[pitboss] phase 01: M1 — Spec extraction + --verify plumbing (no sandbox)

src/server/health.rs

@@ -619,6 +619,7 @@ mod tests {
             rollup: None,
             finding_id: String::new(),
             alternative_finding_ids: Vec::new(),
+            stable_hash: 0,
         }
     }
 

src/server/models.rs

@@ -880,6 +880,7 @@ mod tests {
             rollup: None,
             finding_id: String::new(),
             alternative_finding_ids: Vec::new(),
+            stable_hash: 0,
         }
     }
 

src/server/routes/scans.rs

@@ -34,6 +34,10 @@ struct StartScanRequest {
     mode: Option<String>,
     /// Engine-depth profile: "fast" | "balanced" | "deep".
     engine_profile: Option<String>,
+    /// Run dynamic verification on findings after the static pass. Default false.
+    /// Requires the binary to be built with `--features dynamic`; returns 400
+    /// when the feature is absent and `verify: true` is requested.
+    verify: Option<bool>,
     #[allow(dead_code)]
     languages: Option<Vec<String>>,
     #[allow(dead_code)]
@@ -93,6 +97,19 @@ async fn start_scan(
         apply_engine_profile(&mut config, profile)?;
     }
 
+    if req.verify == Some(true) {
+        #[cfg(feature = "dynamic")]
+        {
+            config.scanner.verify = true;
+        }
+        #[cfg(not(feature = "dynamic"))]
+        {
+            return Err(bad_request(
+                "binary built without --features dynamic; cannot use verify",
+            ));
+        }
+    }
+
     let event_tx = state.event_tx.clone();
     let db_pool = state.db_pool.clone();
     let database_dir = state.database_dir.clone();