{
  "claim_outcome": "alternate_trigger_covered_by_fix",
  "variant_kind": "alternate_entrypoint",
  "alternate_entrypoint": "POST /api/v2/manifest/bake/KUSTOMIZE4",
  "parent_entrypoint": "POST /api/v2/manifest/bake/KUSTOMIZE",
  "shared_sink": "KustomizationFileReader.convert (SnakeYAML load + Jackson convertValue)",
  "reproduced_on_vulnerable": true,
  "reproduced_on_fixed": false,
  "is_bypass": false,
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "end_to_end_target_reached": true,
  "blocking_mitigation": "SafeConstructor + Jackson convertValue in KustomizationFileReader.convert covers the KUSTOMIZE4 dispatch path",
  "notes": "KUSTOMIZE4 alternate bake endpoint reached the same KustomizationFileReader.convert sink. Vulnerable version payload_executed=true; fixed version payload_executed=false. No bypass: the SafeConstructor fix in convert() covers the KUSTOMIZE4 dispatch path (same sink). KUSTOMIZE4 is an alternate trigger of the same root cause, covered by the existing fix."
}
