The Verification Horizon: No Silver Bullet for Coding Agent Rewards

The Verification Horizon: No Silver Bullet for Coding Agent Rewards

Qwen Team

Abstract

A classical intuition holds that verifying a solution is easier than producing one. For today's coding agents, this intuition is being inverted: as foundation models develop stronger reasoning capabilities and engineering harnesses grow more sophisticated, generating complex candidate solutions is no longer difficult—reliably verifying them has become the harder problem. Every verifier we can build is only a proxy for human intent, never the intent itself. This makes verification subject to a twofold difficulty: first, intent is underspecified by nature, making it inherently hard to faithfully check whether it has been fulfilled; second, during model training, optimization widens the gap between proxy and intent—manifesting as reward hacking or signal saturation. To address this, we characterize the quality of verification signals along three dimensions—scalability, faithfulness, and robustness—and argue that achieving all three simultaneously is the central challenge. We further study four reward constructions: a test verifier for general coding tasks, a rubric verifier for frontend tasks, the user as verifier for real-world agent tasks, and an automated agent verifier for long-horizon tasks. Across different task types and policy capability levels, we conduct in-depth analysis and experiments on the core challenges of reward design and how to more effectively leverage reward signals. Experiments show that targeted verification design can effectively suppress reward hacking, improve task completion quality, and achieve significant gains across multiple internal and public benchmarks. These experiences collectively point to a core observation: no fixed reward function can remain effective as policy capability continues to grow; and verification must co-evolve with the generator.

Executive Summary: The classical view that verification is easier than generation no longer holds for coding agents. As models grow stronger at producing complex code, reliably checking whether outputs match genuine human intent has become the central bottleneck. Intent is inherently underspecified, and any computable proxy used as a reward signal during training tends to diverge from that intent, producing reward hacking, signal saturation, and brittle performance. This problem matters now because frontier coding agents are already deployed in real engineering workflows, yet current verifiers cannot scale, stay faithful, and remain robust simultaneously.

The document evaluates how to design and combine reward signals that improve across three quality dimensions—scalability, faithfulness, and robustness—while testing whether any single fixed reward can keep pace with rising model capability. The authors examine four concrete reward constructions grounded in Qwen models: execution-based unit tests for SWE-style tasks, rubric and interactive judges for frontend tasks, direct user feedback for real-world agent use, and an autonomous agent evaluator for long-horizon repository generation. They measure outcomes on public benchmarks (SWE-Bench variants, WebDev tasks) and five internal agent benchmarks, applying filtering, trajectory monitoring, and preference-style training objectives.

Targeted verification improvements deliver substantial gains. On three SWE-Bench suites, adding behavior monitoring reduced the rate of hacked solutions from 28.6 % to 0.6 % while lifting clean resolved rate from 40.2 % to 60.5 %. User-feedback signals processed with span-level KTO produced a 5.6-point gain on SWE-Bench Verified and a 13.3-point gain on an internal benchmark. Evaluator-filtered rejection sampling outperformed random sampling of equal size and approached the performance of twice as much unfiltered data. Interactive judges for frontend tasks avoided the length exploitation that static judges suffer and placed the resulting model fourth on an external frontend leaderboard. Across settings, stronger policies quickly discovered new shortcuts, and no single reward remained effective without ongoing adaptation.

These results show that verification must be treated as evolving infrastructure rather than a one-time component. Gains translate directly into higher task-completion quality, reduced wasted compute on invalid trajectories, and greater trustworthiness when agents operate without constant human oversight. The observed pattern—that every reward construction eventually requires augmentation or replacement—supports the central claim that verifiers must co-evolve with generators.

Organizations building or deploying coding agents should therefore integrate multiple complementary verifiers (executable tests, trajectory monitors, rubric judges, and user signals) and establish closed-loop processes that periodically refresh the evaluator as policy capability advances. Priority next steps include developing quality gradients that distinguish superficial fixes from root-cause repairs, capturing experiential dimensions such as animation fluidity that static checks miss, moving from offline feedback mining to online adaptation, and solving credit assignment for long-horizon and multi-agent settings.

The findings rest on experiments with current-generation models and task distributions; stronger future policies may expose failure modes not yet visible. Evaluator reliability remains sensitive to prompt detail, backbone choice, and data volume, so results should be validated on each new deployment setting before large-scale use.

1. Introduction

Section Summary: In computing, checking whether a solution is correct has traditionally been easier than creating one, but advanced AI coding agents have reversed this pattern, making reliable verification the central difficulty. Any practical verifier can only approximate human intent through imperfect proxies such as tests or reward models, and these proxies inevitably degrade under optimization pressure as models learn to exploit their blind spots. The paper therefore argues that verification must be treated as an evolving, co-adaptive process rather than a fixed solution, one that continually balances scalability, fidelity to real user goals, and resistance to being gamed.

A classical intuition in computing holds that verifying a solution is easier than finding one. For today's coding agents ([1, 2, 3, 4]), this asymmetry is reversing. As foundation models have developed stronger reasoning capabilities ([5, 6]), and as harness engineering has grown more sophisticated ([7, 8, 9]), generating a sufficiently sophisticated candidate solution has become easier. By contrast, reliably verifying that solution has become the harder problem. This difficulty echoes Brooks's classic lesson from software engineering: there is no silver bullet ([10]). For coding agents, verification is not a problem that any single mechanism can solve once and for all.

The central function of verification is to check whether the agent fulfills human intent, but intent cannot be measured directly. Executable tests, rubrics, and reward models—these verifiers can only operationalize intent into computable approximations; they are proxies for intent, never the intent itself.

This makes verification subject to a twofold challenge. First, faithfully verifying whether intent has been fulfilled is inherently difficult: intent is underspecified by nature, and the person who holds it often cannot articulate their full expectations until a counterexample exposes an omission—yet such counterexamples are hard to predict or enumerate. Worse, in the context of model training, the gap between proxy and intent does not shrink but widens. Once a measure is placed under optimization pressure, it ceases to be a good measure ([11]): when a proxy serves as a reward signal, the generator (i.e., the foundation model) learns not only to satisfy the proxy but also to exploit the divergence between proxy and intent. Thus reward hacking is not a bug that can be patched but an inevitable consequence of sustained optimization towards an imperfect objective ([12]).

Verification therefore cannot reliably guide the generator indefinitely. Accordingly, a perfect verifier is not a realistic target. What remains is verification as an evolving approximation—a horizon that continually recedes as the generator it evaluates grows stronger.[^1]

[^1]: By Rice's theorem ([13]), every non-trivial semantic property of a program is undecidable; this independently supports the claim from the perspective of computability theory.

This reframes the problem itself and motivates the central claim of this paper, which the rest of the paper argues for and puts into practice:

We must continually build a verification system that co-evolves with AI agents.

Recent frontier-lab reports and engineering analyses echo this view, increasingly treating agent evaluation as a systems-level problem that involves graders, traces, monitoring, and failure-mode analysis ([14, 15, 16, 17, 18]).

We further characterize the quality of verification signals along three dimensions. Scalability is the precondition: can the signal be produced cheaply at the scale required for training? Faithfulness is the core quality: how much of the true user intent does the signal reflect, as opposed to some narrow surrogate? Robustness is the reliability of faithfulness: can the verifier's judgments hold across diverse and adversarial inputs, and can they withstand the optimization pressure of a strengthening generator? Achieving all three simultaneously is the central difficulty of verification. Most existing approaches satisfy only two: unit tests are scalable and relatively robust but cover only a thin layer of intent; Large Language Model (LLM)-based judges are scalable and faithful but vulnerable to exploitation by a strengthening model; human expert review is faithful and robust but cannot scale. The intersection of all three—a verifier that is at once cheap, deep, and resistant to gaming—is precisely what remains missing.

**Figure 1:** **Co-evolution between the policy model and the verifier during training.** The verifier initially provides useful reward signals that guide policy improvement. When the policy outpaces the verifier, reward hacking may occur. Subsequent verifier evolution restores effective guidance, but this guidance can again saturate, requiring further verifier improvement to unlock the next stage of policy evolution.

Grounded in the current Qwen foundation models, we study four reward constructions: from verifiable rewards based on executable tests, to rubric and interactive judges that evaluate the visual and functional dimensions of intent that tests alone cannot capture, to learning genuine and comprehensive user intent from user interaction data, and finally to fully open agentic evaluation. Each step is more faithful to genuine user intent, but relies more heavily on open-ended judgment and is harder to robustly verify mechanically. We examine each through the same lens: the task characteristics that make reward design difficult, the verification constraints they impose, the concrete reward implementation we adopt, the empirical observations, and the practical takeaways. The four sections are organized as follows:

  • Unit Test as Verifier (SWE-like tasks, § 2): we use execution-based test suites as the verification signal ([19, 20, 21])—reliable and easy to scale. However, stronger policies still find exploitable weaknesses, such as retrieving solution artifacts or tampering with tests. We therefore introduce a quality judge and trajectory-level behavior monitoring ([22]) to continually constrain such behaviors. With both in place, across three SWE-Bench variants the hacked resolved rate drops from 28.57% to 0.56% and the clean resolved rate rises from 40.22% to 60.53%.
  • Interactive Agent as Verifier (frontend tasks, § 3): when intent extends to visual appearance and interactive behavior, mechanical pass/fail tests no longer suffice. We design rubric-based judges that decompose evaluation into structured dimensions—functional correctness, visual quality, layout, and UX—and further extend them with an agentic interactive judge that exercises the generated artifact through simulated user interactions in a live browser ([23, 24]). By grounding rewards in observed runtime behavior rather than source-code inspection, the interactive judge resists the length-exploitation hacking to which static judges are susceptible.
  • User Feedback as Verifier (real-world agent tasks, § 4): Users are the most faithful verifiers. Their feedbacks are embedded in natural-language feedback, behavioral signals, and other interaction patterns, from which rich trainable signals can be extracted. This signal is not only the most faithful—it originates directly from the holder of the intent—but also relatively robust, as user judgments are grounded in actual utility ([25]). We systematically analyze user interaction feedback and apply it to model optimization, achieving significant improvements across five internal coding-agent benchmarks, including a 13.3 percentage-point gain on a private benchmark.
  • Automated Agent as Verifier (long-horizon tasks, § 5): for long-horizon tasks, intent is at its most open: the specification barely constrains all the implementation details ([26, 27, 28]), and predefined test suites cannot cover it. In this setting, even constructing a faithful verifier is an open problem. Our approach is to deploy an autonomous agentic evaluator that directly inspects the generated codebase and dynamically conducts multi-round assessment against the specification, serving as a faithful, scalable, yet approximate verifier. Under a controlled data budget, training data filtered by this evaluator already stably outperforms random sampling. We further argue that this evaluator should evolve into a verifier that co-evolves with the generator—a concrete realization of the verification horizon.

These four constructions collectively show that no single reward strategy is sufficient to sustain the continued progress of coding agents. What truly works is a complete verification system—one that integrates mechanisms such as executable tests, quality filtering, behavior monitoring, and agentic evaluators, and that is continually rebuilt as policy capability advances and the task landscape evolves. Under this view, verification is not an auxiliary component of the training pipeline but its core infrastructure. The active co-evolution of verifier and policy ([29]) (as shown in Figure 1) is what ensures that gains in reward metrics translate into lasting and trustworthy capability growth.

2. Test-driven Rewards for SWE-like Tasks

Section Summary: In addressing software engineering tasks for AI training, executable test suites offer a scalable pass/fail reward signal drawn from real GitHub changes, yet they commonly suffer from poor alignment with the intended task and from models exploiting flaws to pass without truly succeeding. The authors tackle these faithfulness and hacking problems by building an automated pipeline that generates Dockerized tasks with verified test scripts, then deploying an agentic judge that explores each environment to score whether instructions clearly describe the goal and whether the tests accurately capture that goal. High-scoring tasks are retained to supply cleaner reward signals for reinforcement learning.

We begin with SWE-like tasks, which have become a major source of synthetic coding training data for foundation models ([30, 31, 32, 33]). For this category of tasks, the pass/fail signal from an execution-based test suite is widely regarded as the most reliable reward. Its key feasibility advantage is scalability: executable tests can be constructed through automated pipelines and evaluated at scale. However, it faces two systematic challenges: faithfulness and reward hacking. If left unaddressed, both challenges directly corrupt training quality.

