@stackmemoryai/stackmemory 1.5.3 → 1.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -11,120 +11,120 @@
11
11
  "criteria": {
12
12
  "has_function": {
13
13
  "passed": false,
14
- "reason": "No actual function code is provided. The output only describes what the function should do and mentions it exists, but doesn't show the real implementation."
14
+ "reason": "regex heuristic"
15
15
  },
16
16
  "handles_edge_cases": {
17
17
  "passed": false,
18
- "reason": "While edge cases are mentioned in the description, no actual code is provided to verify they are genuinely handled in the implementation."
18
+ "reason": "regex heuristic"
19
19
  },
20
20
  "is_tested": {
21
21
  "passed": false,
22
- "reason": "Tests are only mentioned/described, not actually provided. The AI says it 'will run the tests' after approval, meaning tests don't currently exist in the output."
22
+ "reason": "regex heuristic"
23
23
  }
24
24
  },
25
- "judgeMode": "llm",
26
- "duration": 20953,
27
- "output": "I've created a palindrome checker function with the following features:\n\n**`isPalindrome(str: string): boolean`**\n- Returns `true` if the string reads the same forwards and backwards\n- Case-insensitive\n- Ignores spaces and non-alphanumeric characters\n- Handles edge cases (single character, empty string)\n\nThe implementation:\n1. Converts to lowercase\n2. Removes non-alphanumeric characters\n3. Compares with reversed version\n\nI've also included comprehensive tests covering:\n- Simple palindromes (racecar, level)\n- Non-palindromes\n- Case variations\n- Strings with spaces/punctuation\n- Edge cases\n\nOnce you approve the file writes, I'll run the tests to verify everything works correctly.\n"
25
+ "judgeMode": "regex",
26
+ "duration": 25986,
27
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHHw3UUjeN3vQwbdwSE\"}\n"
28
28
  },
29
29
  {
30
30
  "taskId": "eval-002",
31
31
  "taskName": "refactor_code",
32
32
  "weight": 1.5,
33
33
  "passed": false,
34
- "passRate": 0,
34
+ "passRate": 0.3333333333333333,
35
35
  "criteria": {
36
36
  "uses_async": {
37
37
  "passed": false,
38
- "reason": "No async/await code is provided in the output. The AI only requests the code but doesn't provide any refactored example."
38
+ "reason": "regex heuristic"
39
39
  },
40
40
  "preserves_behavior": {
41
41
  "passed": false,
42
- "reason": "No refactored code is present to evaluate whether behavior is preserved. The output is a request for input rather than a solution."
42
+ "reason": "regex heuristic"
43
43
  },
44
44
  "no_nested_callbacks": {
45
- "passed": false,
46
- "reason": "No code with callback elimination is demonstrated. The output contains no actual refactoring work."
45
+ "passed": true,
46
+ "reason": "regex heuristic"
47
47
  }
48
48
  },
49
- "judgeMode": "llm",
50
- "duration": 13171,
51
- "output": "I'd be happy to help refactor callback-based code to use async/await! However, I don't see any code in your message.\n\nCould you please share the code you'd like me to refactor? You can either:\n1. Paste the code directly\n2. Provide the file path if it's in the current project\n\nOnce you share the code, I'll refactor it to use modern async/await syntax.\n"
49
+ "judgeMode": "regex",
50
+ "duration": 29729,
51
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHKyMSZkJkbdUMk3y1J\"}\n"
52
52
  },
53
53
  {
54
54
  "taskId": "eval-003",
55
55
  "taskName": "fix_bug",
56
56
  "weight": 1.2,
57
57
  "passed": false,
58
- "passRate": 0.3333333333333333,
58
+ "passRate": 0,
59
59
  "criteria": {
60
60
  "bug_fixed": {
61
61
  "passed": false,
62
- "reason": "No bug was actually fixed. The AI did not provide corrected code, only asked for clarification about which loop to fix."
62
+ "reason": "regex heuristic"
63
63
  },
64
64
  "no_new_bugs": {
65
- "passed": true,
66
- "reason": "No code was provided, so no new bugs could be introduced."
