{
  "schema_version": 1,
  "updated_at": "2026-07-07T20:57:50.381634162Z",
  "accepted": [
    {
      "logical_path": "repro/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/runtime_manifest.json",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental repro stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/validation_verdict.json",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/rca_report.md",
      "stage": "repro",
      "role": "root_cause_analysis",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/vulnerable_4.14.5_no_creds.txt",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Captured HTTP response proving the bypass: unauthenticated GET /api/hello returns HTTP/1.1 200 OK (body ok) on vulnerable 4.14.5.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_4.14.6_no_creds.txt",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Negative control: identical unauthenticated GET /api/hello returns HTTP/1.1 401 Unauthorized (WWW-Authenticate: Basic realm=vertx-web) on fixed 4.14.6.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/reproduction_summary.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vulnerable_4.14.5_app.log",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "session_replay",
      "required_for_verdict": false,
      "publishable": false,
      "reason": "Camel 4.14.5 startup log proving authenticationEnabled=true, server.path=/api, basicPropertiesFile=auth.properties, and Vert.x HttpServer started on 0.0.0.0:8080.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_4.14.6_app.log",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "session_replay",
      "required_for_verdict": false,
      "publishable": false,
      "reason": "Camel 4.14.6 startup log proving the same auth config is active on the fixed build (auth enabled, server on 8080) yet subpaths are now protected.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vulnerable_4.14.5_app.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vulnerable_4.14.5_no_creds.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vulnerable_4.14.5_with_creds.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_4.14.6_app.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_4.14.6_no_creds.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_4.14.6_with_creds.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/reproduction_steps.sh",
      "stage": "vuln_variant",
      "role": "primary_reproducer",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/variant_manifest.json",
      "stage": "vuln_variant",
      "role": "variant_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/validation_verdict.json",
      "stage": "vuln_variant",
      "role": "validation_verdict",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/rca_report.md",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/patch_analysis.md",
      "stage": "vuln_variant",
      "role": "patch_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/source_identity.json",
      "stage": "vuln_variant",
      "role": "source_identity",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/runtime_manifest.json",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/root_cause_equivalence.json",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/variant_summary.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_biz_bypass_no_creds.txt",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Decisive request/response: unauthenticated GET /api/hello on PATCHED 4.14.6 with authenticationPath=/api returns HTTP 200 OK body 'ok' (auth bypass).",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_mgmt_bypass_info_no_creds.txt",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Decisive request/response: unauthenticated GET /admin/observe/info on PATCHED 4.14.6 with management authenticationPath=/admin returns HTTP 200 OK with JSON leaking user/dir/home/pid/JVM/OS (info disclosure).",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_biz_default_no_creds.txt",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Control: unauthenticated GET /api/hello on PATCHED 4.14.6 with default (no authenticationPath) returns HTTP 401, proving the CVE fix works for the default and auth is genuinely enabled.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_mgmt_default_info_no_creds.txt",
      "stage": "vuln_variant",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Control: unauthenticated GET /admin/observe/info on PATCHED 4.14.6 with default management config returns HTTP 401, proving the management default is fixed.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_biz_bypass_app.log",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Server log proving camel.server.authenticationPath=/api was read and Vert.x HttpServer started on Apache Camel 4.14.6 for the bypass run.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/fixed_biz_bypass_no_creds.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_biz_default_no_creds.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_mgmt_bypass_info_no_creds.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_mgmt_default_info_no_creds.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_biz_bypass_app.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/fixed_mgmt_bypass_app.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "coding/proposed_fix.diff",
      "stage": "coding",
      "role": "proposed_fix",
      "destination": "protection_artifact",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after coding stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "coding/verify_fix.sh",
      "stage": "coding",
      "role": "fix_verification",
      "destination": "protection_artifact",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after coding stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "coding/summary_report.md",
      "stage": "coding",
      "role": "summary_report",
      "destination": "protection_artifact",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after coding stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "coding/verify_contrast.log",
      "stage": "coding",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Before/after contrast for the variant (scenario B): unpatched 4.14.5 returns 200 no-creds (bypass), patched returns 401 no-creds (closed), with identical config.",
      "declared_by": "agent_tool"
    }
  ],
  "rejected": []
}