@prism-d1/cli 1.0.26 → 1.0.28

package/dist/assets/eval-harness/README.md

@@ -0,0 +1,114 @@
+# Eval Harness
+
+Evaluate AI-generated code against rubrics using Amazon Bedrock. Runs per-file, calculates weighted scores client-side, and integrates with the PRISM eval gate workflow.
+
+## Install
+
+```bash
+# Workshop mode — empty rubrics, create your own
+bash prism-cli bootstrapper install-eval-harness
+
+# Production mode — includes all 5 rubrics
+bash prism-cli bootstrapper install-eval-harness --with-rubrics
+
+# Non-interactive
+bash prism-cli bootstrapper install-eval-harness --model us.anthropic.claude-haiku-4-5-20251001-v1:0 --threshold 0.82 --with-rubrics
+```
+
+This installs into your repo:
+- `.prism/.prism/eval-harness/run-eval.sh` — evaluation script
+- `.prism/.prism/eval-harness/eval-config.json` — model, threshold, region
+- `.prism/.prism/eval-harness/rubrics/` — rubric JSON files
+- `.github/workflows/prism-eval-gate.yml` — CI workflow
+
+## Usage
+
+```bash
+# Evaluate a single file
+./.prism/.prism/eval-harness/run-eval.sh .prism/.prism/eval-harness/rubrics/code-quality.json src/handler.ts
+
+# With a spec file (for spec-compliance rubric)
+./.prism/.prism/eval-harness/run-eval.sh .prism/.prism/eval-harness/rubrics/spec-compliance.json src/api.ts --spec specs/api.md
+```
+
+### Output
+
+```
+correctness: 0.9 — Handles all inputs correctly including edge cases
+readability: 0.85 — Clear naming, minor style inconsistency in helper
+...
+
+Score: 0.8720
+Result: PASS
+Hallucinations: 0
+```
+
+Exit codes: `0` = pass, `1` = fail, `2` = error.
+
+## Configuration
+
+`eval-config.json`:
+
+| Field | Description | Default |
+|---|---|---|
+| `pass_threshold` | Minimum score to pass (0-1) | `0.82` |
+| `eval_model_id` | Bedrock model for evaluation | `us.anthropic.claude-haiku-4-5-20251001-v1:0` |
+| `aws_region` | AWS region | `us-west-2` |
+| `event_bus` | EventBridge bus name | `prism-d1-metrics` |
+| `emit_to_eventbridge` | Emit events (workflow handles this) | `true` |
+
+## Rubrics
+
+Five production rubrics are available:
+
+| Rubric | Auto-selected when file path matches |
+|---|---|
+| `code-quality.json` | Default fallback |
+| `api-response-quality.json` | `api`, `handler`, `route`, `controller` |
+| `agent-quality.json` | `agent`, `assistant`, `orchestrat`, `workflow`, `chain` |
+| `security-compliance.json` | `auth`, `security`, `guard`, `policy`, `iam`, `crypto` |
+| `spec-compliance.json` | Used when commit has `Spec-Ref:` trailer |
+
+### Creating a Custom Rubric
+
+```json
+{
+  "rubric_name": "my-rubric",
+  "criteria": [
+    {
+      "name": "criterion_name",
+      "weight": 0.30,
+      "description": "What this measures",
+      "scoring": "How to score 0.0-1.0"
+    }
+  ]
+}
+```
+
+Weights must sum to 1.0. The script calculates the weighted average client-side (does not trust the LLM to do math).
+
+## CI Workflow
+
+The `prism-eval-gate.yml` workflow:
+
+1. Detects commits with `AI-Origin:` trailers
+2. Identifies changed source files from those commits
+3. Auto-selects a rubric per file based on path
+4. Runs `run-eval.sh` per file
+5. Posts a PR comment with per-file scores
+6. Waits for AWS Security Agent review (if installed)
+7. Emits `prism.d1.eval` event to EventBridge
+8. Fails the check if any file scores below threshold or Security Agent finds issues
+
+### Requirements
+
+- OIDC provider configured for GitHub Actions
+- IAM role with `bedrock:InvokeModel` + `events:PutEvents`
+- Repository secret `PRISM_METRICS_ROLE_ARN`
+- `.prism/config.json` with `team_id`
+
+## Uninstall
+
+```bash
+bash prism-cli bootstrapper install-eval-harness --uninstall
+```