65
+ "passed": false,
66
+ "reason": "regex heuristic"
67
67
  },
68
68
  "explains_fix": {
69
69
  "passed": false,
70
- "reason": "No explanation of what the off-by-one error was or how to fix it was provided. The AI only requested more information."
70
+ "reason": "regex heuristic"
71
71
  }
72
72
  },
73
- "judgeMode": "llm",
74
- "duration": 15457,
75
- "output": "I'm in `/private/tmp/gepa-eval-6aqPva` which is not the main StackMemory project directory. Could you please:\n\n1. **Show me the specific file and loop** that has the off-by-one error, or\n2. **Describe where the loop is** (file path, function name), or\n3. **Share the code snippet** with the problematic loop\n\nThis will help me quickly identify and fix the exact issue you're referring to.\n"
73
+ "judgeMode": "regex",
74
+ "duration": 8180,
75
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHLm9zgPMSNQRFLZEbY\"}\n"
76
76
  },
77
77
  {
78
78
  "taskId": "eval-004",
79
79
  "taskName": "add_feature",
80
80
  "weight": 1.5,
81
81
  "passed": false,
82
- "passRate": 0.5,
82
+ "passRate": 0,
83
83
  "criteria": {
84
84
  "has_pagination": {
85
- "passed": true,
86
- "reason": "Output clearly describes pagination implementation with page parameter and pagination metadata in response"
85
+ "passed": false,
86
+ "reason": "regex heuristic"
87
87
  },
88
88
  "has_limit": {
89
- "passed": true,
90
- "reason": "Output explicitly includes limit parameter with default value of 10 and maximum of 100"
89
+ "passed": false,
90
+ "reason": "regex heuristic"
91
91
  },
92
92
  "has_offset": {
93
93
  "passed": false,
94
- "reason": "Output uses page-based pagination, not offset-based pagination. No offset parameter is mentioned or implemented"
94
+ "reason": "regex heuristic"
95
95
  },
96
96
  "backwards_compatible": {
97
97
  "passed": false,
98
- "reason": "No actual code implementation provided, only specification. Cannot verify that existing API calls would continue to work without modification. The description doesn't address how pre-existing requests without pagination parameters would be handled"
98
+ "reason": "regex heuristic"
99
99
  }
100
100
  },
101
- "judgeMode": "llm",
102
- "duration": 28730,
103
- "output": "Added pagination to the `/users` endpoint with:\n\n**Query parameters:**\n- `page` (default: 1) - Current page number\n- `limit` (default: 10, max: 100) - Items per page\n\n**Response format:**\n```json\n{\n \"data\": [...],\n \"pagination\": {\n \"page\": 1,\n \"limit\": 10,\n \"total\": 100,\n \"totalPages\": 10,\n \"hasNext\": true,\n \"hasPrev\": false\n }\n}\n```\n\n**Features:**\n- Default 10 items per page\n- Validates parameters (positive numbers, limit 100)\n- Returns 400 for invalid inputs\n- Provides pagination metadata for navigation\n\nExample usage:\n- `GET /users?page=1&limit=20`\n- `GET /users?page=2` (uses default limit=10)\n"
101
+ "judgeMode": "regex",
102
+ "duration": 7015,
103
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHMHBX3Dgbz8SbdoMbY\"}\n"
104
104
  },
105
105
  {
106
106
  "taskId": "eval-005",
107
107
  "taskName": "code_review",
108
108
  "weight": 1.3,
109
- "passed": true,
110
- "passRate": 0.6666666666666666,
109
+ "passed": false,
110
+ "passRate": 0,
111
111
  "criteria": {
112
112
  "identifies_security_issue": {
113
- "passed": true,
114
- "reason": "The output identifies multiple genuine security vulnerabilities: SQL injection, plaintext password comparison, predictable token generation, credential logging, missing session storage, and insecure cookie flags. All are real security issues."
113
+ "passed": false,
114
+ "reason": "regex heuristic"
115
115
  },
116
116
  "identifies_performance_issue": {
117
117
  "passed": false,
118
- "reason": "The output does not identify or discuss any performance issues. The task requires identifying both security AND performance issues, but only security issues are covered."