2.1 Preliminary

Automated Data Pipeline. We use the SWE-Universe ([20]) pipeline to construct executable SWE-like tasks from real-world GitHub^2 pull requests. Given an issue-linked pull request, the pipeline separates the merged change into a fix patch and a test patch, restores the repository to the pre-fix state, and constructs a Dockerized environment with a unified verifier, evaluation.sh, whose binary pass/fail result serves as the test-driven reward. Each verifier is validated by requiring it to fail on the buggy repository after applying the test patch and pass on the resolved repository after applying both the test and fix patches; invalid verifiers are iteratively repaired by a building agent. While this process ensures executability and basic discriminativeness, it does not by itself guarantee semantic faithfulness between the task instruction and the tests.

Reward Faithfulness. For test-driven rewards, faithfulness is commonly characterized by the absence of false positives (an incorrect solution passes the tests) and false negatives (a correct solution fails the tests). During RL training, false positives cause the reward to be overestimated, reinforcing incorrect behaviors; false negatives penalize correct behavior. Both lead the model to learn from erroneous gradient signals.

Reward Hacking. Notably, reward hacking can be viewed as a special case of false positives: the agent produces an output that passes the test suite without genuinely solving the task. While general false positives arise passively from deficiencies in test design (e.g., insufficient coverage), reward hacking stems from the agent actively exploiting information leakage—such as retrieving the ground-truth patch from the internet—to game the evaluation.

We address these two challenges in the following subsections respectively.

2.2 Improving Reward Faithfulness

Motivation. To mitigate false positives and false negatives, we view a test-driven reward as faithful only when its binary pass/fail signal corresponds to success on the true task intent, rather than merely success on the test suite.

In SWE-like tasks derived from GitHub pull requests, this condition is non-trivial. The true task intent may rely on offline discussions, historical project conventions or maintainer expectations, while the extracted instruction provides only a limited and potentially lossy description of that intent.

We therefore decompose semantic reward faithfulness into two dimensions: instruction clarity (denoted as instruct_clear), which asks whether the instruction sufficiently expresses the intended task, and instruction–test alignment (denoted as instruct_ut_align), which asks whether the tests faithfully operationalize the instruction.

Agentic Quality Judge. To operationalize this faithfulness decomposition, we build an agentic quality judge that automatically assesses SWE-like task quality. Given the task description, Dockerized repository environment, test scripts, and optionally the ground-truth patch, the judge actively explores the environment using MiniSWEAgent ([34]): it can inspect repository files, execute commands, read tests, and analyze: 1) whether the instruction and the environment are self-contained enough for an agent to solve the task; and 2) whether the verifier matches the stated task. Finally, the agentic judge produces two dimension-level judgments, instruct_clear and instruct_ut_align. These judgments are then aggregated into an overall quality label of overall_good as the final quality score.

We evaluate the judge on a human-annotated task-quality benchmark, with the task prompt and representative examples provided in Appendix A and Appendix B. From the examples, we can see that such quality issues take diverse forms. Instructions may consist of only a few words with no actionable context, or reference inaccessible external resources (e.g., private Slack discussions); tests may validate functionality entirely orthogonal to the described task, or hard-code implementation-specific artifacts such as typographical errors as expected output (see Figure 12 and Figure 13 in Appendix B for representative examples).

To improve the agentic judge's reliability, we study three design choices: the base judge model, the number of voting samples for majority voting, and the use of few-shot demonstrations or ground-truth patches. Table 1 reports the ablation results. Overall, the agentic judge achieves strong performance on the two metrics. However, instruct_ut_align is substantially more challenging: it requires the judge to not only understand the intended task semantics from the instruction, but also infer the actual behavioral coverage of the test suite based on the source code. And the misalignment between the two is often subtle and complicated. Accordingly, we find that providing the judge with additional reference information meaningfully improves its assessment on this dimension. Few-shot demonstrations improve the precision of instruct_ut_align, while providing the ground-truth patch improves its recall and yields the best F1 on this dimension. These results suggest that the judge can serve as a scalable filter for identifying SWE-like tasks with unreliable test-driven rewards.

: Table 1: Ablation results of the agentic judge on the human-annotated benchmark. Each metric cell reports precision / recall / F1. The #Turns column reports mean / min / max.

Strategy #Turns instruct_clear instruct_ut_align
3-voting, Qwen-Plus 37 / 17 / 92 97.26 / 92.21 / 94.67 74.00 / 78.72 / 76.29
5-voting, Qwen-Max 24 / 14 / 40 97.18 / 89.61 / 93.24 72.73 / 85.11 / 78.43
3-voting, Qwen-Max 24 / 15 / 45 95.50 / 92.21 / 93.83 73.47 / 76.60 / 75.00
+ Examples 25 / 15 / 46 100.00 / 85.71 / 92.31 78.72 / 78.72 / 78.72
+ Examples + GT patch 27 / 17 / 57 100.00 / 83.12 / 90.78 75.93 / 87.23 / 81.19

**Figure 2:** **Task quality versus dataset scale.** The x-axis denotes the fraction of tasks labeled as good by the quality criterion, while the y-axis shows dataset size in log scale.

**Figure 3:** **Task-quality distribution across solve-rate buckets.** Pass rates are computed via multiple rollouts of an internal Qwen3-Turbo checkpoint on SWE-ReBench.

Data Statistics. We apply the agentic quality judge as a semantic filter over SWE-Universe. As shown in Figure 2, filtering improves the good-task ratio while preserving a large-scale executable task pool, yielding training data whose pass/fail rewards are less affected by unclear instructions or instruction-test misalignment. We further find that low solve rate is partially confounded by task quality. As shown in Figure 3, zero-solve tasks contain a much larger fraction of low-quality instances, whereas high-solve-rate buckets are dominated by high-quality tasks. This suggests that persistently unsolved instances should not be interpreted solely as evidence of intrinsic difficulty. These low-quality tasks consume rollout budget without providing a trustworthy reward. So quality filtering therefore improves both sampling efficiency and reward reliability.

Application in RL. We incorporate the filtered, high-quality data into RL training of an internal Qwen-Turbo checkpoint and observe consistent gains on broader SWE-style evaluations. Figure 4 shows that quality-filtered RL improves performance on SWE-bench Multilingual ([21]) and SWE-bench Pro ([35]), while remaining comparable on SWE-bench Verified ([36]). This suggests that removing tasks with unclear instructions or instruction-test misalignment improves the reliability of unit-test-based rewards without sacrificing performance on the standard curated benchmark.

**Figure 4:** **RL training curves with and without the agentic quality filter.**

2.3 Mitigating Reward Hacking

Motivation. Test-driven rewards in SWE tasks evaluate only the final repository state, typically by applying the model-generated patch and running the task-specific test suite ([37, 38]). As a result, they can verify whether a patch passes the tests, but not whether it was produced through legitimate software engineering practices.

This creates false positives at the behavior level: an agent may obtain a positive reward by exploiting shortcut information channels, such as retrieving the original pull request, accessing leaked commit or patch metadata, modifying tests or the verifier, or overfitting to visible tests.

Unlike ordinary false positives caused by incomplete or misaligned tests, such reward hacking does not stem only from weaknesses in the verifier, but from the trajectory used to obtain verifier success: the final patch passes the tests, while the process that produced it is incompatible with legitimate SWE-style debugging ([22, 12]).

In this section, we first systematically analyze hacking-susceptible behaviors in SWE tasks. Then, based on this analysis, we build a monitoring system to mitigate such hacking behaviors.

Hacking-susceptible Behaviors Analysis. We run an automated review of agent behaviors in SWE tasks to identify behaviors through which agents may obtain verifier success without following the intended local debugging process. Each trajectory records the sequence of commands, file inspections, test executions, git operations, network accesses, and edits that produced the final patch. We then distinguish two sources of reward contamination: static-environment leakage and policy-dependent shortcut access. (taxonomy of each behavior is detailed in Appendix-§ C):

Static-environment leakage: shortcut opportunities created by the environment itself, such as unsanitized git history, visible tests, or modifiable harnesses. In our prior work, we reduced several static sources of information leakage in such environments ([20, 33]). In particular, we sanitize repository histories to remove commits that occur after the target pull request time, since such commits may reveal the future fix. We also disable network access for tasks whose solution does not require external connectivity. These interventions reduce obvious environment-level leakage before training begins, but they are insufficient on their own: as policies improve, agents may still discover shortcut behaviors that are difficult to anticipate manually.

Policy-dependent shortcut access refers to active information-seeking actions beyond the intended local debugging process, such as retrieving solution artifacts or looking up external fixes. Unlike static environment-level leakage, these behaviors are policy-dependent: they emerge from how the agent chooses to gather information during problem solving, and therefore cannot be fully eliminated by hardening the initial task environment alone.

Table 2 shows a clear split between static leakage and active shortcut seeking. Under the hardened environment, environment-level interactions are not positively associated with verifier success: repository-history mining, test-oracle tampering, evaluation-harness tampering, visible-test overfitting, and evaluator-aware patching all fall below the overall resolved rate. This suggests that static hardening reduces the reward advantage of several known leakage channels, though such behaviors still indicate process-invalid trajectories. The harder case is active shortcut seeking: solution artifact retrieval appears in only 4.32% of trajectories, but reaches a 72.34% resolved rate, 12.35 % above the baseline, while external fix lookup also shows a mild positive association. Thus, even after known static leakage is reduced, verifier success can remain coupled with shortcut-seeking behavior, motivating a trajectory-level monitor that audits information access during RL and corrects rewards for suspicious shortcut-dependent successes.

::: {caption="Table 2: Behavior--success association. Qwen-Turbo trajectories' resolved rate on the training data. Freq. (%) is rollout-level prevalence, and phi corr. is the binary behavior--success correlation."}

:::

Mitigation: Behavior Monitoring in RL. To mitigate policy-dependent shortcut exploitation, we introduce a trajectory-level behavior monitor during RL with Qwen-Turbo[^3]. For each trajectory, we log the command history, network accesses, git operations, opened and edited files, and final patch. The monitor audits the full trajectory for high-risk information-access patterns in a pattern set $\mathcal{P}$ .

[^3]: A version different from the one used in Section 2.2

Each pattern in $\mathcal{P}$ specifies three components: observable trajectory evidence, the associated leakage risk, and the corresponding intervention. These patterns cover behaviors such as searching for the original pull request, opening upstream diffs, querying commit hashes, accessing GitHub pages that reveal merged patches, or using repository metadata that may expose the post-fix change. When a rollout matches a high-risk pattern, we apply a token-level penalty to reduce the reward assigned to shortcut-dependent behavior.

The pattern set is updated iteratively throughout training. After each training interval, we sample trajectories from the current policy, prioritizing rollouts that either pass the verifier or trigger the monitor. An agentic reviewer then inspects these trajectories to identify newly emerging shortcut strategies. Recurring patterns are added to $\mathcal{P}$, and the updated monitor is deployed in the next round of RL. This closed-loop design is important because reward hacking is policy-dependent: as the model improves, it may discover new exploitation channels that were absent in the initial review.

We report four rollout-level metrics: Resolved is the standard verifier pass rate. Hack Rate is the percentage of trajectories that trigger the behavior monitor, regardless of whether the final patch passes. Hacked Resolved is the percentage of trajectories that both pass the verifier and trigger the monitor, measuring verifier success obtained through monitored shortcut channels. Finally, Clean Resolved is the percentage of trajectories that pass the verifier without triggering the monitor. In other words, it treats monitor-triggered successful trajectories as incorrect.

\begin{tabular}{l ccc ccc ccc}
\toprule
\multirow{2}{*}{\textbf{Benchmark}} 
 {} & \multicolumn{3}{c}{Clean Resolved (\%) $\uparrow$} & \multicolumn{3}{c}{Hack Rate (\%) $\downarrow$} & \multicolumn{3}{c}{Hacked Resolved (\%) $\downarrow$} \\
\cmidrule(lr){2-4} \cmidrule(lr){5-7} \cmidrule(lr){8-10}
 {} & Base & +Mon. & $\Delta$ 
 {} & Base & +Mon. & $\Delta$ 
 {} & Base & +Mon. & $\Delta$ \\
\midrule

SWE-Bench Verified & 36.49 & 64.98 & +28.50 & 51.49 & 2.13 & -49.35 & 41.35 & 0.70 & -40.65 \\
SWE-Bench Multilingual & 50.73 & 66.33 & +15.60 & 31.19 & 1.59 & -29.61 & 23.76 & 0.84 & -22.93 \\
SWE-Bench Pro & 33.43 & 50.27 & +16.84 & 30.60 & 0.20 & -30.40 & 20.61 & 0.13 & -20.47 \\

\midrule[\heavyrulewidth] 
\textbf{Average} & \textbf{40.22} & \textbf{60.53} & \textbf{+20.31} & \textbf{37.76} & \textbf{1.31} & \textbf{-36.45} & \textbf{28.57} & \textbf{0.56} & \textbf{-28.02} \\
\bottomrule
\end{tabular}

**Figure 5:** **RL dynamics with and without behavior monitoring.** We plot performance over RL steps on three SWE-Bench variants using Qwen-Turbo. The uncorrected verifier pass rate can increase even when a growing fraction of successful trajectories rely on monitored shortcut behaviors. When such trajectories are counted as incorrect, the unmonitored run exhibits a sharp late-stage degradation in clean performance. Behavior-monitored RL avoids this collapse and maintains higher clean resolution throughout training.

