{
  "host": "staging-target.nanotesting.com",
  "purpose": "internal smoke target for Nano Testing scanners",
  "expected_findings": [
    {"scanner": "sensitive_paths", "path": "/.env",         "severity": "high"},
    {"scanner": "sensitive_paths", "path": "/.git/config",  "severity": "high"},
    {"scanner": "sensitive_paths", "path": "/.git/HEAD",    "severity": "high"},
    {"scanner": "api_discovery",   "path": "/openapi.json", "severity": "info"},
    {"scanner": "api_discovery",   "path": "/swagger.json", "severity": "info"},
    {"scanner": "graphql",         "path": "/graphql",      "severity": "low"},
    {"scanner": "open_redirect",   "path": "/redirect",     "severity": "medium"},
    {"scanner": "tech_fingerprint","path": "/legacy/",      "severity": "info"},
    {"scanner": "security_headers","path": "/",             "severity": "medium"},
    {"scanner": "idor",            "path": "/api/leaky",    "severity": "high",  "note": "Cross-account access. Both sessions get the same body."},
    {"scanner": "idor",            "path": "/api/me",       "severity": "none",  "note": "Negative control. Per-user body should NOT fire the classifier."}
  ]
}