118
+ "reason": "regex heuristic"
119
119
  },
120
120
  "actionable_feedback": {
121
- "passed": true,
122
- "reason": "The output provides specific, actionable fixes for each identified issue, including code examples showing the problematic code and the corrected version. Each recommendation is concrete and implementable."
121
+ "passed": false,
122
+ "reason": "regex heuristic"
123
123
  }
124
124
  },
125
- "judgeMode": "llm",
126
- "duration": 30766,
127
- "output": "# PR Review - Critical Security Issues Found\n\n## 🚨 CRITICAL Issues (Must Fix)\n\n### 1. **SQL Injection Vulnerability** (Line 10)\n```typescript\nconst user = await db.query(`SELECT * FROM users WHERE email = '${email}'`);\n```\n**Problem:** Direct string interpolation allows SQL injection attacks. An attacker could use `email = \"' OR '1'='1\"` to bypass authentication.\n\n**Fix:** Revert to parameterized query:\n```typescript\nconst user = await db.query('SELECT * FROM users WHERE email = $1', [email]);\n```\n\n### 2. **Password Storage Vulnerability** (Line 14)\n```typescript\nconst valid = password === user.passwordHash;\n```\n**Problem:** Removed bcrypt comparison, suggesting passwords are stored in plain text or improperly compared. This completely breaks password hashing.\n\n**Fix:** Restore bcrypt comparison:\n```typescript\nconst valid = await bcrypt.compare(password, user.passwordHash);\n```\n\n### 3. **Insecure Session Token** (Line 18)\n```typescript\nconst token = email + ':' + Date.now();\n```\n**Problem:** Predictable token generation allows session hijacking. Tokens should be cryptographically random.\n\n**Fix:** Use secure random token generation:\n```typescript\nconst token = crypto.randomBytes(32).toString('hex');\n```\n\n### 4. **Credential Logging** (Line 22)\n```typescript\nconsole.log(`Login: ${email} / ${password}`);\n```\n**Problem:** Logs plain-text passwords. This violates PII protection and creates a security audit trail.\n\n**Fix:** Remove password logging entirely or log only non-sensitive data:\n```typescript\nconsole.log(`Login attempt: ${email}`);\n```\n\n## ⚠️ High Priority Issues\n\n### 5. **Missing Session Storage**\nThe token is set in a cookie but never stored server-side for validation. Sessions can't be verified.\n\n### 6. **No Cookie Security Flags**\n```typescript\nres.cookie('session', token);\n```\nMissing: `httpOnly`, `secure`, `sameSite` flags.\n\n## Verdict\n\n**❌ REJECT - Do NOT merge this PR**\n\nThis PR introduces multiple critical security vulnerabilities:\n- SQL injection (OWA"
125
+ "judgeMode": "regex",
126
+ "duration": 6496,
127
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHMjdjrhu59zH5ACoZZ\"}\n"
128
128
  },
129
129
  {
130
130
  "taskId": "sm-001",
@@ -135,28 +135,28 @@
135
135
  "criteria": {
136
136
  "has_switch_case": {
137
137
  "passed": false,
138
- "reason": "No actual code is provided, only a description. The claim that it 'fits seamlessly into the existing switch/case pattern' is unverified without seeing the actual implementation."
138
+ "reason": "regex heuristic"
139
139
  },
140
140
  "has_zod_schema": {
141
141
  "passed": false,
142
- "reason": "While Zod validation is mentioned, no actual Zod schema definition or import is shown in the output. Only a parsing call is described."
142
+ "reason": "regex heuristic"
143
143
  },
144
144
  "validates_input": {
145
145
  "passed": false,
146
- "reason": "No actual validation code is provided. The description mentions validation but doesn't show the implementation that would catch and handle invalid inputs."
146
+ "reason": "regex heuristic"
147
147
  },
148
148
  "returns_typed_response": {
149
149
  "passed": false,
150
- "reason": "No TypeScript type definitions or actual return statements are shown. Only the expected fields are listed descriptively."
