{
  "same_root_cause": true,
  "same_root_cause_confidence": "high",
  "same_sink": true,
  "same_sink_confidence": "high",
  "same_trust_boundary": true,
  "trust_boundary_detail": "Authenticated non-admin management API session crosses to the controller's enrollment management state",
  "same_vulnerable_code": true,
  "vulnerable_code_path": "controller/internal/routes/enrollment_router.go",
  "vulnerable_code_anchor": "EnrollmentRouter.Create / Detail / Delete / Refresh / List",
  "root_cause_summary": "The enrollment management API failed to check whether the target identity of an enrollment is an admin identity before minting, exposing, or mutating the enrollment token. All tested variants (OTT-CA, UPDB, list/detail/refresh/delete) reach the same sink and are blocked by the same fix.",
  "differences_from_parent": "The parent reproduction used an OTT enrollment. The variant analysis demonstrates that the same root cause is reachable through OTT-CA and UPDB enrollment methods and through list/detail/refresh/delete operations on an admin-owned enrollment. These are alternate triggers, not bypasses of the fixed code.",
  "tested_refs": [
    "c2e6c8ee3da42321ef22442c8d25d0413caf4a4f",
    "3027fdffd3e57884487b7c46e5e669cfbc8becdf",
    "45b5046f5259e685d7d99e54564c7e38eec9f1f7"
  ]
}
