clawarmor 3.5.1 → 3.6.0

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## [3.6.0] — 2026-03-08
+
+### New Features
+
+#### `clawarmor report --compare` — Security Drift Detection
+Diff two ClawArmor report JSON files (scan or harden) to track security posture changes over time.
+
+**Usage:**
+```bash
+clawarmor report --compare baseline.json current.json
+```
+
+**Output sections:**
+- **Regressions** (red) — was PASS, now FAIL/WARN — the important ones
+- **Improvements** (green) — was FAIL/WARN, now PASS
+- **New Issues** — check ID in current but not in baseline
+- **Resolved** — check ID in baseline but no longer present
+- **Unchanged** — count only
+
+Score delta shown when available: `Score: 72 → 85 (+13)`
+
+**CI-safe exit codes:** `0` = no regressions, `1` = regressions found.
+
+Handles mismatched report types (harden vs scan) with a warning but continues.
+
+---
+
 ## [3.4.0] — 2026-03-08
 
 ### New Features

package/README.md

@@ -101,6 +101,7 @@ clawarmor invariant status          # check what's deployed
 |---|---|
 | `trend` | ASCII chart of your security score over time |
 | `compare` | Compare coverage vs openclaw security audit |
+| `report --compare` | Diff two report JSON files — show security drift over time (v3.6.0) |
 | `log` | View the audit event log |
 | `digest` | Show weekly security digest |
 | `watch` | Monitor config and skill changes in real time |
@@ -193,6 +194,34 @@ Example JSON structure:
 
 Terminal output is still shown when `--report` is used — the flag only adds file output on top.
 
+**Report comparison / security drift** (v3.6.0) — Diff two ClawArmor report files to see what changed:
+
+```bash
+# Compare two scan reports and show what got worse (regressions), what improved, and new/resolved issues
+clawarmor report --compare ~/.openclaw/clawarmor-scan-report-2026-03-01.json \
+                            ~/.openclaw/clawarmor-scan-report-2026-03-08.json
+```
+
+Output sections:
+- **Regressions** (red) — checks that were PASS and are now FAIL or WARN
+- **Improvements** (green) — checks that were FAIL/WARN and are now PASS
+- **New Issues** — check IDs in the current report but not in the baseline
+- **Resolved** — check IDs in baseline but no longer present (and they were failing)
+- **Unchanged** — count only, not listed
+
+Score delta is shown when available: `Score: 72 → 85 (+13)`
+
+Works with both scan reports and harden reports. Shows a warning when comparing different report types.
+
+**CI-safe exit codes:**
+- Exit `0` — no regressions (safe to merge/deploy)
+- Exit `1` — one or more regressions detected
+
+Example CI usage:
+```bash
+clawarmor report --compare baseline.json current.json || exit 1
+```
+
 ## Philosophy
 
 ClawArmor runs entirely on your machine — no telemetry, no cloud, no accounts.

package/cli.js

@@ -3,7 +3,7 @@
 
 import { paint } from './lib/output/colors.js';
 
-const VERSION = '3.5.1';
+const VERSION = '3.6.0';
 const GATEWAY_PORT_DEFAULT = 18789;
 
 function isLocalhost(host) {
@@ -170,6 +170,29 @@ if (cmd === 'compare') {
   process.exit(await runCompare());
 }
 
+if (cmd === 'report') {
+  const compareIdx = args.indexOf('--compare');
+  if (compareIdx !== -1) {
+    const file1 = args[compareIdx + 1];
+    const file2 = args[compareIdx + 2];
+    const { runReportCompare } = await import('./lib/report-compare.js');
+    process.exit(await runReportCompare(file1, file2));
+  }
+  // Default: show usage for report subcommand
+  console.log('');
+  console.log(`  ${paint.bold('report')} — report management`);
+  console.log('');
+  console.log(`  ${paint.cyan('Usage:')}`);
+  console.log(`    clawarmor report --compare <baseline.json> <current.json>`);
+  console.log('');
+  console.log(`  ${paint.dim('Flags:')}`);
+  console.log(`    ${paint.dim('--compare <file1> <file2>')}   Diff two report JSON files, show security drift`);
+  console.log('');
+  console.log(`  ${paint.dim('Exit codes:')}  0 = no regressions, 1 = regressions found (CI-safe)`);
+  console.log('');
+  process.exit(0);
+}
+
 
