{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "POST /v1/mcp with Bearer token ./telegram (alternate traversal alias)",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "fast-mcp-telegram",
    "uvicorn",
    "fastmcp"
  ],
  "proof_artifacts": [
    "logs/server_vuln_variant.log",
    "logs/server_fixed_variant.log",
    "vuln_variant/artifacts/http_vuln_reserved.txt",
    "vuln_variant/artifacts/http_vuln_dot_slash.txt",
    "vuln_variant/artifacts/http_vuln_original.txt",
    "vuln_variant/artifacts/http_vuln_invalid.txt",
    "vuln_variant/artifacts/http_vuln_url_dot_slash.txt",
    "vuln_variant/artifacts/http_fixed_dot_slash.txt",
    "vuln_variant/artifacts/http_fixed_original.txt",
    "vuln_variant/artifacts/http_fixed_url_dot_slash.txt"
  ],
  "notes": "Vulnerable version 0.19.0 accepted the ./telegram traversal token (HTTP 200) while rejecting the reserved token and the invalid token; fixed version 0.19.1 rejected both ./telegram and the original traversal token (HTTP 401). This is an alternate trigger, not a bypass of the fix."
}
