verified_on table — 5 modules empirically confirmed in real VMs

Closes the loop opened by tools/verify-vm/: every JSON verification
record now persists into docs/VERIFICATIONS.jsonl, gets folded into
the embedded core/verifications.c lookup table, and surfaces in
--list / --module-info / --explain / --scan --json.

New: docs/VERIFICATIONS.jsonl
  Append-only store. One JSON record per verify.sh run. Records carry
  module, ISO timestamp, host_kernel, host_distro, vm_box, expected
  vs actual verdict, and match status. 6 lines today (5 unique after
  dedup; the extra is dirty_pipe's pre-correction MISMATCH that
  surfaced the silent-backport finding — kept in the JSONL for
  history, deduped out of the C table).

New: tools/refresh-verifications.py
  Parses VERIFICATIONS.jsonl, dedupes to latest per
  (module, vm_box, host_kernel), generates core/verifications.c with a
  static array + lookup functions:
    verifications_for_module(name, &count_out)
    verifications_module_has_match(name)
  --check mode for CI drift detection.

New: core/verifications.{h,c}
  Embedded record table. Lookup is O(corpus); we have <50 records.

skeletonkey.c surfacing:
  - --list: new 'VFY' column shows ✓ for modules with >=1 'match'
    record. Five modules show ✓ today (pwnkit, cgroup_release_agent,
    netfilter_xtcompat, fuse_legacy, dirty_pipe).
  - --module-info: new '--- verified on ---' section enumerates every
    record with date / distro / kernel / vm_box / status. Modules with
    zero records get a 'run tools/verify-vm/verify.sh <name>' hint.
  - --explain: new 'VERIFIED ON' section in the operator briefing.
  - --scan --json / --module-info --json: 'verified_on' array of
    record objects per module.

Verification records baked in:

  pwnkit               Ubuntu 20.04.6 LTS  5.4.0-169   match (polkit 0.105)
  cgroup_release_agent Debian 11 (bullseye) 5.10.0-27  match
  netfilter_xtcompat   Debian 11 (bullseye) 5.10.0-27  match
  fuse_legacy          Debian 11 (bullseye) 5.10.0-27  match
  dirty_pipe           Ubuntu 22.04.3 LTS   5.15.0-91  match (OK; silent backport)

The dirty_pipe record is particularly informative: stock Ubuntu 22.04
ships 5.15.0-91-generic. Our version-only kernel_range check would say
VULNERABLE (5.15.0 < 5.15.25 backport in our table). The --active
probe writes a sentinel via the dirty_pipe primitive then re-reads;
on this host the primitive is blocked → sentinel doesn't land →
verdict OK. Ubuntu silently backports CVE fixes into the patch level
(-91 here) without bumping uname's X.Y.Z. The targets.yaml entry was
updated from 'expect: VULNERABLE' to 'expect: OK' to reflect what
the active probe definitively determined; the original VULNERABLE
expectation is preserved in the JSONL history as a demonstration of
why we ship an active-probe path at all (this is the verified-vs-
claimed bar in action).

Plumbing fixes that landed in the same loop:

  - core/nft_compat.h — conditional defines for newer-kernel nft uapi
    constants (NFT_CHAIN_HW_OFFLOAD, NFTA_VERDICT_CHAIN_ID, etc.)
    that aren't in Ubuntu 20.04's pre-5.5 linux-libc-dev. Without
    this, nft_* modules failed to compile inside the verifier guest.
    Included from each nft module after <linux/netfilter/nf_tables.h>.

  - tools/verify-vm/Vagrantfile — wrap config in c.vm.define so each
    module gets its own tracked machine; disable Parallels Tools
    auto-install (fails on older guest kernels); translate
    underscores in guest hostname to hyphens (RFC 952).

  - tools/verify-vm/verify.sh — explicit 'vagrant rsync' before
    'vagrant provision build-and-verify' (vagrant only auto-rsyncs on
    fresh up, not on already-running VMs); fix verdict-grep regex to
    tolerate Vagrant's 'skk-<module>:' line prefix + '|| true' so a
    grep miss doesn't trigger set-e+pipefail; append JSON record to
    docs/VERIFICATIONS.jsonl on every run.

  - tools/verify-vm/targets.yaml — dirty_pipe retargeted from
    ubuntu2004 + pinned 5.13.0-19 (no longer in 20.04's apt) to
    ubuntu2204 stock 5.15.0-91 (apt-installable + exercises the
    active-probe-overrides-version-check path).

