{
  "schema_version": 1,
  "updated_at": "2026-07-09T18:25:32.351286264Z",
  "entries": [
    {
      "logical_path": "repro/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/rca_report.md",
      "stage": "repro",
      "role": "root_cause_analysis",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/validation_verdict.json",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/runtime_manifest.json",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental repro stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/poc_vulnerable.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/poc_fixed.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/gadget_executed_vulnerable.txt",
      "stage": "repro",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Marker file written by the MaliciousGadget.readObject() method during deserialization, proving arbitrary code execution occurred before the cast to SvmDoccatModel",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/harness/MaliciousGadget.java",
      "stage": "repro",
      "role": "source_identity",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Source code of the simulated deserialization gadget class whose readObject() method executes arbitrary code during deserialization",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/harness/Poc.java",
      "stage": "repro",
      "role": "source_identity",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Source code of the PoC harness that serializes the gadget and feeds it to SvmDoccatModel.deserialize(), checking for code execution",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/gadget_executed_vulnerable.txt",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/build_vulnerable.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/build_fixed.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/fixed_oom_small.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/fixed_oom_large.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/fixed_rce.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/vuln_rce.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/gadget_executed_vuln_variant.txt",
      "stage": "vuln_variant",
      "role": "marker_output",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Marker file written by the gadget's readObject() on the vulnerable build, proving arbitrary code execution during deserialisation (the parent CVE mechanism).",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/vuln_variant/fixed_version.txt",
      "stage": "vuln_variant",
      "role": "source_identity",
      "destination": "private_only",
      "required_for_verdict": true,
      "publishable": false,
      "reason": "Exact tested fixed/variant-target commit identity (3cf42d4a, opennlp-3.0.0-M4) resolved via git rev-parse.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/reproduction_steps.sh",
      "stage": "vuln_variant",
      "role": "primary_reproducer",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/harness/Variant.java",
      "stage": "vuln_variant",
      "role": "primary_reproducer",
      "destination": "private_only",
      "required_for_verdict": true,
      "publishable": false,
      "reason": "Variant harness (build/oom/rce modes) that crafts the allow-listed primitive-array payload and feeds it to SvmDoccatModel.deserialize().",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/variant_manifest.json",
      "stage": "vuln_variant",
      "role": "variant_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/validation_verdict.json",
      "stage": "vuln_variant",
      "role": "validation_verdict",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/source_identity.json",
      "stage": "vuln_variant",
      "role": "source_identity",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/runtime_manifest.json",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/root_cause_equivalence.json",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/patch_analysis.md",
      "stage": "vuln_variant",
      "role": "patch_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/rca_report.md",
      "stage": "vuln_variant",
      "role": "summary_report",
      "destination": "private_only",
      "required_for_verdict": false,
      "publishable": false,
      "reason": "Variant RCA report following the variant template: summary, fix coverage, variant path, impact, impact parity, root cause, reproduction steps, evidence, recommendations.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/rca_report.md",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/vuln_variant/vuln_oom_large.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/gadget_executed_vuln_variant.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/fixed_version.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/vuln_variant/vulnerable_version.txt",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    }
  ]
}