package/dist/assets/eval-harness/eval-config.json

@@ -0,0 +1,10 @@
+{
+  "pass_threshold": 0.82,
+  "model_id": "anthropic.claude-sonnet-4-20250514",
+  "eval_model_id": "anthropic.claude-sonnet-4-20250514",
+  "event_bus": "prism-d1-metrics",
+  "aws_region": "us-west-2",
+  "rubrics_dir": "rubrics",
+  "output_dir": ".prism/eval-results",
+  "emit_to_eventbridge": true
+}

package/dist/assets/eval-harness/rubrics/agent-quality.json

@@ -0,0 +1,79 @@
+{
+  "rubric_name": "agent-quality",
+  "version": "1.0.0",
+  "description": "Evaluates the quality of agentic workflow outputs — task completion, tool efficiency, guardrail adherence, reasoning clarity, and error recovery.",
+  "criteria": [
+    {
+      "name": "task_completion",
+      "weight": 0.30,
+      "description": "Did the agent achieve the stated goal completely and correctly?",
+      "scoring": {
+        "5": "Goal fully achieved. All required outputs produced with correct content. No manual follow-up needed.",
+        "4": "Goal achieved with minor gaps. Outputs are correct but may be missing optional enhancements.",
+        "3": "Goal partially achieved. Core deliverable produced but with notable omissions or inaccuracies.",
+        "2": "Goal mostly unmet. Agent produced some output but missed the primary objective.",
+        "1": "Goal not achieved. Agent failed to produce a meaningful result or produced entirely wrong output."
+      },
+      "threshold": 4
+    },
+    {
+      "name": "tool_usage_efficiency",
+      "weight": 0.20,
+      "description": "Were tools called efficiently without unnecessary steps, redundant invocations, or wasted iterations?",
+      "scoring": {
+        "5": "Optimal tool usage. Every invocation was necessary and well-targeted. No redundant calls or unnecessary retries.",
+        "4": "Efficient tool usage with minor redundancy. One or two calls could have been avoided.",
+        "3": "Acceptable efficiency. Some unnecessary tool calls or suboptimal ordering, but did not significantly impact outcome.",
+        "2": "Inefficient. Multiple redundant calls, unnecessary retries, or poor tool selection that wasted tokens and time.",
+        "1": "Highly inefficient. Excessive tool calls, looping behavior, or called tools irrelevant to the task."
+      },
+      "threshold": 3
+    },
+    {
+      "name": "guardrail_compliance",
+      "weight": 0.20,
+      "description": "Did the agent stay within defined boundaries — prohibited actions, data access scopes, and safety constraints?",
+      "scoring": {
+        "5": "Perfect compliance. Agent operated strictly within all defined guardrails. No boundary violations.",
+        "4": "Near-perfect compliance. Agent stayed within guardrails with only cosmetic deviations (e.g., verbose output).",
+        "3": "Mostly compliant. Minor guardrail stretch that did not cause harm but should be tightened.",
+        "2": "Guardrail violation occurred. Agent performed a restricted action or accessed out-of-scope data.",
+        "1": "Serious guardrail breach. Agent took prohibited actions, accessed sensitive data, or made irreversible changes without approval."
+      },
+      "threshold": 5
+    },
+    {
+      "name": "reasoning_trace_quality",
+      "weight": 0.15,
+      "description": "Is the reasoning chain clear, coherent, and auditable? Can a human reviewer follow the agent's decision-making?",
+      "scoring": {
+        "5": "Reasoning trace is complete, step-by-step, and clearly explains every decision. Fully auditable.",
+        "4": "Reasoning trace is clear for most steps. Minor gaps in explaining tool selection or branching decisions.",
+        "3": "Reasoning trace present but incomplete. Some steps lack explanation or context.",
+        "2": "Reasoning trace is sparse or confusing. Difficult to understand why certain actions were taken.",
+        "1": "No meaningful reasoning trace. Agent actions are opaque and unauditable."
+      },
+      "threshold": 3
+    },
+    {
+      "name": "error_recovery",
+      "weight": 0.15,
+      "description": "Did the agent handle failures gracefully — retrying, falling back, or reporting errors without crashing or looping?",
+      "scoring": {
+        "5": "Excellent error handling. Agent retried appropriately, used fallback strategies, and reported failures clearly.",
+        "4": "Good error handling. Agent recovered from failures with minor issues (e.g., slightly verbose error reporting).",
+        "3": "Adequate error handling. Agent recovered from common failures but may have struggled with unusual error conditions.",
+        "2": "Poor error handling. Agent crashed, looped, or silently dropped errors for some failure modes.",
+        "1": "No error handling. Agent failed on first error with no retry, fallback, or meaningful error message."
+      },
+      "threshold": 3
+    }
+  ],
+  "pass_threshold": 0.82,
+  "output_format": {
+    "overall_score": "float 0-1 (weighted average of criteria scores normalized to 0-1)",
+    "criteria_scores": "object mapping criteria name to { score: 1-5, reasoning: string }",
+    "pass": "boolean",
+    "summary": "string"
+  }
+}