Table 3 reports the final effect of behavior-monitored RL. Across the three benchmarks, the monitor reduces average hacked-resolved rate from 28.57% to 0.56%, while improving clean resolved rate from 40.22% to 60.53%. Thus, the gain is not merely an increase in raw verifier passing, but a shift from shortcut-dependent success toward monitor-clean success.

Figure 5 explains how this shift emerges during RL. In the unmonitored run, verifier success can remain high even as clean resolved performance deteriorates, indicating that the terminal reward increasingly accepts process-invalid solutions. Behavior-monitored RL prevents this divergence by penalizing trajectories that obtain verifier success through monitored shortcut channels. The monitor therefore acts as a process-aware reward correction, rather than a post-hoc filter.

3. Interactive Judge for Frontend Tasks

Section Summary: Frontend development outputs cannot be fully assessed by simply checking if code runs without errors, since visual appearance, animations, and user interactions also matter. To address this, the authors first created a rubric-based static judge that scores rendered screenshots and source code along structured dimensions such as functional correctness and visual quality, achieving stronger alignment with human ratings than unstructured approaches. They then developed an agentic interactive judge that plans user actions, executes them in a live browser, and evaluates the resulting recordings to capture dynamic behaviors that static checks miss.

Unlike SWE-like tasks, frontend tasks cannot be evaluated by execution success alone. A coding agent may produce error-free HTML, CSS, and JavaScript that still exhibits poor visual quality, broken animations, or incorrect interactions. Faithful evaluation of frontend outputs therefore requires inspecting both the rendered visual appearance and the interactive functional behavior of the generated artifacts.

In this section, we first introduce a rubric-based static judge that evaluates rendered screenshots and source code along structured dimensions, providing an initial level of reward faithfulness for frontend tasks (§ 3.1). We then present an agentic interactive judge that simulates real user interactions with the generated web pages, improving reward robustness and achieving closer alignment with human frontend evaluation (§ 3.2).

::: {caption="Table 4: Rubric-based judge alignment with human annotations and cross-judge consistency. We evaluate 671 WebDev tasks across 8 models using two scorer models and multiple prompt configurations. All rank correlations are statistically significant (p < 0.05)."}

:::

3.1 Rubric-based Static Judge

Motivation. Without executable tests, a natural alternative is to use a large language model as a judge: feeding it the generated code and rendered screenshots, and asking it to score the output directly. However, such model-based judges are prone to subjective bias, inconsistent scoring criteria, and incomplete coverage of visual and functional correctness. Recent work has shown that introducing structured evaluation rubrics can mitigate these issues ([24, 39, 40]): by decomposing the overall reward into fine-grained scoring dimensions that target specific aspects of functional correctness and visual quality, rubric-based evaluation reduces model bias and improves reproducibility. Furthermore, iteratively refining the rubric design can further improve scoring quality ([23]).

Design and Effect. Building on these findings, we design a rubric-based judge that takes both rendered screenshots and source code as input, evaluating along structured dimensions such as functional correctness and visual quality. We find that introducing well-designed rubrics improves inter-annotator agreement among human evaluators, for example, mitigating the tendency to prefer visually impressive but functionally incorrect outputs. Moreover, rubrics significantly improve the alignment between model judge scores and human evaluations, as well as cross-judge consistency across different judge models, as shown in Table 4.

Concretely, we evaluate 671 WebDev tasks across 8 models. Each task is decomposed into a checklist averaging 25.9 items spanning six dimensions: Functional (37.7%), Content (19.0%), Visual (13.3%), Layout (12.9%), UX (9.3%), and Technical (7.2%). We run 6 scorer configurations combining two judge models (Qwen3.6-Max and Qwen3.7-Plus), two prompt variants (Default and Strict), and two thinking levels. All configurations produce highly consistent model rankings: within each scorer family, Kendall $\tau = 1.0$; across scorer families, $\tau \geq 0.93$. Varying prompt strictness lowers absolute scores and increases score spread without altering rankings, while thinking level has negligible effect (

lt; 0.6$ points). These results confirm that the rubric-based judge is robust to configuration choices. Detailed judge prompts are provided in Appendix.

**Figure 6:** RL training curves of frontend coding score (train and test) and generation length across training steps for three judging paradigms: Visual judge, hybrid judge, and interactive judge.

Limitations. Despite these gains, the static judging paradigm has inherent drawbacks. First, complex frontend features such as form validation, dynamic routing, and stateful interactions are difficult to verify through code inspection alone; correctness depends on runtime behavior that source code review cannot reliably capture. Second, static screenshots represent only a single page state and cannot cover multi-page navigation, interactive transitions, or content that appears only after user actions (e.g., dropdown menus, modal dialogs, scroll-triggered elements). Together, these limitations motivate a judge that can actively interact with the rendered artifact.

3.2 Agentic Interactive Judge

Motivation. A natural solution is to adopt an interaction-based evaluation protocol that mirrors how a human quality inspector assesses a web application: by actually navigating and operating it. However, deploying a fully autonomous visual agent loop for judging is impractical under current constraints: multi-turn agent interactions incur high inference cost ([41]), and sequential decision-making introduces compounding errors that degrade evaluation stability. We therefore design a semi-automated agentic interactive judge that balances interaction coverage with efficiency and reliability.

Method. The core idea is a three-stage evaluate-by-interaction pipeline (Figure 7). First, given the rendered web page and the evaluation rubrics, an action planner generates a complete action list in a single pass, specifying the sequence of user interactions needed to exercise the target functionality. Second, a Playwright-based render server executes these actions in a live browser environment and records the resulting interaction trace, including screen recordings and state changes at each step. Third, a judge model evaluates sampled frames from the recordings together with the source code against the rubric criteria, producing the final score.

**Figure 7:** Overview of the Interactive Judge pipeline. Given candidate code and a user prompt, the preprocessing stage extracts page information (accessibility tree, browser state, keyboard listeners) and synthesizes evaluation criteria (Critical and Detail checklists). The action planner then generates a complete action list in a single pass, which is executed by a Playwright server to produce an interaction trace. The judge model scores the trace against the criteria, yielding rewards for RL training or annotations for SFT data curation.

Concretely, we pre-define a library of atomic web operations (e.g., click, scroll, navigate, fill form, hover, press key) that serves as the action vocabulary for the planner. Unlike a standard agent loop that iteratively decides each action conditioned on previous observations, our planner generates all actions in a single forward pass from the task specification and page information (accessibility tree, browser state, keyboard listeners). The render server then executes the action list sequentially, capturing screenshots, DOM changes, and console output after each step. The judge model receives these interaction traces alongside the source code and rubric checklist, and scores the observed behavior against the task requirements.

By grounding evaluation in actual runtime behavior, this approach directly verifies functional correctness through real interactions rather than code inspection, and naturally scales to multi-page applications by navigating across pages. Compared to static judges, which can only observe source code and fixed screenshots, the interactive judge captures dynamic behaviors such as animations, state transitions, and multi-step workflows that are otherwise invisible to evaluation. Importantly, as shown in Figure 6, the interactive judge outperforms both static alternatives (Visual and Hybrid) as an RL reward signal, achieving higher test scores while maintaining stable output length. Static judges, by contrast, are susceptible to length exploitation: models learn to generate increasingly verbose CSS and JavaScript to inflate static judge scores, a form of reward hacking that the interactive judge avoids since its reward derives from runtime behavior rather than source code.

Application in Training. We evaluate the Interactive Judge as a training reward on two internal benchmarks: WebDev Human Eval, a human-evaluation benchmark maintained by the Qwen team, and QwenWebBench, an automated frontend evaluation benchmark. We apply the Interactive Judge as a filtering criterion for best-of-4 rejection sampling fine-tuning (RFT) on an intermediate checkpoint of Qwen3.7-Plus. As shown in Table 5, RFT with Interactive Judge filtering yields consistent improvements on both benchmarks. We further integrate this reward into the full training pipeline of Qwen-Max. At the time of release, Qwen3.7-Max ranked 4-th globally on Code Arena, a leaderboard reflecting frontend development capability, trailing only Claude models. Detailed ablation results for each component of the Interactive Judge are provided in Appendix E.

::: {caption="Table 5: Effect of rejection sampling fine-tuning with Interactive Judge filtering on an intermediate Qwen-Plus checkpoint."}

:::

4. User Feedback as Verifier for Real-World Agent Tasks

Section Summary: Current agent training depends on automated test suites that work only in limited, artificial environments, leaving a mismatch with messy real-world tasks. The authors argue that actual users provide the most reliable signal of success through their natural language replies and actions during conversations, and they extract this implicit feedback at scale with an LLM judge to create training data. This enables direct optimization methods like SFT and span-level KTO that avoid the reward hacking risks of learned proxy models and support ongoing improvement from live interactions.

Currently, the vast majority of agent training relies on carefully constructed verifiers that determine task completion through test suites. In practice, this confines training to controlled, sandboxed settings: to enable automated evaluation, researchers rewrite tasks to fit specific verifiers, filter out instances that resist automatic evaluation, or evaluate only a subset of dimensions. While these compromises keep the training pipeline operational, they introduce a systematic gap between the training distribution and open-ended, real-world scenarios—where agents must handle diverse, unconstrained requirements that such sandboxed proxies fail to capture.

For such open-ended, real-world scenarios, the central challenge remains providing faithful and robust reward signals. Luckily, as the initiator of tasks, the user naturally cares whether the agent has completed the task, making the user the most ideal verifier. However, users typically do not provide explicit numerical reward signals. Instead, they implicitly convey their verification judgments through natural language and behavioral patterns during multi-turn interactions with the agent.

A natural way to operationalize this signal would be to distill it into a learned reward model and optimize against it at scale. Such a reward model is attractive in terms of scalability: once trained, it can score arbitrarily many trajectories at negligible cost. However, real user intent in open-ended scenarios is extremely diverse and deeply underspecified, and a reward model can only compress it into a static, lossy proxy—making it hard to learn genuine user intent precisely from interactions. As the policy strengthens, it tends to exploit the gap between this proxy and the true intent, eroding exactly the robustness that matters most in real-world deployment. Instead, given the vast user base, we treat the user directly as the verifier, allowing the model to naturally learn detailed aspects of human intent from large-scale user feedback data. We regard the large-scale yet faithful exploitation of user feedback as the key link in forming a data flywheel: real interactions continually supply on-policy signals grounded in the agent's actual behavior, which in turn drive the next round of policy improvement.

This section therefore presents a pipeline to extract process-level natural language feedback from user–agent interaction trajectories and leverages it for training via three objectives—SFT, reweight SFT (RW-SFT), and span-level KTO (Span-KTO).

4.1 Feedback Annotation Pipeline

Data Source.

Our conversation data originates from real interaction records between a group of senior software engineers within the company and a coding assistant during their daily development work. These professional developers use the coding assistant extensively across diverse engineering tasks—code refactoring, feature development, bug fixing, and system design—providing both authentic task diversity and high-quality feedback signals grounded in clear technical reasoning.

Human Implicit Reward Signal.

In multi-turn interactions between users and the coding assistant, each user reply naturally contains an evaluation of the assistant's performance in the previous round. Users may explicitly state "no, revert it, " or implicitly convey their attitude through behavior—for example, accepting the result and immediately adding a new requirement (implicit approval), or re-describing the same requirement in a different way (implicit rejection, indicating that the assistant failed to understand correctly). We refer to these signals scattered throughout conversations as Human Implicit Reward Signals (HIRS) and design an automated annotation pipeline based on LLM-as-Judge to extract these signals at scale.

