{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "POST /api/v2/manifest/bake/KUSTOMIZE on a real Rosco Spring Boot HTTP endpoint",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "rosco-web",
    "rosco-manifests",
    "spring-boot-test-http-server",
    "wiremock-clouddriver-artifact-peer"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vulnerable_attempt_1.log",
    "logs/vulnerable_attempt_2.log",
    "logs/fixed_attempt_1.log",
    "logs/fixed_attempt_2.log",
    "repro/vulnerable_attempt_1.evidence.txt",
    "repro/vulnerable_attempt_2.evidence.txt",
    "repro/fixed_attempt_1.evidence.txt",
    "repro/fixed_attempt_2.evidence.txt"
  ],
  "notes": "Confirmed: vulnerable Rosco Kustomize bake endpoint executes attacker-controlled YAML tag payload twice; fixed commit rejects the tag twice without payload execution. Fixed commit f5cec213f8cf207843ed5a6929395960a1ca094f, vulnerable parent d7d131a1b1fcb831256034f1e8d023f6e9dc4fc3."
}
