{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "POST /api/auth/sso/register -> /api/auth/sign-in/sso -> /api/auth/sso/callback/:providerId",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "better-auth",
    "@better-auth/sso",
    "vitest"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln-test.log",
    "logs/fixed-test.log"
  ],
  "notes": "Vulnerable @better-auth/sso 1.6.10 accepted private OIDC endpoints, performed server-side fetches to attacker /token and /userinfo, and linked attacker to existing victim@example.com account. Fixed 1.6.11 rejected registration with discovery_private_host."
}
