
tessl-labs/pr-review-guardrails

Evidence-first pull request review with independent critique, selective challenger review, and human handoff.

Quality: 92% (Does it follow best practices?)
Impact: 89%, 1.36x (Average score across 43 eval scenarios)

Security (by Snyk): Risky. Do not use without reviewing.


evals/scenario-29/criteria.json

{
  "context": "Hard: distributed rate limiter uses separate Redis GET and SET instead of atomic INCR — concurrent requests can all read the same count and bypass the limit",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Catches non-atomic rate limit check",
      "description": "Identifies that r.get(key), the comparison, and r.set(key, count+1) are three separate Redis operations with no atomicity (no MULTI/EXEC, no Lua script, no INCR). Under concurrent requests, multiple requests can read the same count and all pass the check.",
      "max_score": 15
    },
    {
      "name": "Identifies security impact on brute force protection",
      "description": "Recognizes that the auth_login rate limit (5 req/min for brute force protection) is effectively bypassed under concurrent attack, making the rate limiter security-critical rather than just a performance concern",
      "max_score": 8
    },
    {
      "name": "Risk classified red",
      "description": "PR is classified as red due to security-critical rate limiting with a concurrency flaw",
      "max_score": 10
    }
  ]
}
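The GET/compare/SET race this checklist describes, beside the INCR-based fix, as an added Python example (not code from the tessl-labs repository or from the scenario itself): a fake in-memory Redis stands in for the three commands, and a barrier forces every concurrent request to read the counter before any request writes it, so the bypass is deterministic rather than timing-dependent. The key name, the 5-request limit and the 20-request burst are constructed for the demonstration.

```python
import threading

KEY = "auth_login:203.0.113.7"  # constructed per-client login counter key
LIMIT = 5                        # 5 req/min, as in the scenario


class FakeRedis:
    """In-memory stand-in for the three Redis commands the scenario names."""
    def __init__(self):
        self._data, self._lock = {}, threading.Lock()
    def get(self, key):
        return self._data.get(key)
    def set(self, key, value):
        self._data[key] = value
    def incr(self, key):
        with self._lock:  # real INCR is one server-side command; the lock models that
            self._data[key] = int(self._data.get(key, 0)) + 1
            return self._data[key]


def allow_nonatomic(r, key, limit, barrier):
    """Flawed pattern: GET, compare, SET are three separate round trips."""
    count = int(r.get(key) or 0)
    barrier.wait()           # every request reads before any request writes
    if count >= limit:
        return False
    r.set(key, count + 1)    # last writer wins; concurrent increments are lost
    return True


def allow_atomic(r, key, limit):
    """Hardened: INCR returns the new count in one atomic step."""
    return r.incr(key) <= limit


def simulate(n_requests, atomic):
    """Fire n_requests concurrently; return (requests_allowed, stored_count)."""
    r, barrier = FakeRedis(), threading.Barrier(n_requests)
    allowed = [False] * n_requests

    def worker(i):
        allowed[i] = (allow_atomic(r, KEY, LIMIT) if atomic
                      else allow_nonatomic(r, KEY, LIMIT, barrier))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(allowed), int(r.get(KEY) or 0)

# simulate(20, atomic=False) -> (20, 1): all 20 pass the 5-request limit
# simulate(20, atomic=True)  -> (5, 20): exactly 5 pass, counter is correct
```

A production limiter also needs a window expiry (EXPIRE when INCR returns 1, or a Lua script / MULTI-EXEC that sets both), which the fake omits.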
