternId || '')}`);
+      }
+      console.log('');
+    } else {
+      console.log(`  ${paint.green('✓')} No new findings.`);
+    }
+
+    if (diff.resolvedFindings.length) {
+      console.log(SEP);
+      console.log(`  ${paint.green('Resolved findings')} ${paint.dim('(' + diff.resolvedFindings.length + ' fixed since ' + diff.fromLabel + ')')}`);
+      console.log(SEP);
+      for (const f of diff.resolvedFindings) {
+        console.log(`  ${paint.dim('✓')} ${f.skill || '?'}  ${paint.dim(f.message || f.patternId || '')}`);
+      }
+      console.log('');
+    }
+
+    if (!diff.newFindings.length && !diff.resolvedFindings.length) {
+      console.log(`  ${paint.dim('No changes between baselines.')}`);
+      console.log('');
+    }
+
+    return 0;
+  }
+
+  console.log(`  ${paint.red('✗')} Unknown baseline subcommand: ${paint.bold(sub)}`);
+  console.log(`  ${paint.dim('Use: save | list | diff')}`);
+  console.log('');
+  return 1;
+}

package/lib/baseline.js

@@ -0,0 +1,106 @@
+// ClawArmor baseline storage — save, list, and diff audit baselines.
+// Baselines are stored in ~/.openclaw/workspace/memory/clawarmor-baselines/
+
+import { writeFileSync, mkdirSync, existsSync, readFileSync, readdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+
+const BASELINE_DIR = join(homedir(), '.openclaw', 'workspace', 'memory', 'clawarmor-baselines');
+
+function ensureDir() {
+  mkdirSync(BASELINE_DIR, { recursive: true });
+}
+
+function baselinePath(label) {
+  return join(BASELINE_DIR, `${label}.json`);
+}
+
+/**
+ * Save a baseline snapshot.
+ * @param {{ label: string, score: number, findings: any[], profile?: string }} data
+ */
+export function saveBaseline({ label, score, findings, profile }) {
+  ensureDir();
+  const entry = {
+    label,
+    savedAt: new Date().toISOString(),
+    score,
+    findings: findings || [],
+    profile: profile || null,
+  };
+  writeFileSync(baselinePath(label), JSON.stringify(entry, null, 2), 'utf8');
+  return baselinePath(label);
+}
+
+/**
+ * List all saved baselines, sorted by savedAt ascending.
+ * @returns {Array<{ label, savedAt, score, profile, path }>}
+ */
+export function listBaselines() {
+  if (!existsSync(BASELINE_DIR)) return [];
+  try {
+    const files = readdirSync(BASELINE_DIR).filter(f => f.endsWith('.json'));
+    const baselines = [];
+    for (const f of files) {
+      try {
+        const raw = JSON.parse(readFileSync(join(BASELINE_DIR, f), 'utf8'));
+        baselines.push({
+          label: raw.label || f.replace('.json', ''),
+          savedAt: raw.savedAt || null,
+          score: raw.score ?? null,
+          profile: raw.profile || null,
+          path: join(BASELINE_DIR, f),
+        });
+      } catch { /* skip malformed */ }
+    }
+    baselines.sort((a, b) => (a.savedAt || '').localeCompare(b.savedAt || ''));
+    return baselines;
+  } catch { return []; }
+}
+
+/**
+ * Load a baseline by label.
+ * @param {string} label
+ * @returns {object|null}
+ */
+export function loadBaseline(label) {
+  const p = baselinePath(label);
+  if (!existsSync(p)) return null;
+  try { return JSON.parse(readFileSync(p, 'utf8')); }
+  catch { return null; }
+}
+
+/**
+ * Diff two baselines.
+ * Returns { scoreDelta, newFindings, resolvedFindings, fromLabel, toLabel, fromScore, toScore }
+ */
+export function diffBaselines(fromLabel, toLabel) {
+  const from = loadBaseline(fromLabel);
+  const to = loadBaseline(toLabel);
+
+  if (!from) throw new Error(`Baseline not found: ${fromLabel}`);
+  if (!to) throw new Error(`Baseline not found: ${toLabel}`);
+
+  const fromScore = from.score ?? 0;
+  const toScore = to.score ?? 0;
+  const scoreDelta = toScore - fromScore;
+
+  // Key findings by patternId+skill for comparison
+  const key = f => `${f.skill || ''}:${f.patternId || f.id || ''}:${f.severity || ''}`;
+
+  const fromKeys = new Set((from.findings || []).map(key));
+  const toKeys = new Set((to.findings || []).map(key));
+
+  const newFindings = (to.findings || []).filter(f => !fromKeys.has(key(f)));
+  const resolvedFindings = (from.findings || []).filter(f => !toKeys.has(key(f)));
+
+  return {
+    fromLabel,
+    toLabel,
+    fromScore,
+    toScore,
+    scoreDelta,
+    newFindings,
+    resolvedFindings,
+  };
+}

package/lib/harden.js

@@ -4,10 +4,11 @@
 //   --dry-run:  show what WOULD be fixed, no writes
 //   --auto:     apply all safe + caution fixes without confirmation (skips breaking)
 //   --auto --force: apply ALL fixes including breaking ones
+//   --report [path]:  write a structured report (JSON or Markdown) after hardening
 