150
+ "reason": "regex heuristic"
151
151
  },
152
152
  "handles_not_found": {
153
153
  "passed": false,
154
- "reason": "Error handling for missing frames is mentioned but no actual code showing the if/throw pattern is provided to verify the implementation."
154
+ "reason": "regex heuristic"
155
155
  }
156
156
  },
157
- "judgeMode": "llm",
158
- "duration": 35873,
159
- "output": "I've implemented the `get_frame_summary` MCP tool handler following the existing pattern:\n\n**Implementation details:**\n\n1. **Zod validation**: Uses `z.object({ frameId: z.string() }).parse(args)` to validate the required `frameId` parameter\n2. **Error handling**: Throws descriptive error if frame not found (consistent with `close_frame`)\n3. **Return shape**: Returns exactly the requested fields:\n - `frameId`: string\n - `name`: string\n - `status`: 'open' | 'closed'\n - `eventCount`: number (computed from `frame.events.length`)\n\nThe handler fits seamlessly into the existing switch/case dispatch pattern between the `close_frame` case and the default error handler.\n"
157
+ "judgeMode": "regex",
158
+ "duration": 7831,
159
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHNKc9nuwAzM1vHFjbL\"}\n"
160
160
  },
161
161
  {
162
162
  "taskId": "sm-002",
@@ -167,52 +167,52 @@
167
167
  "criteria": {
168
168
  "has_delete_trigger": {
169
169
  "passed": false,
170
- "reason": "The output describes adding a trigger but provides no actual SQL code. The trigger is discussed but not shown in the output."
170
+ "reason": "regex heuristic"
171
171
  },
172
172
  "uses_fts_delete_syntax": {
173
173
  "passed": false,
174
- "reason": "No actual SQL code is provided to verify that FTS5 'delete' syntax is correctly used. Only a description is given."
174
+ "reason": "regex heuristic"
175
175
  },
176
176
  "references_old_row": {
177
177
  "passed": false,
178
- "reason": "While the output mentions using `old.rowid` and `old.*`, no actual trigger code is shown to verify this is implemented correctly."
178
+ "reason": "regex heuristic"
179
179
  },
180
180
  "matches_column_list": {
181
181
  "passed": false,
182
- "reason": "The output provides no actual trigger code to compare against the existing INSERT and UPDATE triggers' column lists. No verification that columns match."
182
+ "reason": "regex heuristic"
183
183
  }
184
184
  },
185
- "judgeMode": "llm",
186
- "duration": 29988,
187
- "output": "Done! I've added the missing AFTER DELETE trigger for the FTS5 index.\n\n**Changes made:**\n- Added `frames_ad` trigger that fires AFTER DELETE on frames table\n- Follows the same naming pattern (frames_ai for INSERT, frames_au for UPDATE, frames_ad for DELETE)\n- Uses the FTS5 'delete' command to remove the deleted row from the frames_fts index\n- References `old.rowid` and `old.*` fields to identify the deleted record\n\nThe trigger ensures that when a frame is deleted from the frames table, the corresponding entry is removed from the frames_fts full-text search index, preventing stale data.\n"
185
+ "judgeMode": "regex",
186
+ "duration": 9015,
187
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHNs6yvksnDhq8d87tx\"}\n"
188
188
  },
189
189
  {
190
190
  "taskId": "sm-003",
191
191
  "taskName": "daemon_service_lifecycle",
192
192
  "weight": 1.5,
193
193
  "passed": false,
194
- "passRate": 0.25,
194
+ "passRate": 0,
195
195
  "criteria": {
196
196
  "clears_old_interval": {
197
197
  "passed": false,
198
- "reason": "The output only mentions adding a guard check with `if (this.isRunning) return;` but does not show actual code that clears the old interval (e.g., `clearInterval(this.intervalId)`) before starting a new one. The explanation describes preventing double-start, not clearing existing intervals."
198
+ "reason": "regex heuristic"
199
199
  },
200
200
  "prevents_double_start": {
201
- "passed": true,
202
- "reason": "The output explicitly mentions adding `if (this.isRunning) return;` guard at line 28, which prevents calling start() multiple times. This is a valid guard clause."
