
[codex] Add optional summary JSON output #28

Merged: stacknil merged 1 commit into main from codex/optional-summary-json-output on Apr 30, 2026

Conversation

@stacknil (Owner)

Brief Design Summary

This PR adds optional --summary-json PATH support to sbom-diff-risk compare.

When provided, the command writes only the same stable summary object already present in report.json["summary"]. The implementation reuses the existing summary rendering path via render_summary_json(report), so it does not introduce a second summary schema.

Existing --out-json behavior is unchanged.

Files Changed

  • tools/sbom-diff-and-risk/src/sbom_diff_risk/cli.py
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/report_json.py
  • tools/sbom-diff-and-risk/tests/test_cli_summary_json.py
  • tools/sbom-diff-and-risk/tests/test_cli_exit_codes.py
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/docs/report-schema.md

Tests Added/Updated

Added CLI coverage for:

  • summary-only output
  • equality with report.json["summary"]
  • policy summary output
  • PyPI enrichment summary output
  • Scorecard enrichment summary output
  • omitted-output behavior
  • help text exposure

Validation

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check
python -m pip install -e .[dev]
sbom-diff-risk compare `
  --before examples/cdx_before.json `
  --after examples/cdx_after.json `
  --out-json outputs/report.json `
  --summary-json outputs/summary.json

Confirmed:

  • 153 passed
  • build passed
  • twine check passed
  • outputs/summary.json is valid JSON
  • outputs/summary.json equals outputs/report.json["summary"]
  • unchanged remains absent
  • no Markdown output changes
  • no SARIF output changes
  • no workflow changes
  • no package version change
  • no network or CVE behavior change

Out of Scope

  • No CLI behavior changes beyond the optional flag
  • No changes to existing --out-json
  • No Markdown output changes
  • No SARIF changes
  • No workflow changes
  • No package version bump
  • No production PyPI workflow

@stacknil stacknil merged commit 05dc646 into main Apr 30, 2026
9 checks passed
@stacknil stacknil deleted the codex/optional-summary-json-output branch April 30, 2026 10:34