verified_on table — 5 modules empirically confirmed in real VMs

Closes the loop opened by tools/verify-vm/: every JSON verification
record now persists into docs/VERIFICATIONS.jsonl, gets folded into
the embedded core/verifications.c lookup table, and surfaces in
--list / --module-info / --explain / --scan --json.

New: docs/VERIFICATIONS.jsonl
  Append-only store. One JSON record per verify.sh run. Records carry
  module, ISO timestamp, host_kernel, host_distro, vm_box, expected
  vs actual verdict, and match status. 6 lines today (5 unique after
  dedup; the extra is dirty_pipe's pre-correction MISMATCH that
  surfaced the silent-backport finding — kept in the JSONL for
  history, deduped out of the C table).

New: tools/refresh-verifications.py
  Parses VERIFICATIONS.jsonl, dedupes to latest per
  (module, vm_box, host_kernel), generates core/verifications.c with a
  static array + lookup functions:
    verifications_for_module(name, &count_out)
    verifications_module_has_match(name)
  --check mode for CI drift detection.

New: core/verifications.{h,c}
  Embedded record table. Lookup is O(corpus); we have <50 records.

skeletonkey.c surfacing:
  - --list: new 'VFY' column shows ✓ for modules with >=1 'match'
    record. Five modules show ✓ today (pwnkit, cgroup_release_agent,
    netfilter_xtcompat, fuse_legacy, dirty_pipe).
  - --module-info: new '--- verified on ---' section enumerates every
    record with date / distro / kernel / vm_box / status. Modules with
    zero records get a 'run tools/verify-vm/verify.sh <name>' hint.
  - --explain: new 'VERIFIED ON' section in the operator briefing.
  - --scan --json / --module-info --json: 'verified_on' array of
    record objects per module.

Verification records baked in:

  pwnkit               Ubuntu 20.04.6 LTS  5.4.0-169   match (polkit 0.105)
  cgroup_release_agent Debian 11 (bullseye) 5.10.0-27  match
  netfilter_xtcompat   Debian 11 (bullseye) 5.10.0-27  match
  fuse_legacy          Debian 11 (bullseye) 5.10.0-27  match
  dirty_pipe           Ubuntu 22.04.3 LTS   5.15.0-91  match (OK; silent backport)

The dirty_pipe record is particularly informative: stock Ubuntu 22.04
ships 5.15.0-91-generic. Our version-only kernel_range check would say
VULNERABLE (5.15.0 < 5.15.25 backport in our table). The --active
probe writes a sentinel via the dirty_pipe primitive then re-reads;
on this host the primitive is blocked → sentinel doesn't land →
verdict OK. Ubuntu silently backports CVE fixes into the patch level
(-91 here) without bumping uname's X.Y.Z. The targets.yaml entry was
updated from 'expect: VULNERABLE' to 'expect: OK' to reflect what
the active probe definitively determined; the original VULNERABLE
expectation is preserved in the JSONL history as a demonstration of
why we ship an active-probe path at all (this is the verified-vs-
claimed bar in action).

Plumbing fixes that landed in the same loop:

  - core/nft_compat.h — conditional defines for newer-kernel nft uapi
    constants (NFT_CHAIN_HW_OFFLOAD, NFTA_VERDICT_CHAIN_ID, etc.)
    that aren't in Ubuntu 20.04's pre-5.5 linux-libc-dev. Without
    this, nft_* modules failed to compile inside the verifier guest.
    Included from each nft module after <linux/netfilter/nf_tables.h>.

  - tools/verify-vm/Vagrantfile — wrap config in c.vm.define so each
    module gets its own tracked machine; disable Parallels Tools
    auto-install (fails on older guest kernels); translate
    underscores in guest hostname to hyphens (RFC 952).

  - tools/verify-vm/verify.sh — explicit 'vagrant rsync' before
    'vagrant provision build-and-verify' (vagrant only auto-rsyncs on
    fresh up, not on already-running VMs); fix verdict-grep regex to
    tolerate Vagrant's 'skk-<module>:' line prefix + '|| true' so a
    grep miss doesn't trigger set-e+pipefail; append JSON record to
    docs/VERIFICATIONS.jsonl on every run.

  - tools/verify-vm/targets.yaml — dirty_pipe retargeted from
    ubuntu2004 + pinned 5.13.0-19 (no longer in 20.04's apt) to
    ubuntu2204 stock 5.15.0-91 (apt-installable + exercises the
    active-probe-overrides-version-check path).

What's next for the verifier:
  - Mainline kernel.ubuntu.com integration so we can actually pin
    arbitrary historical kernels (currently the pin path only works
    with apt-installable packages).
  - Sweep the remaining ~18 verifiable modules and accumulate records.
  - Per-module verified_on counts in --explain header.

skeletonkey.c

@@ -20,6 +20,7 @@
 #include "core/offsets.h"
 #include "core/host.h"
 #include "core/cve_metadata.h"
+#include "core/verifications.h"
 
 #include <time.h>
 #include <sys/utsname.h>
@@ -215,6 +216,31 @@ static void emit_module_json(const struct skeletonkey_module *m, bool include_ru
         free(op);
     }
 