 if (cmd === 'fix') {
   const { runFix } = await import('./lib/fix.js');

package/lib/report-compare.js

@@ -0,0 +1,350 @@
+// ClawArmor v3.6.0 — report --compare command
+// Diffs two ClawArmor report JSON files to show security drift over time.
+
+import { readFileSync, existsSync } from 'fs';
+import { paint, severityColor } from './output/colors.js';
+
+const SEP = paint.dim('─'.repeat(60));
+const SEP_SHORT = paint.dim('─'.repeat(40));
+
+function box(title) {
+  const W = 60, pad = W - 2 - title.length;
+  const l = Math.floor(pad / 2), r = pad - l;
+  return [
+    paint.dim('╔' + '═'.repeat(W - 2) + '╗'),
+    paint.dim('║') + ' '.repeat(l) + paint.bold(title) + ' '.repeat(r) + paint.dim('║'),
+    paint.dim('╚' + '═'.repeat(W - 2) + '╝'),
+  ].join('\n');
+}
+
+function formatTimestamp(ts) {
+  if (!ts) return 'unknown';
+  try {
+    return new Date(ts).toLocaleString('en-US', {
+      year: 'numeric', month: 'short', day: 'numeric',
+      hour: '2-digit', minute: '2-digit', hour12: false,
+    });
+  } catch {
+    return ts;
+  }
+}
+
+function getScore(report) {
+  // scan reports have top-level score, harden reports don't
+  if (typeof report.score === 'number') return report.score;
+  const summary = report.summary || {};
+  if (typeof summary.score === 'number') return summary.score;
+  return null;
+}
+
+function getReportType(report) {
+  // Detect report type from command field or structure
+  if (report.command) return report.command;
+  if (Array.isArray(report.checks)) return 'scan';
+  if (Array.isArray(report.items)) return 'harden';
+  return 'unknown';
+}
+
+/**
+ * Normalize checks from any report format into a common shape:
+ * { id, name, status, severity, detail }
+ *
+ * Scan reports: checks[] with { name, status, severity, detail }
+ * Harden reports: items[] with { check, status, action }
+ */
+function normalizeChecks(report) {
+  const checks = [];
+
+  // Scan report format
+  if (Array.isArray(report.checks)) {
+    for (const c of report.checks) {
+      const id = c.id || c.name;
+      checks.push({
+        id,
+        name: c.name || id,
+        status: c.status,   // 'pass' | 'warn' | 'block' | 'info'
+        severity: c.severity || 'NONE',
+        detail: c.detail || '',
+      });
+    }
+  }
+
+  // Harden report format
+  if (Array.isArray(report.items)) {
+    for (const item of report.items) {
+      const id = item.check || item.id;
+      checks.push({
+        id,
+        name: item.check || id,
+        status: item.status,  // 'hardened' | 'already_good' | 'skipped' | 'failed'
+        severity: item.severity || 'NONE',
+        detail: item.action || item.detail || '',
+      });
+    }
+  }
+
+  return checks;
+}
+
+function isPass(status) {
+  return status === 'pass' || status === 'already_good';
+}
+
+function isFail(status) {
+  return status === 'block' || status === 'fail' || status === 'failed';
+}
+
+function isWarn(status) {
+  return status === 'warn' || status === 'skipped';
+}
+
+function statusLabel(status) {
+  if (isPass(status)) return paint.green(status.toUpperCase());
+  if (isFail(status)) return paint.red(status.toUpperCase());
+  if (isWarn(status)) return paint.yellow(status.toUpperCase());
+  return paint.dim(status.toUpperCase());
+}
+
+/**
+ * Core diff logic — exported for unit testing.
+ *
+ * Returns:
+ * {
+ *   regressions:  [{ id, name, oldStatus, newStatus, severity, detail }]
+ *   improvements: [{ id, name, oldStatus, newStatus, severity, detail }]
+ *   newIssues:    [{ id, name, status, severity, detail }]
+ *   resolved:     [{ id, name, status, severity, detail }]
+ *   unchanged:    number
+ *   scoreOld:     number|null
+ *   scoreNew:     number|null
+ * }
+ */
+export function diffReports(report1, report2) {
+  const checks1 = normalizeChecks(report1);
+  const checks2 = normalizeChecks(report2);
+
+  const map1 = new Map(checks1.map(c => [c.id, c]));
+  const map2 = new Map(checks2.map(c => [c.id, c]));
+
+  const regressions = [];
+  const improvements = [];
+  const newIssues = [];
+  const resolved = [];
+  let unchanged = 0;
+
+  // Check all IDs from file2
+  for (const [id, c2] of map2) {
+    if (!map1.has(id)) {
+      // New check in file2