package/dist/assets/eval-harness/rubrics/api-response-quality.json

@@ -0,0 +1,45 @@
+{
+  "rubric_name": "api_spec_compliance",
+  "description": "Evaluates whether API endpoint implementations match their specs",
+  "global_threshold": 0.8,
+  "criteria": [
+    {
+      "name": "acceptance_criteria_coverage",
+      "description": "Every acceptance criterion in the spec must have a corresponding implementation. Check each Given/When/Then statement and verify the code handles that exact scenario.",
+      "scoring": "Count the acceptance criteria in the spec. For each one, determine if the code implements it (1) or not (0). Score = implemented / total.",
+      "threshold": 1.0,
+      "weight": 0.35,
+      "requires_spec": true
+    },
+    {
+      "name": "api_contract_fidelity",
+      "description": "The implemented endpoint must match the spec's API contract exactly: correct HTTP method, path, request body schema, response body schema, and status codes.",
+      "scoring": "Check 5 elements: method, path, request schema, response schema, status codes. Score 0.2 for each correct element.",
+      "threshold": 0.8,
+      "weight": 0.25,
+      "requires_spec": true
+    },
+    {
+      "name": "error_handling",
+      "description": "All error cases defined in the spec must be handled with the correct HTTP status code and response format (RFC 7807 Problem Details).",
+      "scoring": "For each error case in the spec, check: (a) is it handled? (b) correct status code? (c) Problem Details format? Score = correct_checks / (total_error_cases * 3)",
+      "threshold": 0.7,
+      "weight": 0.20,
+      "requires_spec": true
+    },
+    {
+      "name": "no_hallucinated_dependencies",
+      "description": "The code must not import modules, call functions, or reference APIs that do not exist in the project. Every import must resolve to a real file or installed package.",
+      "scoring": "Binary: 1.0 if all imports and function calls reference real modules/packages, 0.0 if any hallucinated dependency is found.",
+      "threshold": 1.0,
+      "weight": 0.10
+    },
+    {
+      "name": "type_safety",
+      "description": "The code must use proper TypeScript types. No 'any' types, no type assertions without justification, all function parameters and return types annotated.",
+      "scoring": "Count type violations: any usage, missing annotations, unsafe assertions. Score = max(0, 1.0 - (violations * 0.1))",
+      "threshold": 0.8,
+      "weight": 0.10
+    }
+  ]
+}

