diff --git a/ROADMAP.md b/ROADMAP.md
index d76c1e4..aa8eae6 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -216,6 +216,17 @@ of the 28-module verified corpus):**
       module's probe is contained and the scan continues. Surfaced
       while testing entrybleed's `prefetchnta` sweep under emulated
       CPUs: exactly the failure mode the isolation now handles.
+- [x] `--dry-run` flag: previews the picked exploit (or single-module
+      operation) without firing. Works with `--auto`, `--exploit`,
+      `--mitigate`, `--cleanup`. `--auto --dry-run` does NOT require
+      `--i-know` (nothing fires) so operators can inspect the host's
+      attack surface without arming. Bare `--auto` still gates on
+      `--i-know` and now points to `--dry-run` in the refusal message.
+- [x] Version-pinned `detect()` for the 3 ported modules — Debian
+      tracker provided the fix commits: `dirtydecrypt` against mainline
+      `a2567217` (Linux 7.0); `fragnesia` against 7.0.9; `pack2theroot`
+      against PackageKit 1.3.5. The `kernel_range` model now drives
+      their verdicts; `--active` confirms empirically on top.
 
 **Carry-overs:**
 
diff --git a/core/module.h b/core/module.h
index b09e862..879d610 100644
--- a/core/module.h
+++ b/core/module.h
@@ -50,6 +50,7 @@ struct skeletonkey_ctx {
     bool          no_shell;     /* --no-shell (exploit prep but don't pop) */
     bool          authorized;   /* user typed --i-know on exploit */
     bool          full_chain;   /* --full-chain (attempt root-pop after primitive) */
+    bool          dry_run;      /* --dry-run (preview only; never call exploit/mitigate/cleanup) */
 };
 
 struct skeletonkey_module {
diff --git a/skeletonkey.c b/skeletonkey.c
index 47af057..bce5b45 100644
--- a/skeletonkey.c
+++ b/skeletonkey.c
@@ -74,6 +74,9 @@ static void usage(const char *prog)
 "  --i-know              authorization gate for --exploit modes\n"
 "  --active              in --scan, do invasive sentinel probes (no /etc/passwd writes)\n"
 "  --no-shell            in --exploit modes, prepare but don't drop to shell\n"
+"  --dry-run             preview only — do the scan + pick, never call exploit/\n"
+"                        mitigate/cleanup. Useful with --auto to see what would\n"
+"                        fire before authorizing it.\n"
 "  --full-chain          in --exploit modes, attempt full root-pop after primitive\n"
 "                        (the 🟡 modules return primitive-only by default; with\n"
 "                        --full-chain they continue to leak → arb-write →\n"
@@ -750,10 +753,11 @@ static void read_os_release(char *id_out, size_t id_cap,
 
 static int cmd_auto(struct skeletonkey_ctx *ctx)
 {
-    if (!ctx->authorized) {
+    if (!ctx->authorized && !ctx->dry_run) {
         fprintf(stderr,
-"[-] --auto requires --i-know. About to attempt root via the safest available\n"
-"    LPE on this host. Authorized testing only. See docs/ETHICS.md.\n");
+"[-] --auto requires --i-know (or --dry-run for a preview that never fires).\n"
+"    About to attempt root via the safest available LPE on this host.\n"
+"    Authorized testing only. See docs/ETHICS.md.\n");
         return 1;
     }
     if (geteuid() == 0) {
@@ -864,6 +868,21 @@ static int cmd_auto(struct skeletonkey_ctx *ctx)
             }
 
     const struct skeletonkey_module *pick = cands[0].m;
+
+    if (ctx->dry_run) {
+        fprintf(stderr,
+"\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n"
+"[*] auto: --dry-run: would launch `--exploit %s --i-know`; not firing.\n",
+                nc, pick->name, cands[0].rank, pick->name);
+        if (nc > 1) {
+            fprintf(stderr, "[i] auto: other candidates (ranked):\n");
+            for (int i = 1; i < nc; i++)
+                fprintf(stderr, "      %-22s safety rank %d\n",
+                        cands[i].m->name, cands[i].rank);
+        }
+        return 0;
+    }
+
     fprintf(stderr,
 "\n[*] auto: %d vulnerable module(s) found. Safest is '%s' (rank %d).\n"
 "[*] auto: launching --exploit %s...\n\n",
@@ -883,6 +902,11 @@ static int cmd_auto(struct skeletonkey_ctx *ctx)
 static int cmd_one(const struct skeletonkey_module *m, const char *op,
                    const struct skeletonkey_ctx *ctx)
 {
+    if (ctx->dry_run) {
+        fprintf(stderr, "[*] %s: --dry-run: would run --%s; not firing.\n",
+                m->name, op);
+        return 0;
+    }
     skeletonkey_result_t (*fn)(const struct skeletonkey_ctx *) = NULL;
     if (strcmp(op, "exploit") == 0)        fn = m->exploit;
     else if (strcmp(op, "mitigate") == 0)  fn = m->mitigate;
@@ -953,6 +977,7 @@ int main(int argc, char **argv)
         {"json",          no_argument,       0,  4 },
         {"no-color",      no_argument,       0,  5 },
         {"full-chain",    no_argument,       0,  7 },
+        {"dry-run",       no_argument,       0, 10 },
         {"version",       no_argument,       0, 'V'},
         {"help",          no_argument,       0, 'h'},
         {0, 0, 0, 0}
@@ -977,6 +1002,7 @@ int main(int argc, char **argv)
         case  7 : ctx.full_chain = true; break;
         case  8 : mode = MODE_DUMP_OFFSETS; break;
         case  9 : mode = MODE_AUTO; ctx.authorized = i_know ? true : ctx.authorized; break;
+        case 10 : ctx.dry_run = true; break;
         case  6 :
             if      (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD;
             else if (strcmp(optarg, "sigma")  == 0) dr_fmt = FMT_SIGMA;