Detect and redact secrets in text — API keys, tokens, credentials
91
90%
Does it follow best practices?
Impact
100%
1.33x
Average score across 2 eval scenarios
Passed
No known issues
{
  "context": "Tests whether the agent redacts the body of a private key block in a stack trace, while leaving the BEGIN/END markers and surrounding diagnostic lines intact.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "BEGIN marker preserved",
      "description": "The `-----BEGIN RSA PRIVATE KEY-----` line is present in the output exactly as-is.",
      "max_score": 8
    },
    {
      "name": "END marker preserved",
      "description": "The `-----END RSA PRIVATE KEY-----` line is present in the output exactly as-is.",
      "max_score": 8
    },
    {
      "name": "Key body redacted",
      "description": "All four base64 lines that made up the body of the original RSA key are removed. The output does not contain any of `MIIEowIBAAKCAQ`, `Db49S92AMbxe`, `gd+Tpd+JZRHmAOgy`, or `1YxTOfXof4D6`.",
      "max_score": 14
    },
    {
      "name": "Body replaced with single placeholder",
      "description": "Between the BEGIN and END marker lines there is exactly one placeholder line (e.g. `[REDACTED]`) — the original four-line body is not preserved or padded with multiple placeholders.",
      "max_score": 8
    },
    {
      "name": "Stack trace lines preserved",
      "description": "The lines `SSHException: Private key file is encrypted`, `File \"deploy.py\", line 42, in connect`, and the `key = paramiko.RSAKey.from_private_key(...)` line all appear in the output unchanged.",
      "max_score": 10
    },
    {
      "name": "Server fingerprint preserved",
      "description": "The `Server fingerprint: SHA256:...` line is preserved unchanged — fingerprints of public host keys are not secrets.",
      "max_score": 6
    },
    {
      "name": "No extra commentary",
      "description": "The output contains only the redacted snippet — no preamble like 'Here is the safe version' and no trailing summary.",
      "max_score": 6
    }
  ]
}