{
  "entrypoint_kind": "library_api",
  "entrypoint_detail": "jest harness exercising @sigstore/verify Verifier.verify() on a DECOUPLED SignedEntity (tlogEntries empty) whose sole timestamp is a tlog entry with a FORGED inclusionPromise + attacker-chosen integratedTime; real cert-signed V3 hashedrekord fixture",
  "service_started": false,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "jest",
    "@swc/jest",
    "@sigstore/verify",
    "@sigstore/bundle",
    "@sigstore/core",
    "@sigstore/protobuf-specs"
  ],
  "proof_artifacts": [
    "logs/vuln_variant_vuln.log",
    "logs/vuln_variant_fixed.log",
    "logs/vuln_variant_vuln_jest.log",
    "logs/vuln_variant_fixed_jest.log",
    "vuln_variant/variant_harness.ts"
  ],
  "marker_counts": {
    "fixed": {
      "BYPASS_OK": 2,
      "NC_REJECT": 1,
      "ORIG_REJECT": 1
    },
    "vuln": {
      "BYPASS_OK": 2,
      "NC_REJECT": 1,
      "ORIG_OK": 1
    }
  },
  "bypass_on_fixed": true,
  "notes": "vulnerable_commit=7845532f9d17f6f765363dbee82b01bd159fb52b (parent of fix f074710, @sigstore/verify 3.1.0); fixed_commit=f074710a91ea9260a9ac2142345634579843a3cd (@sigstore/verify 3.1.1). bypass_on_fixed=True. The fix's getTLogTimestamp presence-check (!entry.inclusionPromise) is satisfied by a FORGED inclusionPromise; because the timestamp-providing tlog entry is decoupled from tlogEntries, verifyTLogs()->verifyTLogSET() never validates the SET, so the attacker-chosen integratedTime is trusted and an expired certificate is accepted on the FIXED version. Negative control (coupled bundle path) is rejected by verifyTLogSET on both versions; original inclusionProof-only vector is rejected (TIMESTAMP_ERROR) on fixed and accepted on vulnerable."
}