What's next for the verifier:
  - Mainline kernel.ubuntu.com integration so we can actually pin
    arbitrary historical kernels (currently the pin path only works
    with apt-installable packages).
  - Sweep the remaining ~18 verifiable modules and accumulate records.
  - Per-module verified_on counts in --explain header.

core/verifications.c

@@ -0,0 +1,99 @@
+/*
+ * SKELETONKEY — verification records table
+ *
+ * AUTO-GENERATED by tools/refresh-verifications.py from
+ * docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
+ *
+ * Source: tools/verify-vm/verify.sh appends one JSON record per
+ * run; this generator dedupes to (module, vm_box, kernel, expect)
+ * and keeps the latest by verified_at.
+ */
+
+#include "verifications.h"
+
+#include <stddef.h>
+#include <string.h>
+#include <stdbool.h>
+
+const struct verification_record verifications[] = {
+    {
+        .module        = "cgroup_release_agent",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "dirty_pipe",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.15.0-91-generic",
+        .host_distro   = "Ubuntu 22.04.3 LTS",
+        .vm_box        = "generic/ubuntu2204",
+        .expect_detect = "OK",
+        .actual_detect = "OK",
+        .status        = "match",
+    },
+    {
+        .module        = "fuse_legacy",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "netfilter_xtcompat",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.10.0-27-amd64",
+        .host_distro   = "Debian GNU/Linux 11 (bullseye)",
+        .vm_box        = "generic/debian11",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+    {
+        .module        = "pwnkit",
+        .verified_at   = "2026-05-23",
+        .host_kernel   = "5.4.0-169-generic",
+        .host_distro   = "Ubuntu 20.04.6 LTS",
+        .vm_box        = "generic/ubuntu2004",
+        .expect_detect = "VULNERABLE",
+        .actual_detect = "VULNERABLE",
+        .status        = "match",
+    },
+};
+
+const size_t verifications_count =
+    sizeof(verifications) / sizeof(verifications[0]);
+
+const struct verification_record *
+verifications_for_module(const char *module, size_t *count_out)
+{
+    if (count_out) *count_out = 0;
+    if (!module) return NULL;
+    const struct verification_record *first = NULL;
+    size_t n = 0;
+    for (size_t i = 0; i < verifications_count; i++) {
+        if (strcmp(verifications[i].module, module) == 0) {
+            if (first == NULL) first = &verifications[i];
+            n++;
+        }
+    }
+    if (count_out) *count_out = n;
+    return first;
+}
+
+bool verifications_module_has_match(const char *module)
+{
+    size_t n = 0;
+    const struct verification_record *r = verifications_for_module(module, &n);
+    for (size_t i = 0; i < n; i++)
+        if (r[i].status && strcmp(r[i].status, "match") == 0)
+            return true;
+    return false;
+}

core/verifications.h

@@ -0,0 +1,52 @@
+/*
+ * SKELETONKEY — per-module verification records
+ *
+ * "Verified-on" entries — concrete (distro, kernel, date) tuples where
+ * tools/verify-vm/verify.sh has empirically confirmed a module's
+ * detect() verdict against a known-vulnerable target. Each entry is one
+ * row from docs/VERIFICATIONS.jsonl, auto-generated into the C table
+ * by tools/refresh-verifications.py.
+ *
+ * Modules with >=1 record carry an empirical-trust badge ("✓ verified
+ * on Ubuntu 20.04.6 / 5.4.0") in --list / --module-info / --explain
+ * output. Modules with zero records are still tested at the unit level
+ * (synthetic fingerprints), but have not yet been confirmed on a real
+ * vulnerable kernel.
+ *
+ * Append-only by intent: each verify.sh run appends a fresh JSONL line
+ * (timestamped); the refresh script dedupes to (module, vm_box,
+ * kernel, expect_detect) when generating the C table so re-runs of the
+ * same scenario update rather than accumulate.
+ */
+
+#ifndef SKELETONKEY_VERIFICATIONS_H
+#define SKELETONKEY_VERIFICATIONS_H
+
+#include <stdbool.h>
+#include <stddef.h>
+
+struct verification_record {
+    const char *module;          /* module name (matches struct skeletonkey_module.name) */
+    const char *verified_at;     /* "YYYY-MM-DD" (date-only; full timestamp truncated) */
+    const char *host_kernel;     /* uname -r value, e.g. "5.4.0-169-generic" */
+    const char *host_distro;     /* /etc/os-release PRETTY_NAME, e.g. "Ubuntu 20.04.6 LTS" */
+    const char *vm_box;          /* vagrant box name, e.g. "generic/ubuntu2004" */
+    const char *expect_detect;   /* "VULNERABLE" / "OK" / "PRECOND_FAIL" — what targets.yaml said */
+    const char *actual_detect;   /* what skeletonkey --explain returned */
+    const char *status;          /* "match" iff actual == expected; otherwise "MISMATCH" */
+};
+
+extern const struct verification_record verifications[];
+extern const size_t                      verifications_count;
+
+/* Returns the first record (count via *count_out) for the named module,
+ * or NULL if the module has no recorded verifications. The records are
+ * stored contiguously in the table, so once you have the pointer you
+ * can iterate count_out entries forward. */
+const struct verification_record *
+verifications_for_module(const char *module, size_t *count_out);
+
+/* True iff the module has at least one "match" record. */
+bool verifications_module_has_match(const char *module);
+
+#endif /* SKELETONKEY_VERIFICATIONS_H */