{
  "ai_economics": {
    "calls": 12,
    "cost_usd": 0.20013,
    "engineer_baseline_usd": 1000.0,
    "engineer_hourly_usd": 250.0,
    "engineer_hours_avoided": 4.0,
    "estimated": true,
    "reachable_plan_cost_usd": 99.0,
    "source": "repo.db/enzo_attacker_audit",
    "tokens_total": 20858
  },
  "artifacts": [
    {
      "href": "reachable.sarif",
      "label": "Selected SARIF"
    },
    {
      "href": "gl-sast-report.json",
      "label": "GitLab SAST report"
    },
    {
      "href": "remediation-ledger.json",
      "label": "Sanitized remediation ledger"
    },
    {
      "href": "reachable-cache-before-install.json",
      "label": "Run evidence: before-install"
    },
    {
      "href": "reachable-cache-after-install.json",
      "label": "Run evidence: after-install"
    },
    {
      "href": "reachable-cache-after-scan.json",
      "label": "Run evidence: after-scan"
    },
    {
      "href": "EXPECTED.md",
      "label": "Expected issue contract"
    },
    {
      "href": "summary.json",
      "label": "Summary JSON"
    },
    {
      "href": "summary.md",
      "label": "Summary Markdown"
    }
  ],
  "by_family": {},
  "by_level": {},
  "by_reachability": {},
  "by_type": {},
  "compliance": {
    "available": false
  },
  "expected_demo": {
    "after": {
      "branch": "reachable-remediate-2616266772",
      "commit_hash": "562ca3c12edef8f4f99cdf8d303b4d514aa68f36",
      "commit_short": "562ca3c1",
      "critical_count": 0,
      "db_scan_id": 48,
      "duration_seconds": 17.76,
      "high_count": 0,
      "id": 48,
      "low_count": 0,
      "medium_count": 0,
      "reachable_findings": 0,
      "risk_level": "NONE",
      "status": "complete",
      "timestamp": "2026-06-20 15:34:22",
      "total_findings": 6,
      "version": "1.0.0b115"
    },
    "after_ai": {
      "calls": 0,
      "cost_usd": 0.0,
      "duration_seconds": 0.0,
      "tokens_in": 0,
      "tokens_out": 0,
      "tokens_total": 0
    },
    "after_available": true,
    "after_total": 0,
    "available": true,
    "baseline": {
      "branch": "reachable-remediate-2616266772",
      "commit_hash": "c0ba76fe94d22e8a37e9fac3893e5ee1bae5fc64",
      "commit_short": "c0ba76fe",
      "critical_count": 6,
      "db_scan_id": 42,
      "duration_seconds": 157.21,
      "high_count": 1,
      "id": 42,
      "low_count": 0,
      "medium_count": 7,
      "reachable_findings": 14,
      "risk_level": "CRITICAL",
      "status": "complete",
      "timestamp": "2026-06-20 15:27:37",
      "total_findings": 26,
      "version": "1.0.0b115"
    },
    "baseline_ai": {
      "calls": 12,
      "cost_usd": 0.20013,
      "duration_seconds": 228.757,
      "tokens_in": 9395,
      "tokens_out": 11463,
      "tokens_total": 20858
    },
    "baseline_found": 18,
    "baseline_missing": 3,
    "clean": false,
    "contract_path": "EXPECTED.md",
    "evidence_source": "repo.db",
    "expected_total": 21,
    "fixed": 18,
    "headline": "The remediation proof scan has no blocking findings, but the baseline contract did not fully match.",
    "name": "reach-testbed-go golden baseline",
    "rows": [
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "7a3f59c4ba0834d8",
          "id": 449,
          "line_number": 32,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-llm-api-call",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "ai",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 32,
        "location": "internal/handlers/ai.go:32",
        "match_key": [
          "ai",
          "internal/handlers/ai.go",
          32
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM01-http-post-with-pii-payload-\u2014-data-leakag",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "4c74c9810a87e3e6",
          "id": 442,
          "line_number": 51,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-llm-api-call",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "ai",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 51,
        "location": "internal/handlers/ai.go:51",
        "match_key": [
          "ai",
          "internal/handlers/ai.go",
          51
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM01-http-post-with-pii-payload-\u2014-data-leakag",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:28:36",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "CRITICAL"
          },
          "cwe_id": "CWE-78",
          "description": "OS command injection via exec.Command with shell",
          "file_path": "internal/handlers/cwe.go",
          "finding_id": "a65c6a7d81b892f2",
          "id": 441,
          "line_number": 12,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-cmdi-exec-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "OS command injection via exec.Command with shell"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "CRITICAL",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Command injection",