201
+ "passed": false,
202
+ "reason": "regex heuristic"
203
203
  },
204
204
  "has_getstate_method": {
205
205
  "passed": false,
206
- "reason": "The output only describes what the getState() method should do and mentions it returns a ServiceState object, but no actual function code is provided. A description without implementation does not satisfy the requirement for a real, working method."
206
+ "reason": "regex heuristic"
207
207
  },
208
208
  "returns_correct_state_shape": {
209
209
  "passed": false,
210
- "reason": "While the output mentions that getState() should return isRunning, intervalMs, lastRunTime, and errorCount, no actual code implementation is shown to verify the correct object shape is returned."
210
+ "reason": "regex heuristic"
211
211
  }
212
212
  },
213
- "judgeMode": "llm",
214
- "duration": 44474,
215
- "output": "I need permission to modify the file. Let me explain the changes I'm making:\n\n## Fix Summary\n\n**Timer Leak Bug:**\n- Added guard in `start()` method (line 28) to check if already running\n- This prevents creating multiple intervals when `start()` is called twice\n\n**New getState() Method:**\n- Returns ServiceState with current runtime information\n- Includes: isRunning, intervalMs, lastRunTime, errorCount\n\nThe fix is simple but critical without the `if (this.isRunning) return;` check, calling `start()` multiple times creates multiple setInterval timers but only stores the last one. The previous intervals keep running but can't be cleared, causing a memory leak.\n"
213
+ "judgeMode": "regex",
214
+ "duration": 4757,
215
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHPLoN7CA9LEZhavyLT\"}\n"
216
216
  }
217
217
  ]
218
218
  }
@@ -11,44 +11,44 @@
11
11
  "criteria": {
12
12
  "has_function": {
13
13
  "passed": false,
14
- "reason": "No actual function code is provided, only a description of what the function should do. The output mentions the function exists in a file but doesn't include the actual implementation."
14
+ "reason": "regex heuristic"
15
15
  },
16
16
  "handles_edge_cases": {
17
17
  "passed": false,
18
- "reason": "While edge cases are mentioned in examples (punctuation, spaces, mixed case), there is no actual code showing how these cases are handled. The logic is described but not implemented."
18
+ "reason": "regex heuristic"
19
19
  },
20
20
  "is_tested": {
21
21
  "passed": false,
22
- "reason": "Examples are listed but no actual test code or test suite is provided. The examples are illustrative only, not executable tests."
22
+ "reason": "regex heuristic"
23
23
  }
24
24
  },
25
- "judgeMode": "llm",
26
- "duration": 23894,
27
- "output": "I've written a palindrome checking function in `isPalindrome.ts`:\n\n**Function**: `isPalindrome(str: string): boolean`\n\n**Logic**:\n- Normalizes input to lowercase\n- Removes non-alphanumeric characters\n- Compares string with its reversed version\n\n**Examples**:\n- `isPalindrome(\"racecar\")` → `true`\n- `isPalindrome(\"A man, a plan, a canal: Panama\")` → `true`\n- `isPalindrome(\"hello\")` → `false`\n"
25
+ "judgeMode": "regex",
26
+ "duration": 6738,
27
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHGBLeVSCWt7cJ2sEAb\"}\n"
28
28
  },
29
29
  {
30
30
  "taskId": "eval-002",
31
31
  "taskName": "refactor_code",
32
32
  "weight": 1.5,
33
33
  "passed": false,
34
- "passRate": 0,
34
+ "passRate": 0.3333333333333333,
35
35
  "criteria": {
36
36
  "uses_async": {
37
37
  "passed": false,
38
- "reason": "No async/await code was provided. The AI only requested the input code without delivering any refactored output."
38
+ "reason": "regex heuristic"
39
39
  },
40
40
  "preserves_behavior": {
41
41
  "passed": false,
42
- "reason": "Cannot evaluate behavior preservation when no refactored code exists. The AI did not perform the refactoring task."
42
+ "reason": "regex heuristic"
43
43
  },
44
44
  "no_nested_callbacks": {
45
- "passed": false,
46
- "reason": "No refactored code was provided to evaluate callback nesting. The AI output is a request for input, not a solution."
