feat(05-01): migrate findings schema with verify_* columns

- schema.sql: new findings columns verified, verify_status, verify_http_code, verify_metadata_json
- db.go: migrateFindingsVerifyColumns runs on Open() for legacy DBs using PRAGMA table_info + ALTER TABLE
- findings.go: Finding struct gains Verified/VerifyStatus/VerifyHTTPCode/VerifyMetadata
- SaveFinding serializes verify metadata as JSON (NULL when nil)
- ListFindings round-trips all verify fields

pkg/storage/findings.go

@@ -2,6 +2,7 @@ package storage
 
 import (
 	"database/sql"
+	"encoding/json"
 	"fmt"
 	"time"
 )
@@ -19,6 +20,13 @@ type Finding struct {
 	SourceType   string
 	LineNumber   int
 	CreatedAt    time.Time
+
+	// Verification fields populated by the Phase 5 verifier. Zero values mean
+	// the finding has not been verified.
+	Verified       bool
+	VerifyStatus   string // "live", "dead", "rate_limited", "error", "unknown"
+	VerifyHTTPCode int
+	VerifyMetadata map[string]string
 }
 
 // MaskKey returns the masked form of a key: first 8 chars + "..." + last 4 chars.
@@ -51,10 +59,32 @@ func (db *DB) SaveFinding(f Finding, encKey []byte) (int64, error) {
 		scanID = sql.NullInt64{}
 	}
 
+	// Serialize verify metadata as JSON (NULL when nil) to match schema.
+	var metaJSON interface{}
+	if f.VerifyMetadata != nil {
+		b, err := json.Marshal(f.VerifyMetadata)
+		if err != nil {
+			return 0, fmt.Errorf("marshaling verify metadata: %w", err)
+		}
+		metaJSON = string(b)
+	} else {
+		metaJSON = sql.NullString{}
+	}
+
+	verifiedInt := 0
+	if f.Verified {
+		verifiedInt = 1
+	}
+
 	res, err := db.sql.Exec(
-		`INSERT INTO findings (scan_id, provider_name, key_value, key_masked, confidence, source_path, source_type, line_number)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
-		scanID, f.ProviderName, encrypted, masked, f.Confidence, f.SourcePath, f.SourceType, f.LineNumber,
+		`INSERT INTO findings (
+			scan_id, provider_name, key_value, key_masked, confidence,
+			source_path, source_type, line_number,
+			verified, verify_status, verify_http_code, verify_metadata_json
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+		scanID, f.ProviderName, encrypted, masked, f.Confidence,
+		f.SourcePath, f.SourceType, f.LineNumber,
+		verifiedInt, f.VerifyStatus, f.VerifyHTTPCode, metaJSON,
 	)
 	if err != nil {
 		return 0, fmt.Errorf("inserting finding: %w", err)
@@ -67,7 +97,9 @@ func (db *DB) SaveFinding(f Finding, encKey []byte) (int64, error) {
 func (db *DB) ListFindings(encKey []byte) ([]Finding, error) {
 	rows, err := db.sql.Query(
 		`SELECT id, scan_id, provider_name, key_value, key_masked, confidence,
-                source_path, source_type, line_number, created_at
+                source_path, source_type, line_number,
+                verified, verify_status, verify_http_code, verify_metadata_json,
+                created_at
          FROM findings ORDER BY created_at DESC`,
 	)
 	if err != nil {
@@ -81,15 +113,26 @@ func (db *DB) ListFindings(encKey []byte) ([]Finding, error) {
 		var encrypted []byte
 		var createdAt string
 		var scanID sql.NullInt64
-		err := rows.Scan(
+		var verifiedInt int
+		var metaJSON sql.NullString
+		if err := rows.Scan(
 			&f.ID, &scanID, &f.ProviderName, &encrypted, &f.KeyMasked,
-			&f.Confidence, &f.SourcePath, &f.SourceType, &f.LineNumber, &createdAt,
-		)
+			&f.Confidence, &f.SourcePath, &f.SourceType, &f.LineNumber,
+			&verifiedInt, &f.VerifyStatus, &f.VerifyHTTPCode, &metaJSON,
+			&createdAt,
+		); err != nil {
+			return nil, fmt.Errorf("scanning finding row: %w", err)
+		}
 		if scanID.Valid {
 			f.ScanID = scanID.Int64
 		}
-		if err != nil {
-			return nil, fmt.Errorf("scanning finding row: %w", err)
+		f.Verified = verifiedInt != 0
+		if metaJSON.Valid && metaJSON.String != "" {
+			m := map[string]string{}
+			if err := json.Unmarshal([]byte(metaJSON.String), &m); err != nil {
+				return nil, fmt.Errorf("unmarshaling verify metadata for finding %d: %w", f.ID, err)
+			}
+			f.VerifyMetadata = m
 		}
 		plain, err := Decrypt(encrypted, encKey)
 		if err != nil {