{
  "verdict": "no_distinct_variant_or_bypass_confirmed",
  "confirmed": false,
  "bypass_confirmed_on_fixed_version": false,
  "variant_candidate": {
    "summary": "Low-privileged Member API-token/private-key retrieval path suggested by the ticket was tested as an adjacent chain.",
    "entrypoint_kind": "api_and_livewire_model_probe",
    "entrypoint_detail": "Member-created read/write Sanctum token -> /api/v1/security/keys sensitive-data serialization path",
    "distinct_from_parent": true,
    "same_root_cause": false,
    "same_sink_reached": false
  },
  "tested_targets": {
    "vulnerable": {
      "repository": "https://github.com/coollabsio/coolify",
      "ref": "v4.0.0-beta.470",
      "commit_sha": "575b0766d12bad2a78febff72ab59c017772bcf7",
      "result": "candidate_did_not_leak_private_key",
      "member_token_can_read_sensitive": false,
      "private_key_marker_leaked": false
    },
    "fixed": {
      "repository": "https://github.com/coollabsio/coolify",
      "ref": "v4.0.0-beta.471",
      "commit_sha": "914d7e0b50505bc1fd56c34974fca09ad354e92a",
      "result": "candidate_did_not_leak_private_key_no_bypass",
      "member_token_can_read_sensitive": false,
      "private_key_marker_leaked": false
    },
    "latest_checked_by_source": {
      "repository": "https://github.com/coollabsio/coolify",
      "ref": "v4.1.2",
      "commit_sha": "e7dff30b7c998c301fd91bd169727b90c59ec291",
      "result": "terminal_auth_routes_still_have_can_access_terminal_middleware"
    }
  },
  "blocking_mitigation": "v4.0.0-beta.471 adds can.access.terminal middleware to /terminal/auth and /terminal/auth/ips; the WebSocket terminal sink depends on those endpoints and fails closed for Member sessions. The adjacent API-token/private-key path hides private_key unless the token has read:sensitive or root ability.",
  "evidence": {
    "reproducer": "bundle/vuln_variant/reproduction_steps.sh",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "vulnerable_probe_log": "bundle/logs/vuln_variant/vulnerable_api_token_private_key_probe.log",
    "fixed_probe_log": "bundle/logs/vuln_variant/fixed_api_token_private_key_probe.log",
    "main_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "patch_analysis": "bundle/vuln_variant/patch_analysis.md",
    "rca_report": "bundle/vuln_variant/rca_report.md"
  },
  "script_exit_code_convention": {
    "exit_0": "fixed-version bypass reproduced",
    "exit_1": "no fixed-version bypass reproduced",
    "observed_final_exit": 1
  }
}
