Vuln Test Site

Intentionally insecure demo app for PG-VS Engine 2 scanner validation. All credentials below are fake test fixtures.

Exposed routes

• /admin — admin panel (200, no auth)
• /debug — debug info JSON
• /.env — fake env file (200)
• /api/users — public data API
• /login — exposed login panel

Loaded test bundles

• secrets-fixtures.js — Stripe/AWS/OpenAI/GitHub-like keys
• supabase-client.js — Supabase URL + anon/service_role JWT
• firebase-client.js — firebaseConfig + collection refs