[codex] Add stable JSON run summary fields

tools/sbom-diff-and-risk/examples/sample-policy-fail-report.json

@@ -11,6 +11,12 @@
       "stale_package": 0,
       "suspicious_source": 0,
       "not_evaluated": 2
+    },
+    "policy": {
+      "status": "fail",
+      "blocking": 3,
+      "warning": 1,
+      "suppressed": 0
     }
   },
   "components": {

tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json

@@ -11,6 +11,12 @@
       "stale_package": 0,
       "suspicious_source": 0,
       "not_evaluated": 2
+    },
+    "policy": {
+      "status": "warn",
+      "blocking": 0,
+      "warning": 1,
+      "suppressed": 0
     }
   },
   "components": {

tools/sbom-diff-and-risk/examples/sample-provenance-report.json

@@ -11,6 +11,25 @@
       "stale_package": 0,
       "suspicious_source": 0,
       "not_evaluated": 0
+    },
+    "policy": {
+      "status": "fail",
+      "blocking": 2,
+      "warning": 1,
+      "suppressed": 0
+    },
+    "enrichment": {
+      "status": "used",
+      "mode": "opt_in_pypi",
+      "pypi": {
+        "candidate_components": 3,
+        "supported_components": 3,
+        "status_counts": {
+          "attestation_available": 2,
+          "attestation_unavailable": 1,
+          "provenance_available": 2
+        }
+      }
     }
   },
   "components": {

tools/sbom-diff-and-risk/examples/sample-scorecard-report.json

@@ -11,6 +11,24 @@
       "stale_package": 0,
       "suspicious_source": 0,
       "not_evaluated": 0
+    },
+    "policy": {
+      "status": "warn",
+      "blocking": 0,
+      "warning": 1,
+      "suppressed": 0
+    },
+    "enrichment": {
+      "status": "used",
+      "mode": "opt_in_scorecard",
+      "scorecard": {
+        "candidate_components": 3,
+        "supported_components": 2,
+        "status_counts": {
+          "repository_unmapped": 1,
+          "scorecard_available": 2
+        }
+      }
     }
   },
   "components": {

tools/sbom-diff-and-risk/src/sbom_diff_risk/report_json.py

@@ -3,21 +3,17 @@
 import json
 
 from .enrichment import enrichment_metadata_to_dict, provenance_evidence_to_dict
-from .models import CompareReport, Component, ComponentChange, RiskFinding
+from .models import CompareReport, Component, ComponentChange, ReportEnrichmentMetadata, RiskFinding
 from .presentation import build_policy_report_sections, build_trust_signal_report_sections
+from .policy_models import PolicyEvaluation
 from .scorecard_enrichment import scorecard_evidence_to_dict
 
 
 def render_report_json(report: CompareReport) -> str:
     policy_sections = build_policy_report_sections(report.metadata.policy_evaluation)
     trust_signal_sections = build_trust_signal_report_sections(report)
     payload = {
-        "summary": {
-            "added": report.summary.added,
-            "removed": report.summary.removed,
-            "changed": report.summary.changed,
-            "risk_counts": dict(report.summary.risk_counts),
-        },
+        "summary": _summary_to_dict(report),
         "components": {
             "added": [_component_to_dict(component) for component in report.components.added],
             "removed": [_component_to_dict(component) for component in report.components.removed],
@@ -51,6 +47,69 @@ def render_report_json(report: CompareReport) -> str:
     return json.dumps(payload, indent=2) + "\n"
 
 
+def _summary_to_dict(report: CompareReport) -> dict[str, object]:
+    summary: dict[str, object] = {
+        "added": report.summary.added,
+        "removed": report.summary.removed,
+        "changed": report.summary.changed,
+        "risk_counts": dict(report.summary.risk_counts),
+    }
+
+    policy_summary = _policy_summary_to_dict(report.metadata.policy_evaluation)
+    if policy_summary is not None:
+        summary["policy"] = policy_summary
+
+    enrichment_summary = _enrichment_summary_to_dict(report.metadata.enrichment)
+    if enrichment_summary is not None:
+        summary["enrichment"] = enrichment_summary
+
+    return summary
+
+
+def _policy_summary_to_dict(evaluation: PolicyEvaluation | None) -> dict[str, object] | None:
+    if evaluation is None or not evaluation.applied:
+        return None
+
+    blocking = len(evaluation.blocking_violations)
+    warning = len(evaluation.warning_violations)
+    suppressed = len(evaluation.suppressed_violations)
+    status = "fail" if blocking else "warn" if warning else "pass"
+
+    return {
+        "status": status,
+        "blocking": blocking,
+        "warning": warning,
+        "suppressed": suppressed,
+    }
+
+
+def _enrichment_summary_to_dict(metadata: ReportEnrichmentMetadata) -> dict[str, object] | None:
+    if not (metadata.pypi_enabled or metadata.scorecard_enabled):
+        return None
+
+    summary: dict[str, object] = {
+        "status": "used",
+        "mode": metadata.mode,
+    }
+    if metadata.pypi_enabled:
+        summary["pypi"] = {
+            "candidate_components": metadata.candidate_components,
+            "supported_components": metadata.supported_components,
+            "status_counts": _sorted_counts(metadata.status_counts),
+        }
+    if metadata.scorecard_enabled:
+        summary["scorecard"] = {
+            "candidate_components": metadata.scorecard_candidate_components,
+            "supported_components": metadata.scorecard_supported_components,
+            "status_counts": _sorted_counts(metadata.scorecard_status_counts),
+        }
+    return summary
+
+
+def _sorted_counts(counts: dict[str, int]) -> dict[str, int]:
+    return {key: counts[key] for key in sorted(counts)}
+
+
 def _component_to_dict(component: Component) -> dict[str, object]:
     evidence = dict(component.evidence)
     provenance = provenance_evidence_to_dict(component.provenance)

