{
  "parent_root_cause": {
    "summary": "Terminal WebSocket authorization bypass caused by missing can.access.terminal middleware on /terminal/auth and /terminal/auth/ips.",
    "sink": "docker/coolify-realtime/terminal-server.js pty.spawn('ssh', ...)",
    "trust_boundary": "authenticated low-privileged Member to administrator/owner-only terminal execution"
  },
  "candidate_root_cause": {
    "summary": "Member-created API token used to request private-key API data; sensitive serialization controlled by token abilities.",
    "sink": "app/Http/Controllers/Api/SecurityController.php sensitive private_key serialization",
    "trust_boundary": "authenticated low-privileged Member to sensitive team private-key material"
  },
  "equivalence": {
    "same_sink": false,
    "same_authorization_boundary": "partially_related_authenticated_member_boundary",
    "same_fix_coverage": false,
    "same_root_cause_confidence": 0.15,
    "notes": "The candidate is an adjacent chain from the ticket, not the same terminal WebSocket sink. Runtime testing showed it does not leak private_key with a Member read/write token, so it is not a bypass of the terminal middleware fix."
  },
  "fixed_version_result": {
    "commit_sha": "914d7e0b50505bc1fd56c34974fca09ad354e92a",
    "bypass_confirmed": false,
    "reason": "Fixed terminal routes block Members, and candidate API-token path hides private_key unless token can read:sensitive/root."
  }
}
