{
  "certificate_id": "8c60b593c88ee0acd4cc3a1d67fa54f52912d0e313cdec22e550c34544a6e11c",
  "claim_boundary": "Guard verifies evidence availability and policy conditions; it does not prove the change is bug-free.",
  "decision": {
    "advisory_obligation_count": 0,
    "blocking_obligation_count": 0,
    "human_merge_authority_retained": true,
    "merge_allowed_by_guard": true,
    "status": "evidence_satisfied"
  },
  "engine_version": "1.1.0",
  "evidence": {
    "approvals": {
      "approved_individual_owners": [
        "@alexanderluzdh"
      ],
      "missing_individual_owners": [],
      "report_sha256": "39b3f3ce8f77ac4284d1132885e4c483dbff332945d615678575614626104a51",
      "review_count": 1,
      "team_owners_not_locally_verifiable": []
    },
    "counterfactual": {
      "candidate_test_count": 2,
      "claim_boundary": "A verified result means a selected test passed on the PR head and failed against a focused mutation of changed Python logic. It does not prove complete correctness, mutation equivalence, or isolation from a malicious repository test process.",
      "engine": "focused_python_counterfactual_v1",
      "executed_test_count": 3,
      "killed_mutant_count": 1,
      "status": "causally_verified",
      "targets": [
        {
          "candidate_tests": [
            "tests/auth/test_session.py::test_first_token_use_is_accepted",
            "tests/auth/test_session.py::test_replayed_token_is_rejected"
          ],
          "changed_lines": [
            1,
            9,
            10
          ],
          "executions": [
            {
              "head": {
                "return_code": 0,
                "status": "passed"
              },
              "mutants": [
                {
                  "killed": false,
                  "kind": "invert_if_condition",
                  "line": 9,
                  "mutation_id": "965cb52975c18a1d",
                  "result": {
                    "return_code": 1,
                    "status": "test_failed"
                  }
                },
                {
                  "killed": true,
                  "kind": "force_compare_true",
                  "line": 9,
                  "mutation_id": "1235a4822d1926c5",
                  "result": {
                    "return_code": 1,
                    "status": "test_failed"
                  }
                }
              ],
              "test": "tests/auth/test_session.py::test_first_token_use_is_accepted"
            }
          ],
          "mutation_ids": [
            "965cb52975c18a1d",
            "1235a4822d1926c5",
            "98eb2a0a13fe6057",
            "fcbe4badc6877869"
          ],
          "path": "src/auth/session.py",
          "verified": true
        }
      ],
      "verified_targets": [
        "src/auth/session.py"
      ]
    },
    "dependencies": {
      "osv": {
        "dependency_manifest_changes": [],
        "report_sha256": "926758ee302bc08be9e5df0729dbc48f822fd93c83af4b7d4ae495cedf961de4",
        "repository_vulnerability_count": 18,
        "scope_boundary": "Repository findings are historical context and do not block a diff without dependency-manifest changes.",
        "status": "available",
        "vulnerabilities": [
          {
            "id": "PYSEC-2026-215",
            "package": "idna",
            "summary": null,
            "version": "3.11"
          },
          {
            "id": "GHSA-65pc-fj4g-8rjx",
            "package": "idna",
            "summary": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix",
            "version": "3.11"
          },
          {
            "id": "PYSEC-2026-1845",
            "package": "pytest",
            "summary": "pytest has vulnerable tmpdir handling",
            "version": "9.0.2"
          },
          {
            "id": "GHSA-6w46-j5rx-g56g",
            "package": "pytest",
            "summary": "pytest has vulnerable tmpdir handling",
            "version": "9.0.2"
          },
          {
            "id": "PYSEC-2026-161",
            "package": "starlette",
            "summary": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks",
            "version": "1.0.0"
          },
          {
            "id": "PYSEC-2026-248",
            "package": "starlette",
            "summary": null,
            "version": "1.0.0"
          },
          {
            "id": "PYSEC-2026-249",
            "package": "starlette",
            "summary": null,
            "version": "1.0.0"
          },
          {
            "id": "GHSA-82w8-qh3p-5jfq",
            "package": "starlette",
            "summary": "Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS",
            "version": "1.0.0"
          },
          {
            "id": "GHSA-86qp-5c8j-p5mr",
            "package": "starlette",
            "summary": "Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks",
            "version": "1.0.0"
          },
