{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "SimpleHelp HTTPS /auth/v1/account/oidc_get and /oidc callback with pending state",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "SimpleHelp 5.5.15 server",
    "SimpleHelp 5.5.16 server",
    "Python fake OIDC IdP"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_flow.json",
    "logs/patched_flow.json",
    "logs/vuln_idp.log",
    "logs/patched_idp.log",
    "logs/vuln_runtime_tail.log",
    "logs/patched_runtime_tail.log",
    "logs/class_comparison.log",
    "logs/forged_jwt.txt"
  ],
  "notes": "Real SimpleHelp HTTPS OIDC flow reached /oidc with server-issued state and a forged alg:none/bogus-signature ID token; vulnerable build reached OIDC group-authentication code and lacks IDTokenVerifier; patched build includes IDTokenVerifier. The vulnerable build creates a FULLY_AUTHENTICATED technician session for the forged identity; the patched build fails closed."
}