{
  "schema_version": 1,
  "updated_at": "2026-07-05T16:09:12.107339083Z",
  "entries": [
    {
      "logical_path": "artifacts/http/openapi_auth_list_response.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Primary proof: low-priv user (ceshi/test role) retrieved admin's OpenAPI AK/SK credentials in plaintext via GET /openapi/auth/list (success=true, sk=4hV5dBrZtmGAtPdbA5yseaeKRYNpzGsS, owner=admin)",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/openapi_add_negcontrol_response.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Negative control: protected /openapi/add endpoint (has @RequiresRoles admin) correctly rejected low-priv user with 'Subject does not have role [admin]' (success=false), contrasting with the unprotected /openapi/auth/add endpoint",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_add_response.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Proof 2: low-priv user successfully created a new OpenAPI credential via POST /openapi/auth/add (success=true, '添加成功'), confirmed persisted in database",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_delete_response.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Proof 3: low-priv user successfully deleted an OpenAPI credential via DELETE /openapi/auth/delete (success=true, '删除成功')",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_genAKSK_response.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Proof 4: low-priv user generated a new AK/SK pair via GET /openapi/auth/genAKSK (success=true, returned new ak/sk)",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/runtime_manifest.json",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental repro stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/rca_report.md",
      "stage": "repro",
      "role": "root_cause_analysis",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/validation_verdict.json",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/jeecgboot_app.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/login_ceshi_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_list_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_add_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_delete_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/openapi_auth_genAKSK_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/openapi_add_negcontrol_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/login_admin_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/openapi_add_admin_response.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/record_list_ceshi.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Variant A proof: low-priv user (ceshi/test role) GET /openapi/record/list returns success:true with all 27 OpenAPI audit logs (callAuthId = admin's auth id) — broken access control on OpenApiLogController, a controller absent from the CVE description.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/http/record_add_ceshi.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Variant A proof: low-priv user POST /openapi/record/add succeeds (添加成功), creating an audit-log row attributed to the admin's auth id — unauthorized write/forgery on OpenApiLogController.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/http/record_delete_ceshi.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Variant A proof: low-priv user DELETE /openapi/record/delete succeeds (删除成功); DB row count went 1->0, demonstrating audit-log tampering/destruction by a low-priv user on OpenApiLogController.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/http/permission_add_ceshi.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Variant B proof: low-priv user POST /openapi/permission/add succeeds (保存成功), granting OpenAPI permissions on the admin's auth record (2 rows persisted) — CVE-claimed OpenApiPermissionController surface exercised at runtime for the first time.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/http/openapi_add_negcontrol.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Negative control: low-priv user POST /openapi/add (OpenApiController, @RequiresRoles admin) is correctly rejected with 'Subject does not have role [admin]', proving the authz gap is specific to the unannotated controllers.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/reproduction_steps.sh",
      "stage": "vuln_variant",
      "role": "primary_reproducer",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/validation_verdict.json",
      "stage": "vuln_variant",
      "role": "validation_verdict",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/vuln_variant/reproduction_steps.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/latest_version.txt",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "private_only",
      "required_for_verdict": true,
      "publishable": false,
      "reason": "Source identity resolution: master HEAD 32a8dfe is byte-identical to v3.9.2 for the affected controllers, proving the variant is confirmed on the latest available code with no patch.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/http/permission_getOpenApi_ceshi.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Variant B proof: low-priv user GET /openapi/permission/getOpenApi succeeds, retrieving OpenAPI definitions mapped to the admin's auth record.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/http/record_queryById_ceshi.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Variant A proof: low-priv user GET /openapi/record/queryById succeeds, reading a specific audit log by id on OpenApiLogController.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/rca_report.md",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/patch_analysis.md",
      "stage": "vuln_variant",
      "role": "patch_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/variant_manifest.json",
      "stage": "vuln_variant",
      "role": "variant_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/source_identity.json",
      "stage": "vuln_variant",
      "role": "source_identity",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/runtime_manifest.json",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/root_cause_equivalence.json",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/http/login_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/login_admin.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/record_list_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/record_add_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/record_delete_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/record_queryById_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/permission_add_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/permission_getOpenApi_ceshi.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/http/openapi_add_negcontrol.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/jeecgboot_app.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/latest_version.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/fixed_version.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    }
  ]
}