-import { existsSync, readdirSync, statSync, readFileSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
+import { existsSync, readdirSync, statSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { join, dirname } from 'path';
+import { homedir, platform, release } from 'os';
 import { execSync, spawnSync } from 'child_process';
 import { createInterface } from 'readline';
 import { paint } from './output/colors.js';
@@ -24,6 +25,8 @@ const HISTORY_FILE = join(CLAWARMOR_DIR, 'history.json');
 const CLI_PATH = new URL('../cli.js', import.meta.url).pathname;
 const SEP = paint.dim('─'.repeat(52));
 
+const VERSION = '3.4.0';
+
 // ── Impact levels ─────────────────────────────────────────────────────────────
 // SAFE:     No functionality impact. Pure security improvement.
 // CAUTION:  May change agent behavior. User should be aware.
@@ -83,8 +86,6 @@ function buildFixes(config) {
   // Fix 1: world/group-readable credential files — chmod 600
   const badFiles = findWorldReadableCredFiles();
   for (const f of badFiles) {
-    // Classify: credential files (tokens, keys) are safe to lock down.
-    // Config files that other tools might read need caution.
     const isSensitive = /\.(env|json|key|pem|token|secret)$/i.test(f.name) ||
                         f.name === 'agent-accounts.json' ||
                         f.name === 'openclaw.json';
@@ -101,6 +102,9 @@ function buildFixes(config) {
         ? 'Only restricts other system users. Scripts will still run as you.'
         : 'Only restricts other system users from reading this file. Your agent is unaffected.',
       manualNote: null,
+      // for report: capture before state
+      _reportBefore: f.mode,
+      _reportAfter: '600',
     });
   }
 
@@ -119,6 +123,8 @@ function buildFixes(config) {
         '     tablet, or another computer), those connections will be blocked.\n' +
         '     Only localhost access will work after this change.',
       manualNote: 'Restart gateway after applying: openclaw gateway restart',
+      _reportBefore: '0.0.0.0',
+      _reportAfter: '127.0.0.1',
     });
   }
 
@@ -137,6 +143,8 @@ function buildFixes(config) {
         '     shell commands may pause waiting for approval.\n' +
         '     You\'ll need to approve commands via the web UI or CLI.',
       manualNote: 'Restart gateway after applying: openclaw gateway restart',
+      _reportBefore: String(execAsk),
+      _reportAfter: 'on-miss',
     });
   }
 
@@ -236,6 +244,171 @@ function printImpactSummary(fixes) {
   return parts.join(paint.dim(' · '));
 }
 