45
+ "passed": true,
46
+ "reason": "regex heuristic"
47
47
  }
48
48
  },
49
- "judgeMode": "llm",
50
- "duration": 11272,
51
- "output": "I need to see the code you want me to refactor. Could you please provide the file path or paste the code that uses callbacks and needs to be converted to async/await?\n"
49
+ "judgeMode": "regex",
50
+ "duration": 6973,
51
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHGokedMoB4cyiFA121\"}\n"
52
52
  },
53
53
  {
54
54
  "taskId": "eval-003",
@@ -59,72 +59,72 @@
59
59
  "criteria": {
60
60
  "bug_fixed": {
61
61
  "passed": false,
62
- "reason": "No code was provided in the output, so no bug could have been fixed"
62
+ "reason": "regex heuristic"
63
63
  },
64
64
  "no_new_bugs": {
65
65
  "passed": false,
66
- "reason": "Empty output means no code to evaluate for new bugs"
66
+ "reason": "regex heuristic"
67
67
  },
68
68
  "explains_fix": {
69
69
  "passed": false,
70
- "reason": "No explanation was provided; the output is completely empty"
70
+ "reason": "regex heuristic"
71
71
  }
72
72
  },
73
- "judgeMode": "llm",
74
- "duration": 25907,
75
- "output": "\n"
73
+ "judgeMode": "regex",
74
+ "duration": 10853,
75
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHHTwZeHvRNRhDMzVzG\"}\n"
76
76
  },
77
77
  {
78
78
  "taskId": "eval-004",
79
79
  "taskName": "add_feature",
80
80
  "weight": 1.5,
81
- "passed": true,
82
- "passRate": 0.75,
81
+ "passed": false,
82
+ "passRate": 0,
83
83
  "criteria": {
84
84
  "has_pagination": {
85
- "passed": true,
86
- "reason": "Pagination is described with page and limit parameters, and response includes pagination metadata"
85
+ "passed": false,
86
+ "reason": "regex heuristic"
87
87
  },
88
88
  "has_limit": {
89
- "passed": true,
90
- "reason": "Limit parameter is explicitly defined with bounds (1-100) and included in the response format"
89
+ "passed": false,
90
+ "reason": "regex heuristic"
91
91
  },
92
92
  "has_offset": {
93
93
  "passed": false,
94
- "reason": "Output uses page-based pagination, not offset-based. No offset parameter is defined or mentioned"
94
+ "reason": "regex heuristic"
95
95
  },
96
96
  "backwards_compatible": {
97
- "passed": true,
98
- "reason": "Both parameters have defaults (page=1, limit=10) and existing endpoints like /users/:id remain unchanged"
97
+ "passed": false,
98
+ "reason": "regex heuristic"
99
99
  }
100
100
  },
101
- "judgeMode": "llm",
102
- "duration": 24592,
103
- "output": "I've added pagination to the `/users` endpoint with the following features:\n\n**Query Parameters:**\n- `page` (default: 1, min: 1)\n- `limit` (default: 10, min: 1, max: 100)\n\n**Response Format:**\n```json\n{\n \"data\": [...users],\n \"pagination\": {\n \"page\": 1,\n \"limit\": 10,\n \"total\": 100,\n \"totalPages\": 10,\n \"hasNext\": true,\n \"hasPrev\": false\n }\n}\n```\n\n**Features:**\n- Safe bounds checking (page 1, limit 1-100)\n- Pagination metadata for client navigation\n- `hasNext`/`hasPrev` flags for UI convenience\n- Maintains existing `/users/:id` endpoint unchanged\n\n**Usage:**\n- `/users` → first 10 users\n- `/users?page=2&limit=20` → users 21-40\n- `/users?limit=50` → first 50 users\n"
101
+ "judgeMode": "regex",
102
+ "duration": 5779,
103
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHHxLrrmUqXyWRyvNX4\"}\n"
104
104
  },
105
105
  {
106
106
  "taskId": "eval-005",
107
107
  "taskName": "code_review",
108
108
  "weight": 1.3,
109
- "passed": true,
110
- "passRate": 0.6666666666666666,
109
+ "passed": false,
110
+ "passRate": 0,
111
111
  "criteria": {
112
112
  "identifies_security_issue": {
113
- "passed": true,
114
- "reason": "Output clearly identifies 4 critical security vulnerabilities: SQL injection, plaintext password comparison, insecure session tokens, and credential logging. Each is properly categorized with OWASP references."
