{
  "ai_economics": {
    "calls": 12,
    "cost_usd": 0.03902475,
    "engineer_baseline_usd": 1000.0,
    "engineer_hourly_usd": 250.0,
    "engineer_hours_avoided": 4.0,
    "estimated": true,
    "reachable_plan_cost_usd": 99.0,
    "source": "repo.db/enzo_attacker_audit",
    "tokens_total": 25598
  },
  "artifacts": [
    {
      "href": "reachable.sarif",
      "label": "Selected SARIF"
    },
    {
      "href": "gl-sast-report.json",
      "label": "GitLab SAST report"
    },
    {
      "href": "remediation-ledger.json",
      "label": "Sanitized remediation ledger"
    },
    {
      "href": "reachable-cache-before-install.json",
      "label": "Run evidence: before-install"
    },
    {
      "href": "reachable-cache-after-install.json",
      "label": "Run evidence: after-install"
    },
    {
      "href": "reachable-cache-after-scan.json",
      "label": "Run evidence: after-scan"
    },
    {
      "href": "EXPECTED.md",
      "label": "Expected issue contract"
    },
    {
      "href": "summary.json",
      "label": "Summary JSON"
    },
    {
      "href": "summary.md",
      "label": "Summary Markdown"
    }
  ],
  "by_family": {},
  "by_level": {},
  "by_reachability": {},
  "by_type": {},
  "compliance": {
    "available": false
  },
  "expected_demo": {
    "after": {
      "branch": "reachable-remediate-2665924351",
      "commit_hash": "bb600c87301c2453ca2cf2bc3fdbaf317fecb86c",
      "commit_short": "bb600c87",
      "critical_count": 0,
      "db_scan_id": 9,
      "duration_seconds": 8.93,
      "high_count": 0,
      "id": 9,
      "low_count": -1,
      "medium_count": 0,
      "reachable_findings": 0,
      "risk_level": "NONE",
      "status": "complete",
      "timestamp": "2026-07-09 21:34:08",
      "total_findings": 3,
      "version": "1.0.0b136"
    },
    "after_ai": {
      "calls": 0,
      "cost_usd": 0.0,
      "duration_seconds": 0.0,
      "tokens_in": 0,
      "tokens_out": 0,
      "tokens_total": 0
    },
    "after_available": true,
    "after_total": 0,
    "available": true,
    "baseline": {
      "branch": "unknown",
      "commit_hash": "1a34bb312a01b993e9f44dba7e5fd91078e8a839",
      "commit_short": "1a34bb31",
      "critical_count": 6,
      "db_scan_id": 1,
      "duration_seconds": 174.59,
      "high_count": 1,
      "id": 1,
      "low_count": -1,
      "medium_count": 4,
      "reachable_findings": 11,
      "risk_level": "CRITICAL",
      "status": "complete",
      "timestamp": "2026-07-09 21:15:54",
      "total_findings": 63,
      "version": "1.0.0b136"
    },
    "baseline_ai": {
      "calls": 12,
      "cost_usd": 0.03902475,
      "duration_seconds": 40.172,
      "tokens_in": 20311,
      "tokens_out": 5287,
      "tokens_total": 25598
    },
    "baseline_found": 17,
    "baseline_missing": 4,
    "clean": false,
    "contract_path": "EXPECTED.md",
    "evidence_source": "repo.db",
    "expected_total": 21,
    "fixed": 17,
    "headline": "The remediation proof scan has no blocking findings, but the baseline contract did not fully match.",
    "name": "reach-testbed-go golden baseline",
    "rows": [
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "f895ead68ae9705f",
          "id": 62,
          "line_number": 32,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-llm-api-call",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "ai",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 32,
        "location": "internal/handlers/ai.go:32",
        "match_key": [
          "ai",
          "internal/handlers/ai.go",
          32
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM01-http-post-with-pii-payload-\u2014-data-leakag",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "790dcdecd808a868",
          "id": 29,
          "line_number": 51,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-llm-api-call",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "ai",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 51,
        "location": "internal/handlers/ai.go:51",
        "match_key": [
          "ai",
          "internal/handlers/ai.go",
          51
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM01-http-post-with-pii-payload-\u2014-data-leakag",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:31",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "CRITICAL"
          },
          "cwe_id": "CWE-78",
          "description": "OS command injection via exec.Command with shell",
          "file_path": "internal/handlers/cwe.go",
          "finding_id": "06bbff0372f0e794",
          "id": 5,
          "line_number": 12,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-cmdi-exec-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "OS command injection via exec.Command with shell"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "CRITICAL",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Command injection",
        "line": 12,
        "location": "internal/handlers/cwe.go:12",
        "match_key": [
          "cwe",
          "internal/handlers/cwe.go",
          12
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Agent removed command-execution risk and proof scan confirms the sink is gone.",
        "rule_id": "CWE/78",