+// ── Report support ────────────────────────────────────────────────────────────
+
+function getSystemInfo() {
+  let osInfo = `${platform()} ${release()}`;
+  let ocVersion = 'unknown';
+  try {
+    const r = spawnSync('openclaw', ['--version'], { encoding: 'utf8', timeout: 5000 });
+    if (r.stdout) ocVersion = r.stdout.trim().split('\n')[0] || 'unknown';
+  } catch { /* non-fatal */ }
+  return { os: osInfo, openclaw_version: ocVersion };
+}
+
+function defaultReportPath(format) {
+  const date = new Date().toISOString().slice(0, 10); // YYYY-MM-DD
+  const ext = format === 'text' ? 'md' : 'json';
+  return join(HOME, '.openclaw', `clawarmor-harden-report-${date}.${ext}`);
+}
+
+function buildReportItems({ fixes, applied, skipped, failed, skippedBreaking, applyResults }) {
+  const items = [];
+  const appliedSet = new Set(applied);
+  const skippedSet = new Set(skipped);
+  const failedSet = new Set(failed);
+
+  for (const fix of fixes) {
+    if (failedSet.has(fix.id)) {
+      const res = applyResults[fix.id];
+      items.push({
+        check: fix.id,
+        status: 'failed',
+        action: fix.description,
+        error: res?.err || 'unknown error',
+      });
+    } else if (skippedSet.has(fix.id)) {
+      const isBreaking = fix.impact === IMPACT.BREAKING;
+      items.push({
+        check: fix.id,
+        status: 'skipped',
+        skipped_reason: isBreaking
+          ? 'Breaking fix — skipped in auto mode (use --auto --force to include)'
+          : 'User declined',
+      });
+    } else if (appliedSet.has(fix.id)) {
+      items.push({
+        check: fix.id,
+        status: 'hardened',
+        before: fix._reportBefore ?? null,
+        after: fix._reportAfter ?? null,
+        action: fix.description,
+      });
+    }
+  }
+  return items;
+}
+
+function writeJsonReport(reportPath, items) {
+  const sysInfo = getSystemInfo();
+  const hardened = items.filter(i => i.status === 'hardened').length;
+  const already_good = items.filter(i => i.status === 'already_good').length;
+  const skipped = items.filter(i => i.status === 'skipped').length;
+  const failed = items.filter(i => i.status === 'failed').length;
+
+  const report = {
+    version: VERSION,
+    timestamp: new Date().toISOString(),
+    system: sysInfo,
+    summary: {
+      total_checks: items.length,
+      hardened,
+      already_good,
+      skipped,
+      failed,
+    },
+    items,
+  };
+
+  try { mkdirSync(dirname(reportPath), { recursive: true }); } catch {}
+  writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf8');
+  return report;
+}
+
+function writeMarkdownReport(reportPath, items) {
+  const sysInfo = getSystemInfo();
+  const now = new Date();
+  const dateStr = now.toLocaleString('en-US', {
+    year: 'numeric', month: '2-digit', day: '2-digit',
+    hour: '2-digit', minute: '2-digit', hour12: false
+  });
+
+  const hardened = items.filter(i => i.status === 'hardened');
+  const alreadyGood = items.filter(i => i.status === 'already_good');
+  const skippedItems = items.filter(i => i.status === 'skipped');
+  const failedItems = items.filter(i => i.status === 'failed');
+
+  let md = `# ClawArmor Hardening Report
+Generated: ${dateStr}
+ClawArmor: v${VERSION} | OS: ${sysInfo.os} | OpenClaw: ${sysInfo.openclaw_version}
+
+## Summary
+- ✅ ${alreadyGood.length} check${alreadyGood.length !== 1 ? 's' : ''} already good
+- 🔧 ${hardened.length} hardened
+- ⚠️  ${skippedItems.length} skipped
+${failedItems.length ? `- ❌ ${failedItems.length} failed\n` : ''}`;
+
+  if (hardened.length) {
+    md += `
+## Actions Taken
+
+| Check | Before | After | Action |
+|-------|--------|-------|--------|
+`;
+    for (const item of hardened) {
+      md += `| ${item.check} | ${item.before ?? '—'} | ${item.after ?? '—'} | ${item.action ?? '—'} |\n`;
+    }
+  }
+
+  if (alreadyGood.length) {
+    md += `
+## Already Good
+
+`;
+    for (const item of alreadyGood) {
+      md += `- ${item.check}\n`;
+    }
+  }
+
+  if (skippedItems.length) {
+    md += `
+## Skipped
+
+`;
+    for (const item of skippedItems) {
+      md += `- **${item.check}**: ${item.skipped_reason || 'no reason given'}\n`;
+    }
+  }
+
+  if (failedItems.length) {
+    md += `
+## Failed
+
+`;
+    for (const item of failedItems) {
+      md += `- **${item.check}**: ${item.error || 'unknown error'}\n`;
+    }
+  }
+
+  try { mkdirSync(dirname(reportPath), { recursive: true }); } catch {}
+  writeFileSync(reportPath, md, 'utf8');
+}
+
+function printReportSummary(items, reportPath, format) {
+  const hardened = items.filter(i => i.status === 'hardened').length;
+  const alreadyGood = items.filter(i => i.status === 'already_good').length;
+  const skipped = items.filter(i => i.status === 'skipped').length;
+  const failed = items.filter(i => i.status === 'failed').length;
+
+  console.log('');
+  console.log(SEP);
+  console.log(`  ${paint.bold('Hardening Report')}`);
+  console.log(`  ${paint.green('✅')} ${alreadyGood} already good  ${paint.cyan('🔧')} ${hardened} hardened  ${paint.yellow('⚠️')}  ${skipped} skipped${failed ? `  ${paint.red('❌')} ${failed} failed` : ''}`);
+  console.log(`  ${paint.dim('Report written:')} ${reportPath}`);
+  console.log(`  ${paint.dim('Format:')} ${format === 'text' ? 'Markdown (.md)' : 'JSON'}`);
+  console.log('');
+}
+
 // ── Main export ───────────────────────────────────────────────────────────────
 