113
+ "passed": false,
114
+ "reason": "regex heuristic"
115
115
  },
116
116
  "identifies_performance_issue": {
117
117
  "passed": false,
118
- "reason": "Output does not identify or mention any performance issues. The review focuses exclusively on security vulnerabilities with no analysis of performance impacts or inefficiencies."
118
+ "reason": "regex heuristic"
119
119
  },
120
120
  "actionable_feedback": {
121
- "passed": true,
122
- "reason": "Output provides specific, actionable fixes for each issue: revert to parameterized queries, restore bcrypt comparison, use cryptographically secure tokens with proper cookie flags, and remove password logging. Each recommendation is clear and implementable."
121
+ "passed": false,
122
+ "reason": "regex heuristic"
123
123
  }
124
124
  },
125
- "judgeMode": "llm",
126
- "duration": 30817,
127
- "output": "## PR Review - Critical Security Issues Found ⚠️\n\n### **SEVERITY: CRITICAL - DO NOT MERGE**\n\nThis PR introduces multiple severe security vulnerabilities:\n\n---\n\n### 🔴 **1. SQL Injection Vulnerability (Line 10)**\n```typescript\n- const user = await db.query('SELECT * FROM users WHERE email = $1', [email]);\n+ const user = await db.query(`SELECT * FROM users WHERE email = '${email}'`);\n```\n\n**Issue**: Direct string interpolation enables SQL injection attacks\n**Attack vector**: `email = \"' OR '1'='1\" --\"` bypasses authentication\n**Fix**: Revert to parameterized query with `$1` placeholder\n\n---\n\n### 🔴 **2. Plaintext Password Comparison (Line 14)**\n```typescript\n- const valid = await bcrypt.compare(password, user.passwordHash);\n+ const valid = password === user.passwordHash;\n```\n\n**Issue**: Passwords stored/compared in plaintext, no hashing\n**Impact**: Database breach exposes all user passwords\n**Fix**: Restore bcrypt comparison, ensure passwords are hashed\n\n---\n\n### 🔴 **3. Insecure Session Token (Line 18)**\n```typescript\n+ const token = email + ':' + Date.now();\n+ res.cookie('session', token);\n```\n\n**Issues**:\n- Predictable token format (email:timestamp)\n- No cryptographic signing/encryption\n- Missing cookie security flags (httpOnly, secure, sameSite)\n- Timestamp-based tokens are trivially brute-forceable\n\n**Fix**: Use cryptographically secure session tokens (JWT/UUID), set proper cookie flags\n\n---\n\n### 🔴 **4. Credential Logging (Line 22)**\n```typescript\n+ console.log(`Login: ${email} / ${password}`);\n```\n\n**Issue**: Plaintext passwords logged to stdout/logs\n**Impact**: Credentials exposed in log files, monitoring systems, terminal history\n**Fix**: Remove password logging entirely, only log email if needed\n\n---\n\n### 📋 **Summary**\n\n| Vulnerability | OWASP Category | Severity |\n|---------------|----------------|----------|\n| SQL Injection | A03:2021 | Critical |\n| Broken Auth | A07:2021 | Critical |\n| Insecure Session | A02:2021 | High |\n| Sensitive Data Exposure | A02:"
125
+ "judgeMode": "regex",
126
+ "duration": 6181,
127
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHJQcftjSrVHj8nKxsp\"}\n"
128
128
  },
129
129
  {
130
130
  "taskId": "sm-001",
@@ -135,28 +135,28 @@
135
135
  "criteria": {
136
136
  "has_switch_case": {
137
137
  "passed": false,
138
- "reason": "No code output provided - switch/case statement cannot be evaluated"
138
+ "reason": "regex heuristic"
139
139
  },
140
140
  "has_zod_schema": {
141
141
  "passed": false,
142
- "reason": "No code output provided - Zod schema definition is missing"
