{
  "entrypoint_kind": "service_sink_direct",
  "entrypoint_detail": "AttachmentService.save_upload_file filename handling tested at vulnerable, fixed, and latest source revisions; parent RCA establishes POST /api/uploads/{session_id} as the unauthenticated API route to this sink.",
  "service_started": false,
  "healthcheck_passed": false,
  "target_path_reached": true,
  "runtime_stack": [
    "AttachmentService.save_upload_file",
    "FastAPI UploadFile-compatible fake",
    "utils.attachments.AttachmentStore"
  ],
  "proof_artifacts": [
    "logs/vuln_variant_reproduction_steps.log",
    "logs/vuln_variant_driver_vulnerable.log",
    "logs/vuln_variant_driver_fixed.log",
    "vuln_variant/result_vulnerable.json",
    "vuln_variant/result_fixed.json",
    "vuln_variant/result_latest.json",
    "vuln_variant/eval_summary.json"
  ],
  "notes": "The absolute-filename candidate reaches the vulnerable sink but is blocked by fixed/latest basename sanitization; no fixed-version bypass was reproduced.",
  "confirmed": false
}