+      if (!isPass(c2.status)) {
+        newIssues.push(c2);
+      }
+      continue;
+    }
+
+    const c1 = map1.get(id);
+    if (isPass(c1.status) && !isPass(c2.status)) {
+      // Was passing, now failing/warning → regression
+      regressions.push({
+        id,
+        name: c2.name,
+        oldStatus: c1.status,
+        newStatus: c2.status,
+        severity: c2.severity,
+        detail: c2.detail,
+      });
+    } else if (!isPass(c1.status) && isPass(c2.status)) {
+      // Was failing/warning, now passing → improvement
+      improvements.push({
+        id,
+        name: c2.name,
+        oldStatus: c1.status,
+        newStatus: c2.status,
+        severity: c1.severity,
+        detail: c2.detail,
+      });
+    } else {
+      unchanged++;
+    }
+  }
+
+  // Checks only in file1 (resolved / no longer present)
+  for (const [id, c1] of map1) {
+    if (!map2.has(id) && !isPass(c1.status)) {
+      resolved.push(c1);
+    } else if (!map2.has(id) && isPass(c1.status)) {
+      // Was passing, no longer checked — just ignore (counts as unchanged context)
+      unchanged++;
+    }
+  }
+
+  return {
+    regressions,
+    improvements,
+    newIssues,
+    resolved,
+    unchanged,
+    scoreOld: getScore(report1),
+    scoreNew: getScore(report2),
+  };
+}
+
+export async function runReportCompare(file1, file2) {
+  // ── Validate inputs ──────────────────────────────────────────────────────────
+  if (!file1 || !file2) {
+    console.error('');
+    console.error(`  ${paint.red('✗')} Usage: clawarmor report --compare <file1> <file2>`);
+    console.error(`  ${paint.dim('Example: clawarmor report --compare old-report.json new-report.json')}`);
+    console.error('');
+    return 1;
+  }
+
+  if (!existsSync(file1)) {
+    console.error('');
+    console.error(`  ${paint.red('✗')} File not found: ${file1}`);
+    console.error('');
+    return 1;
+  }
+
+  if (!existsSync(file2)) {
+    console.error('');
+    console.error(`  ${paint.red('✗')} File not found: ${file2}`);
+    console.error('');
+    return 1;
+  }
+
+  let report1, report2;
+  try {
+    report1 = JSON.parse(readFileSync(file1, 'utf8'));
+  } catch (e) {
+    console.error('');
+    console.error(`  ${paint.red('✗')} Could not parse ${file1}: ${e.message}`);
+    console.error('');
+    return 1;
+  }
+
+  try {
+    report2 = JSON.parse(readFileSync(file2, 'utf8'));
+  } catch (e) {
+    console.error('');
+    console.error(`  ${paint.red('✗')} Could not parse ${file2}: ${e.message}`);
+    console.error('');
+    return 1;
+  }
+
+  // ── Header ───────────────────────────────────────────────────────────────────
+  console.log('');
+  console.log(box('ClawArmor — Security Drift Report'));
+  console.log('');
+
+  const type1 = getReportType(report1);
+  const type2 = getReportType(report2);
+
+  if (type1 !== type2) {
+    console.log(`  ${paint.yellow('⚠')}  Report types differ: ${paint.bold(type1)} vs ${paint.bold(type2)}`);
+    console.log(`     ${paint.dim('Comparison may be incomplete — check IDs may not align.')}`);
+    console.log('');
+  }
+
+  console.log(`  ${paint.dim('Baseline:')}  ${formatTimestamp(report1.timestamp)}  ${paint.dim('(' + file1 + ')')}`);
+  console.log(`  ${paint.dim('Current:')}   ${formatTimestamp(report2.timestamp)}  ${paint.dim('(' + file2 + ')')}`);
+  console.log('');
+
+  // ── Score delta ───────────────────────────────────────────────────────────────
+  const diff = diffReports(report1, report2);
+
+  if (diff.scoreOld !== null && diff.scoreNew !== null) {
+    const delta = diff.scoreNew - diff.scoreOld;
+    const deltaStr = delta > 0 ? paint.green(`+${delta}`) : delta < 0 ? paint.red(`${delta}`) : paint.dim('±0');
+    const oldColor = diff.scoreOld >= 80 ? paint.green : diff.scoreOld >= 60 ? paint.yellow : paint.red;
+    const newColor = diff.scoreNew >= 80 ? paint.green : diff.scoreNew >= 60 ? paint.yellow : paint.red;
+    console.log(`  ${paint.bold('Score:')} ${oldColor(String(diff.scoreOld))} → ${newColor(String(diff.scoreNew))} (${deltaStr})`);
+    console.log('');
+  } else if (diff.scoreOld !== null || diff.scoreNew !== null) {
+    const s = diff.scoreOld ?? diff.scoreNew;
