Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.
{
"context": "Evaluates whether the agent writes an HTTP API authorization policy that avoids importing input at the top level and uses data-driven role lookups with helper rules.",
"type": "weighted_checklist",
"checklist": [
{
"name": "No top-level input import",
"description": "The policy does NOT use `import input` or `import input as <alias>` — input fields are referenced directly",
"max_score": 20
},
{
"name": "Default deny",
"description": "The policy contains `default allow := false` so access is denied unless explicitly permitted",
"max_score": 10
},
{
"name": "Public health endpoint",
"description": "A rule allows any request matching `GET /api/health`, regardless of whether the request carries a recognised user identity",
"max_score": 15
},
{
"name": "Data-driven role lookup",
"description": "A helper rule resolves the current user's role from `data.user_roles` rather than hardcoding roles",
"max_score": 15
},
{
"name": "Helper rule for permitted methods",
"description": "A helper rule resolves the set of permitted HTTP methods for the user's role from `data.role_permissions`",
"max_score": 10
},
{
"name": "Test for public endpoint",
"description": "A test verifies that `GET /api/health` is allowed without a recognised user",
"max_score": 10
},
{
"name": "Tests for authorized users",
"description": "Tests verify that users with appropriate roles can perform permitted actions",
"max_score": 10
},
{
"name": "Tests for unauthorized users",
"description": "Tests verify that a read-only user cannot POST and that an unknown user is denied",
"max_score": 10
}
]
}