Complete terragrunt toolkit with generation and validation capabilities
93%: Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
{
  "context": "Agent applies the Security Checklist to a root.hcl with missing state encryption, missing DynamoDB locking, hardcoded AWS credentials, and a non-sensitive password variable.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Missing encrypt=true identified",
      "description": "Agent identifies that the remote_state config block is missing 'encrypt = true' and marks this as FAIL, explaining that S3 server-side encryption will not be enforced.",
      "max_score": 20
    },
    {
      "name": "Missing DynamoDB state locking identified",
      "description": "Agent identifies that the remote_state config has no dynamodb_table entry and marks this as FAIL, explaining the risk of concurrent state modifications.",
      "max_score": 20
    },
    {
      "name": "Hardcoded AWS credentials identified",
      "description": "Agent identifies the AKIA* access_key and secret_key in the provider generate block as hardcoded credentials, marks as FAIL (Critical), and recommends using assume_role instead.",
      "max_score": 25
    },
    {
      "name": "Missing sensitive=true on password variable",
      "description": "Agent identifies the db_password variable lacks sensitive=true and marks as FAIL, explaining that Terraform will print the value in plan output.",
      "max_score": 20
    },
    {
      "name": "Corrected HCL snippets provided for all failures",
      "description": "Agent provides corrected HCL for at least the remote_state block (adding encrypt and dynamodb_table) and the provider block (replacing static credentials with assume_role).",
      "max_score": 15
    }
  ]
}