+    console.log(`  ${paint.bold('Score:')} ${paint.dim('N/A')} → ${s} ${paint.dim('(only one report has a score)')}`);
+    console.log('');
+  }
+
+  // ── Regressions ──────────────────────────────────────────────────────────────
+  console.log(SEP);
+  if (diff.regressions.length === 0) {
+    console.log(`  ${paint.green('✓')} ${paint.bold('No regressions')} — nothing got worse`);
+  } else {
+    console.log(`  ${paint.red('✗')} ${paint.bold(`Regressions (${diff.regressions.length})`)} — ${paint.red('things that got worse')}`);
+    console.log(SEP);
+    for (const r of diff.regressions) {
+      const sevCol = severityColor[r.severity] || paint.dim;
+      console.log(`  ${paint.red('↓')} ${paint.bold(r.name)}`);
+      console.log(`     ${paint.dim('Was:')} ${statusLabel(r.oldStatus)}  ${paint.dim('→')}  ${paint.dim('Now:')} ${statusLabel(r.newStatus)}  ${sevCol('[' + r.severity + ']')}`);
+      if (r.detail) console.log(`     ${paint.dim(r.detail)}`);
+    }
+  }
+  console.log('');
+
+  // ── Improvements ─────────────────────────────────────────────────────────────
+  console.log(SEP);
+  if (diff.improvements.length === 0) {
+    console.log(`  ${paint.dim('─')} No improvements`);
+  } else {
+    console.log(`  ${paint.green('✓')} ${paint.bold(`Improvements (${diff.improvements.length})`)} — ${paint.green('things that got better')}`);
+    console.log(SEP);
+    for (const r of diff.improvements) {
+      const sevCol = severityColor[r.severity] || paint.dim;
+      console.log(`  ${paint.green('↑')} ${paint.bold(r.name)}`);
+      console.log(`     ${paint.dim('Was:')} ${statusLabel(r.oldStatus)}  ${paint.dim('→')}  ${paint.dim('Now:')} ${statusLabel(r.newStatus)}  ${sevCol('[' + r.severity + ']')}`);
+      if (r.detail) console.log(`     ${paint.dim(r.detail)}`);
+    }
+  }
+  console.log('');
+
+  // ── New Issues ────────────────────────────────────────────────────────────────
+  console.log(SEP);
+  if (diff.newIssues.length === 0) {
+    console.log(`  ${paint.dim('─')} No new issues`);
+  } else {
+    console.log(`  ${paint.yellow('!')} ${paint.bold(`New Issues (${diff.newIssues.length})`)} — ${paint.yellow('checks not in baseline report')}`);
+    console.log(SEP);
+    for (const r of diff.newIssues) {
+      const sevCol = severityColor[r.severity] || paint.dim;
+      console.log(`  ${paint.yellow('+')} ${paint.bold(r.name)}  ${sevCol('[' + r.severity + ']')}`);
+      if (r.detail) console.log(`     ${paint.dim(r.detail)}`);
+    }
+  }
+  console.log('');
+
+  // ── Resolved ─────────────────────────────────────────────────────────────────
+  console.log(SEP);
+  if (diff.resolved.length === 0) {
+    console.log(`  ${paint.dim('─')} Nothing resolved`);
+  } else {
+    console.log(`  ${paint.green('✓')} ${paint.bold(`Resolved (${diff.resolved.length})`)} — ${paint.green('issues no longer present')}`);
+    console.log(SEP);
+    for (const r of diff.resolved) {
+      console.log(`  ${paint.green('✓')} ${paint.bold(r.name)}  ${paint.dim('[' + r.severity + ']')}`);
+      if (r.detail) console.log(`     ${paint.dim(r.detail)}`);
+    }
+  }
+  console.log('');
+
+  // ── Summary ───────────────────────────────────────────────────────────────────
+  console.log(SEP);
+  console.log(`  ${paint.bold('Summary')}`);
+  console.log(SEP);
+  console.log(`  ${paint.red('Regressions:')}   ${diff.regressions.length}`);
+  console.log(`  ${paint.green('Improvements:')}  ${diff.improvements.length}`);
+  console.log(`  ${paint.yellow('New Issues:')}    ${diff.newIssues.length}`);
+  console.log(`  ${paint.green('Resolved:')}      ${diff.resolved.length}`);
+  console.log(`  ${paint.dim('Unchanged:')}     ${diff.unchanged}`);
+  console.log('');
+
+  if (diff.regressions.length > 0) {
+    console.log(`  ${paint.red('⚠')}  ${paint.bold(diff.regressions.length + ' regression(s) detected.')}  Exit code: 1`);
+    console.log('');
+    return 1;
+  }
+
+  console.log(`  ${paint.green('✓')} ${paint.bold('No regressions.')}  Exit code: 0`);
+  console.log('');
+  return 0;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawarmor",
-  "version": "3.5.1",
+  "version": "3.6.0",
   "description": "Security armor for OpenClaw agents \u2014 audit, scan, monitor",
   "bin": {
     "clawarmor": "cli.js"

