[pitboss/grind] deferred session-0003 (20260521T201327Z-3848)

src/server/jobs.rs

@@ -268,6 +268,8 @@ impl JobManager {
                     }
                     Ok(diags)
                 });
+            #[cfg(feature = "dynamic")]
+            crate::dynamic::sandbox::cleanup_docker_containers();
             let elapsed = start.elapsed().as_secs_f64();
 
             // Collect snapshots and do expensive work (post-processing,

src/server/models.rs

@@ -234,7 +234,11 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
         }
         rules.insert(d.id.clone());
         statuses.insert(status_for_diag(d).to_string());
-        verification_statuses.insert(dynamic_status_for_diag(d).unwrap_or("Unverified").to_string());
+        verification_statuses.insert(
+            dynamic_status_for_diag(d)
+                .unwrap_or("Unverified")
+                .to_string(),
+        );
     }
 
     // Always include all valid triage states so the filter dropdown is complete

src/server/routes/findings.rs

@@ -5,8 +5,8 @@ use crate::database::index::Indexer;
 use crate::server::app::{AppState, CachedFindings};
 use crate::server::error::{ApiError, ApiResult};
 use crate::server::models::{
-    FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag,
-    finding_from_diag_with_detail, dynamic_status_label, overlay_triage_states, summarize_findings,
+    FilterValues, FindingSummary, FindingView, collect_filter_values, dynamic_status_label,
+    finding_from_diag, finding_from_diag_with_detail, overlay_triage_states, summarize_findings,
 };
 use axum::extract::{Path, Query, State};
 use axum::routing::get;

src/server/routes/scans.rs

@@ -45,6 +45,10 @@ struct StartScanRequest {
     verify: Option<bool>,
     /// Also verify `Confidence < Medium` findings. Default false.
     verify_all_confidence: Option<bool>,
+    /// Dynamic verification backend: "auto" | "docker" | "process" | "firecracker".
+    verify_backend: Option<String>,
+    /// Process-backend hardening profile: "standard" | "strict".
+    harden_profile: Option<String>,
     #[allow(dead_code)]
     languages: Option<Vec<String>>,
     #[allow(dead_code)]
@@ -89,6 +93,38 @@ fn apply_engine_profile(
     Ok(())
 }
 
+fn apply_verify_backend(
+    config: &mut crate::utils::config::Config,
+    backend: &str,
+) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
+    let backend = backend.to_ascii_lowercase();
+    match backend.as_str() {
+        "auto" | "docker" | "process" | "firecracker" => {
+            config.scanner.verify_backend = backend;
+            Ok(())
+        }
+        _ => Err(bad_request(
+            "verify_backend must be one of: auto, docker, process, firecracker",
+        )),
+    }
+}
+
+fn apply_harden_profile(
+    config: &mut crate::utils::config::Config,
+    profile: &str,
+) -> Result<(), (StatusCode, Json<serde_json::Value>)> {
+    let profile = profile.to_ascii_lowercase();
+    match profile.as_str() {
+        "standard" | "strict" => {
+            config.scanner.harden_profile = profile;
+            Ok(())
+        }
+        _ => Err(bad_request(
+            "harden_profile must be one of: standard, strict",
+        )),
+    }
+}
+
 async fn start_scan(
     State(state): State<AppState>,
     body: Option<Json<StartScanRequest>>,
@@ -125,6 +161,12 @@ async fn start_scan(
     if req.verify_all_confidence == Some(true) {
         config.scanner.verify_all_confidence = true;
     }
+    if let Some(ref backend) = req.verify_backend {
+        apply_verify_backend(&mut config, backend)?;
+    }
+    if let Some(ref profile) = req.harden_profile {
+        apply_harden_profile(&mut config, profile)?;
+    }
 
     #[cfg(not(feature = "dynamic"))]
     if config.scanner.verify || config.scanner.verify_all_confidence {