Rego is the declarative policy language of Open Policy Agent (OPA), used to write and enforce policy across cloud-native stacks. It features data-driven rules, comprehensions, and more than 200 built-in functions, and is commonly applied to infrastructure, security, and compliance automation.
{
"context": "Evaluates whether the agent correctly implements a data-driven RBAC policy in Rego using helper rules to separate role lookup from the allow decision.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Correct package name",
"description": "The policy file uses `package policy.rbac`",
"max_score": 5
},
{
"name": "Default deny",
"description": "The policy contains `default allow := false` so access is denied unless explicitly permitted",
"max_score": 10
},
{
"name": "Data-driven role-permission lookup",
"description": "Permissions are resolved from `data.user_roles` and `data.role_permissions` rather than being hardcoded in the allow rule",
"max_score": 15
},
{
"name": "user_has_role helper rule",
"description": "A helper rule `user_has_role` (or equivalent) yields the roles assigned to the user identified in the request `input`, looked up from `data.user_roles`",
"max_score": 15
},
{
"name": "Allow rule uses helper rules",
"description": "The `allow` rule delegates to helper rules rather than duplicating lookup logic inline",
"max_score": 15
},
{
"name": "Test package naming convention",
"description": "The test file uses `package policy.rbac_test` (the `_test` suffix convention)",
"max_score": 5
},
{
"name": "Tests for authorized users",
"description": "Tests verify that admin, editor, and viewer users can perform their permitted actions",
"max_score": 20
},
{
"name": "Tests for unauthorized users",
"description": "Tests verify that a viewer cannot write and that a user with no role assignment (absent from `data.user_roles` or with an empty role list) is denied",
"max_score": 10
},
{
"name": "Tests pass",
"description": "All tests pass when running `opa test . -v`",
"max_score": 5
}
]
}