          {
            "id": "GHSA-jp82-jpqv-5vv3",
            "package": "starlette",
            "summary": "Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname",
            "version": "1.0.0"
          },
          {
            "id": "GHSA-wqp7-x3pw-xc5r",
            "package": "starlette",
            "summary": "Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows",
            "version": "1.0.0"
          },
          {
            "id": "GHSA-x746-7m8f-x49c",
            "package": "starlette",
            "summary": "Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`",
            "version": "1.0.0"
          },
          {
            "id": "PYSEC-2026-141",
            "package": "urllib3",
            "summary": null,
            "version": "2.6.3"
          },
          {
            "id": "PYSEC-2026-142",
            "package": "urllib3",
            "summary": null,
            "version": "2.6.3"
          },
          {
            "id": "GHSA-mf9v-mfxr-j63j",
            "package": "urllib3",
            "summary": "urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API",
            "version": "2.6.3"
          },
          {
            "id": "GHSA-qccp-gfcp-xxvc",
            "package": "urllib3",
            "summary": "urllib3: Sensitive headers forwarded across origins in proxied low-level redirects",
            "version": "2.6.3"
          },
          {
            "id": "GHSA-4gg8-gxpx-9rph",
            "package": "uv",
            "summary": "uv is vulnerable to arbitrary file write through entry point names",
            "version": "0.11.3"
          },
          {
            "id": "GHSA-pjjw-68hj-v9mw",
            "package": "uv",
            "summary": "uv vulnerable to arbitrary file deletion through RECORD entries",
            "version": "0.11.3"
          }
        ]
      }
    },
    "diff": {
      "available": true,
      "base": "dfdfafb8efd3bcb92c3500392e82c20000a60edb",
      "changed_files": [
        "src/auth/session.py",
        "tests/auth/test_session.py"
      ],
      "diff_bytes": 1261,
      "diff_sha256": "e074142a67efb1c57890a13dbe280242914d4c6652c6fcbaba93a1dabc6dde12",
      "error": null,
      "head": "c7514d38e45744a4496510fcb1cdb1143f2d4646",
      "input_matches_git": true,
      "supplied_changed_files": [
        "src/auth/session.py",
        "tests/auth/test_session.py"
      ]
    },
    "owners": {
      "codeowners_path": ".github/CODEOWNERS",
      "codeowners_sha256": "eaa3b28e962d4e883b57d16feee2815887727c1c230299f85c644a7e0de32b33",
      "files": [
        {
          "owners": [
            "@AlexanderLuzDH"
          ],
          "path": "src/auth/session.py"
        },
        {
          "owners": [],
          "path": "tests/auth/test_session.py"
        }
      ],
      "required_owners": [
        "@AlexanderLuzDH"
      ],
      "rule_count": 2,
      "unowned_files": [
        "tests/auth/test_session.py"
      ]
    },
    "risk_surface_files": {
      "authentication": [
        "src/auth/session.py",
        "tests/auth/test_session.py"
      ]
    },
    "risk_surfaces": [
      "authentication"
    ],
    "security": {
      "semgrep": {
        "blocking_changed_file_findings": 0,
        "changed_file_findings": [],
        "report_sha256": "29a7232d83a9aff418ad12cc70ca47bcac934e7cc7048522437a4954cc8270ef",
        "required_for_source": true,
        "status": "available",
        "total_repository_findings": 7
      }
    },
    "tests": {
      "changed_tests": [
        "tests/auth/test_session.py"
      ],
      "mapped_tests": [
        "tests/auth/test_session.py"
      ],
      "mapping": {
        "src/auth/session.py": [
          "tests/auth/test_session.py"
        ]
      },
      "repository_test_file_count": 45,
      "strategy": "language_aware_name_and_path_correlation_v1",
      "unmapped_source_files": []
    }
  },
  "generated_at": "2026-07-10T13:17:12.074438+00:00",
  "kind": "busleyden_guard_consequence_certificate",
  "proof_obligations": [],
  "provenance": {
    "diff_sha256": "e074142a67efb1c57890a13dbe280242914d4c6652c6fcbaba93a1dabc6dde12",
    "engine_sha256": "01e7aa1459895e02483170252f2d7ce703010095deacc21d3cb5403492b31005",
    "osv_sha256": "926758ee302bc08be9e5df0729dbc48f822fd93c83af4b7d4ae495cedf961de4",
    "policy_sha256": "43d359d8777e40ce58163d881aba040c104f6265153f1d63f43af5e0c1a0c31d",
    "reviews_sha256": "39b3f3ce8f77ac4284d1132885e4c483dbff332945d615678575614626104a51",
    "semgrep_sha256": "29a7232d83a9aff418ad12cc70ca47bcac934e7cc7048522437a4954cc8270ef"
  },
  "schema_version": 2,
  "subject": {
    "base": "dfdfafb8efd3bcb92c3500392e82c20000a60edb",
    "changed_file_count": 2,
    "changed_files": [
      "src/auth/session.py",
      "tests/auth/test_session.py"
    ],
    "head": "c7514d38e45744a4496510fcb1cdb1143f2d4646",
    "pull_number": "3",
    "repository": "AlexanderLuzDH/busleyden-guard-live-proof"
  }
}