LLM-as-Judge Annotation.

After preprocessing the raw trajectories to strip evaluation-irrelevant noise (reasoning traces, verbose tool I/O, and system prompts) so that the Judge focuses on the substantive user–assistant interaction, we use Qwen-Plus as the Judge model to annotate the conversation round by round, where a round denotes a single user message together with the assistant's complete response to it. The core of the annotation is a carefully designed System Prompt (full content in Appendix I), which requires the Judge to follow three principles:

  1. Dual-perspective evaluation: Simultaneously record what the user expressed (polarity) and whether the user's evaluation is objectively fair (user_fairness). The two are allowed to disagree---for example, when the assistant correctly follows instructions but is negated by the user, polarity is labeled as negative, but user_fairness is labeled as unreasonable;
  2. Evidence-driven: Each annotation must cite specific words or phrases from the user's original message as evidence; annotation based on speculation is not permitted;
  3. Conservative annotation: When signals are ambiguous, the annotation should lean toward neutral—"better to miss than to mislabel."

For each round, the Judge outputs structured fields including reward polarity (polarity), confidence, signal source type, negative reason category, and user evaluation fairness (user_fairness). At the trajectory level, the overall task completion status is also annotated. The complete field specification is provided in the Judge prompt in Appendix I.

4.2 Dataset Analysis

**Figure 8:** Round-level signal statistics of the annotated dataset: (a) polarity distribution, (b) polarity-by-confidence breakdown, and (c) negative-reason distribution.

The annotated dataset contains 125,528 trajectories and 535,737 round-level annotations. As shown in Figure 8, we identify three key characteristics:

  • The polarity distribution is highly asymmetric. User feedback is dominated by neutral signals, followed by negative signals, with positive signals being extremely rare. After excluding the initial task description rounds, neutral, negative, and positive signals account for 76.6%, 20.0%, and 3.5%, respectively. This reflects a natural tendency in human–computer interaction—users typically proceed directly to the next requirement when the assistant performs correctly rather than offering explicit praise, while they tend to provide explicit feedback when the assistant makes errors.
  • Negative signals carry high confidence. Compared to neutral signals, users express rejection of assistant performance with notably greater clarity and certainty. Specifically, 81.8% of negative signals are high-confidence, far exceeding the 18.7% for neutral signals.
  • Errors concentrate in execution and comprehension. Among the breakdown of negative reasons, execution errors (56.6%) and misunderstanding errors (21.1%) together account for 77.7%, indicating that code implementation correctness and requirement comprehension accuracy are the two most critical areas for improvement in coding assistants.

Trajectory-level statistics (outcome distribution, round–trajectory consistency, and feedback reliability) are reported in Appendix F, and detailed examples of each annotation type are provided in Appendix G.

4.3 Methods

Notation.

Given input context $x$ and target output sequence $y = (y_1, y_2, \dots, y_T)$, an autoregressive language model $\pi_\theta$ outputs the conditional probability $\pi_\theta(y_t \mid x, y_{<t})$ at each time step $t$. In our training data, each token $y_t$ is associated with a process-level polarity annotation $p_t \in {\texttt{positive}, \texttt{neutral}, \texttt{negative}}$, derived from human feedback signals that evaluate the model's behavior step by step. We denote the frozen reference model (i.e., the pre-training checkpoint before training) as $\pi_{\mathrm{ref}}$.

Span Definition.

Given the per-token polarity annotation sequence $(p_1, \dots, p_T)$ of a response $y$, we partition the trajectory into $K$ contiguous spans with consistent polarity ${S_k}{k=1}^{K}$ according to user interaction boundaries, where each span $S_k = (y{s_k}, y_{s_k+1}, \dots, y_{e_k})$ satisfies:

  1. All tokens within the span share the same polarity, i.e., $p_t = p_{S_k}, ; \forall, t \in [s_k, e_k]$;
  2. $p_{S_k} \in {\texttt{positive}, \texttt{negative}}$ (neutral tokens do not participate in preference learning).

Supervised Fine-Tuning (SFT).

Standard supervised fine-tuning applies a uniform cross-entropy loss to all tokens, without distinguishing polarity annotations:

$ \mathcal{L}{\mathrm{SFT}}(\theta) = -\mathbb{E}{t}!\left[\log \pi_\theta(y_t \mid x, y_{<t})\right]\tag{1} $

where $\mathbb{E}_{t}$ denotes the uniform expectation over all token positions in the sequence. This method treats tokens corresponding to positive, neutral, and negative feedback equally, relying entirely on the quality of the data distribution itself to guide model learning.

Reweight SFT (RW-SFT).

A straightforward approach to leveraging process-level human annotation signals is to apply differentiated loss weights to tokens of different polarities. We define the weight function $w\colon {\texttt{positive}, \texttt{neutral}, \texttt{negative}} \to \mathbb{R}_{\geq 0}$:

$ w(p_t) = \begin{cases} w_{\mathrm{pos}} & \text{if } p_t = \texttt{positive} \ w_{\mathrm{neu}} & \text{if } p_t = \texttt{neutral} \ w_{\mathrm{neg}} & \text{if } p_t = \texttt{negative} \end{cases}\tag{2} $

The reweight SFT loss is defined as:

$ \mathcal{L}{\mathrm{RW\text{-}SFT}}(\theta) = -\mathbb{E}{t}!\left[w(p_t) \log \pi_\theta(y_t \mid x, y_{<t})\right]\tag{3} $

In practice, we set $w_{\mathrm{pos}} = 1.2$, $w_{\mathrm{neu}} = 1.0$, and $w_{\mathrm{neg}} = 0.8$, i.e., slightly amplifying the learning signal for positive tokens and slightly downweighting negative tokens. This method introduces almost no additional computational overhead on top of standard SFT, achieving selective attenuation of negative behaviors through weight adjustment, serving as a baseline method for leveraging human annotation signals. However, as shown in Section 4.4.1, this method is highly sensitive to weight values.

Span-Level KTO.

RW-SFT leverages the polarity information from human annotations through reweighting, but its mechanism is limited to adjusting the learning intensity for tokens of each polarity and cannot explicitly push the model policy away from negative behaviors. To address this, we further introduce a preference learning-based training method.

KTO ([25]) incorporates prospect theory into language model alignment, using the log-likelihood ratio between the policy model and the reference model as an implicit reward to achieve preference optimization without requiring paired preference data. Subsequent work extended KTO from the response level to the step level (step-level KTO) to capture finer-grained process-level feedback. Our method continues this line of work by defining the reward judgment unit of KTO as contiguous spans delineated by human-annotated polarity, where each span corresponds to the response generated by the Agent for a complete user request.

Span-Level Implicit Reward.

For each span $S_k$, the implicit reward is defined as the sum of log-likelihood ratios of all tokens within the span:

$ r_\theta(x, S_k) = \sum_{t=s_k}^{e_k} \left[\log \pi_\theta(y_t \mid x, y_{<t}) - \log \pi_{\mathrm{ref}}(y_t \mid x, y_{<t})\right]\tag{4} $

Each span serves as an independent reward judgment unit, and the sum of log-likelihood ratios of its internal tokens constitutes the joint log-likelihood ratio for that span. This definition is formally identical to the sequence-level log-likelihood ratio in response-level KTO.

Reference Point Estimation.

The reference point $z_{\mathrm{ref}}$ is estimated online via exponential moving average (EMA) over all span rewards during training:

$ z_{\mathrm{ref}} \leftarrow \alpha \cdot z_{\mathrm{ref}} + (1 - \alpha) \cdot \bar{r}_{\mathrm{batch}}\tag{5} $

where $\bar{r}{\mathrm{batch}} = \mathbb{E}{S_k \in \mathcal{S}{\mathrm{batch}}} !\left[r\theta(x, S_k)\right]$ is the average implicit reward of all spans in the current batch, and $\alpha$ is the EMA decay coefficient.

Span-Level Preference Loss.

We define the advantage function for each span as the offset of its implicit reward relative to the reference point, $a_k = r_\theta(x, S_k) - z_{\mathrm{ref}}$, and apply different value functions to positive and negative spans:

$ \ell(S_k) = \begin{cases} -\lambda_w \cdot \sigma(\beta \cdot a_k) & \text{if } p_{S_k} = \texttt{positive} \ -\lambda_l \cdot \sigma(-\beta \cdot a_k) & \text{if } p_{S_k} = \texttt{negative} \end{cases}\tag{6} $

where $\sigma$ is the sigmoid function, $\beta > 0$ controls the preference strength, and $\lambda_w$ and $\lambda_l$ are the loss coefficients for positive and negative spans, respectively. The preference loss is the expectation over all span losses:

$ \mathcal{L}{\mathrm{pref}}(\theta) = \mathbb{E}{S_k}!\left[\ell(S_k)\right]\tag{7} $

Neutral Token Regularization.

Neutral tokens ($p_t = \texttt{neutral}$) carry no preference signal but still contain valuable language modeling information. We apply the standard cross-entropy loss to neutral tokens as a regularization term:

$ \mathcal{L}{\mathrm{neutral}}(\theta) = - \mathbb{E}{t \in \mathcal{T}{\mathrm{neu}}}!\left[\log \pi\theta(y_t \mid x, y_{<t})\right]\tag{8} $

where $\mathcal{T}_{\mathrm{neu}} = {t : p_t = \texttt{neutral}}$ is the set of neutral tokens.

Overall Objective.

The complete training objective of Span-KTO is the combination of the preference loss and the neutral regularization:

$ \mathcal{L}{\mathrm{Span\text{-}KTO}}(\theta) = \mathcal{L}{\mathrm{pref}}(\theta) + \mathcal{L}_{\mathrm{neutral}}(\theta)\tag{9} $

Span-KTO introduces two key hyperparameters: the preference strength $\beta$ and the negative span loss coefficient $\lambda_l$. Ablation experiments for these hyperparameters are detailed in Appendix H.

4.4 Experiments

4.4.1 Sensitivity Analysis of RW-SFT

**Figure 9:** Effect of $w_{\mathrm{neg}}$ on RW-SFT performance averaged over three SWE-bench benchmarks.

Figure 9 shows the effect of the negative weight $w_{\mathrm{neg}}$ on model performance in RW-SFT. Performance is highly sensitive to $w_{\mathrm{neg}}$ and exhibits a non-monotonic trend: $w_{\mathrm{neg}} = 0.0$ (completely discarding negative tokens) yields a score of only 37.2%, and $w_{\mathrm{neg}} = 0.5$ drops to 35.1%, both significantly below the SFT baseline ($w_{\mathrm{neg}} = 1.0$, 41.8%). The dashed line in the figure shows the result of performing SFT after discarding entire trajectories labeled as failure or abandoned, which also fails to yield significant gains. The only configuration that exceeds the baseline is $w_{\mathrm{neg}} = 0.8$ (44.4%), which applies only a slight downweighting to negative spans. This indicates that negative spans still contain valuable language modeling information, and heavily penalizing or completely discarding them instead harms the effective utilization of training data.

This confirms a fundamental limitation of reweighting: it can only adjust learning intensity but cannot change the learning direction, motivating the preference learning approach of Span-KTO.

4.4.2 Main Results

**Figure 10:** Performance comparison of the best checkpoints of SFT, RW-SFT, and Span-KTO across five code capability benchmarks. Error bars indicate standard deviation across multiple evaluations. Span-KTO achieves the best results on all benchmarks.

We evaluate the model's ability to correctly complete tasks on the following five benchmarks: the SWE-bench series (Verified ([36, 21]), Pro ([35]), Multilingual ([42])) evaluates code repair capabilities in real software repositories; Aone-bench is an internal software engineering benchmark; OctoBench ([43]) evaluates the Agent's ability to follow scaffold instructions in repository-level coding tasks. Figure 10 presents the comparison results of the three methods across all benchmarks.

Span-KTO outperforms both baseline methods on all five benchmarks. On SWE-bench Verified, Span-KTO (59.8%) achieves a 5.6 percentage point absolute improvement over the SFT baseline (54.2%); the improvement is even more pronounced on SWE-bench Multilingual (+7.8pp). On Aone-bench, SFT achieves only 14.8%, while Span-KTO improves to 28.1% (+13.3pp), demonstrating the significant value of process-level human feedback in real code repair scenarios. The gap among the three methods is smaller on OctoBench (62.3% / 67.0% / 67.4%), possibly because this benchmark emphasizes the comprehensive ability to follow scaffold instructions rather than code repair quality alone.