        "line": 12,
        "location": "internal/handlers/cwe.go:12",
        "match_key": [
          "cwe",
          "internal/handlers/cwe.go",
          12
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Agent removed command-execution risk and proof scan confirms the sink is gone.",
        "rule_id": "CWE/78",
        "signal_description": "OS command injection via exec.Command with shell",
        "signal_title": "OS command injection via exec.Command with shell",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:28:36",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "HIGH"
          },
          "cwe_id": "CWE-319",
          "description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "e830079d1363253b",
          "id": 458,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-user-controlled-url-no-tls",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "CRITICAL",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Cleartext network exposure",
        "line": 13,
        "location": "internal/handlers/suspicious.go:13",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          13
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Expected vulnerable fixture row is no longer present in the proof scan.",
        "rule_id": "CWE/319",
        "signal_description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
        "signal_title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-532",
          "description": "PII data (SSN, DOB, credit card) in Go log output",
          "file_path": "internal/handlers/dlp.go",
          "finding_id": "4e5409dcc3180515",
          "id": 457,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-pii-to-log-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "dlp",
          "title": "PII data (SSN, DOB, credit card) in Go log output"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "dlp",
        "found_after": false,
        "found_before": true,
        "kind": "PII / sensitive data exposure",
        "line": 13,
        "location": "internal/handlers/dlp.go:13",
        "match_key": [
          "dlp",
          "internal/handlers/dlp.go",
          13
        ],
        "path": "internal/handlers/dlp.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Synthetic PII exposure is removed from logs or outbound data paths.",
        "rule_id": "DLP/6fd2031f2cff0e06",
        "signal_description": "PII data (SSN, DOB, credit card) in Go log output",
        "signal_title": "PII data (SSN, DOB, credit card) in Go log output",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/dlp.go",
          "finding_id": "07904faffe2a1ee4",
          "id": 450,
          "line_number": 15,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "reachable.conf.semgrep.go-pii-to-http-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "dlp",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "dlp",
        "found_after": false,
        "found_before": true,
        "kind": "PII / sensitive data exposure",
        "line": 15,
        "location": "internal/handlers/dlp.go:15",
        "match_key": [
          "dlp",
          "internal/handlers/dlp.go",
          15
        ],
        "path": "internal/handlers/dlp.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Synthetic PII exposure is removed from logs or outbound data paths.",
        "rule_id": "DLP/f22dde2c0a9e3739",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "NOT_REACHABLE",
        "actual_risk": "LOW",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "NOT_REACHABLE",
          "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
          "display_id": "GO-2022-1059",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "cc8d13f1e2b18f04",
          "id": 445,
          "line_number": 0,
          "package_name": "golang.org/x/text",
          "package_version": "v0.3.7",
          "prod_status": "UNKNOWN",
          "remediation_kind": "dependency_upgrade",
          "remediation_target": "0.3.8",
          "risk_level": "LOW",
          "scanner": "grype",
          "severity": "HIGH",
          "signal_type": "cve",
          "title": "GO-2022-1059"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "HIGH",
        "family": "cve",
        "found_after": false,
        "found_before": true,
        "kind": "Vulnerable dependency",
        "line": 0,
        "location": "internal/handlers/cve.go",
        "match_key": [
          "cve",
          "internal/handlers/cve.go",
          0
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Dependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.",
