wrkr regress

Subcommands

wrkr regress init --baseline <scan-state-path> [--output <baseline-path>] [--json]
wrkr regress run --baseline <baseline-path-or-scan-state-path> [--state <state-path>] [--summary-md] [--summary-md-path <path>] [--template exec|operator|audit|public] [--share-profile internal|public] [--top <n>] [--json]

Flags

regress init

  • --json
  • --baseline
  • --output

regress run

  • --json
  • --baseline
  • --state
  • --summary-md
  • --summary-md-path
  • --template
  • --share-profile
  • --top

Example

wrkr regress init --baseline ./.wrkr/last-scan.json --output ./.wrkr/wrkr-regress-baseline.json --json
wrkr regress run --baseline ./.wrkr/wrkr-regress-baseline.json --state ./.wrkr/last-scan.json --summary-md --summary-md-path ./.tmp/regress-summary.md --template operator --json

Compatibility example using a raw saved scan snapshot baseline:

cp ./.wrkr/last-scan.json ./.wrkr/inventory-baseline.json
wrkr regress run --baseline ./.wrkr/inventory-baseline.json --state ./.wrkr/last-scan.json --json

Expected JSON keys include status, baseline_path, tool_count (init) and drift fields plus optional summary_md_path (run).

  • Baseline tools[*] continue to expose agent_id and tool_id; additive agent_instance_id is now included when instance-scoped identity is available.
  • Drift reasons[*] continue to expose agent_id/tool_id and now include additive agent_instance_id when the current state carries instance-scoped identity.
  • When critical attack-path sets diverge above deterministic thresholds, reasons includes a single critical_attack_path_drift summary entry with machine-readable attack_path_drift details (added, removed, score_changed).
  • Regress baselines and drift comparison operate on lifecycle-bearing real tool identities only. Finding-only signals such as secret_presence, source_discovery, policy_*, and parse_error stay in findings/risk output and do not create new_unapproved_tool drift on their own.
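An added example (not Wrkr's own code) of a CI-side consumer for the run output described above: it groups drift reasons by identity, preferring agent_instance_id and falling back to agent_id/tool_id, and totals the attack_path_drift details. The sample JSON is constructed; the top-level placement of reasons, the per-reason "code" key, and the list shape of added/removed/score_changed are assumptions.

```python
import json
import sys

# Constructed sample built from the key names on this page. Assumptions: the
# top-level "reasons" placement, the per-reason "code" key, and list-valued
# added/removed/score_changed (bare counts are accepted too).
SAMPLE = json.loads("""
{"reasons": [
  {"code": "new_unapproved_tool", "agent_id": "agent-a", "tool_id": "tool-1",
   "agent_instance_id": "agent-a#1"},
  {"code": "new_unapproved_tool", "agent_id": "agent-b", "tool_id": "tool-2"},
  {"code": "critical_attack_path_drift",
   "attack_path_drift": {"added": ["p1", "p2"], "removed": [],
                         "score_changed": ["p3"]}}
]}
""")


def _count(value):
    """Accept a list of entries or a bare integer count."""
    return value if isinstance(value, int) else len(value or [])


def identity(reason):
    """Prefer the additive agent_instance_id; fall back to agent_id/tool_id."""
    legacy = f"{reason.get('agent_id')}/{reason.get('tool_id')}"
    return reason.get("agent_instance_id") or legacy


def summarize(report, kind_key="code"):
    """Group drift reasons by identity and total attack-path changes."""
    tools, paths = {}, {"added": 0, "removed": 0, "score_changed": 0}
    reasons = report.get("reasons") or []
    for reason in reasons:
        kind = reason.get(kind_key, "unknown")
        if kind == "critical_attack_path_drift":
            detail = reason.get("attack_path_drift") or {}
            for field in paths:
                paths[field] += _count(detail.get(field))
        else:
            tools.setdefault(identity(reason), []).append(kind)
    # Fail closed: any reason, including kinds unknown to this script, blocks.
    return {"blocking": bool(reasons), "tools": tools, "attack_paths": paths}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved `wrkr regress run --json` output
        with open(sys.argv[1]) as fh:
            SAMPLE = json.load(fh)
    result = summarize(SAMPLE)
    print(json.dumps(result, indent=2))
```

A pipeline step can exit non-zero when the returned "blocking" value is true; pass a different kind_key if the real output names the reason kind differently.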

Compatibility note:

  • wrkr inventory is the developer-facing wrapper for deterministic added/removed/changed inventory review from scan state.
  • wrkr regress run accepts either a wrkr regress init artifact or a raw saved scan snapshot. The regress init artifact remains the canonical path for CI and policy workflows.
  • v1 baselines that predate instance identities are automatically reconciled against equivalent current identities at the same legacy anchor. Additional current instances beyond that legacy match still drift normally.

Canonical state/baseline path behavior: `docs/state_lifecycle.md`.