Complete makefile toolkit with generation and validation capabilities
Does it follow best practices? 97%
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
{
  "context": "Evaluate a generated Go + Docker Makefile for version embedding, Docker target correctness, and security",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Modern header present",
      "description": "Makefile begins with SHELL := bash, .ONESHELL:, .SHELLFLAGS := -eu -o pipefail -c, .DELETE_ON_ERROR:, .SUFFIXES:, and both MAKEFLAGS += lines",
      "max_score": 10
    },
    {
      "name": "Version and commit ldflags",
      "description": "The build recipe passes -ldflags with -X flags embedding both VERSION and the git commit hash using $(shell git rev-parse --short HEAD) or equivalent",
      "max_score": 15
    },
    {
      "name": "REGISTRY variable uses ?=",
      "description": "REGISTRY is declared with ?= so callers can override it; VERSION also uses ?= or is overridable",
      "max_score": 10
    },
    {
      "name": "docker-push depends on docker-build",
      "description": "docker-push lists docker-build as a prerequisite, ensuring build completes before push",
      "max_score": 15
    },
    {
      "name": "docker-push error handling",
      "description": "docker-push recipe uses || { echo ...; exit 1; } or equivalent for both the versioned and :latest tag push operations",
      "max_score": 15
    },
    {
      "name": "Parallel safety for Docker targets",
      "description": "Either .NOTPARALLEL is declared for docker targets, or dependency ordering prevents parallel execution of docker-build and docker-push",
      "max_score": 10
    },
    {
      "name": "No hardcoded credentials",
      "description": "Makefile contains no tokens, passwords, or secret values; any authentication is delegated to environment variables or external tooling",
      "max_score": 15
    },
    {
      "name": ".PHONY completeness",
      "description": "All non-file targets including docker-build, docker-push, docker-run, all, build, test, clean, and help are listed in .PHONY",
      "max_score": 10
    }
  ]
}