{
  "entrypoint_kind": "converter_document",
  "entrypoint_detail": "Vite dev server @fs file->module/raw converter endpoint (HTTP), exposed via host:true",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "vite-dev-server"
  ],
  "proof_artifacts": [
    "logs/vuln_server.log",
    "logs/fixed_server.log",
    "logs/result.txt",
    "artifacts/http/vuln_normal_resp.txt",
    "artifacts/http/vuln_crafted_resp.txt",
    "artifacts/http/fixed_crafted_resp.txt"
  ],
  "evidence": {
    "vuln_version": "vite@6.2.2",
    "fixed_version": "vite@6.2.3",
    "vuln_normal_status": "403",
    "vuln_crafted_status": "200",
    "fixed_crafted_status": "403",
    "vuln_secret_leaked": true,
    "fixed_secret_leaked": false,
    "secret_token_substring": "TOP_SECRET_VITE_BYPASS_TOKEN_18017_CANARY"
  },
  "notes": "Vulnerable vite@6.2.2 returns 200 with secret content for /@fs/<file>?import&raw?? while the normal request is 403; fixed vite@6.2.3 returns 403 for the same crafted request."
}