package/dist/assets/eval-harness/rubrics/code-quality.json

@@ -0,0 +1,98 @@
+{
+  "rubric_name": "code-quality",
+  "version": "1.0.0",
+  "description": "Evaluates the overall quality of generated or modified code.",
+  "criteria": [
+    {
+      "name": "correctness",
+      "weight": 0.25,
+      "description": "Code produces correct results for all specified inputs and edge cases.",
+      "scoring": {
+        "5": "Correct for all inputs including edge cases. Handles all specified error conditions.",
+        "4": "Correct for all normal inputs. Minor edge case gaps.",
+        "3": "Correct for happy path. Some error conditions unhandled.",
+        "2": "Partially correct. Fails for some normal inputs.",
+        "1": "Fundamentally incorrect. Does not produce expected results."
+      }
+    },
+    {
+      "name": "readability",
+      "weight": 0.15,
+      "description": "Code is easy to read, understand, and maintain.",
+      "scoring": {
+        "5": "Clear naming, consistent style, appropriate comments, well-structured. A new developer could understand it quickly.",
+        "4": "Generally readable with minor style inconsistencies.",
+        "3": "Readable but requires some effort. Missing context in complex sections.",
+        "2": "Hard to follow. Inconsistent naming or structure.",
+        "1": "Very difficult to read. No clear structure or naming convention."
+      }
+    },
+    {
+      "name": "maintainability",
+      "weight": 0.15,
+      "description": "Code is modular, follows SOLID principles, and is easy to extend.",
+      "scoring": {
+        "5": "Well-decomposed into small functions/classes. Clear separation of concerns. Easy to extend.",
+        "4": "Good structure with minor coupling issues.",
+        "3": "Reasonable structure but some tight coupling or large functions.",
+        "2": "Monolithic or tightly coupled. Changes would require touching many files.",
+        "1": "No modularity. Everything in one function or deeply entangled."
+      }
+    },
+    {
+      "name": "error_handling",
+      "weight": 0.15,
+      "description": "Errors are handled gracefully without swallowing, leaking, or crashing.",
+      "scoring": {
+        "5": "All error paths handled with appropriate actions. No swallowed errors. Clear error propagation.",
+        "4": "Most errors handled. Minor gaps in edge case error handling.",
+        "3": "Common errors handled. Some paths may swallow or ignore errors.",
+        "2": "Inconsistent error handling. Some unhandled exceptions.",
+        "1": "Minimal or no error handling."
+      }
+    },
+    {
+      "name": "testing",
+      "weight": 0.15,
+      "description": "Code is accompanied by meaningful tests.",
+      "scoring": {
+        "5": "Comprehensive tests covering happy path, errors, and edge cases. Tests are readable and maintainable.",
+        "4": "Good test coverage with minor gaps in edge cases.",
+        "3": "Basic tests covering happy path and some error cases.",
+        "2": "Minimal tests. Only happy path or superficial assertions.",
+        "1": "No tests."
+      }
+    },
+    {
+      "name": "performance",
+      "weight": 0.10,
+      "description": "Code does not introduce unnecessary performance issues.",
+      "scoring": {
+        "5": "Efficient algorithms and data structures. No N+1 queries, unnecessary allocations, or blocking calls.",
+        "4": "Generally efficient with minor optimization opportunities.",
+        "3": "Acceptable performance but some inefficiencies (e.g., redundant computations).",
+        "2": "Noticeable performance issues that would affect production.",
+        "1": "Severe performance problems (infinite loops, O(n^3) where O(n) suffices, etc.)."
+      }
+    },
+    {
+      "name": "documentation",
+      "weight": 0.05,
+      "description": "Public interfaces are documented; complex logic has explanatory comments.",
+      "scoring": {
+        "5": "All public functions/methods documented. Complex logic explained. No obvious missing docs.",
+        "4": "Most public interfaces documented. Minor gaps.",
+        "3": "Some documentation present but incomplete.",
+        "2": "Minimal documentation.",
+        "1": "No documentation."
+      }
+    }
+  ],
+  "pass_threshold": 0.82,
+  "output_format": {
+    "overall_score": "float 0-1 (weighted average of criteria scores normalized to 0-1)",
+    "criteria_scores": "object mapping criteria name to { score: 1-5, reasoning: string }",
+    "pass": "boolean",
+    "summary": "string"
+  }
+}