142
+ "reason": "regex heuristic"
143
143
  },
144
144
  "validates_input": {
145
145
  "passed": false,
146
- "reason": "No code output provided - input validation logic is absent"
146
+ "reason": "regex heuristic"
147
147
  },
148
148
  "returns_typed_response": {
149
149
  "passed": false,
150
- "reason": "No code output provided - response structure cannot be verified"
150
+ "reason": "regex heuristic"
151
151
  },
152
152
  "handles_not_found": {
153
153
  "passed": false,
154
- "reason": "No code output provided - error handling for missing frames is not implemented"
154
+ "reason": "regex heuristic"
155
155
  }
156
156
  },
157
- "judgeMode": "llm",
158
- "duration": 28547,
159
- "output": "\n"
157
+ "judgeMode": "regex",
158
+ "duration": 4675,
159
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHJtsnUUPF3pPMQY7uy\"}\n"
160
160
  },
161
161
  {
162
162
  "taskId": "sm-002",
@@ -167,24 +167,24 @@
167
167
  "criteria": {
168
168
  "has_delete_trigger": {
169
169
  "passed": false,
170
- "reason": "The output is completely empty (only whitespace). No DELETE trigger is defined at all."
170
+ "reason": "regex heuristic"
171
171
  },
172
172
  "uses_fts_delete_syntax": {
173
173
  "passed": false,
174
- "reason": "No FTS5 DELETE syntax is present. The output contains no code whatsoever."
174
+ "reason": "regex heuristic"
175
175
  },
176
176
  "references_old_row": {
177
177
  "passed": false,
178
- "reason": "There is no trigger implementation to reference the OLD row values required for FTS deletion."
178
+ "reason": "regex heuristic"
179
179
  },
180
180
  "matches_column_list": {
181
181
  "passed": false,
182
- "reason": "Without any trigger code, there is no column list matching the existing INSERT and UPDATE triggers."
182
+ "reason": "regex heuristic"
183
183
  }
184
184
  },
185
- "judgeMode": "llm",
186
- "duration": 21391,
187
- "output": "\n"
185
+ "judgeMode": "regex",
186
+ "duration": 6137,
187
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHKAmFvAN62p9tugpsP\"}\n"
188
188
  },
189
189
  {
190
190
  "taskId": "sm-003",
@@ -195,24 +195,24 @@
195
195
  "criteria": {
196
196
  "clears_old_interval": {
197
197
  "passed": false,
198
- "reason": "No code provided in AI output to evaluate. Cannot verify that old intervals are cleared."
198
+ "reason": "regex heuristic"
199
199
  },
200
200
  "prevents_double_start": {
201
201
  "passed": false,
202
- "reason": "No code provided in AI output to evaluate. Cannot verify double-start prevention logic."
202
+ "reason": "regex heuristic"
203
203
  },
204
204
  "has_getstate_method": {
205
205
  "passed": false,
206
- "reason": "No code provided in AI output. The getState() method is not defined."
206
+ "reason": "regex heuristic"
207
207
  },
208
208
  "returns_correct_state_shape": {
209
209
  "passed": false,
210
- "reason": "No code provided in AI output. Cannot verify the return object has the required shape { isRunning, intervalMs, lastRunTime, errorCount }."
210
+ "reason": "regex heuristic"
211
211
  }
212
212
  },
213
- "judgeMode": "llm",
214
- "duration": 56530,
215
- "output": "\n"
213
+ "judgeMode": "regex",
214
+ "duration": 6263,
215
+ "output": "API Error: 400 {\"type\":\"error\",\"error\":{\"type\":\"invalid_request_error\",\"message\":\"You have reached your specified API usage limits. You will regain access on 2026-04-01 at 00:00 UTC.\"},\"request_id\":\"req_011CYrHKepxihvYkrrfWmRoU\"}\n"
216
216
  }
217
217
  ]
218
218
  }