        "signal_description": "OS command injection via exec.Command with shell",
        "signal_title": "OS command injection via exec.Command with shell",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:32",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "MEDIUM"
          },
          "cwe_id": "CWE-319",
          "description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "f0caf75fa8a92d5f",
          "id": 6,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-user-controlled-url-no-tls",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "CRITICAL",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Cleartext network exposure",
        "line": 13,
        "location": "internal/handlers/suspicious.go:13",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          13
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Expected vulnerable fixture row is no longer present in the proof scan.",
        "rule_id": "CWE/319",
        "signal_description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
        "signal_title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-532",
          "description": "PII data (SSN, DOB, credit card) in Go log output",
          "file_path": "internal/handlers/dlp.go",
          "finding_id": "8d0597a572b2fa6a",
          "id": 13,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-pii-to-log-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "dlp",
          "title": "PII data (SSN, DOB, credit card) in Go log output"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "dlp",
        "found_after": false,
        "found_before": true,
        "kind": "PII / sensitive data exposure",
        "line": 13,
        "location": "internal/handlers/dlp.go:13",
        "match_key": [
          "dlp",
          "internal/handlers/dlp.go",
          13
        ],
        "path": "internal/handlers/dlp.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Synthetic PII exposure is removed from logs or outbound data paths.",
        "rule_id": "DLP/6fd2031f2cff0e06",
        "signal_description": "PII data (SSN, DOB, credit card) in Go log output",
        "signal_title": "PII data (SSN, DOB, credit card) in Go log output",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/dlp.go",
          "finding_id": "0e34f1f7e26a0682",
          "id": 63,
          "line_number": 15,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-pii-to-http-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "dlp",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "dlp",
        "found_after": false,
        "found_before": true,
        "kind": "PII / sensitive data exposure",
        "line": 15,
        "location": "internal/handlers/dlp.go:15",
        "match_key": [
          "dlp",
          "internal/handlers/dlp.go",
          15
        ],
        "path": "internal/handlers/dlp.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Synthetic PII exposure is removed from logs or outbound data paths.",
        "rule_id": "DLP/f22dde2c0a9e3739",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "HIGH",
        "family": "cve",
        "found_after": false,
        "found_before": false,
        "kind": "Vulnerable dependency",
        "line": 0,
        "location": "internal/handlers/cve.go",
        "match_key": [
          "cve",
          "internal/handlers/cve.go",
          0
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Dependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.",
        "rule_id": "CVE/CVE-2022-32149",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": false,
        "kind": "AI / LLM security issue",
        "line": 11,
        "location": "internal/handlers/cwe.go:11",
        "match_key": [
          "ai",
          "internal/handlers/cwe.go",
          11
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": false,
        "kind": "AI / LLM security issue",
        "line": 13,
        "location": "internal/handlers/suspicious.go:13",
        "match_key": [
          "ai",
          "internal/handlers/suspicious.go",
          13
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": false,
        "kind": "AI / LLM security issue",
        "line": 22,
        "location": "internal/handlers/cwe.go:22",
        "match_key": [
          "ai",
          "internal/handlers/cwe.go",
          22
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:38",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "12b1de75488e3dc4",
          "id": 15,
          "line_number": 38,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 38,
        "location": "internal/handlers/cve.go:38",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          38
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:39",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "f3b8ca8a4b0db984",
          "id": 20,
          "line_number": 22,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 22,
        "location": "internal/handlers/cve.go:22",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          22
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:42",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "79a613526423f510",
          "id": 35,
          "line_number": 21,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 21,
