{
  "entrypoint_kind": "library_api",
  "entrypoint_detail": "Fastify app.inject + real 127.0.0.1 HTTP server exercising @fastify/middie auth guard on /user/:id/comments with encoded slash %2F in the :id parameter",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "fastify",
    "@fastify/middie"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "artifacts/inject_vuln.json",
    "artifacts/inject_fixed.json",
    "logs/inject_vuln.log",
    "logs/inject_fixed.log",
    "artifacts/http/vuln/server.log",
    "artifacts/http/vuln/responses.txt",
    "artifacts/http/fixed/server.log",
    "artifacts/http/fixed/responses.txt"
  ],
  "confirmed": true,
  "evidence": {
    "vulnerable_version": "9.3.2",
    "fixed_version": "9.3.3",
    "inject_bypass_status_vulnerable": 200,
    "inject_bypass_status_fixed": 401,
    "server_bypass_status_vulnerable": 200,
    "server_bypass_status_fixed": 401
  },
  "notes": "Vulnerable build returns 200 (handler reached, auth guard bypassed) for /user/a%2Fb/comments sent without x-api-key; fixed build returns 401 for the same request (the guard matches the path and rejects it). Demonstrated two ways: via Fastify app.inject (library_api), and against a real 127.0.0.1 HTTP server using a raw node http client that preserves %2F."
}