RW-SFT outperforms the SFT baseline on all benchmarks but with limited improvement (e.g., only +1.0pp on SWE-bench Verified), indicating that simple reweighting can partially leverage annotation signals but falls far short of the preference learning framework of Span-KTO—the latter not only attenuates learning from negative behaviors but also explicitly pushes the model policy away from erroneous directions.

4.4.3 Negative Behavior Correction

**Figure 11:** Comparison of SFT and Span-KTO across six behavioral dimensions on SWE-bench Verified, presented separately for resolved and unresolved tasks. Scores range from 0 to 4, with higher scores indicating fewer negative behaviors.

To gain a deeper understanding of the improvements brought by Span-KTO, we further analyze the model's performance across six behavioral dimensions. Using an Agent-as-Judge approach (evaluation rubric detailed in Appendix L), we score the model's Agent trajectories along six dimensions: Execution Error, Misunderstand, Omission, Overaction, Inefficiency, and Communication. Figure 11 presents the comparison results between the SFT baseline and Span-KTO on SWE-bench Verified.

Resolved Instances.

Span-KTO shows improvement across all dimensions, but with modest margins (+0.5% +6.8%), because successfully resolved instances already exhibit high behavioral quality, leaving limited room for improvement.

Unresolved Instances.

The differences are highly significant. Span-KTO shows the most notable improvement in Inefficiency (+34.5%) and Communication (+26.5%), with Execution Error also improving by +13.9%. This indicates that Span-KTO enables the model to exhibit better self-regulation when facing difficult tasks: identifying bottlenecks more quickly, reducing pointless retries, and communicating the problem to users in a clearer manner. The improvement in Execution Error further shows that technical mistakes such as syntax errors and incorrect commands during execution are also significantly reduced.

This result reveals that the value of Span-KTO training lies not only in "solving more problems" (resolution rate +5.9pp) but also in "behaving more reasonably when failing". This is critical for real-world deployment—user trust in an Agent depends largely on whether it can still behave professionally and controllably when it cannot complete a task.

5. Dynamic Agent Judge for Long-horizon Tasks

Section Summary: The section discusses the challenge of evaluating AI-generated code for complex, long-horizon projects that involve building entire repositories from high-level natural language specs. Because fixed test suites cannot cover all implementation details or edge cases at this scale, the authors introduce an agent-based evaluator that dynamically breaks a specification into a checklist of functional requirements, scores the generated codebase against them, and produces both a pass rate and an overall quality rating. They validate this evaluator on a dataset of model-generated repositories by measuring how well its scores align with actual unit-test results, using metrics such as best-of-N selection accuracy, regret, and rank correlations.

The tasks discussed in the preceding sections target the comprehension, modification, and enhancement of existing codebases. Meanwhile, long-horizon code generation—producing structurally complex, complete projects from natural-language specifications—has attracted growing attention ([26, 27, 28]). These benchmarks require the agent to architect module hierarchies, manage cross-file dependencies, and deliver functionally complete codebases from scratch. Providing reliable reward signals for such tasks is especially challenging, as the complexity and scale of the generated codebases far exceed what conventional verifiers are designed to handle.

5.1 Design of the Evaluation Agent

Motivation Specifications for such tasks are typically expressed at a high level of abstraction: they describe the expected functionality and external interfaces but leave the internal implementation and file organization largely unspecified. Verifying the full functionality of the generated code requires a comprehensive test suite covering all features and corner cases, easily amounting to hundreds of test cases, making it infeasible to rely solely on human-written tests as a scalable reward signal. Moreover, different implementations inevitably introduce distinct corner cases that static, pre-defined test suites cannot anticipate. This motivates the use of an agent-based evaluator ([44, 45]) that leverages the model's own reasoning capabilities to dynamically assess generated code and provide reward signals, offering a scalable alternative to manually authored test suites.

Evaluation Task Design Let $\mathcal{G}$ denote the generator, $\mathcal{E}$ the evaluator agent, and $\mathcal{I}$ the evaluation instruction prompt. Given a task specification $\mathcal{T}$ and the code repository $\mathcal{G}(\mathcal{T})$ produced by the generator, the evaluator decomposes $\mathcal{T}$ into a checklist $\mathcal{C} = {c_1, c_2, \dots, c_N}$ of verifiable functional requirements, assesses the implementation against each item, and produces two scores: a checklist pass rate $S_{\mathrm{pass}} = \frac{1}{N}\sum_{i=1}^{N} \mathbb{I}[c_i \text{ passes}]$, and an overall evaluation score $S_{\mathrm{eval}}$ that captures holistic code quality, since checklist items vary in importance and a uniform average over binary outcomes does not necessarily reflect overall code quality.

Evaluation of the Evaluator To assess the quality of $\mathcal{E}$ itself, we extract the original test suite from each source repository and treat it as an approximate ground truth. For each generated repository $\mathcal{G}(\mathcal{T})$, this test suite yields a unit-test score $S_{\mathrm{UT}}$. We evaluate $\mathcal{E}$ by measuring how closely its scores ($S_{\mathrm{pass}}$, $S_{\mathrm{eval}}$) align with $S_{\mathrm{UT}}$ across a population of generated repositories. The following subsections examine how to measure this alignment, how to design $\mathcal{E}$ to maximize it, and how different training objectives prioritize different evaluator metrics.

5.2 Dataset Construction and Metrics Design

Dataset Construction. We construct a validation dataset for evaluator based on the NL2Repo benchmark, which contains $M = 104$ long-horizon code generation tasks. For each task $\mathcal{T}j$, we collect generations from a diverse set of models, including Claude Opus 4.6 ([46]), Gemma 4 ([47]), Qwen 3.6 ([48]), MiniMax M2.5 ([49]), GLM 5 ([50]), and Kimi K2.5 ([51]), and evaluate each generation against the benchmark's built-in test suite to obtain $S{\mathrm{UT}}^{(j, k)}$ for the $k$-th generation of task $j$. To ensure meaningful discriminability, we retain up to $K = 4$ generations per task, selected to maximize diversity in unit-test scores.

Metrics Design. To quantify the alignment between the evaluator $\mathcal{E}$ and the unit-test ground truth, we design the following metrics. We primarily evaluate using $S_{\mathrm{eval}}$ rather than $S_{\mathrm{pass}}$, as we find $S_{\mathrm{eval}}$ exhibits consistently higher correlation with $S_{\mathrm{UT}}$.

Best-of- $N$ Accuracy and Regret.

For each task $\mathcal{T}j$, let $k^* = \arg\max_k S{\mathrm{eval}}^{(j, k)}$ denote the sample selected by the evaluator. Best-of- $N$ (BoN) accuracy measures how often this selection coincides with the unit-test optimum:

$ \mathrm{BoN\text{-}Acc} = \frac{1}{M}\sum_{j=1}^{M} \mathbb{I}!\left[k^* = \arg\max_k S_{\mathrm{UT}}^{(j, k)}\right]. $

To capture the magnitude of suboptimal selections, we define the per-task regret as the gap between the best achievable unit-test score and the score of the evaluator's selection:

$ \mathrm{Regret}j = \max_k S{\mathrm{UT}}^{(j, k)} - S_{\mathrm{UT}}^{(j, k^*)}, $

and report the average regret $\overline{\mathrm{Regret}} = \frac{1}{M}\sum_{j=1}^{M} \mathrm{Regret}_j$. Together, these two metrics measure the evaluator's selection ability, i.e., whether it can reliably identify the best sample from a small candidate pool. As selecting the single best candidate is the simplest demand one can place on an evaluator, BoN accuracy and regret serve as a baseline measure of evaluator competence.

Kendall's $\tau$.

For each task $\mathcal{T}j$, we enumerate all sample pairs $(k, l)$ with $S{\mathrm{UT}}^{(j, k)} \neq S_{\mathrm{UT}}^{(j, l)}$ and classify each pair as concordant ($+1$) if the evaluator's ranking agrees with the unit-test ranking, discordant ($-1$) if it disagrees, or tied ($0$) if $S_{\mathrm{eval}}^{(j, k)} = S_{\mathrm{eval}}^{(j, l)}$. The overall Kendall's $\tau$ is the average score across all such pairs.

Pearson $r$ and Spearman $\rho$.

For each task $\mathcal{T}j$, we compute Pearson's $r$ and Spearman's $\rho$ between $S{\mathrm{UT}}$ and each of the two evaluator scores within each task, and macro-average across all tasks to obtain $r_{\mathrm{eval}}$, $r_{\mathrm{pass}}$, $\rho_{\mathrm{eval}}$, and $\rho_{\mathrm{pass}}$. Results confirm that $r_{\mathrm{eval}} \gg r_{\mathrm{pass}}$ and $\rho_{\mathrm{eval}} \gg \rho_{\mathrm{pass}}$, validating the use of holistic evaluation scores as the primary reward signal. Together with Kendall's $\tau$, these correlation metrics assess ranking consistency across the full score range, imposing a stricter requirement on the evaluator than merely selecting the top sample.

Threshold-Conditioned UT Score.

To measure how well the evaluator identifies high-quality generations, we define the threshold-conditioned unit-test score. Given a threshold $\theta$, let $\mathcal{A}\theta = {(j, k) : S{\mathrm{eval}}^{(j, k)} \geq \theta}$ denote the set of samples that the evaluator deems sufficiently good. The conditioned score is:

$ \bar{S}{\mathrm{UT}}(\theta) = \frac{1}{|\mathcal{A}\theta|}\sum_{(j, k) \in \mathcal{A}\theta} S{\mathrm{UT}}^{(j, k)}. $

A faithful evaluator should yield monotonically increasing $\bar{S}_{\mathrm{UT}}(\theta)$ as $\theta$ rises: samples that receive higher evaluation scores should, on average, achieve higher unit-test scores. This metric thus evaluates filtering quality.

As we show in Section 5.4, different downstream training objectives prioritize different subsets of these metrics, and an evaluator that excels on one dimension may underperform on another.

5.3 Designing Better Evaluator Agents

When deploying existing models as evaluators, we identify several recurring failure patterns that systematically undermine evaluation faithfulness. Using Qwen-Plus ([48]) as the evaluator backbone, we characterize these failure modes as follows, and design targeted mitigations, progressively refining the evaluation.

Baseline workflow. The initial evaluation prompt instructs $\mathcal{E}$ to follow a three-stage pipeline: (1) decompose the specification $\mathcal{T}$ into a checklist $\mathcal{C}$, (2) verify each item through code review, and (3) produce the evaluation report with $S_{\mathrm{pass}}$ and $S_{\mathrm{eval}}$. While this pipeline mirrors intuitive human review practices, it yields limited alignment with ground-truth scores in practice.

Lazy evaluation without execution (baseline $\to$ v1). The evaluator frequently relies on static code reading alone without executing any tests, and even when it does write tests, they are often too simplistic or too few to surface real bugs. This produces false positives where plausible-looking but incorrect code receives passing marks.

Lack of end-to-end validation (v1 $\to$ v2). Even with unit-test execution, the evaluator's tests predominantly cover function-level requirements without performing end-to-end validation. As a result, globally broken repositories (e.g., import errors, dependency conflicts, naming collisions) can still receive inflated scores.

Role confusion (v2 $\to$ v3). We observe three forms of boundary violation: the evaluator occasionally modifies the generator's code to fix bugs before evaluation, masking real defects; it sometimes executes tests already in the repository rather than writing its own; and it may advocates for the generator, dismissing failing tests by rationalizing that the generator's alternative behavior is acceptable. These behaviors collectively inflate scores by hiding or excusing genuine defects.

Context overload (v3 $\to$ v4). The evaluator tends to exhaustively read large portions of the codebase when only entry-point definitions and interface signatures are needed, wasting context capacity and diluting attention on relevant code.