        "rule_id": "CVE/CVE-2022-32149",
        "signal_description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
        "signal_title": "GO-2022-1059",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": false,
        "kind": "AI / LLM security issue",
        "line": 11,
        "location": "internal/handlers/cwe.go:11",
        "match_key": [
          "ai",
          "internal/handlers/cwe.go",
          11
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": false,
        "kind": "AI / LLM security issue",
        "line": 13,
        "location": "internal/handlers/suspicious.go:13",
        "match_key": [
          "ai",
          "internal/handlers/suspicious.go",
          13
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "",
        "actual_reachability": "",
        "actual_risk": "",
        "after_signal": {},
        "baseline_signal": {},
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": false,
        "kind": "AI / LLM security issue",
        "line": 22,
        "location": "internal/handlers/cwe.go:22",
        "match_key": [
          "ai",
          "internal/handlers/cwe.go",
          22
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "",
        "status": "baseline_missing",
        "status_label": "Expected baseline row was not detected"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:29:34",
            "error": null,
            "exploitable": "0",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "46af85a195072c39",
          "id": 459,
          "line_number": 38,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 38,
        "location": "internal/handlers/cve.go:38",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          38
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:30:14",
            "error": null,
            "exploitable": "0",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "bed79f7984471e6d",
          "id": 463,
          "line_number": 22,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 22,
        "location": "internal/handlers/cve.go:22",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          22
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:28:54",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "d7624bc58e5a9df2",
          "id": 447,
          "line_number": 21,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 21,
        "location": "internal/handlers/ai.go:21",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          21
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:29:13",
            "error": null,
            "exploitable": "0",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "12f37d37cbdaada2",
          "id": 451,
          "line_number": 16,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 16,
        "location": "internal/handlers/cve.go:16",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          16
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:29:35",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "CRITICAL"
          },
          "cwe_id": "CWE-918",
          "description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "fcbeb9f6aac74745",
          "id": 456,
          "line_number": 14,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-ssrf-http-get-tainted-url",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Server-side request forgery",
        "line": 14,
        "location": "internal/handlers/suspicious.go:14",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          14
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Agent removed arbitrary outbound fetch behavior that could become SSRF.",
        "rule_id": "CWE/918",
        "signal_description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
        "signal_title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:29:56",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "MEDIUM"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "746deba1fd5686a3",
          "id": 460,
          "line_number": 16,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 16,
        "location": "internal/handlers/suspicious.go:16",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          16
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:30:10",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "e027315b8f84ff30",
          "id": 462,
          "line_number": 39,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 39,
        "location": "internal/handlers/ai.go:39",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          39
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:29:14",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "MEDIUM"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "d35b8bc042380ab6",
          "id": 448,