package/test-report-compare.js

@@ -0,0 +1,158 @@
+#!/usr/bin/env node
+// Unit tests for report-compare diffReports logic
+// Run: node test-report-compare.js
+
+import assert from 'assert';
+import { diffReports } from './lib/report-compare.js';
+
+let passed = 0;
+let failed = 0;
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  ✓ ${name}`);
+    passed++;
+  } catch (e) {
+    console.log(`  ✗ ${name}`);
+    console.log(`    ${e.message}`);
+    failed++;
+  }
+}
+
+const baseReport = (checks, score = 80) => ({
+  version: '3.5.1',
+  timestamp: '2026-03-01T10:00:00Z',
+  score,
+  checks,
+});
+
+console.log('\n  ClawArmor — diffReports unit tests\n');
+
+// ── Regressions ──────────────────────────────────────────────────────────────
+
+test('detects regression: PASS → WARN', () => {
+  const r1 = baseReport([{ name: 'gateway', status: 'pass', severity: 'NONE', detail: '' }]);
+  const r2 = baseReport([{ name: 'gateway', status: 'warn', severity: 'HIGH', detail: 'exposed' }]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.regressions.length, 1);
+  assert.strictEqual(diff.regressions[0].id, 'gateway');
+  assert.strictEqual(diff.regressions[0].oldStatus, 'pass');
+  assert.strictEqual(diff.regressions[0].newStatus, 'warn');
+});
+
+test('detects regression: PASS → block (CRITICAL)', () => {
+  const r1 = baseReport([{ name: 'auth', status: 'pass', severity: 'NONE', detail: '' }]);
+  const r2 = baseReport([{ name: 'auth', status: 'block', severity: 'CRITICAL', detail: 'exposed token' }]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.regressions.length, 1);
+  assert.strictEqual(diff.regressions[0].severity, 'CRITICAL');
+});
+
+// ── Improvements ────────────────────────────────────────────────────────────
+
+test('detects improvement: WARN → PASS', () => {
+  const r1 = baseReport([{ name: 'gateway', status: 'warn', severity: 'HIGH', detail: 'exposed' }]);
+  const r2 = baseReport([{ name: 'gateway', status: 'pass', severity: 'NONE', detail: '' }]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.improvements.length, 1);
+  assert.strictEqual(diff.improvements[0].id, 'gateway');
+});
+
+test('detects improvement: block → PASS', () => {
+  const r1 = baseReport([{ name: 'auth', status: 'block', severity: 'CRITICAL', detail: '' }]);
+  const r2 = baseReport([{ name: 'auth', status: 'pass', severity: 'NONE', detail: '' }]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.improvements.length, 1);
+});
+
+// ── New Issues ───────────────────────────────────────────────────────────────
+
+test('detects new issues (check in file2 but not file1)', () => {
+  const r1 = baseReport([{ name: 'old-check', status: 'pass', severity: 'NONE', detail: '' }]);
+  const r2 = baseReport([
+    { name: 'old-check', status: 'pass', severity: 'NONE', detail: '' },
+    { name: 'new-check', status: 'warn', severity: 'HIGH', detail: 'new problem' },
+  ]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.newIssues.length, 1);
