{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "GET /apis/iam.grafana.app/v0alpha1/namespaces/{org}/serviceaccounts as a low-privileged scoped user against real Grafana unified-storage server; vulnerable vs fixed access.go comparison",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "go",
    "grafana-server-testenv",
    "grafana-unified-storage",
    "sqlite"
  ],
  "proof_artifacts": [
    "logs/evidence.log",
    "logs/api_http_vulnerable.log",
    "logs/api_http_fixed.log",
    "logs/library_vulnerable.log",
    "logs/library_fixed.log"
  ],
  "notes": "Confirmed on original HTTP endpoint: vulnerable Grafana returns both alpha-sa and unauthorized beta-sa to low-privileged scoped-sa-reader via GET /apis/iam.grafana.app/v0alpha1/namespaces/{org}/serviceaccounts; fixed Grafana filters to alpha-sa only. Library sanity check also confirmed the allowlist root cause."
}