package/dist/assets/eval-harness/rubrics/security-compliance.json

@@ -0,0 +1,145 @@
+{
+  "rubric_name": "security-compliance",
+  "version": "2.0.0",
+  "description": "Evaluates code for security best practices and compliance requirements. Aligned with AWS AI-DLC Security Baseline (SECURITY-01 through SECURITY-08).",
+  "criteria": [
+    {
+      "name": "authentication_authorization",
+      "weight": 0.16,
+      "description": "Access control is properly implemented and enforced.",
+      "references": ["SECURITY-01"],
+      "scoring": {
+        "5": "All endpoints enforce authentication. Authorization checks verify resource ownership. No privilege escalation paths.",
+        "4": "Auth properly implemented with minor gaps in edge case authorization.",
+        "3": "Basic auth present but some endpoints or operations lack proper authorization checks.",
+        "2": "Auth inconsistently applied. Some endpoints accessible without proper credentials.",
+        "1": "No authentication or authorization. Resources accessible by anyone."
+      }
+    },
+    {
+      "name": "injection_prevention",
+      "weight": 0.16,
+      "description": "Code is protected against injection attacks (SQL, NoSQL, command, XSS). All API parameters validated for type, length, and format.",
+      "references": ["SECURITY-05"],
+      "scoring": {
+        "5": "All queries use parameterized statements. All user input validated (type, length, format) and sanitized for output context. Request body size limits configured.",
+        "4": "Parameterized queries used consistently. Input validation present with minor gaps in format checking.",
+        "3": "Most queries parameterized but some string interpolation present. Inconsistent input validation.",
+        "2": "Inconsistent use of parameterized queries. Missing input validation on some endpoints.",
+        "1": "Raw string concatenation in queries or commands. No input validation."
+      }
+    },
+    {
+      "name": "secret_management",
+      "weight": 0.15,
+      "description": "Secrets are stored securely and never exposed in code, logs, or errors.",
+      "references": ["SECURITY-03", "SECURITY-07"],
+      "scoring": {
+        "5": "No secrets in code. Credentials from Secrets Manager/SSM. Secrets excluded from logs and error responses. No PII in log output.",
+        "4": "Secrets properly managed with minor logging gaps.",
+        "3": "Secrets not in code but may appear in verbose logs or error messages.",
+        "2": "Some secrets hard-coded or in configuration files.",
+        "1": "Secrets visible in source code, logs, or error responses."
+      }
+    },
+    {
+      "name": "data_protection",
+      "weight": 0.15,
+      "description": "Sensitive data is encrypted in transit (TLS 1.2+) and at rest (KMS). PII is handled per policy.",
+      "references": ["SECURITY-01"],
+      "scoring": {
+        "5": "All data encrypted in transit (TLS 1.2+). Sensitive data encrypted at rest with KMS. PII identified and handled per policy. No unnecessary data retention. Object storage rejects non-TLS requests.",
+        "4": "Encryption properly configured. Minor gaps in PII handling or data retention.",
+        "3": "Basic encryption present. PII handling incomplete. Some stores missing encryption config.",
+        "2": "Encryption inconsistent. Some sensitive data unprotected.",
+        "1": "No encryption. Sensitive data stored or transmitted in plaintext."
+      }
+    },
+    {
+      "name": "least_privilege",
+      "weight": 0.10,
+      "description": "IAM roles and permissions follow least-privilege principle with specific resource ARNs and actions.",
+      "references": ["SECURITY-06"],
+      "scoring": {
+        "5": "All IAM policies scoped to specific resources and actions. No wildcard permissions. Roles are service-specific. Read and write permissions separated.",
+        "4": "Mostly least-privilege. Minor over-permission in non-critical areas.",
+        "3": "Some wildcard actions or broad resource scopes present. No documented exceptions.",
+        "2": "Over-permissive policies. Wildcard actions on broad resource sets.",
+        "1": "Admin-level permissions or *:* policies."
+      }
+    },
+    {
+      "name": "error_information_leakage",
+      "weight": 0.07,
+      "description": "Error responses do not leak internal implementation details, stack traces, or technology identifiers.",
+      "references": ["SECURITY-07"],
+      "scoring": {
+        "5": "All errors return generic messages to clients. Stack traces, file paths, version numbers, and internal details logged server-side only. No technology identifiers in responses.",
+        "4": "Errors generally safe. Minor information leakage in edge cases.",
+        "3": "Some error responses include internal details like file paths or library names.",
+        "2": "Stack traces or database errors exposed to clients in some cases.",
+        "1": "Detailed stack traces, SQL errors, or internal paths exposed to clients."
+      }
+    },
+    {
+      "name": "http_security_headers",
+      "weight": 0.04,
+      "description": "HTTP security headers are set on all HTML-serving endpoints (CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy).",
+      "references": ["SECURITY-04"],
+      "scoring": {
+        "5": "All required headers set: CSP (no inline or eval directives), HSTS (max-age >= 31536000), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin.",
+        "4": "Most headers set. Minor gaps in CSP strictness.",
+        "3": "Some security headers present. CSP or HSTS missing.",
+        "2": "Only 1-2 security headers configured.",
+        "1": "No security headers set."
+      }
+    },
+    {
+      "name": "structured_logging",
+      "weight": 0.04,
+      "description": "Application uses structured logging with correlation IDs, directed to a centralized log service.",
+      "references": ["SECURITY-02", "SECURITY-03"],
+      "scoring": {
+        "5": "Structured logging framework configured. Every log entry has timestamp, correlation ID, log level. Output directed to CloudWatch/centralized service. Access logging enabled on all network intermediaries.",
+        "4": "Structured logging present. Minor gaps in correlation ID propagation.",
+        "3": "Logging present but not structured. Missing correlation IDs or centralized routing.",
+        "2": "Ad-hoc console.log/print used as primary logging. No centralized routing.",
+        "1": "No logging infrastructure. Ad-hoc print statements only."
+      }
+    },
+    {
+      "name": "dependency_security",
+      "weight": 0.04,
+      "description": "No known vulnerable dependencies. Versions pinned. Unused dependencies removed.",
+      "references": ["SECURITY-08"],
+      "scoring": {
+        "5": "No known vulnerabilities in dependencies. All versions pinned in lockfile. Unused dependencies removed. Transitive deps reviewed.",
+        "4": "No critical vulnerabilities. Versions mostly pinned. Minor unused deps remain.",
+        "3": "Some moderate vulnerabilities present. Lockfile exists but not all versions pinned.",
+        "2": "Known vulnerabilities in dependencies. No lockfile or unpinned versions.",
+        "1": "Critical vulnerabilities in dependencies. No dependency management."
+      }
+    },
+    {
+      "name": "security_agent_findings",
+      "weight": 0.09,
+      "description": "No unresolved Critical/High findings from AWS Security Agent on this codebase.",
+      "references": ["SECURITY-09"],
+      "scoring": {
+        "5": "No open findings from Security Agent. All historical findings remediated within SLA.",
+        "4": "No Critical/High findings. Minor (LOW/MEDIUM) findings with active remediation plans.",
+        "3": "Open HIGH findings with remediation in progress. No Critical.",
+        "2": "Open CRITICAL findings or HIGH findings past remediation SLA.",
+        "1": "Multiple CRITICAL findings or validated pen test exploits unresolved."
+      }
+    }
+  ],
+  "pass_threshold": 0.82,
+  "output_format": {
+    "overall_score": "float 0-1 (weighted average of criteria scores normalized to 0-1)",
+    "criteria_scores": "object mapping criteria name to { score: 1-5, reasoning: string }",
+    "pass": "boolean",
+    "summary": "string",
+    "security_findings": "array of { rule_id: string, severity: string, description: string }"
+  }
+}

