{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Real Gogs HTTP API creates a path-traversal organisation whose nested repository lands inside another repository local worktree; attacker pushes an executable Git hook through Gogs Git smart-HTTP and a web upload sync materialises it into the nested bare repo; a git-receive-pack on the planted bare repo executes the hook (RCE)",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "gogs",
    "sqlite3",
    "git-smart-http",
    "web-upload",
    "git-receive-pack",
    "git-hooks"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/build_vuln.log",
    "logs/build_fixed.log",
    "repro/proof_summary.txt",
    "logs/gogs_vuln_1.log",
    "logs/http_vuln_1.log",
    "logs/git_vuln_1.log",
    "logs/state_vuln_1.log",
    "logs/gogs_vuln_2.log",
    "logs/http_vuln_2.log",
    "logs/git_vuln_2.log",
    "logs/state_vuln_2.log",
    "logs/gogs_fixed_1.log",
    "logs/http_fixed_1.log",
    "logs/git_fixed_1.log",
    "logs/state_fixed_1.log",
    "logs/gogs_fixed_2.log",
    "logs/http_fixed_2.log",
    "logs/git_fixed_2.log",
    "logs/state_fixed_2.log",
    "repro/rce_marker_vuln_1.txt",
    "repro/rce_marker_vuln_2.txt"
  ],
  "notes": "2/2 vulnerable hook executions + 2/2 fixed traversal rejections"
}