[pitboss] phase 09: M7 — Default-on flip + real-corpus calibration

2026-06-15 20:05:13 +02:00 · 2026-05-12 14:33:40 -04:00 · 2026-05-12 14:33:40 -04:00 · 996bff5983
commit 996bff5983
parent 118cafa535
19 changed files with 1094 additions and 51 deletions
--- a/src/dynamic/spec.rs
+++ b/src/dynamic/spec.rs
@ -107,17 +107,29 @@ impl HarnessSpec {
    /// Build a spec from a finding. Returns `Err` with a typed reason when
    /// the finding cannot be driven dynamically.
    ///
-    /// Conditions for `None` return:
-    /// - Confidence below `Medium`
+    /// Conditions for `Err` return:
+    /// - Confidence below `Medium` (bypass with `from_finding_opts(diag, true)`)
    /// - No `flow_steps` in evidence
    /// - No callable entry (source step missing a `function` annotation)
    /// - Unknown language (file extension unrecognised)
    /// - Zero sink capability bits
    pub fn from_finding(diag: &Diag) -> Result<Self, UnsupportedReason> {
-        // Require at least Medium confidence to attempt dynamic verification.
-        match diag.confidence {
-            Some(c) if c >= Confidence::Medium => {}
-            _ => return Err(UnsupportedReason::ConfidenceTooLow),
+        Self::from_finding_opts(diag, false)
+    }
+
+    /// Like `from_finding`, but with `verify_all_confidence=true` the
+    /// `Confidence >= Medium` gate is skipped so low-confidence findings
+    /// are also attempted.
+    pub fn from_finding_opts(
+        diag: &Diag,
+        verify_all_confidence: bool,
+    ) -> Result<Self, UnsupportedReason> {
+        // Require at least Medium confidence unless caller opts out.
+        if !verify_all_confidence {
+            match diag.confidence {
+                Some(c) if c >= Confidence::Medium => {}
+                _ => return Err(UnsupportedReason::ConfidenceTooLow),
+            }
        }

        let evidence = diag.evidence.as_ref().ok_or(UnsupportedReason::NoFlowSteps)?;
--- a/src/dynamic/verify.rs
+++ b/src/dynamic/verify.rs
@ -24,6 +24,9 @@ pub struct VerifyOptions {
    /// Path to the Nyx index database for the dynamic verdict cache (§12 Q5).
    /// When `None` (e.g. `--no-index` mode), the cache is bypassed entirely.
    pub db_path: Option<std::path::PathBuf>,
+    /// When `true`, skip the `Confidence >= Medium` gate and attempt
+    /// verification on all findings. Corresponds to `--verify-all-confidence`.
+    pub verify_all_confidence: bool,
 }

 impl VerifyOptions {
@ -42,6 +45,7 @@ impl VerifyOptions {
            },
            project_root: None,
            db_path: None,
+            verify_all_confidence: config.scanner.verify_all_confidence,
        }
    }
 }
@ -155,7 +159,7 @@ fn insert_verdict_cache(
 pub fn verify_finding(diag: &Diag, opts: &VerifyOptions) -> VerifyResult {
    let finding_id = format!("{:016x}", diag.stable_hash);

-    let spec = match HarnessSpec::from_finding(diag) {
+    let spec = match HarnessSpec::from_finding_opts(diag, opts.verify_all_confidence) {
        Ok(s) => s,
        Err(reason) => {
            return VerifyResult {