tools/sbom-diff-and-risk/tests/test_provenance_reporting.py

@@ -52,6 +52,25 @@ def test_provenance_report_json_includes_provenance_policy_summary() -> None:
 
     payload = json.loads(render_report_json(report))
 
+    assert payload["summary"]["policy"] == {
+        "status": "fail",
+        "blocking": 2,
+        "warning": 1,
+        "suppressed": 0,
+    }
+    assert payload["summary"]["enrichment"] == {
+        "status": "used",
+        "mode": "opt_in_pypi",
+        "pypi": {
+            "candidate_components": 3,
+            "supported_components": 3,
+            "status_counts": {
+                "attestation_available": 2,
+                "attestation_unavailable": 1,
+                "provenance_available": 2,
+            },
+        },
+    }
     assert payload["provenance_policy"]["configured"] is True
     assert payload["provenance_policy_impact"] == payload["provenance_policy"]
     assert payload["provenance_policy"]["requirements"]["require_attestations_for_new_packages"] is True

tools/sbom-diff-and-risk/tests/test_reports.py

@@ -131,6 +131,20 @@ def test_report_json_offline_enrichment_metadata_is_stable_by_default() -> None:
     payload = json.loads(first)
 
     assert first == second
+    assert payload["summary"] == {
+        "added": 1,
+        "removed": 0,
+        "changed": 1,
+        "risk_counts": {
+            "new_package": 1,
+            "major_upgrade": 0,
+            "version_change_unclassified": 1,
+            "unknown_license": 0,
+            "stale_package": 0,
+            "suspicious_source": 0,
+            "not_evaluated": 2,
+        },
+    }
     assert payload["metadata"]["enrichment"] == {
         "mode": "offline_default",
         "pypi_enabled": False,
@@ -159,6 +173,20 @@ def test_report_json_offline_enrichment_metadata_is_stable_by_default() -> None:
     assert all("scorecard" not in component["evidence"] for component in added_components)
 
 
+def test_report_json_summary_includes_policy_status_when_policy_is_used() -> None:
+    report = _build_report("cdx_before.json", "cdx_after.json", policy_name="policy-minimal.yml")
+
+    payload = json.loads(render_report_json(report))
+
+    assert payload["summary"]["policy"] == {
+        "status": "warn",
+        "blocking": 0,
+        "warning": 1,
+        "suppressed": 0,
+    }
+    assert "enrichment" not in payload["summary"]
+
+
 def test_reports_render_suppressions_when_policy_ignores_findings() -> None:
     policy = PolicyConfig(
         version=1,

tools/sbom-diff-and-risk/tests/test_scorecard_reporting.py

@@ -36,6 +36,31 @@ def test_scorecard_report_json_matches_golden() -> None:
     assert rendered == expected
 
 
+def test_scorecard_report_json_summary_includes_enrichment_status() -> None:
+    report, _, _ = _build_sample_scorecard_report()
+
+    payload = json.loads(render_report_json(report))
+
+    assert payload["summary"]["policy"] == {
+        "status": "warn",
+        "blocking": 0,
+        "warning": 1,
+        "suppressed": 0,
+    }
+    assert payload["summary"]["enrichment"] == {
+        "status": "used",
+        "mode": "opt_in_scorecard",
+        "scorecard": {
+            "candidate_components": 3,
+            "supported_components": 2,
+            "status_counts": {
+                "repository_unmapped": 1,
+                "scorecard_available": 2,
+            },
+        },
+    }
+
+
 def test_scorecard_report_markdown_matches_golden() -> None:
     report, _, _ = _build_sample_scorecard_report()