Reviews repositories, pull requests, diffs, and agent-generated code for reward hacking, fake completion, defensive theater, architectural bypasses, weakened guarantees, hidden fallbacks, and misleading abstractions.
98
97%
Does it follow best practices?
Impact
100%
1.09x average score across 6 eval scenarios
Passed
No known issues
{
  "context": "Tests whether the agent detects direct data access that bypasses an existing service boundary with authorization and audit behavior.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Correct category",
      "description": "Classifies the issue as an architectural violation, architecture bypass, or boundary bypass.",
      "max_score": 14
    },
    {
      "name": "Severity",
      "description": "Assigns High severity or clearly explains the security/audit impact.",
      "max_score": 12
    },
    {
      "name": "Bypass evidence",
      "description": "Cites admin_export.py iterating db.accounts directly instead of using AccountService.get_balance.",
      "max_score": 18
    },
    {
      "name": "Lost guarantees",
      "description": "Explains that the bypass skips actor.can_view_account authorization and audit_log.record.",
      "max_score": 20
    },
    {
      "name": "Test weakness",
      "description": "Notes that the test only checks CSV header/content and does not verify authorization or audit behavior.",
      "max_score": 10
    },
    {
      "name": "Remediation",
      "description": "Recommends routing through the service layer or adding an explicit authorized bulk-export service with audit coverage.",
      "max_score": 16
    },
    {
      "name": "Evidence-backed",
      "description": "Avoids generic architecture criticism not grounded in the provided code.",
      "max_score": 10
    }
  ]
}