Complete GitHub Actions toolkit with generation and validation capabilities for workflows, custom actions, and CI/CD configurations
{
"context": "Tests whether the agent identifies the `pull_request_target` + checkout-of-PR-head vulnerability and the script-injection risk of interpolating the PR title directly into a shell step, then rewrites the workflow using safe patterns. Criteria map directly to the pull_request_target anti-pattern and injection-prevention instructions.",
"type": "weighted_checklist",
"checklist": [
{
"name": "No pull_request_target + head checkout",
"description": "The output does NOT combine `pull_request_target` with a checkout step that uses `ref: ${{ github.event.pull_request.head.sha }}` or any PR head ref",
"max_score": 20
},
{
"name": "PR title via env var",
"description": "When the PR title (or other user-supplied event field) is used in a `run:` step, it is passed through an environment variable rather than interpolated directly with `${{ }}` inside the shell script",
"max_score": 18
},
{
"name": "Secrets not exposed to fork code",
"description": "The coverage upload step (or equivalent secret-using step) runs in a context where untrusted code from the PR's fork has been neither checked out nor executed",
"max_score": 18
},
{
"name": "SHA-pinned actions",
"description": "All `uses:` steps in the output reference actions by a full 40-character commit SHA rather than a mutable tag or branch",
"max_score": 12
},
{
"name": "Top-level permissions block",
"description": "The workflow(s) produced include a top-level `permissions:` block",
"max_score": 10
},
{
"name": "Minimal write permissions scoped",
"description": "Write permissions (e.g., `pull-requests: write`) are granted only on the specific job that needs them, not globally via `write-all`",
"max_score": 12
},
{
"name": "Concurrency block present",
"description": "At least one workflow file contains a `concurrency:` block with `cancel-in-progress: true`",
"max_score": 10
}
]
}