        "location": "internal/handlers/ai.go:21",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          21
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:49",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "73965dcf7f7ad485",
          "id": 59,
          "line_number": 16,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 16,
        "location": "internal/handlers/cve.go:16",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          16
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:48",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "HIGH"
          },
          "cwe_id": "CWE-918",
          "description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "efb6692c9963cb9c",
          "id": 53,
          "line_number": 14,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-ssrf-http-get-tainted-url",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Server-side request forgery",
        "line": 14,
        "location": "internal/handlers/suspicious.go:14",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          14
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Agent removed arbitrary outbound fetch behavior that could become SSRF.",
        "rule_id": "CWE/918",
        "signal_description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
        "signal_title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:42",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "3689b5c89aeed241",
          "id": 34,
          "line_number": 16,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 16,
        "location": "internal/handlers/suspicious.go:16",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          16
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:34",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "c0abd641b66ce298",
          "id": 1,
          "line_number": 39,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 39,
        "location": "internal/handlers/ai.go:39",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          39
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:46",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "3aa3051fcfe75fd8",
          "id": 52,
          "line_number": 24,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 24,
        "location": "internal/handlers/suspicious.go:24",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          24
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:45",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "68735df0c8e03380",
          "id": 50,
          "line_number": 61,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 61,
        "location": "internal/handlers/ai.go:61",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          61
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-07-09 21:18:35",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "5fe3c7c9a2961851",
          "id": 7,
          "line_number": 30,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 30,
        "location": "internal/handlers/suspicious.go:30",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          30
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "NOT_REACHABLE",
        "actual_risk": "INFO",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "NOT_REACHABLE",
          "cwe_id": "CWE-798",
          "description": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.",
          "display_id": "secret-token-handlers-secrets",
          "file_path": "internal/handlers/secrets.go",
          "finding_id": "ac7375dceffd3a19",
          "id": 27,
          "line_number": 11,
          "prod_status": "UNKNOWN",
          "remediation_kind": "secret_rotation",
          "risk_level": "INFO",
          "rule_id": "reachable.conf.semgrep.hardcoded-github-token",
          "scanner": "semgrep",
          "secret_type": "token",
          "severity": "LOW",
          "signal_type": "secret",
          "title": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation."
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "secret",
        "found_after": false,
        "found_before": true,
        "kind": "Secret exposure",
        "line": 11,
        "location": "internal/handlers/secrets.go:11",
        "match_key": [
          "secret",
          "internal/handlers/secrets.go",
          11
        ],
        "path": "internal/handlers/secrets.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "UNKNOWN",
        "remediation_action": "Synthetic secret exposure is removed from production-actionable posture.",
        "rule_id": "SECRET/github-pat",
        "signal_description": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.",
        "signal_title": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      }
    ],
    "still_present": 0,
    "verified_with_reachable": "1.0.0b97"
  },
  "ledger_error": null,
  "proof": {
    "by_state": {},
    "defended_after_reattack": 0,
    "failed": 0,
    "needs_review": 0,
    "profile_count": 0,
    "profile_kinds": [],
    "run_count": 0,
    "skipped_policy": 0,
    "source": "none",
    "verified_exploitable": 0
  },
  "ref": "main",
  "remediation": {
    "attempt_count": 0,
