profile_id: proxy-boundary-generic
match_rules:
  keywords:
    - proxy
    - middleware
    - header trust
vuln_family: proxy-boundary
provisioning_mode: real
artifact_source:
  strategy: official-image-or-source
required_services:
  - app
seed_actions:
  - kind: note
    message: Log reverse-proxy and application headers before any trust-boundary test.
baseline_actions:
  - kind: tool
    tool: site-scope-mapper
    args:
      - "--target"
      - "127.0.0.1"
      - "--evidence-dir"
      - "{evidence_dir}"
      - "--run-id"
      - "{run_id}"
      - "--case-id"
      - "{case_id}"
attack_actions:
  - kind: note
    message: Perform minimal forwarded-header manipulation only inside isolated lab paths.
browser_assertions:
  required: false
success_criteria:
  - Header trust discrepancy is captured with upstream/downstream logs.
cleanup_policy: destroy
destructive_risk: medium
allowed_target_types:
  - lab-local
  - lab-public
  - authorized-third-party