{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Next.js self-hosted server (next start) on 127.0.0.1; middleware checks auth cookie on /protected; bypass via x-middleware-subrequest header",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": ["node", "next", "next-mw-bypass"],
  "proof_artifacts": [
    "logs/nextjs-vuln-1.log",
    "logs/nextjs-vuln-2.log",
    "logs/nextjs-fixed-1.log",
    "logs/nextjs-fixed-2.log",
    "logs/vuln-1-summary.txt",
    "logs/vuln-2-summary.txt",
    "logs/fixed-1-summary.txt",
    "logs/fixed-2-summary.txt",
    "logs/vuln-1-bypass-poly-body.html",
    "logs/vuln-2-bypass-poly-body.html"
  ],
  "notes": "Confirmed: x-middleware-subrequest header bypasses middleware on vulnerable Next.js 14.2.24, while fixed Next.js 14.2.25 continues to reject the bypass."
}
