{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "Nuclio Kubernetes controller watches a real NuclioFunction custom resource, generates a Kubernetes CronJob for the cron trigger, and a real CronJob-derived pod executes the generated container command",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "kind Kubernetes",
    "Nuclio controller binary",
    "NuclioFunction CRD",
    "Kubernetes CronJob",
    "CronJob pod",
    "curlimages/curl container"
  ],
  "proof_artifacts": [
    "logs/vulnerable_attempt1/pod.log",
    "logs/vulnerable_attempt2/pod.log",
    "logs/vulnerable_attempt1/cronjob_pretty.json",
    "logs/fixed_attempt1/cronjob_pretty.json",
    "logs/fixed_attempt1/pod.log",
    "logs/fixed_attempt2/pod.log",
    "logs/reproduction_steps.log"
  ],
  "notes": "Confirmed through the production Kubernetes CR/controller/CronJob boundary. Two vulnerable attempts executed attacker-controlled id/echo commands in real CronJob pods; two fixed attempts used exec-form curl and did not execute the marker."
}