 export async function runHarden(flags = {}) {
@@ -285,12 +458,9 @@ export async function runHarden(flags = {}) {
     const overrideSev = getOverriddenSeverity(profile.name, fix.id);
     const expected = isExpectedFinding(profile.name, fix.id);
     if (expected) {
-      // Mark as expected — skip entirely from harden output
       return { ...fix, _skipForProfile: true };
     }
     if (overrideSev) {
-      // Upgrade to higher severity if unexpected for this profile
-      const currentWeight = { SAFE: 1, CAUTION: 2, BREAKING: 3 };
       const upgradeMap = { HIGH: IMPACT.BREAKING, MEDIUM: IMPACT.CAUTION, INFO: IMPACT.SAFE };
       const newImpact = upgradeMap[overrideSev] || fix.impact;
       return { ...fix, impact: newImpact, _profileOverride: overrideSev };
@@ -380,11 +550,24 @@ export async function runHarden(flags = {}) {
       console.log(`    ${paint.dim('•')} ${item}`);
     }
     console.log('');
+
+    // If report requested but nothing to harden, still write an empty/all-good report
+    if (flags.report) {
+      const format = flags.reportFormat || 'json';
+      const reportPath = flags.reportPath || defaultReportPath(format);
+      const items = []; // no fixes, no items (could add "already_good" items if we tracked checks)
+      if (format === 'text') {
+        writeMarkdownReport(reportPath, items);
+      } else {
+        writeJsonReport(reportPath, items);
+      }
+      printReportSummary(items, reportPath, format);
+    }
+
     return 0;
   }
 
   if (flags.auto) {
-    // --auto mode: apply safe + caution, SKIP breaking unless --force
     const autoLabel = flags.force
       ? paint.cyan('Auto mode (--force) — applying ALL fixes including breaking')
       : paint.cyan('Auto mode — applying safe + caution fixes (skipping breaking)');
@@ -406,6 +589,12 @@ export async function runHarden(flags = {}) {
   let applied = 0, skipped = 0, failed = 0, skippedBreaking = 0;
   const restartNotes = [];
 
+  // Report tracking
+  const appliedIds = [];
+  const skippedIds = [];
+  const failedIds = [];
+  const applyResults = {};
+
   for (const fix of fixes) {
     const badge = IMPACT_BADGE[fix.impact]();
 
@@ -420,17 +609,16 @@ export async function runHarden(flags = {}) {
     let doApply;
 
     if (flags.auto) {
-      // In auto mode: apply safe + caution, skip breaking unless --force
       if (fix.impact === IMPACT.BREAKING && !flags.force) {
         console.log(`  ${paint.red('⊘ Skipped')} ${paint.dim('(breaking — use --auto --force to include)')}`);
         skippedBreaking++;
         skipped++;
+        skippedIds.push(fix.id);
         console.log('');
         continue;
       }
       doApply = true;
     } else {
-      // Interactive mode: always ask, but warn about breaking
       if (fix.impact === IMPACT.BREAKING) {
         console.log(`  ${paint.red('⚠  This fix will change how your agent works.')}`);
         console.log(`  ${paint.red('   Read the impact above carefully before applying.')}`);
@@ -442,18 +630,22 @@ export async function runHarden(flags = {}) {
     if (!doApply) {
       console.log(`  ${paint.dim('✗ Skipped')}`);
       skipped++;
+      skippedIds.push(fix.id);
       console.log('');
       continue;
     }
 
     const result = applyFix(fix);
+    applyResults[fix.id] = result;
     if (result.ok) {
       console.log(`  ${paint.green('✓ Fixed')}`);
       applied++;
+      appliedIds.push(fix.id);
       if (fix.manualNote) restartNotes.push(fix.manualNote);
     } else {
       console.log(`  ${paint.red('✗ Failed:')} ${result.err}`);
       failed++;
+      failedIds.push(fix.id);
     }
     console.log('');
   }
@@ -505,6 +697,28 @@ export async function runHarden(flags = {}) {
     }
   }
 
+  // ── Write report if requested ──────────────────────────────────────────────
+  if (flags.report) {
+    const format = flags.reportFormat || 'json';
+    const reportPath = flags.reportPath || defaultReportPath(format);
+
+    const reportItems = buildReportItems({
+      fixes,
+      applied: appliedIds,
+      skipped: skippedIds,
+      failed: failedIds,
+      applyResults,
+    });
+
+    if (format === 'text') {
+      writeMarkdownReport(reportPath, reportItems);
+    } else {
+      writeJsonReport(reportPath, reportItems);
+    }
+
+    printReportSummary(reportItems, reportPath, format);
+  }
+
   console.log('');
   return failed > 0 ? 1 : 0;
 }