          "line_number": 24,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 24,
        "location": "internal/handlers/suspicious.go:24",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          24
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:28:53",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "91fee2ded8554316",
          "id": 440,
          "line_number": 61,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 61,
        "location": "internal/handlers/ai.go:61",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          61
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-20 15:29:56",
            "error": null,
            "exploitable": "1",
            "model_used": "claude-sonnet-4-5-20250929",
            "severity": "MEDIUM"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "9c2179dffe64f020",
          "id": 461,
          "line_number": 30,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 30,
        "location": "internal/handlers/suspicious.go:30",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          30
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "description": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00",
          "display_id": "secret-github-pat-handlers-secrets",
          "file_path": "internal/handlers/secrets.go",
          "finding_id": "2f3ed00131d5bd53",
          "id": 455,
          "line_number": 11,
          "prod_status": "UNKNOWN",
          "remediation_kind": "secret_rotation",
          "risk_level": "MEDIUM",
          "rule_id": "secrets.gitleaks.github-pat",
          "scanner": "semgrep",
          "secret_type": "github-pat",
          "severity": "MEDIUM",
          "signal_type": "secret",
          "title": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "secret",
        "found_after": false,
        "found_before": true,
        "kind": "Secret exposure",
        "line": 11,
        "location": "internal/handlers/secrets.go:11",
        "match_key": [
          "secret",
          "internal/handlers/secrets.go",
          11
        ],
        "path": "internal/handlers/secrets.go",
        "problem_ref": "EXPECTED.md#expected-findings-table",
        "prod_status": "UNKNOWN",
        "remediation_action": "Synthetic secret exposure is removed from production-actionable posture.",
        "rule_id": "SECRET/github-pat",
        "signal_description": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00",
        "signal_title": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      }
    ],
    "still_present": 0,
    "verified_with_reachable": "1.0.0b97"
  },
  "ledger_error": null,
  "proof": {
    "by_state": {},
    "defended_after_reattack": 0,
    "failed": 0,
    "needs_review": 0,
    "profile_count": 0,
    "profile_kinds": [],
    "run_count": 0,
    "skipped_policy": 0,
    "source": "none",
    "verified_exploitable": 0
  },
  "ref": "main",
  "remediation": {
    "attempt_count": 0,
    "message": "Structured proof verdict: The remediation proof scan has no blocking findings, but the baseline contract did not fully match.",
    "proof_scan": {
      "by_level": {},
      "exists": true,
      "label": "after-final",
      "path": ".reachable/ci-artifacts/reachable-after-final.sarif",
      "results": 0,
      "top_rules": []
    },
    "scan_count": 2,
    "selected_rule_count": 0,
    "selected_rules": [],
    "status": "needs_review"
  },
  "repo": "sthenos-security-public/reach-testbed-gitlab-go",
  "run_evidence": {
    "artifacts": [
      {
        "href": "reachable-cache-before-install.json",
        "label": "Run evidence: before-install"
      },
      {
        "href": "reachable-cache-after-install.json",
        "label": "Run evidence: after-install"
      },
      {
        "href": "reachable-cache-after-scan.json",
        "label": "Run evidence: after-scan"
      }
    ],
    "available": true,
    "phases": {
      "after-install": {
        "cache_matched_key": "gitlab:82851787:latest",
        "cache_primary_key": "",
        "cache_restored": false,
        "cache_source": "gitlab-cache",
        "created_at": "2026-06-20T15:27:33.707831+00:00",
        "install_mode": "installed",
        "installed_version": "REACHABLE 1.0.0b115",
        "latest_repo_db": {
          "ai_bom_entries_count": 0,
          "latest_scan": {
            "branch": "unknown",
            "commit_hash": "c0ba76fe94d22e8a37e9fac3893e5ee1bae5fc64",
            "commit_short": "c0ba76fe",
            "id": 41,
            "reachable_findings": 15,
            "status": "complete",
            "timestamp": "2026-06-20 15:21:41",
            "total_findings": 26,
            "version": "1.0.0b115"
          },
          "scans_count": 41,
          "schema_version": 58,
