{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "HTTP GET /vscode/unpkg/{namespace}/{extension}/{version}/{path} - serves files from VSIX packages",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "postgresql-16.2",
    "openvsx-server-spring-boot-jetty",
    "jdk-25"
  ],
  "proof_artifacts": [
    "logs/vuln_v1.0.1_headers.txt",
    "logs/vuln_v1.0.1_body.html",
    "logs/fixed_v1.0.2_headers.txt",
    "logs/fixed_v1.0.2_body.html",
    "logs/reproduction_verdict.txt",
    "logs/vuln_analysis.json",
    "logs/fixed_analysis.json",
    "logs/server_vuln_v1.0.1.log",
    "logs/server_fixed_v1.0.2.log"
  ],
  "notes": "Real Open VSX Registry server built from source (v1.0.1 and v1.0.2), running with PostgreSQL. Published VSIX with HTML payload and verified /vscode/unpkg/ endpoint response headers. Vulnerable version serves text/html with no CSP; fixed version serves text/plain with strict CSP."
}