    "message": "Structured proof verdict: The remediation proof scan has no blocking findings, but the baseline contract did not fully match.",
    "proof_scan": {
      "by_level": {},
      "exists": true,
      "label": "after-final",
      "path": ".reachable/ci-artifacts/reachable-after-final.sarif",
      "results": 0,
      "top_rules": []
    },
    "scan_count": 2,
    "selected_rule_count": 0,
    "selected_rules": [],
    "status": "needs_review"
  },
  "repo": "sthenos-security-public/reach-testbed-gitlab-catalog",
  "run_evidence": {
    "artifacts": [
      {
        "href": "reachable-cache-before-install.json",
        "label": "Run evidence: before-install"
      },
      {
        "href": "reachable-cache-after-install.json",
        "label": "Run evidence: after-install"
      },
      {
        "href": "reachable-cache-after-scan.json",
        "label": "Run evidence: after-scan"
      }
    ],
    "available": true,
    "phases": {
      "after-install": {
        "cache_matched_key": "gitlab:83430001:latest",
        "cache_primary_key": "",
        "cache_restored": false,
        "cache_source": "gitlab-cache",
        "created_at": "2026-07-09T21:15:53.845515+00:00",
        "install_mode": "installed",
        "installed_version": "REACHABLE 1.0.0b136",
        "latest_repo_db": {},
        "latest_repo_db_hash": "",
        "latest_repo_db_size_kb": 0,
        "phase": "after-install",
        "provider": "gitlab_ci",
        "reachable_home_exists": true,
        "reachable_home_size_kb": 4,
        "repo_db_count": 0,
        "scan_session_count": 0,
        "schema_version": 1,
        "target_version": "latest"
      },
      "after-scan": {
        "cache_matched_key": "gitlab:83430001:latest",
        "cache_primary_key": "",
        "cache_restored": false,
        "cache_source": "gitlab-cache",
        "created_at": "2026-07-09T21:18:54.446253+00:00",
        "install_mode": "installed",
        "installed_version": "REACHABLE 1.0.0b136",
        "latest_repo_db": {
          "ai_bom_entries_count": 0,
          "latest_scan": {
            "branch": "unknown",
            "commit_hash": "1a34bb312a01b993e9f44dba7e5fd91078e8a839",
            "commit_short": "1a34bb31",
            "id": 1,
            "reachable_findings": 11,
            "status": "complete",
            "timestamp": "2026-07-09 21:15:54",
            "total_findings": 63,
            "version": "1.0.0b136"
          },
          "scans_count": 1,
          "schema_version": 64,
          "signals_count": 64,
          "taint_flows_count": 12
        },
        "latest_repo_db_hash": "2af9d00a433b0de04efbd887768c4e947d1683273e7ba40f711fad184d588aa6",
        "latest_repo_db_size_kb": 29076,
        "phase": "after-scan",
        "provider": "gitlab_ci",
        "reachable_home_exists": true,
        "reachable_home_size_kb": 4,
        "repo_db_count": 1,
        "scan_session_count": 1,
        "schema_version": 1,
        "target_version": "latest"
      },
      "before-install": {
        "cache_matched_key": "gitlab:83430001:latest",
        "cache_primary_key": "",
        "cache_restored": false,
        "cache_source": "gitlab-cache",
        "created_at": "2026-07-09T21:14:23.734362+00:00",
        "install_mode": "pending",
        "installed_version": "",
        "latest_repo_db": {},
        "latest_repo_db_hash": "",
        "latest_repo_db_size_kb": 0,
        "phase": "before-install",
        "provider": "gitlab_ci",
        "reachable_home_exists": true,
        "reachable_home_size_kb": 4,
        "repo_db_count": 0,
        "scan_session_count": 0,
        "schema_version": 1,
        "target_version": "latest"
      }
    },
    "summary": {
      "cache_restored": false,
      "cache_size_kb_after": 4,
      "cache_size_kb_before": 4,
      "cache_source": "gitlab-cache",
      "install_mode": "installed",
      "installed_version": "REACHABLE 1.0.0b136",
      "latest_repo_db_hash": "2af9d00a433b0de04efbd887768c4e947d1683273e7ba40f711fad184d588aa6",
      "latest_scan": {
        "branch": "unknown",
        "commit_hash": "1a34bb312a01b993e9f44dba7e5fd91078e8a839",
        "commit_short": "1a34bb31",
        "id": 1,
        "reachable_findings": 11,
        "status": "complete",
        "timestamp": "2026-07-09 21:15:54",
        "total_findings": 63,
        "version": "1.0.0b136"
      },
      "repo_db_count_after": 1,
      "repo_db_count_before": 0,
      "repo_db_reused": false,
      "scan_session_count": 1,
      "target_version": "latest"
    }
  },
  "run_id": "2665924351",
  "sarif_error": null,
  "sha": "1a34bb312a01b993e9f44dba7e5fd91078e8a839",
  "suspicious_package_count": 0,
  "top": [],
  "top_defended": [],
  "top_priority": [],
  "total": 0,
  "verification": {
    "blocking_results": 0,
    "branch": "reachable-remediate-2665924351",
    "clean": false,
    "label": "repo.db expected-contract comparison",
    "message": "The remediation proof scan has no blocking findings, but the baseline contract did not fully match.",
    "mode": "structured baseline/remediation proof",
    "results": 0,
    "run_url": "https://gitlab.com/sthenos-security-public/reach-testbed-gitlab-catalog/-/pipelines/2665924351",
    "status": "db_needs_review"
  }
}
