From 93e4764e3cab5f57eead4c3ba99e7d6ccb815a87 Mon Sep 17 00:00:00 2001
From: pitboss
Date: Fri, 15 May 2026 20:51:20 -0500
Subject: [PATCH] [pitboss] sweep after phase 31: 1 deferred items resolved

---
 src/cli.rs | 11 +++++++++++
 src/commands/mod.rs | 2 ++
 src/commands/scan.rs | 5 +++++
 3 files changed, 18 insertions(+)

diff --git a/src/cli.rs b/src/cli.rs
index cbcfbd85..e41c5d15 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -272,6 +272,17 @@ pub enum Commands {
 #[arg(long, help_heading = "Output")]
 quiet: bool,
 
+ /// Print the dynamic-verifier trace to stderr at end-of-verify.
+ ///
+ /// When dynamic verification is enabled, the verifier records a
+ /// per-finding [`crate::dynamic::trace::VerifyTrace`]. Setting this
+ /// flag flushes every recorded `TraceEvent` to stderr after each
+ /// verdict, matching the stream that already lands in the repro
+ /// bundle at `expected/trace.jsonl`. Off by default so non-interactive
+ /// scans stay quiet.
+ #[arg(long, help_heading = "Output")]
+ verbose: bool,
+
 /// Exit with code 1 if any finding meets or exceeds this severity
 ///
 /// Useful for CI gating. Example: --fail-on HIGH
diff --git a/src/commands/mod.rs b/src/commands/mod.rs
index 3706b72f..039876b2 100644
--- a/src/commands/mod.rs
+++ b/src/commands/mod.rs
@@ -58,6 +58,7 @@ pub fn handle_command(
 all_targets,
 keep_nonprod_severity,
 quiet,
+ verbose,
 fail_on,
 no_state,
 no_rank,
@@ -378,6 +379,7 @@ pub fn handle_command(
 baseline.as_deref().map(std::path::Path::new),
 baseline_write.as_deref().map(std::path::Path::new),
 gate.as_deref(),
+ verbose,
 )?;
 }
 #[cfg(feature = "dynamic")]
diff --git a/src/commands/scan.rs b/src/commands/scan.rs
index 371f8f9f..2e0f5d4e 100644
--- a/src/commands/scan.rs
+++ b/src/commands/scan.rs
@@ -404,6 +404,7 @@ pub fn handle(
 baseline: Option<&Path>,
 baseline_write: Option<&Path>,
 gate: Option<&str>,
+ #[cfg_attr(not(feature = "dynamic"), allow(unused_variables))] verbose: bool,
 ) -> NyxResult<()> {
 let scan_path = Path::new(path).canonicalize()?;
 let (project_name, db_path) = get_project_info(&scan_path, database_dir)?;
@@ -548,6 +549,10 @@ pub fn handle(
 #[cfg(feature = "dynamic")]
 if config.scanner.verify {
 let mut opts = crate::dynamic::verify::VerifyOptions::from_config(config);
+ // Phase 30 (Track C observability): surface the per-finding
+ // [`crate::dynamic::trace::VerifyTrace`] on stderr when the
+ // operator passes `--verbose`.
+ opts.trace_verbose = verbose;
 // Enable the verdict cache (ยง12 Q5) when an index DB is in use.
 // When index_mode is Off, the DB is never created, so no cache.
 if index_mode != IndexMode::Off && db_path.exists() {
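Review bot: In the `handle` signature hunk (-404), the new `verbose` parameter becomes a silent no-op when the crate is built without the `dynamic` feature, and the `cfg_attr(not(feature = "dynamic"), allow(unused_variables))` on it hides the one compiler signal that would say so. The `--verbose` argument in src/cli.rs and the destructuring in src/commands/mod.rs carry no feature gate in this patch, so the flag is still accepted in that build and the operator gets no trace and no explanation. A short notice would close the gap, for example `#[cfg(not(feature = "dynamic"))]` followed by `if verbose { eprintln!("--verbose ignored: built without the dynamic feature"); }` (or the project's own logging call). The same applies when `config.scanner.verify` is false. The body of `handle` continues outside the hunk.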
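Review bot: In the second scan.rs hunk (-548), `opts.trace_verbose = verbose;` sends every recorded trace event to stderr, and nothing visible here shows what those events contain. If they carry verifier inputs, payloads or environment details, running with `--verbose` in CI copies them into build logs, which are typically readable by more people and kept longer than the repro bundle. It is worth confirming the trace is redacted before printing, or stating in the flag's help that the output should be handled like `expected/trace.jsonl`. The added comment also leans on "Phase 30 (Track C observability)", which a later reader cannot resolve; `// --verbose: also print each finding's VerifyTrace to stderr.` says what the line does without the planning reference. The `if config.scanner.verify` block continues past the end of the hunk.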