{
  "schema_version": 1,
  "updated_at": "2026-07-07T20:35:37.840169626Z",
  "entries": [
    {
      "logical_path": "repro/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/rca_report.md",
      "stage": "repro",
      "role": "root_cause_analysis",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/runtime_manifest.json",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental repro stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/validation_verdict.json",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/reproduction_steps.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/RCE_MARKER.txt",
      "stage": "repro",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "The /tmp/pwned/MARKER file created by Splunk executing the attacker-written modular-input script, containing 'id' output uid=41812(splunk) - direct proof of unauthenticated code execution.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/ssg_enable_modular_input.PAYLOAD.py",
      "stage": "repro",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "The attacker-controlled 3-line Python payload that lo_export wrote over the Splunk modular-input script (benign marker-creating PoC code). Proves arbitrary-content file write.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/ssg_enable_modular_input.ORIGINAL.py",
      "stage": "repro",
      "role": "source_identity",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "The original 83-line Splunk Secure Gateway modular-input script before overwrite, establishing the before/after contrast for the file-write proof.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/stage1_backup_resp.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "HTTP response (state=BackupPending, id) from the unauthenticated backup request that created the attacker-chosen file on the Splunk filesystem.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/stage2b_restore_resp.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "HTTP response from the unauthenticated restore request whose connection-string injection (passfile= + dbname=template1) drove the lo_export file write.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/fixed_control_responses.txt",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Negative-control evidence: fixed Splunk 10.0.7 returns HTTP 401 'Authorization header must use Splunk token' for the same unauthenticated requests - vulnerable behavior absent.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/stage1_created_file.dump",
      "stage": "repro",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "The 2550-byte pg_dump custom-format file created at the attacker-chosen path /tmp/cve2026_stage1_file on the Splunk filesystem via the unauthenticated backup endpoint.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/http/stage1_backup_resp.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/stage1_created_file.dump",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/stage2a_backup_resp.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/stage2b_restore_resp.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/ssg_enable_modular_input.ORIGINAL.py",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/ssg_enable_modular_input.PAYLOAD.py",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/RCE_MARKER.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/fixed_control_responses.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/variant_bypass_proof.txt",
      "stage": "vuln_variant",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Proof that lo_export wrote attacker-controlled bytes to /tmp/variant_bypass_proof.txt on the FIXED 10.0.7 build via the database connection string injection bypass",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/variant_rce_marker.txt",
      "stage": "vuln_variant",
      "role": "crash_trace",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "RCE marker showing code execution as the splunk user (uid=41812) on the FIXED 10.0.7 build via the authenticated variant bypass chain",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vuln_variant/variant_reproduction.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/reproduction_steps.sh",
      "stage": "vuln_variant",
      "role": "primary_reproducer",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/patch_analysis.md",
      "stage": "vuln_variant",
      "role": "patch_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/vuln_variant/variant_restore_log.json",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "warm_proof_carry",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Sidecar log showing pg_restore processing the malicious dump, firing CHECK constraints, restoring large objects (lo_export), and the lo_export side effect that wrote to the filesystem on the FIXED build",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/rca_report.md",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/variant_manifest.json",
      "stage": "vuln_variant",
      "role": "variant_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/validation_verdict.json",
      "stage": "vuln_variant",
      "role": "validation_verdict",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/source_identity.json",
      "stage": "vuln_variant",
      "role": "source_identity",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/runtime_manifest.json",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/root_cause_equivalence.json",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/variant_bypass_proof.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/variant_rce_marker.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/variant_backup_resp.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/variant_restore_resp.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/variant_fixed_unauth_control.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/variant_vuln_control.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/ssg_enable_modular_input.FIXED_ORIGINAL.py",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/http/ssg_enable_modular_input.FIXED_AFTER_VARIANT.py",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "coding/proposed_fix.diff",
      "stage": "coding",
      "role": "proposed_fix",
      "destination": "protection_artifact",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after coding stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "coding/verify_fix.sh",
      "stage": "coding",
      "role": "fix_verification",
      "destination": "protection_artifact",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after coding stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "coding/summary_report.md",
      "stage": "coding",
      "role": "summary_report",
      "destination": "protection_artifact",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after coding stage deliverable validation",
      "declared_by": "stage_validator"
    }
  ]
}
