{
  "schema_version": 1,
  "updated_at": "2026-07-13T16:44:51.777661265Z",
  "accepted": [
    {
      "logical_path": "logs/harness_vulnerable.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/harness_fixed.log",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Shows the identical forged HS256 JWT rejected with HTTP 401 on fixed APISIX 3.17.0 — the negative control proving the fix",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/apisix_fixed.log",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "APISIX 3.17.0 error log containing the fix's specific rejection: jwt-auth.lua:338 algorithm mismatch, expected RS256",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/results_vulnerable.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Structured result: forged_jwt_code=200, no_jwt_code=401 on vulnerable version",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "artifacts/results_fixed.json",
      "stage": "repro",
      "role": "request_response",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Structured result: forged_jwt_code=401 on fixed version",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "repro/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/runtime_manifest.json",
      "stage": "repro",
      "role": "runtime_manifest",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental repro stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/rca_report.md",
      "stage": "repro",
      "role": "root_cause_analysis",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "repro/validation_verdict.json",
      "stage": "repro",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after repro stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/harness_fixed.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/apisix_vulnerable.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/apisix_fixed.log",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/results_vulnerable.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/results_fixed.json",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/rsa_public.pem",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "artifacts/apisix_config.yaml",
      "stage": "repro",
      "role": "proof_log",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/variant_apisix_fixed.log",
      "stage": "judge",
      "role": "validation_verdict",
      "destination": "session_replay",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "APISIX 3.17.0 error log containing the three definitive 'algorithm mismatch, expected RS256/ES256/EdDSA' lines from jwt-auth.lua:338 — proves the fix's alg-match guard covers all three asymmetric consumer families (no bypass).",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/variant_harness_vulnerable.log",
      "stage": "repro",
      "role": "request_response",
      "destination": "session_replay",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Harness output on 3.16.0 showing RS256/ES256/EdDSA forged HS256 tokens all accepted (HTTP 200 BYPASS) — confirms alternate triggers reproduce the authz_bypass on the vulnerable version.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "logs/variant_harness_fixed.log",
      "stage": "judge",
      "role": "request_response",
      "destination": "session_replay",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Harness output on 3.17.0 showing RS256/ES256/EdDSA forged HS256 tokens all rejected (HTTP 401) — confirms the fix holds (no bypass).",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/reproduction_steps.sh",
      "stage": "repro",
      "role": "primary_reproducer",
      "destination": "private_only",
      "required_for_verdict": true,
      "publishable": false,
      "reason": "Idempotent variant/bypass reproduction script: deploys APISIX 3.16.0 and 3.17.0, tests forged HS256 tokens against RS256/ES256/EdDSA consumers on both. Exit 1 = no bypass.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/validation_verdict.json",
      "stage": "judge",
      "role": "validation_verdict",
      "destination": "public_evidence",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Structured final verdict for the variant stage: no bypass, no distinct variant; alternate triggers (ES256/EdDSA) reproduce on vulnerable only and are covered by the generic fix.",
      "declared_by": "agent_tool"
    },
    {
      "logical_path": "vuln_variant/reproduction_steps.sh",
      "stage": "vuln_variant",
      "role": "primary_reproducer",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/rca_report.md",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/patch_analysis.md",
      "stage": "vuln_variant",
      "role": "patch_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/variant_manifest.json",
      "stage": "vuln_variant",
      "role": "variant_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/validation_verdict.json",
      "stage": "vuln_variant",
      "role": "validation_verdict",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared after vuln_variant stage deliverable validation",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/source_identity.json",
      "stage": "vuln_variant",
      "role": "source_identity",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/runtime_manifest.json",
      "stage": "vuln_variant",
      "role": "runtime_manifest",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "vuln_variant/root_cause_equivalence.json",
      "stage": "vuln_variant",
      "role": "root_cause_analysis",
      "destination": "variant_candidate",
      "required_for_verdict": false,
      "publishable": true,
      "reason": "Auto-declared supplemental vuln_variant stage artifact",
      "declared_by": "stage_validator"
    },
    {
      "logical_path": "logs/variant_harness_vulnerable.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/variant_harness_fixed.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/variant_apisix_vulnerable.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/variant_apisix_fixed.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/variant_results_vulnerable.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/variant_results_fixed.json",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/rsa_public.pem",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/ec_public.pem",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/ed_public.pem",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/variant_harness.py",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "vuln_variant/artifacts/apisix_config.yaml",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/variant_run1.stdout.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    },
    {
      "logical_path": "logs/variant_run2.stdout.log",
      "stage": "vuln_variant",
      "role": "proof_log",
      "destination": "variant_candidate",
      "required_for_verdict": true,
      "publishable": true,
      "reason": "Referenced by runtime_manifest.proof_artifacts",
      "declared_by": "runtime_manifest"
    }
  ],
  "rejected": []
}