{
  "claim_outcome": "partial_bypass",
  "claim_block_reason": null,
  "repro_result": "partial",
  "variant_class": "host_allowlist_overbreadth",
  "validated_surface": "http_api_loopback_host_testserver",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "auth_bypass_default__code_execution_opted_in",
  "exploitability_confidence": "medium",
  "attacker_controlled_input": "Loopback peer HTTP request carrying Host: testserver:<port> with no Authorization bearer token (simulated via curl --resolve testserver:<port>:127.0.0.1). Not deliverable from an attacker-owned domain via standard DNS rebinding.",
  "trigger_path": "loopback peer -> _reject_untrusted_loopback_host: _is_local_client()=True AND _is_allowed_loopback_host('testserver')=True (allowlist gap) -> middleware passes -> require_auth/_validate_api_auth: _is_local_client()=True -> no auth -> POST /sessions (201) -> POST /sessions/{id}/messages -> _shell_tools_enabled_for_request()=True only if VIBE_TRADING_ENABLE_SHELL_TOOLS=1 -> BashTool subprocess.run(shell=True) -> RCE",
  "end_to_end_target_reached": true,
  "end_to_end_scope": "conditional_full_bypass_on_fixed_opted_in_config",
  "standard_dns_rebinding_bypass_confirmed": false,
  "partial_bypass_confirmed": true,
  "partial_bypass_detail": "Host=testserver auth-bypasses the PR #242 middleware on fixed v0.1.10 (POST /sessions -> 201) because 'testserver' is in _DEFAULT_LOOPBACK_HOSTS despite being a non-loopback test hostname. Attacker-domain Host is correctly rejected (403).",
  "conditional_full_bypass_detail": "With VIBE_TRADING_ENABLE_SHELL_TOOLS=1 (operator opt-in) on fixed v0.1.10, Host=testserver -> 201 -> agent message -> BashTool subprocess.run(shell=True) -> RCE_CONFIRMED. Requires testserver to resolve to loopback in the victim environment (not standard DNS rebinding).",
  "default_config_rce_on_fixed": false,
  "opted_in_config_rce_on_fixed": true,
  "fix_still_blocks_standard_dns_rebinding": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "exploit_chain_condition": "operator opted in to VIBE_TRADING_ENABLE_SHELL_TOOLS AND testserver resolves to loopback",
  "blocking_mitigation": "PR #243 (VIBE_TRADING_ENABLE_SHELL_TOOLS opt-in, default off) blocks the BashTool RCE primitive in the default configuration even when the testserver Host bypass succeeds. PR #242 correctly rejects attacker-domain Hosts. The testserver allowlist entry is the residual gap.",
  "inferred": false,
  "candidates_tested": [
    {"id": "attacker_domain_host", "result": "blocked_on_fixed", "http_on_fixed": 403, "note": "control: fix works"},
    {"id": "testserver_host", "result": "auth_bypass_on_fixed", "http_on_fixed": 201, "note": "partial bypass via over-broad allowlist"},
    {"id": "localhost_host", "result": "allowed_by_design", "http_on_fixed": 201, "note": "baseline; cross-origin browser use is CORS-limited"},
    {"id": "testserver_host_full_chain_default", "result": "no_rce", "note": "bash gated by PR #243 opt-in (default off)"},
    {"id": "testserver_host_full_chain_opted_in", "result": "rce_on_fixed", "note": "conditional full bypass"}
  ],
  "ruled_out_candidates": [
    "direct_cross_origin_to_localhost (CORS-limited, cannot read session_id)",
    "unauthenticated_routes /health /api /skills /correlation (non-sensitive, no RCE sink)",
    "websocket_transport (no @app.websocket endpoints)",
    "sse_event_streams (pass through Host middleware then _validate_api_auth)",
    "non_shell_file_tools (secondary gap, only matters post-auth-bypass)"
  ]
}