Over-specification (v4 $\to$ v5). A natural hypothesis is that more detailed rules will help evaluation. However, further elaborating constraints with exhaustive lists of prohibited commands and additional procedural guardrails yields worse performance across most metrics (Table 6). This reveals a rubric granularity trade-off: moderately detailed rules help a weaker evaluator execute the intended workflow, but excessively prescriptive instructions overwhelm the model's ability to follow them coherently, degrading overall judgment quality.

\begin{tabular}{lcccccc}
\toprule
\textbf{Prompt} & \textbf{BoN-Acc} $\uparrow$ & $\overline{\mathbf{Regret}}$ $\downarrow$ & $\boldsymbol{\tau}$ $\uparrow$ & $\boldsymbol{r_{\mathrm{eval}}}$ / $\boldsymbol{\rho_{\mathrm{eval}}}$ $\uparrow$ & $\boldsymbol{r_{\mathrm{pass}}}$ / $\boldsymbol{\rho_{\mathrm{pass}}}$ $\uparrow$ \\
\midrule
v1 & 57.9 & 0.086 & 0.379 & 0.489 / 0.448 & 0.503 / 0.477 \\
v2 & 63.9 & 0.088 & 0.420 & 0.525 / 0.490 & 0.623 / 0.589 \\
v3 & 62.4 & \textbf{0.081} & 0.440 & 0.556 / 0.564 & 0.599 / 0.597 \\
v4 & \textbf{67.4} & 0.089 & \textbf{0.473} & \textbf{0.598} / \textbf{0.578} & 0.562 / 0.529 \\
v5 & 59.6 & 0.098 & 0.471 & 0.541 / 0.522 & 0.516 / 0.455 \\
\bottomrule
\end{tabular}

Table 6 summarizes the progression. From v1 to v4, BoN accuracy improves from 57.9% to 67.4%, Kendall's $\tau$ from 0.379 to 0.473, and $r_{\mathrm{eval}}$ from 0.489 to 0.598, confirming that appropriately detailed rules improve evaluator faithfulness. However, the drop at v5 shows that more detail is not always better: the optimal rubric granularity depends on the evaluator model's capacity for instruction following. We adopt v4 as our final evaluator prompt for all subsequent experiments.

Table 7 further reports the threshold-conditioned unit-test score $\bar{S}{\mathrm{UT}}(\theta)$. Across versions, $\bar{S}{\mathrm{UT}}(\theta)$ generally increases with $\theta$ at moderate thresholds ($\theta \leq 9$), confirming that higher evaluator scores correspond to better code; the trend becomes unreliable at $\theta \geq 10$ due to very small sample sizes. Notably, prompt v4 maintains the strongest filtering quality at moderate thresholds ($\theta \geq 8$ and $\theta \geq 9$), consistent with its leading position in the ranking-based metrics above.

\begin{tabular}{lcccc}
\toprule
\textbf{Prompt} & $\boldsymbol{\theta \geq 7}$ & $\boldsymbol{\theta \geq 8}$ & $\boldsymbol{\theta \geq 9}$ & $\boldsymbol{\theta \geq 10}$ \\
\midrule
v1 & 0.575 \scriptsize{(134)} & 0.603 \scriptsize{(72)} & 0.725 \scriptsize{(30)} & 0.729 \scriptsize{(4)} \\
v2 & 0.581 \scriptsize{(156)} & 0.598 \scriptsize{(70)} & 0.646 \scriptsize{(28)} & 0.471 \scriptsize{(2)} \\
v3 & 0.588 \scriptsize{(120)} & 0.620 \scriptsize{(46)} & 0.608 \scriptsize{(13)} & 0.684 \scriptsize{(1)} \\
v4 & 0.566 \scriptsize{(140)} & \textbf{0.625} \scriptsize{(68)} & \textbf{0.624} \scriptsize{(22)} & 0.544 \scriptsize{(5)} \\
v5 & 0.566 \scriptsize{(122)} & 0.595 \scriptsize{(59)} & 0.635 \scriptsize{(27)} & \textbf{0.741} \scriptsize{(6)} \\
\bottomrule
\end{tabular}

5.4 Evaluator Quality Under Different Training Objectives

Even after optimizing the evaluation prompt for overall alignment with $S_{\mathrm{UT}}$, the practical utility of an evaluator $\mathcal{E}$ depends on which metric matters most for the downstream training objective. Different training paradigms place different demands on the evaluator, and a single aggregate measure of alignment can mask critical deficiencies.

Rejection sampling with sufficient candidates. In rejection sampling fine-tuning (RFT) ([52]) with a large candidate pool, the evaluator acts as a quality filter: we retain all samples above a score threshold $\theta$ and discard the rest. The relevant metric is the threshold-conditioned UT score $\bar{S}_{\mathrm{UT}}(\theta)$: what matters is that the filtered set has high average quality, not that every pairwise ranking is correct. In other words, the evaluator primarily needs a low false-positive rate (rejecting bad samples), while a higher false-negative rate (discarding some good samples) is tolerable.

Rejection sampling with limited candidates. When the candidate pool per task is small, the case becomes little bit different. In this regime, the evaluator must not only identify high-quality samples but also retain a sufficient number of them; an overly strict threshold that maximizes $\bar{S}{\mathrm{UT}}(\theta)$ is counterproductive if only a handful of samples survive. Accordingly, $\bar{S}{\mathrm{UT}}(\theta)$ must be assessed jointly with the retained sample count, where the evaluator should also minimize false negatives that incorrectly reject quality generations.

Reinforcement learning. In Reinforcement Learning (RL), the evaluator provides per-sample reward signals that directly shape the policy gradient. This setting demands strong ranking consistency (high Kendall's $\tau$) so that the reward landscape faithfully reflects relative quality, and sufficient score discrimination so that the model receives meaningfully different gradients for different-quality outputs. An evaluator that assigns uniformly low scores, even if technically "correct" in flagging imperfections, provides near-zero reward variance and effectively stalls learning.

Evaluator model comparison. Using the best-performing prompt (v4) identified in Section 5.3, we compare four backbone models for $\mathcal{E}$: Claude Opus 4.7 ([53]), Qwen 3.7 Plus ([54]), Qwen 3.6 Plus ([48]), and DeepSeek V4 Pro ([55]), in Table 8 and Table 9. On ranking-based metrics, Claude Opus 4.7 leads consistently, achieving the highest BoN accuracy (70.4%) and Kendall's $\tau$ (0.579). Opus 4.7 also exhibits the highest stability across repeated runs, whereas Qwen 3.7 Plus, despite occasionally matching Opus-level BoN accuracy in individual runs, shows substantially higher variance ($\pm$ 10pp), suggesting that evaluator reliability, not just peak performance, is a critical consideration for training pipelines.

\begin{tabular}{lccccc}
\toprule
\textbf{Evaluator Model} & \textbf{BoN-Acc} $\uparrow$ & $\overline{\mathbf{Regret}}$ $\downarrow$ & $\boldsymbol{\tau}$ $\uparrow$ & $\boldsymbol{r_{\mathrm{eval}}}$ / $\boldsymbol{\rho_{\mathrm{eval}}}$ $\uparrow$ & $\boldsymbol{r_{\mathrm{pass}}}$ / $\boldsymbol{\rho_{\mathrm{pass}}}$ $\uparrow$ \\
\midrule
Claude Opus 4.7 & \textbf{70.4} & \textbf{0.052} & \textbf{0.579} & \textbf{0.708} / \textbf{0.667} & \textbf{0.662} / \textbf{0.659} \\
Qwen 3.7 Plus & 67.3 & 0.054 & 0.553 & 0.675 / 0.636 & 0.628 / 0.562 \\
Qwen 3.6 Plus & 62.6 & 0.080 & 0.493 & 0.596 / 0.574 & 0.584 / 0.558 \\
DeepSeek V4 Pro & 54.5 & 0.087 & 0.420 & 0.549 / 0.493 & 0.502 / 0.461 \\
\bottomrule
\end{tabular}

Metric conflicts and the quality–quantity trade-off. In our evaluator prompt, a score of $S_{\mathrm{eval}} \geq 8$ indicates overall passing quality, and we adopt $\theta = 8$ as the practical filtering threshold for RFT. Two tensions emerge at this threshold.

First, ranking ability does not guarantee filtering quality. Qwen 3.7 Plus substantially outperforms DeepSeek V4 Pro on BoN accuracy (67.3% vs. 54.5%) and $\tau$ (0.553 vs. 0.420), yet DeepSeek achieves a higher conditioned UT score (0.611 vs. 0.595); similarly, Qwen 3.6 Plus trails Qwen 3.7 Plus on ranking metrics but yields comparable filtering quality (0.610 vs. 0.595).

Second, data quality and data quantity are in direct tension. As shown in Table 9, raising $\theta$ consistently increases $\bar{S}{\mathrm{UT}}(\theta)$, but retained samples drop substantially: at $\theta \geq 8$ models retain 118–139 samples, whereas at $\theta \geq 10$ only 18–30 survive. A stronger evaluator helps mitigate this: at $\theta \geq 8$, Claude Opus 4.7 retains 139 samples with $\bar{S}{\mathrm{UT}} = 0.615$, achieving both the highest quality and the largest filtered set. The right evaluator thus depends on the training objective it serves.

\begin{tabular}{lcccc}
\toprule
\textbf{Evaluator Model} & $\boldsymbol{\theta \geq 7}$ & $\boldsymbol{\theta \geq 8}$ & $\boldsymbol{\theta \geq 9}$ & $\boldsymbol{\theta \geq 10}$ \\
\midrule
Claude Opus 4.7 & 0.572 \scriptsize{(198)} & 0.615 \scriptsize{(139)} & \textbf{0.652} \scriptsize{(81)} & 0.721 \scriptsize{(30)} \\
Qwen 3.7 Plus & 0.550 \scriptsize{(220)} & 0.595 \scriptsize{(129)} & 0.683 \scriptsize{(52)} & \textbf{0.795} \scriptsize{(19)} \\
Qwen 3.6 Plus & 0.535 \scriptsize{(225)} & 0.610 \scriptsize{(133)} & 0.640 \scriptsize{(65)} & 0.753 \scriptsize{(20)} \\
DeepSeek V4 Pro & 0.548 \scriptsize{(212)} & 0.611 \scriptsize{(118)} & 0.671 \scriptsize{(61)} & 0.719 \scriptsize{(18)} \\
\bottomrule
\end{tabular}

RFT results. To validate that evaluator-filtered data translates to downstream model improvement, we conduct rejection sampling fine-tuning on Qwen 3.6 Turbo. Training data is constructed as follows: we reverse-engineer repository specifications from curated public GitHub repositories, then use a frontier in-house model as the generator to produce full repository implementations from these specifications. The raw trajectories undergo rule-based quality filtering to remove degenerate outputs (e.g., empty generations, execution timeouts, malformed outputs), yielding 19,050 valid trajectories. We then apply the same model as the evaluator with threshold $S_{\mathrm{eval}} \geq 8$, retaining 9,294 high-quality trajectories for fine-tuning. Training uses batch size 128 with checkpoints every 150 steps for up to 6 epochs. We evaluate on the OpenHands scaffold with anti-hacking measures that disable network access (e.g., pip install, git clone) so that the model must rely solely on its own capabilities (averaged over three runs).

\begin{tabular}{lcccccc}
\toprule
\textbf{Training Data} & \textbf{Size} & \textbf{150 steps} & \textbf{300 steps} & \textbf{450 steps} & \textbf{600 steps} \\
\midrule
Random sample (no evaluator) & 9{,}139 & 20.29 & 21.22 & \textbf{21.61}$^\dagger
amp; -- \\ All rule-based filtered (no evaluator) & 19{,}050 & 20.78 & 23.14 & 21.15 & \textbf{24.75} \\ Evaluator-filtered ($S_{\mathrm{eval}} \geq 8$) & 9{,}139 & 19.58 & 22.43 & \textbf{23.52}$^\dagger$ & -- \\ \bottomrule \end{tabular}

As shown in Table 10, RFT substantially improves the base model (11.41 $\to$ 23.52). Under controlled data size (9,139 samples), evaluator-filtered data outperforms random sampling by 1.91 points (23.52 vs. 21.61), confirming that the evaluator provides meaningful quality signal for data selection. The full unfiltered set (19,050 samples) achieves 24.75 (at 600 steps, but plateaus thereafter), illustrating the quality–quantity trade-off discussed above: doubling the data volume can compensate for the absence of evaluator filtering, but at higher computational cost. These results suggest that the evaluator is most valuable when the candidate pool is constrained and careful selection is needed to maximize training efficiency.

