[pitboss/grind] cleanup session-0012 (20260521T201327Z-3848)

docs/dynamic.md

@@ -119,7 +119,7 @@ Each line is a JSON object with a versioned envelope:
 {
   "schema_version": 1,
   "nyx_version": "0.7.0",
-  "corpus_version": "4",
+  "corpus_version": "15",
   "kind": "verdict",
   "ts": "2026-05-15T18:42:09Z",
   "finding_id": "a3b1...",
@@ -134,6 +134,8 @@ Each line is a JSON object with a versioned envelope:
 }
 ```
 
+The literal `nyx_version` and `corpus_version` values shift between releases; see `crate::dynamic::telemetry::CORPUS_VERSION` for the active payload-corpus version your binary writes.
+
 | Field | Meaning |
 | --- | --- |
 | `schema_version` | Event schema version. Readers reject mismatches. |

docs/output.md

@@ -19,9 +19,9 @@ Human-readable, color-coded output to stdout. Status messages go to stderr.
 
 | Tag | Color | Meaning |
 |-----|-------|---------|
-| `[HIGH]` | Red, bold | Critical -- likely exploitable |
-| `[MEDIUM]` | Orange, bold | Important -- may be exploitable |
-| `[LOW]` | Muted blue-gray | Informational -- code quality or weak signal |
+| `[HIGH]` | Red, bold | Critical, likely exploitable |
+| `[MEDIUM]` | Orange, bold | Important, may be exploitable |
+| `[LOW]` | Muted blue-gray | Informational: code quality or weak signal |
 
 ### Evidence fields
 
@@ -139,9 +139,9 @@ Fields marked "no" are omitted when empty/null/false to keep output compact.
 
 | Level | Meaning |
 |-------|---------|
-| `High` | Strong signal -- taint-confirmed flow, definite state violation |
-| `Medium` | Moderate signal -- resource leak, path-validated taint, CFG structural |
-| `Low` | Weak signal -- AST pattern match, possible resource leak, degraded analysis |
+| `High` | Strong signal: taint-confirmed flow, definite state violation |
+| `Medium` | Moderate signal: resource leak, path-validated taint, CFG structural |
+| `Low` | Weak signal: AST pattern match, possible resource leak, degraded analysis |
 
 ### Evidence object
 
@@ -192,12 +192,12 @@ nyx scan . --format sarif > results.sarif
 
 The SARIF output includes:
 
-- **Tool metadata** -- Nyx name and version
-- **Rules** -- Rule ID, description, severity mapping
-- **Results** -- One result per finding with location, message, and properties
-- **Properties** -- Each result includes `category` and optionally `confidence` and `rollup.count`
-- **Related locations** -- Rollup findings include example locations in `relatedLocations`
-- **Artifacts** -- File paths referenced by findings
+- **Tool metadata**: Nyx name and version
+- **Rules**: Rule ID, description, severity mapping
+- **Results**: One result per finding with location, message, and properties
+- **Properties**: Each result includes `category` and optionally `confidence` and `rollup.count`
+- **Related locations**: Rollup findings include example locations in `relatedLocations`
+- **Artifacts**: File paths referenced by findings
 
 ### GitHub Code Scanning integration
 
@@ -219,9 +219,10 @@ The SARIF output includes:
 |------|---------|
 | `0` | Scan completed successfully; no findings matched `--fail-on` threshold |
 | `1` | `--fail-on` threshold breached (at least one finding meets or exceeds the specified severity) |
-| Non-zero | Error (I/O, config, database, parse error) |
+| `2` | `--gate` policy tripped (e.g. `no-new-confirmed` saw a new Confirmed finding, or `resolve-all-confirmed` saw a previously Confirmed finding still open) |
+| Other non-zero | Error (I/O, config, database, parse error) |
 
-Without `--fail-on`, Nyx always exits `0` on a successful scan regardless of findings count.
+Without `--fail-on` or `--gate`, Nyx always exits `0` on a successful scan regardless of findings count.
 
 ---
 
@@ -229,9 +230,9 @@ Without `--fail-on`, Nyx always exits `0` on a successful scan regardless of fin
 
 | Level | Description | Typical rules |
 |-------|-------------|---------------|
-| **High** | Critical vulnerabilities -- likely exploitable | Command injection, unsafe deserialization, banned C functions, taint-confirmed flows with user input sources |
-| **Medium** | Important issues -- may be exploitable with additional context | SQL concatenation, XSS sinks, reflection, unguarded sinks, resource leaks |
-| **Low** | Informational -- code quality or weak signals | Weak crypto algorithms, insecure randomness, `unwrap()`/`panic!()`, type-safety escapes |
+| **High** | Critical vulnerabilities, likely exploitable | Command injection, unsafe deserialization, banned C functions, taint-confirmed flows with user input sources |
+| **Medium** | Important issues, may be exploitable with additional context | SQL concatenation, XSS sinks, reflection, unguarded sinks, resource leaks |
+| **Low** | Informational: code quality or weak signals | Weak crypto algorithms, insecure randomness, `unwrap()`/`panic!()`, type-safety escapes |
 
 ### Non-production severity downgrade
 
@@ -260,13 +261,13 @@ Suppress specific findings directly in source code using `nyx:ignore` comments.
 ### Directive forms
 
 ```python
-x = dangerous()  # nyx:ignore taint-unsanitised-flow     ← suppresses this line
+x = dangerous()  # nyx:ignore taint-unsanitised-flow     (suppresses this line)
 # nyx:ignore-next-line taint-unsanitised-flow
-x = dangerous()                                           ← suppresses this line
+x = dangerous()                                           (suppressed by the comment above)
 ```
 
-- `nyx:ignore <RULE_ID>` -- suppresses findings on the **same line** as the comment.
-- `nyx:ignore-next-line <RULE_ID>` -- suppresses findings on the **next line**.
+- `nyx:ignore <RULE_ID>`: suppresses findings on the **same line** as the comment.
+- `nyx:ignore-next-line <RULE_ID>`: suppresses findings on the **next line**.
 - For taint findings, the primary line is the **sink line** (the `line` field in output).
 
 ### Rule ID matching