[pitboss] phase 05: Track C.2 + Track I.1 quick unlocks — OOB listener wired + golden-verdict fixture runner

2026-06-24 20:28:06 +02:00 · 2026-05-14 05:01:50 -05:00 · 2026-05-14 05:01:50 -05:00 · cdbc7f2d21
commit cdbc7f2d21
parent 937eb479e6
50 changed files with 790 additions and 587 deletions
--- a/src/dynamic/oob.rs
+++ b/src/dynamic/oob.rs
@ -5,6 +5,17 @@
 //! URL path.  The lifetime of the listener is per-scan: create one
 //! [`OobListener`] at scan start, drop it when the scan finishes.
 //!
+//! # Wiring
+//!
+//! As of Phase 05 the listener is load-bearing: [`crate::dynamic::verify::VerifyOptions::from_config`]
+//! constructs one per scan via [`OobListener::bind`] and threads it into
+//! [`crate::dynamic::sandbox::SandboxOptions::oob_listener`]. The runner
+//! polls [`OobListener::was_nonce_hit`] after each sandbox run (see
+//! `src/dynamic/runner.rs`) and toggles
+//! [`crate::dynamic::sandbox::SandboxOutcome::oob_callback_seen`] when a
+//! probe arrives — that is the only signal that turns an OOB-only sink
+//! (e.g. blind SSRF) into a `Confirmed` verdict.
+//!
 //! # Nonce URL
 //!
 //! The caller generates a per-finding nonce (UUID4 hex) and embeds it in