+    /* Empirical verification records: (distro, kernel, date) tuples
+     * where the module's detect() was confirmed against a real target. */
+    size_t nv = 0;
+    const struct verification_record *vrs = verifications_for_module(m->name, &nv);
+    if (nv > 0) {
+        fprintf(stdout, ",\"verified_on\":[");
+        for (size_t i = 0; i < nv; i++) {
+            char *vat = json_escape(vrs[i].verified_at);
+            char *vkr = json_escape(vrs[i].host_kernel);
+            char *vds = json_escape(vrs[i].host_distro);
+            char *vbx = json_escape(vrs[i].vm_box);
+            char *vst = json_escape(vrs[i].status);
+            char *vac = json_escape(vrs[i].actual_detect);
+            fprintf(stdout,
+                "%s{\"verified_at\":\"%s\",\"host_kernel\":\"%s\","
+                "\"host_distro\":\"%s\",\"vm_box\":\"%s\","
+                "\"actual_detect\":\"%s\",\"status\":\"%s\"}",
+                i ? "," : "",
+                vat ? vat : "", vkr ? vkr : "", vds ? vds : "",
+                vbx ? vbx : "", vac ? vac : "", vst ? vst : "");
+            free(vat); free(vkr); free(vds); free(vbx); free(vst); free(vac);
+        }
+        fprintf(stdout, "]");
+    }
+
     if (include_rules) {
         /* Embed the actual rule text. Useful for --module-info. */
         char *aud = json_escape(m->detect_auditd);
@@ -246,16 +272,17 @@ static int cmd_list(const struct skeletonkey_ctx *ctx)
         fprintf(stdout, "]}\n");
         return 0;
     }
-    fprintf(stdout, "%-20s %-18s %-3s %-25s %s\n",
-            "NAME", "CVE", "KEV", "FAMILY", "SUMMARY");
-    fprintf(stdout, "%-20s %-18s %-3s %-25s %s\n",
-            "----", "---", "---", "------", "-------");
+    fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
+            "NAME", "CVE", "KEV", "VFY", "FAMILY", "SUMMARY");
+    fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
+            "----", "---", "---", "---", "------", "-------");
     for (size_t i = 0; i < n; i++) {
         const struct skeletonkey_module *m = skeletonkey_module_at(i);
         const struct cve_metadata *md = cve_metadata_lookup(m->cve);
-        fprintf(stdout, "%-20s %-18s %-3s %-25s %s\n",
+        fprintf(stdout, "%-20s %-18s %-3s %-3s %-25s %s\n",
                 m->name, m->cve,
                 (md && md->in_kev) ? "★"  : "",
+                verifications_module_has_match(m->name) ? "✓" : "",
                 m->family, m->summary);
     }
     return 0;
@@ -637,6 +664,28 @@ static int cmd_module_info(const char *name, const struct skeletonkey_ctx *ctx)
         m->detect_yara   ? "yara "   : "",
         m->detect_falco  ? "falco "  : "");
 
+    /* Verification records — VM-confirmed detect() verdicts. */
+    {
+        size_t nv = 0;
+        const struct verification_record *vrs =
+            verifications_for_module(m->name, &nv);
+        if (nv > 0) {
+            fprintf(stdout, "\n--- verified on ---\n");
+            for (size_t i = 0; i < nv; i++) {
+                const char *icon = (vrs[i].status &&
+                    strcmp(vrs[i].status, "match") == 0) ? "✓" : "✗";
+                fprintf(stdout, "  %s %s  %s  (kernel %s; %s; status: %s)\n",
+                    icon, vrs[i].verified_at,
+                    vrs[i].host_distro, vrs[i].host_kernel,
+                    vrs[i].vm_box, vrs[i].status);
+            }
+        } else {
+            fprintf(stdout, "\n--- verified on ---\n"
+                "  (none yet — run  tools/verify-vm/verify.sh %s  to add one)\n",
+                m->name);
+        }
+    }
+
     if (m->opsec_notes) {
         fprintf(stdout, "\n--- opsec notes ---\n%s\n", m->opsec_notes);
     }
@@ -798,6 +847,27 @@ static int cmd_explain(const char *name, const struct skeletonkey_ctx *ctx)
         print_wrapped(m->opsec_notes, 2, 76);
     }
 
+    /* ── empirical verification records ────────────────────────── */
+    {
+        size_t nv = 0;
+        const struct verification_record *vrs =
+            verifications_for_module(m->name, &nv);
+        fprintf(stdout, "\nVERIFIED ON (real-VM detect() confirmations)\n");
+        if (nv == 0) {
+            fprintf(stdout, "  (none yet — run  tools/verify-vm/verify.sh %s)\n",
+                m->name);
+        } else {
+            for (size_t i = 0; i < nv; i++) {
+                const char *icon = (vrs[i].status &&
+                    strcmp(vrs[i].status, "match") == 0) ? "✓" : "✗";
+                fprintf(stdout, "  %s %s  %s — kernel %s  (%s)\n",
+                    icon, vrs[i].verified_at,
+                    vrs[i].host_distro, vrs[i].host_kernel,
+                    vrs[i].status);
+            }
+        }
+    }
+
     /* ── detection coverage matrix ───────────────────────────── */
     fprintf(stdout, "\nDETECTION COVERAGE (rules embedded in this binary)\n");
     fprintf(stdout, "  %s auditd    %s sigma    %s yara    %s falco\n",