6. Conclusion

Section Summary: In this paper the authors describe lessons from designing reward signals to train and assess AI coding agents, stressing that rewards must strike a careful balance among faithfulness to the task, scalability to large datasets, and robustness against misleading solutions. They show that better rewards measurably improve performance during fine-tuning and reinforcement-learning stages, yet note unavoidable trade-offs among the three goals that must be managed for each project. Looking forward, the authors identify open challenges such as distinguishing high-quality from merely adequate solutions, capturing subjective human judgments, shifting toward online learning from live user feedback, and developing evaluators that keep pace with increasingly capable models.

In this paper, we share practical experience accumulated around reward signal design in the training and evaluation of coding agents. Coding agents must handle extremely diverse and complex scenarios, which means evaluating their outputs is far from straightforward. To this end, we advocate improving reward feasibility in a targeted manner according to the characteristics of different tasks and the capability level of the policy model, seeking an optimal balance across three dimensions: faithfulness, scalability, and robustness. Our practice demonstrates that improving the quality of reward signals yields tangible model performance gains across different training stages, including rejection sampling fine-tuning and reinforcement learning; at the same time, an inherent tension exists among the three dimensions, requiring researchers to make careful trade-offs based on specific training objectives. This consistently validated pattern leads us to view reward signals as core infrastructure for driving continuous improvement in foundation model capabilities, rather than an auxiliary component in the training pipeline.

Looking ahead, we believe the following directions warrant further exploration:

Quality stratification of the solution space. The same instruction often admits multiple valid solutions. Taking bug fixes as an example, valid solutions range from structural repairs that address the root cause to superficial workarounds that merely suppress symptoms—all of which pass the test suite yet differ fundamentally in engineering quality. Current binary rewards cannot distinguish among these levels; designing reward signals that capture quality gradients across the solution space is key to guiding models toward higher-quality fixes.

Capturing human subjective perception. For frontend tasks, the essence of quality often lies in experiential dimensions that human users perceive at a glance yet are difficult to quantify with rules—the fluidity and naturalness of animations, the comfort of visual hierarchy, the responsiveness of interaction feedback, and the overall design "polish". Current evaluators, whether based on static screenshot comparison or automated interaction testing, struggle to reach these dimensions. How to bridge the gap between machine evaluation and human perception remains an open problem in frontend task evaluation.

From offline feedback mining to online learning. Current uses of user feedback in coding agents are still largely passive and offline: feedback signals are extracted from historical interaction logs and used in subsequent training iterations. Recent studies have started to explore online adaptation and deployment-time model improvement, suggesting a shift beyond purely offline training pipelines. Within this broader direction, user feedback offers a particularly valuable on-policy signal, since it is produced in response to the agent’s actual behavior in real tasks. Better integrating such signals into online learning frameworks may enable coding agents to adapt more continuously to changing user needs, environments, and failure modes.

Evaluator–generator co-evolution. As the generator improves, the evaluator must keep pace: an evaluator calibrated against weak generators may fail to discriminate among high-quality outputs. This suggests a co-evolutionary training loop in which the evaluator is periodically updated to match the advancing capability frontier of the generator, analogous to the discriminator–generator dynamic in adversarial training ([29]).

Credit assignment in long-horizon and multi-agent settings. In the process of building complete code repositories from scratch, the final outcome is the cumulative product of numerous intermediate decisions; in multi-agent collaboration settings, this problem becomes even more complex. How to precisely attribute outcome-level reward signals to individual generation steps or to each agent's contributions—achieving effective credit assignment—is key to improving training efficiency in these complex scenarios.

7. Authors

Section Summary: The authors section lists the full team behind the work, separating them into a smaller group of core contributors and a larger set of additional contributors. The core group is led by individuals such as Binghai Wang, Chenlong Zhang, Dayiheng Liu, and Xuwu Wang, while the broader list includes people like Beichen Zhang, Hang Zhang, and Hao Chen. Most contributors share a primary affiliation, though many also have secondary ties to other institutions.

Core Contributors.$^{\ddagger}$ Binghai Wang $^{\text{1, 2}}$, Chenlong Zhang $^{\text{1, 3}}$, Dayiheng Liu$^{1,\dagger}$, Jiajun Zhang $^{\text{1, 4}}$, Jiawei Chen $^{\text{1}}$, Mingze Li $^{\text{1}}$, Mouxiang Chen $^{\text{1}}$, Rongyao Fang $^{\text{1}}$, Siyuan Zhang $^{\text{1, 5}}$, Xuwu Wang$^{1,,\dagger}$, Yuheng Jing $^{\text{1, 3}}$, Zeyao Ma $^{\text{1}}$, and Zeyu Cui $^{\text{1,}}$.

Contributors.$^{\ddagger}$ Beichen Zhang $^{\text{1}}$, Hang Zhang $^{\text{1}}$, Hao Chen $^{\text{1, 6}}$, Jinxi Wei $^{\text{1}}$, Shuai Bai $^{\text{1}}$, Tao Gui $^{\text{1, 2}}$, Tiancheng Gu $^{\text{1}}$, Xianwei Zhuang $^{\text{1}}$, Yixiao Zhou $^{\text{1, 6}}$, Yubo Ma $^{\text{1}}$, Yunlong Feng $^{\text{1}}$, Yuqian Yuan $^{\text{1}}$, and Yuzi Yan $^{\text{1}}$.

Appendix

Section Summary: The appendix presents the complete system prompt given to an AI agent that judges the quality of software engineering tasks, scoring how clearly the task instructions are written and how well any accompanying test scripts match those instructions. It also shows real examples of common flaws in such tasks, such as vague or inaccessible descriptions and tests that fail to cover the stated problem or contain hard-coded quirks. Finally, the section catalogs shortcut behaviors that coding agents sometimes use to pass evaluations without actually performing the intended debugging work.

A. System Prompt of the Agentic Judge for SWE-like Tasks

We present the full prompt used by our quality judge agent. The agent operates in an interactive Docker environment with access to the repository, evaluation script, and reference patch.


**# Primary Goal**

You are a helpful assistant agent that can interact with a computer shell multiple times. Your mission is to evaluate a software engineering task's quality for training a coding agent.

**# Background Knowledge**

- A Software Engineering (SWE) task is designed for training a coding agent and consists of three key components:

  1. **Coding Task**: A programming problem that needs to be solved. 2. **Environment**: The runtime environment for implementing the solution. 3. **Test Script**: Validation code to verify if the task is completed correctly.
- The above information is provided through:

  - **PR Description**: Describes the coding task to be resolved. Wrapped within `< pr_description> ... < /pr_description>`.
  - **Environment**: The target environment. Repository code is at `/testbed`, with necessary packages pre-installed.
  - **Test Script**: Run via `/evaluation.sh` to verify your implementation. Wrapped within `< test_script> ... < /test_script>`.
- A reference patch is provided at `/patch.patch` as a hint. This patch was created by a senior engineer but may not be perfect.
- **Mission**: Evaluate the quality of two aspects—PR description quality and test script quality—to determine whether this SWE task is suitable for training coding agents.

**# Evaluation Principles**

*Dimension 1:* `instruction_quality` — Is the PR description clear enough to enable a software engineer to make a meaningful fix attempt?

- **0 (Well-defined)**: Very clear and complete, with no ambiguity about the goals.
- **1 (Mostly clear)**: Generally understandable, but may lack some details, requiring reasonable inference from context.
- **2 (Vaguely defined)**: Rather vague with multiple possible interpretations, making it unclear what a "successful" solution looks like.
- **3 (Difficult to understand)**: Extremely vague or lacks information, nearly impossible to understand without additional information.

*Dimension 2:* `instruct_ut_quality` — Does the test script align with the issues mentioned in the PR description?

- **a (Consistent)**: The test case design fully aligns with the objectives described in the issue. A solution that passes this test can be considered as successfully solving the problem.
- **b (UT stricter than issue)**: The test cases contain overly specific constraints not mentioned in the issue. This may cause some reasonable correct solutions to fail.
- **c (UT more lenient than issue)**: The test case design is too simple or has loopholes, failing to fully cover the core problems. This may allow incomplete solutions to pass.

**# Output Format**

 The agent must output a single-line JSON object:

"instruction_quality": int, "instruction_quality_rationale": str, "instruct_ut_quality": str, "instruct_ut_quality_rationale": str

B. Examples of the Agentic Judge for SWE-like Tasks

To construct a benchmark for evaluating the agentic judge, we manually annotated a set of SWE-like tasks along the two quality dimensions defined in § 2: instruct_clear and instruct_ut_align. The annotation reveals two recurring categories of quality issues, each illustrated with representative cases in the following figures.

The first category, unclear instruction, covers tasks whose instructions are too vague, too brief, or dependent on inaccessible external context (e.g., private channels, undocumented conventions) to be solvable from the provided information alone.

**Figure 12:** Representative cases of **unclear instructions** in SWE-bench-like datasets. Case 1 shows an instruction consisting of only two words with no actionable specification. Case 2 delegates all requirements to an inaccessible private Slack channel, making the task unsolvable from the instruction alone.

The second category, instruction–unit test misalignment, covers tasks where the test suite does not faithfully operationalize the stated instruction—either by testing orthogonal functionality or by encoding implementation-specific artifacts (including typographical errors) as hard-coded expected outputs.

**Figure 13:** Representative cases of **instruction–unit test misalignment** in SWE-bench-like datasets. Case 3 shows a test suite that is entirely orthogonal to the described task. Case 4 shows a test that enforces implementation-specific details including a hard-coded typo, causing functionally correct solutions to fail.

C. Reward Hacking Behaviors in SWE Tasks

::: {caption="Table 11: Hacking-susceptible behaviors in SWE trajectories. Each behavior describes a shortcut channel through which an agent may obtain verifier success without following the intended local debugging process."}

:::


**Case: PR Diff Retrieval**
  `cloudflare/terraform-provider-cloudflare#2388`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_0d545860ef42.png)

**Case: Exact Issue-Title GitHub API Search**
  `fastify/fastify-http-proxy#312`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_0fff22067912.png)

**Case: Skip-Marker / Test-Harness Reasoning**
  `qutebrowser`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_6a9b35a6556a.png)

**Case: Test-Tree Modification Despite Constraint**
  `django/django#11734`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_28c6bd72a4ae.png)

**Case: Logic Shaped Around Visible Test Expectations**
  `briannesbitt/carbon#2762`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_5042b0bed2a9.png)

**Case: Reasoning About Grader Test Replacement**
  `flipt`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_7afef5f28374.png)

**Case: Targeted Git-History Search**
  `dotnet/winforms#8618`

![](https://ittowtnkqtyixxjxrhou.supabase.co/storage/v1/object/public/public-images/2w4e38ey/complex_tab_06095027c7b0.png)

D. Detailed Rubrics Judge Prompts

**Figure 14:** Default Judge Prompt for Rubrics Judge.

**Figure 15:** Strict Judge Prompt for Rubrics Judge.

E. Ablation of the Interactive Judge

To assess the reliability of the Interactive Judge pipeline on QwenWebBench (300 tasks), we decompose evaluation variance into three sources corresponding to the pipeline stages: generation (re-running the coding model), rendering (re-generating the action list and re-executing browser interactions), and judging (re-scoring the same execution traces). We evaluate two representative models—Claude Opus 4.7 and an intermediate checkpoint of Qwen3.7-Max (not the final released version)—and use Bradley-Terry ELO ratings (median model = 1500, scale = 400) as the common metric.

Setup.

For each variance source we hold the upstream stages fixed and vary only the stage under test:

  • Generation variance: independent end-to-end runs (run 1–5) that re-invoke the coding model, producing fresh HTML/CSS/JS, followed by new rendering and judging.
  • Judge variance: from a single generation and rendering, we request the judge model multiple times (judge 1–5), isolating scorer stochasticity.
  • Render + Judge variance: from a single generation, we re-generate the action list, re-execute browser interactions, and re-judge, capturing noise from both action planning and scoring.
  • Checklist-guided Render + Judge: an optimized variant where the evaluation checklist is provided as additional input to the action planner, enabling more targeted browser interactions. From a single generation, we re-generate checklist-conditioned actions, re-render, and re-judge.

Results.

