{
  "entrypoint_kind": "tcp_peer",
  "entrypoint_detail": "Kafka broker SASL/OAUTHBEARER authentication over a real TCP listener using raw Kafka SaslHandshake/SaslAuthenticate frames",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "apache-kafka-4.1.0-broker",
    "apache-kafka-4.1.2-broker",
    "raw-kafka-sasl-tcp-client",
    "mock-jwks-oauth-issuer"
  ],
  "proof_artifacts": [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/variant_evidence.log",
    "logs/vuln_variant/raw_vulnerable_wrong_issuer.json",
    "logs/vuln_variant/raw_vulnerable_wrong_audience.json",
    "logs/vuln_variant/raw_vulnerable_tampered_signature.json",
    "logs/vuln_variant/raw_fixed_wrong_issuer.json",
    "logs/vuln_variant/raw_fixed_wrong_audience.json",
    "logs/vuln_variant/raw_fixed_tampered_signature.json",
    "logs/vuln_variant/broker_vulnerable.log",
    "logs/vuln_variant/broker_fixed.log",
    "logs/vuln_variant/mock_oauth_server.log"
  ],
  "notes": "No fixed-version bypass: invalid issuer, invalid audience, and tampered-signature tokens are accepted by Kafka 4.1.0 but rejected by Kafka 4.1.2 when JWKS is configured."
}