{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "HTTP requests to real 9router Next.js server on 127.0.0.1:20128: GET /dashboard and GET /api/keys with forged auth_token cookie (HS256 JWT signed with hardcoded secret '9router-default-secret-change-me')",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "next.js 16",
    "9router-app v0.4.41 (vulnerable)",
    "9router-app v0.4.44 (fixed control)"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_server.log",
    "logs/fixed_server.log",
    "artifacts/forged_jwt.txt",
    "artifacts/http/vuln_nocookie_hdr.txt",
    "artifacts/http/vuln_nocookie_resp.html",
    "artifacts/http/vuln_forged_hdr.txt",
    "artifacts/http/vuln_forged_resp.html",
    "artifacts/http/vuln_api_forged_hdr.txt",
    "artifacts/http/vuln_api_forged_resp.txt",
    "artifacts/http/fixed_forged_hdr.txt",
    "artifacts/http/fixed_forged_resp.html",
    "artifacts/http/fixed_api_forged_hdr.txt",
    "artifacts/http/fixed_api_forged_resp.txt"
  ],
  "notes": "Vulnerable v0.4.41 run WITHOUT JWT_SECRET: no-cookie /dashboard -> 307 (redirect /login); forged-JWT /dashboard -> 200 (dashboard served = bypass); forged-JWT /api/keys -> 200 (API data = access). Fixed v0.4.44 run WITHOUT JWT_SECRET (random secret): forged-JWT /dashboard -> 307 (redirect /login = rejected); forged-JWT /api/keys -> 401 (Unauthorized = rejected). confirmed=True"
}