package/dist/assets/eval-harness/rubrics/spec-compliance.json

@@ -0,0 +1,67 @@
+{
+  "rubric_name": "spec-compliance",
+  "version": "1.0.0",
+  "description": "Evaluates whether generated code faithfully implements the requirements defined in a spec.",
+  "criteria": [
+    {
+      "name": "requirement_coverage",
+      "weight": 0.35,
+      "description": "All requirements and acceptance criteria from the spec are implemented.",
+      "scoring": {
+        "5": "Every requirement and acceptance criterion is implemented. No gaps.",
+        "4": "All major requirements implemented. Minor acceptance criteria partially addressed.",
+        "3": "Most requirements implemented. Some acceptance criteria missing.",
+        "2": "Significant requirements missing. Only happy path covered.",
+        "1": "Most requirements unimplemented or fundamentally misunderstood."
+      },
+      "requires_spec": true
+    },
+    {
+      "name": "interface_adherence",
+      "weight": 0.25,
+      "description": "Code matches the interfaces, signatures, and contracts defined in the spec.",
+      "scoring": {
+        "5": "All function signatures, API contracts, and data structures exactly match the spec.",
+        "4": "Interfaces match with minor naming or type differences that don't break contracts.",
+        "3": "Most interfaces match. Some deviations from spec'd contracts.",
+        "2": "Significant deviations from specified interfaces.",
+        "1": "Interfaces bear little resemblance to the spec."
+      },
+      "requires_spec": true
+    },
+    {
+      "name": "edge_case_handling",
+      "weight": 0.20,
+      "description": "Edge cases and error scenarios described in the spec are handled.",
+      "scoring": {
+        "5": "All edge cases and error scenarios from the spec are handled gracefully.",
+        "4": "Most edge cases handled. Minor spec-defined scenarios missed.",
+        "3": "Common edge cases handled. Some spec-defined error paths missing.",
+        "2": "Only happy path. Most spec-defined edge cases unhandled.",
+        "1": "No edge case handling despite spec requirements."
+      },
+      "requires_spec": true
+    },
+    {
+      "name": "spec_intent_fidelity",
+      "weight": 0.20,
+      "description": "Implementation captures the intent and spirit of the spec, not just the letter.",
+      "scoring": {
+        "5": "Implementation fully captures the spec's intent, including implied behaviors and user expectations.",
+        "4": "Captures intent well. Minor misalignment with spec's broader goals.",
+        "3": "Technically meets requirements but misses some of the spec's intent.",
+        "2": "Follows spec literally but misses the underlying purpose.",
+        "1": "Implementation contradicts the spec's intent."
+      },
+      "requires_spec": true
+    }
+  ],
+  "pass_threshold": 0.82,
+  "output_format": {
+    "overall_score": "float 0-1 (weighted average of criteria scores normalized to 0-1)",
+    "criteria_scores": "object mapping criteria name to { score: 1-5, reasoning: string }",
+    "pass": "boolean",
+    "summary": "string",
+    "spec_gaps": "array of strings describing unimplemented requirements"
+  }
+}