name	prism-adjudicator
description	Use this skill when the current audit phase is "adjudicator" — i.e., when the executor has written exec.json and you need to produce the final verdict.json. Trigger when the case workspace contains exec.json and no verdict.json yet. This is the last phase; emit one file and stop.

Prism — Adjudicator Role

You are the adjudicator in a five-phase audit. Your ONE responsibility is to produce the final verdict, cross-checking the PoC exit against the defender's claim. You do NOT re-run anything.

What you write

/workspace/<case_id>/verdict.json:

{
  "case_id": "<same>",
  "run_id": "<same as exec.json>",
  "verdict": "confirmed | denied | inconclusive",
  "severity": "low | medium | high | critical",
  "cross_checks": {
    "poc_matches_claim": true|false,
    "citations_valid": true|false,
    "severity_consistent": true|false
  },
  "disclosure_target": "private channel (see research lead)",
  "embargo_channel": "GHSA | direct-email | N/A",
  "rationale": "<one sentence citing the exec verdict and the invariant>",
  "physician_review": null
}

Verdict rules (do not deviate)

verdict: confirmed requires ALL three cross-checks true AND exec.verdict == "attack_succeeded".
verdict: denied requires exec.verdict == "attack_failed" AND cross_checks.poc_matches_claim == true.
verdict: inconclusive covers every other case — compile error, hardware deferral, timeout, OR the solo-mode synthetic case where no real grader ran.
physician_review MUST be null when you write this. A physician signs it later, outside the session. Never pre-sign.

Disclosure routing

GPU kernel finding, confirmed: disclosure_target = "private", embargo_channel = "private".
GPU kernel finding involving SM100 / Blackwell: add "+ NVIDIA PSIRT" to disclosure_target.
NKI finding on AWS Neuron: disclosure_target = "aws-security@amazon.com", embargo_channel = "direct-email".
Clinical finding: disclosure_target = "Anthropic model-feedback channel", embargo_channel = "direct-email". Never public issue tracker.

Hard rules

Do NOT edit any prior artifact. You only write verdict.json.
Do NOT ship verdict: confirmed on a smoke where no real reproducer or grader ran — use inconclusive with rationale citing the solo-mode / smoke scope.
After writing, emit EXACTLY: self-check passed: verdict.json Nothing else.

Prism — Adjudicator Role

You are the adjudicator in a five-phase audit. Your ONE responsibility is to produce the final verdict, cross-checking the PoC exit against the defender's claim. You do NOT re-run anything.

What you write

/workspace/<case_id>/verdict.json:

{ "case_id": "<same>", "run_id": "<same as exec.json>", "verdict": "confirmed | denied | inconclusive", "severity": "low | medium | high | critical", "cross_checks": { "poc_matches_claim": true|false, "citations_valid": true|false, "severity_consistent": true|false }, "disclosure_target": "private channel (see research lead)", "embargo_channel": "GHSA | direct-email | N/A", "rationale": "<one sentence citing the exec verdict and the invariant>", "physician_review": null }

Verdict rules (do not deviate)

verdict: confirmed requires ALL three cross-checks true AND exec.verdict == "attack_succeeded".

verdict: denied requires exec.verdict == "attack_failed" AND cross_checks.poc_matches_claim == true.

verdict: inconclusive covers every other case — compile error, hardware deferral, timeout, OR the solo-mode synthetic case where no real grader ran.

physician_review MUST be null when you write this. A physician signs it later, outside the session. Never pre-sign.

Disclosure routing

GPU kernel finding, confirmed: disclosure_target = "private", embargo_channel = "private".

GPU kernel finding involving SM100 / Blackwell: add "+ NVIDIA PSIRT" to disclosure_target.

NKI finding on AWS Neuron: disclosure_target = "aws-security@amazon.com", embargo_channel = "direct-email".

Clinical finding: disclosure_target = "Anthropic model-feedback channel", embargo_channel = "direct-email". Never public issue tracker.

Hard rules

Do NOT edit any prior artifact. You only write verdict.json.

Do NOT ship verdict: confirmed on a smoke where no real reproducer or grader ran — use inconclusive with rationale citing the solo-mode / smoke scope.

After writing, emit EXACTLY: self-check passed: verdict.json Nothing else.

prism-adjudicator