Complete helm toolkit with generation and validation capabilities
94%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
{
"context": "Agent performs Stage 9 mandatory security checks against a rendered Deployment that is missing multiple security hardening fields.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Pod securityContext checks",
"description": "Agent identifies that runAsNonRoot, runAsUser, and fsGroup are all absent from the pod spec and marks each as a failure.",
"max_score": 20
},
{
"name": "Container securityContext checks",
"description": "Agent identifies that allowPrivilegeEscalation:false, readOnlyRootFilesystem, and capabilities.drop:[ALL] are all absent and marks each as a failure.",
"max_score": 20
},
{
"name": "Resource limits missing",
"description": "Agent identifies that memory requests and all resource limits (cpu and memory) are absent. Only cpu request is present.",
"max_score": 15
},
{
"name": ":latest tag flagged",
"description": "Agent flags the image tag :latest as a Warning and proposes pinning to a specific digest or version tag.",
"max_score": 15
},
{
"name": "Missing probes identified",
"description": "Agent identifies that neither livenessProbe nor readinessProbe is defined and classifies this as a Warning.",
"max_score": 15
},
{
"name": "Proposed fixes with before/after blocks",
"description": "Agent provides at least one before/after YAML code block for a proposed fix and maintains read-only posture (no files modified).",
"max_score": 15
}
]
}