{
  "entrypoint_kind": "tcp_peer",
  "entrypoint_detail": "Kafka broker SASL/OAUTHBEARER authentication over a real TCP listener using raw Kafka SaslHandshake/SaslAuthenticate frames",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "apache-kafka-4.1.0-broker",
    "apache-kafka-4.1.2-broker",
    "raw-kafka-sasl-tcp-client",
    "mock-jwks-oauth-issuer"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/evidence.log",
    "logs/raw_vulnerable_expired.json",
    "logs/raw_vulnerable_valid.json",
    "logs/raw_fixed_expired.json",
    "logs/raw_fixed_valid.json",
    "logs/broker_vulnerable.log",
    "logs/broker_fixed.log",
    "logs/mock_oauth_server.log",
    "logs/javap_defaultjwtvalidator_4.1.0.txt",
    "logs/javap_defaultjwtvalidator_4.1.2.txt"
  ],
  "notes": "Confirmed: Kafka 4.1.0 accepted the expired JWT over the real SASL TCP broker boundary; Kafka 4.1.2 rejected the same replayed JWT with invalid_token/expiration validation evidence."
}