          "signals_count": 181,
          "taint_flows_count": 64
        },
        "latest_repo_db_hash": "c9a28a9ea099790a56d26ea3d6940a33a2ad9da38b59bbc3a3c1861bb8a57851",
        "latest_repo_db_size_kb": 129968,
        "phase": "after-install",
        "provider": "gitlab_ci",
        "reachable_home_exists": true,
        "reachable_home_size_kb": 4,
        "repo_db_count": 1,
        "scan_session_count": 41,
        "schema_version": 1,
        "target_version": "latest"
      },
      "after-scan": {
        "cache_matched_key": "gitlab:82851787:latest",
        "cache_primary_key": "",
        "cache_restored": false,
        "cache_source": "gitlab-cache",
        "created_at": "2026-06-20T15:34:43.097107+00:00",
        "install_mode": "installed",
        "installed_version": "REACHABLE 1.0.0b115",
        "latest_repo_db": {
          "ai_bom_entries_count": 0,
          "latest_scan": {
            "branch": "reachable-remediate-2616266772",
            "commit_hash": "562ca3c12edef8f4f99cdf8d303b4d514aa68f36",
            "commit_short": "562ca3c1",
            "id": 48,
            "reachable_findings": 0,
            "status": "complete",
            "timestamp": "2026-06-20 15:34:22",
            "total_findings": 6,
            "version": "1.0.0b115"
          },
          "scans_count": 48,
          "schema_version": 58,
          "signals_count": 193,
          "taint_flows_count": 64
        },
        "latest_repo_db_hash": "ff6ccfb702d0e6c67600fcedd5a4a7d34f5662b0a06ff5ebfd4550eee50825ef",
        "latest_repo_db_size_kb": 138260,
        "phase": "after-scan",
        "provider": "gitlab_ci",
        "reachable_home_exists": true,
        "reachable_home_size_kb": 4,
        "repo_db_count": 1,
        "scan_session_count": 48,
        "schema_version": 1,
        "target_version": "latest"
      },
      "before-install": {
        "cache_matched_key": "gitlab:82851787:latest",
        "cache_primary_key": "",
        "cache_restored": false,
        "cache_source": "gitlab-cache",
        "created_at": "2026-06-20T15:27:03.458599+00:00",
        "install_mode": "pending",
        "installed_version": "",
        "latest_repo_db": {
          "ai_bom_entries_count": 0,
          "latest_scan": {
            "branch": "unknown",
            "commit_hash": "c0ba76fe94d22e8a37e9fac3893e5ee1bae5fc64",
            "commit_short": "c0ba76fe",
            "id": 41,
            "reachable_findings": 15,
            "status": "complete",
            "timestamp": "2026-06-20 15:21:41",
            "total_findings": 26,
            "version": "1.0.0b115"
          },
          "scans_count": 41,
          "schema_version": 58,
          "signals_count": 181,
          "taint_flows_count": 64
        },
        "latest_repo_db_hash": "c9a28a9ea099790a56d26ea3d6940a33a2ad9da38b59bbc3a3c1861bb8a57851",
        "latest_repo_db_size_kb": 129968,
        "phase": "before-install",
        "provider": "gitlab_ci",
        "reachable_home_exists": true,
        "reachable_home_size_kb": 4,
        "repo_db_count": 1,
        "scan_session_count": 41,
        "schema_version": 1,
        "target_version": "latest"
      }
    },
    "summary": {
      "cache_restored": false,
      "cache_size_kb_after": 4,
      "cache_size_kb_before": 4,
      "cache_source": "gitlab-cache",
      "install_mode": "installed",
      "installed_version": "REACHABLE 1.0.0b115",
      "latest_repo_db_hash": "ff6ccfb702d0e6c67600fcedd5a4a7d34f5662b0a06ff5ebfd4550eee50825ef",
      "latest_scan": {
        "branch": "reachable-remediate-2616266772",
        "commit_hash": "562ca3c12edef8f4f99cdf8d303b4d514aa68f36",
        "commit_short": "562ca3c1",
        "id": 48,
        "reachable_findings": 0,
        "status": "complete",
        "timestamp": "2026-06-20 15:34:22",
        "total_findings": 6,
        "version": "1.0.0b115"
      },
      "repo_db_count_after": 1,
      "repo_db_count_before": 1,
      "repo_db_reused": true,
      "scan_session_count": 48,
      "target_version": "latest"
    }
  },
  "run_id": "2616266772",
  "sarif_error": null,
  "sha": "c0ba76fe94d22e8a37e9fac3893e5ee1bae5fc64",
  "suspicious_package_count": 0,
  "top": [],
  "top_defended": [],
  "top_priority": [],
  "total": 0,
  "verification": {
    "blocking_results": 0,
    "branch": "reachable-remediate-2616266772",
    "clean": false,
    "label": "repo.db expected-contract comparison",
    "message": "The remediation proof scan has no blocking findings, but the baseline contract did not fully match.",
    "mode": "structured baseline/remediation proof",
    "results": 0,
    "run_url": "https://gitlab.com/sthenos-security-public/reach-testbed-gitlab-go/-/pipelines/2616266772",
    "status": "db_needs_review"
  }
}