+  assert.strictEqual(diff.newIssues[0].id, 'new-check');
+});
+
+test('new passing checks are NOT in newIssues', () => {
+  const r1 = baseReport([]);
+  const r2 = baseReport([{ name: 'new-pass', status: 'pass', severity: 'NONE', detail: '' }]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.newIssues.length, 0);
+});
+
+// ── Resolved ─────────────────────────────────────────────────────────────────
+
+test('detects resolved: failing check no longer in file2', () => {
+  const r1 = baseReport([
+    { name: 'old-issue', status: 'block', severity: 'CRITICAL', detail: 'bad' },
+    { name: 'keep', status: 'pass', severity: 'NONE', detail: '' },
+  ]);
+  const r2 = baseReport([{ name: 'keep', status: 'pass', severity: 'NONE', detail: '' }]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.resolved.length, 1);
+  assert.strictEqual(diff.resolved[0].id, 'old-issue');
+});
+
+// ── Unchanged ────────────────────────────────────────────────────────────────
+
+test('unchanged count is correct', () => {
+  const r1 = baseReport([
+    { name: 'a', status: 'pass', severity: 'NONE', detail: '' },
+    { name: 'b', status: 'warn', severity: 'HIGH', detail: '' },
+  ]);
+  const r2 = baseReport([
+    { name: 'a', status: 'pass', severity: 'NONE', detail: '' },
+    { name: 'b', status: 'warn', severity: 'HIGH', detail: 'same' },
+  ]);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.unchanged, 2);
+  assert.strictEqual(diff.regressions.length, 0);
+  assert.strictEqual(diff.improvements.length, 0);
+});
+
+// ── Score delta ──────────────────────────────────────────────────────────────
+
+test('score delta is extracted', () => {
+  const r1 = baseReport([], 72);
+  const r2 = baseReport([], 85);
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.scoreOld, 72);
+  assert.strictEqual(diff.scoreNew, 85);
+});
+
+test('score null when not in report', () => {
+  const r1 = { version: '1.0', timestamp: '2026-01-01T00:00:00Z', items: [] };
+  const r2 = { version: '1.0', timestamp: '2026-01-01T00:00:00Z', items: [] };
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.scoreOld, null);
+  assert.strictEqual(diff.scoreNew, null);
+});
+
+// ── Harden report format ─────────────────────────────────────────────────────
+
+test('handles harden report format (items[] instead of checks[])', () => {
+  const r1 = {
+    version: '3.5.0', timestamp: '2026-03-01T00:00:00Z',
+    items: [{ check: 'cred-perms', status: 'already_good', action: 'Files are 600' }],
+  };
+  const r2 = {
+    version: '3.5.1', timestamp: '2026-03-08T00:00:00Z',
+    items: [{ check: 'cred-perms', status: 'failed', action: 'Could not fix' }],
+  };
+  const diff = diffReports(r1, r2);
+  assert.strictEqual(diff.regressions.length, 1);
+  assert.strictEqual(diff.regressions[0].id, 'cred-perms');
+});
+
+// ── Results ──────────────────────────────────────────────────────────────────
+
+console.log('');
+console.log(`  Results: ${passed} passed, ${failed} failed`);
+console.log('');
+if (failed > 0) process.exit(1);