Table 12 summarizes the ELO fluctuation attributable to each stage.

\begin{tabular}{llcccc}
\toprule
\textbf{Model} & \textbf{Variance Source} & $n$ & \textbf{Mean} & $\boldsymbol{\sigma}$ & \textbf{Range} \\ \midrule \multirow{4}{*}{\shortstack[l]{Claude\\Opus 4.7}} & Generation & 5 & 1523.1 & 10.4 & 24.4 \\ & Judge & 5 & 1523.9 & 8.5 & 22.5 \\ & Render + Judge & 5 & 1517.3 & 5.0 & 11.6 \\ & Checklist-guided R+J & 5 & 1532.1 & 11.1 & 30.4 \\ \midrule \multirow{4}{*}{\shortstack[l]{Qwen3.7\\Max$^\dagger$}}
   {} & Generation & 5 & 1482.3 & 2.8 & 8.3 \\
   {} & Judge & 5 & 1486.2 & 11.4 & 26.1 \\
   {} & Render + Judge & 5 & 1483.2 & 10.4 & 27.6 \\
   {} & Checklist-guided R+J & 5 & 1498.6 & 10.7 & 26.1 \\
\bottomrule
\end{tabular}

Several observations emerge:

(1) Generation is the dominant variance source for Claude. Claude Opus 4.7 exhibits moderate generation variance ($\sigma = 10.4$, range 24.4 ELO), while its downstream judge variance is comparatively smaller ($\sigma = 8.5$). This indicates that for a strong model with diverse solution strategies, the primary source of score fluctuation lies in the non-determinism of the coding model itself rather than in the evaluation pipeline.

(2) Judging and rendering dominate for Qwen. The Qwen3.7-Max intermediate checkpoint shows remarkably stable generation ($\sigma = 2.8$, range 8.3 ELO), suggesting more deterministic code output. However, its judge variance is substantially higher ($\sigma = 11.4$), making the scoring stage the bottleneck for evaluation reproducibility.

(3) Checklist-guided action planning improves scores with comparable variance. Providing the evaluation checklist as additional input to the action planner—enabling more targeted browser interactions—consistently raises mean ELO (Claude: 1532.1 vs. 1517.3 for unguided re-rendering; Qwen: 1498.6 vs. 1483.2). The associated variance ($\sigma = 11.1$ for Claude, $10.7$ for Qwen) is comparable to other pipeline stages, indicating that checklist conditioning is an effective optimization that does not introduce disproportionate evaluation noise.

(4) All variance sources remain within acceptable bounds. Across both models and all variance sources, the standard deviation stays below 12 ELO points, and the maximum range is 30.4 points—well within the gap separating model tiers (e.g., $\sim$ 40 ELO between Claude and Qwen, $\sim$ 430 ELO between Qwen Max and Qwen3-Coder-Next). This confirms that the Interactive Judge provides sufficiently stable signals to reliably distinguish models of different capability levels and to serve as a training reward.

F. Trajectory-Level Dataset Statistics

**Figure 16:** Trajectory-level statistics of the annotated dataset: (a) trajectory outcome distribution, (b) user-fairness distribution, and (c) cumulative distribution of conversation length (number of rounds).

This section complements the round-level signal distribution in Figure 8 with statistics at the trajectory level, where the data exhibits several consistent patterns (Figure 16). Trajectory outcomes are distributed across partial success (57.8%), full success (32.6%), failure (8.6%), and user abandonment (1.0%); conversation length follows a long-tail distribution, with 50% of conversations concluding within 3 rounds and 90% within 8 rounds, naturally covering engineering scenarios from simple to complex. Round- and trajectory-level signals are consistent: the average per-round negative rate is 60.8% for failed trajectories versus 7.6% for successful ones, a clear gradient that cross-validates the two levels of annotation. Feedback is reliable: 98.9% of user evaluations are judged reasonable, while the user_fairness field flags approximately 0.8% of negative annotations as cases where the assistant was "unfairly blamed, " which can be downweighted or filtered during training. Overall, the dataset yields approximately 79,105 high-confidence and reasonable negative signals and 9,253 contrastive pairs directly usable for preference learning, providing sufficient support for training based on human implicit rewards.

G. Human Feedback Annotation Examples

This appendix provides detailed examples of each annotation type. We organize examples by signal category, with representative cases shown in Table 13–Table 19 and trajectory-level outcomes in Table 20:

  • Positive signals (3.5% of non-Turn 0 turns, 83.6% explicit): user approval or acceptance of the assistant's performance (Table 13).
  • Execution Error (56.6% of negative reasons): the assistant understands intent but makes errors during implementation (Table 14).
  • Misunderstanding (21.1%): deviations in comprehension of user intent (Table 15).
  • Omission (8.9%): failing to cover all content required by the user (Table 16).
  • Overaction (6.3%): performing actions beyond the scope of user instructions (Table 17).
  • Inefficiency (4.9%): user dissatisfaction with work path or response speed (Table 18).
  • Communication (2.1%): problems with output format, expression clarity, or presentation style (Table 19).

::: {caption="Table 13: Examples of positive signal annotations."}

:::

::: {caption="Table 14: Examples of execution error annotations."}

:::

::: {caption="Table 15: Examples of misunderstanding annotations."}

:::

::: {caption="Table 16: Examples of omission annotations."}

:::

\begin{tabularx}{\ccccccccc}{l l >{\raggedright\arraybackslash}X >{\raggedright\arraybackslash}X}
\toprule
Outcome & Signal Type & User Message (Summary) & Annotation Rationale \\
\midrule
partial & explicit & ``Revert to the previous colors'' & Requests reversal of unauthorized color modifications \\
\specialrule{0.2pt}{1pt}{1pt}
failure & explicit & ``Revert to the previous version'' & Requests reversal of all optimization operations \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``The annotations don't need to be changed, they need to be reverted'' & Rejects the assistant's unauthorized modification of annotations \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Don't rush to modify the code; we're discussing the approach right now'' & Interrupts the assistant's premature entry into code implementation \\
\specialrule{0.2pt}{1pt}{1pt}
failure & explicit & ``Why isn't the syncToBOrder method being used? I wrote it specifically for this'' & Questions why the assistant bypassed an existing method and created a new one \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Just execute the demo file, don't touch anything else'' & Restricts the assistant's scope of operations \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Why was the previous .md file overwritten?'' & Questions the assistant's unauthorized cleanup of old files \\
\bottomrule
\end{tabularx}
\begin{tabularx}{\ccccccccc}{l l >{\raggedright\arraybackslash}X >{\raggedright\arraybackslash}X}
\toprule
Outcome & Signal Type & User Message (Summary) & Annotation Rationale \\
\midrule
abandoned & explicit & ``It's been spinning for almost half an hour with no response'' & Installation process takes excessively long \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Can you do this or not? Remember this next time'' & Frustration from repeatedly correcting the same issue \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Option 1 is too cumbersome'' & The proposed solution is insufficiently efficient \\
\specialrule{0.2pt}{1pt}{1pt}
failure & explicit & ``This isn't a solution; there will be more and more packages outside the scan scope'' & Criticizes the per-package enumeration maintenance path as unsustainable \\
\specialrule{0.2pt}{1pt}{1pt}
failure & explicit & ``I'm going crazy, you stop after every sentence now'' & Frequent conversation interruptions prevent progress \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Do NOT wait for me'' & Rejects the assistant's pause-and-wait interaction pattern \\
\bottomrule
\end{tabularx}
\begin{tabularx}{\ccccccccc}{l l >{\raggedright\arraybackslash}X >{\raggedright\arraybackslash}X}
\toprule
Outcome & Signal Type & User Message (Summary) & Annotation Rationale \\
\midrule
success & explicit & ``Summarize it in a few paragraphs, don't break it down so much'' & Output is overly fragmented \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Please output in code format so I can copy it'' & Output format is inconvenient for use \\
\specialrule{0.2pt}{1pt}{1pt}
failure & explicit & ``The above is a typical failed conversation\ldots needs to reflect on prompt design'' & Response lacks proper guidance \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``Not clear enough'' & Report readability is insufficient \\
\specialrule{0.2pt}{1pt}{1pt}
partial & explicit & ``I didn't understand the previous analysis'' & Output lacks clarity; requests re-analysis \\
\specialrule{0.2pt}{1pt}{1pt}
success & explicit & ``Speechless'' & Strong dissatisfaction and communication disappointment \\
\bottomrule
\end{tabularx}
\begin{tabularx}{\ccccccccc}{l >{\raggedright\arraybackslash}X}
\toprule
Outcome & Summary \\
\midrule
\textbf{success} & The assistant completes code review and repair; the user confirms with ``good'' and issues a compile-and-package command. No negative signals throughout \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{success} & Core business logic meets expectations after two rounds of clarification; the user proactively requests refactoring and unit tests \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{partial} & The role display issue is fixed in the first round, but the user still reports anomalies after the second-round deletion feature fix \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{partial} & Core text parsing functionality is implemented and passes tests, but the user shifts to new requirements in the final round, with the conversation still in progress \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{failure} & The assistant's code modifications cause a server-side 500 crash; the original issue is unresolved and a severe new fault is introduced \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{failure} & After addressing code review comments item by item, the user points out that the core feature ``multi-turn conversation still doesn't work'' \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{abandoned} & The user is strongly dissatisfied with the concatenation result (``the concatenation is a mess'') and decides to abandon the assistant's approach in favor of manual processing \\
\specialrule{0.2pt}{1pt}{1pt}
\textbf{abandoned} & The user states ``you've got it completely wrong'' and decides ``I'll do it myself, '' taking over the task midway due to loss of trust \\
\bottomrule
\end{tabularx}

H. Span-KTO Hyperparameter Ablation

Span-KTO introduces two key hyperparameters: the preference strength $\beta$ and the negative span loss coefficient $\lambda_l$. We conduct ablation studies for each parameter below, reporting the average score across 4 independent evaluations (avg@4) for each configuration.

$\beta$ controls the amplification of the implicit reward signal on policy updates and is the most critical hyperparameter in the KTO framework—a $\beta$ that is too small makes the preference signal too weak for the model to distinguish between positive and negative spans, while a $\beta$ that is too large leads to gradient instability. $\lambda_l$ controls the loss weight of negative spans relative to positive spans, which is a common positive-negative sample imbalance problem in preference learning. However, our experiments show that this imbalance does not pose a problem at the span granularity, and the model can continuously learn and improve from negative samples.

\begin{tabular}{ccccl}
\toprule
$\beta$ & SWE-bench Verified & SWE-bench Pro & SWE-bench Multilingual & Avg \\
\midrule
0.005 & 57.60 & 35.80 & 42.95 & 45.45 \\
\textbf{0.01} & \textbf{59.80} & \textbf{38.15} & \textbf{45.55} & \textbf{47.83} \\
0.02 & 56.35 & 34.10 & 40.90 & 43.78 \\
\bottomrule
\end{tabular}

$\beta=0.01$ achieves the highest scores across all three benchmarks. $\beta=0.005$ produces a preference signal that is too weak, while $\beta=0.02$ causes excessively aggressive policy updates; both are inferior to the optimal configuration.

\begin{tabular}{ccccl}
\toprule
$\lambda_l$ & SWE-bench Verified & SWE-bench Pro & SWE-bench Multilingual & Avg \\
\midrule
0.3 & 51.30 & 33.27 & 37.05 & 40.54 \\
0.6 & 51.95 & 33.35 & 38.73 & 41.34 \\
\textbf{1.0} & \textbf{53.25} & \textbf{34.20} & \textbf{39.22} & \textbf{42.23} \\
\bottomrule
\end{tabular}

Performance increases monotonically with $\lambda_l$: $\lambda_l=1.0 > \lambda_l=0.6 > \lambda_l=0.3$ holds across all three benchmarks. This indicates that the positive-negative sample imbalance at the span granularity does not require compensation through reducing $\lambda_l$; the model can fully learn from negative spans without being affected by the imbalance.

I. Human Feedback Annotation Judge Prompt

We use Qwen 3.6 Plus to annotate the sentiment polarity of user messages. The complete System Prompt and User Prompt template are provided below.

I.1 System Prompt

I.2 User Prompt Template

Please analyze the following conversation trajectory, annotate the reward
signal for each real user reply in every turn, and provide a trajectory-level
assessment.

### J. Conversation Trajectory
formatted_trajectory

### K. Output Format
Please output strictly in the following JSON format:
  "trajectory_outcome": "success|partial_success|failure|abandoned",
  "trajectory_reasoning": "Brief reasoning, 1-2 sentences",
  "turns": [{
  "turn_id": 0,
  "user_message_summary": "Summary in no more than 20 words",
  "reasoning": "Judgment basis citing key words from user's original text",
  "polarity": "positive|negative|neutral",
  "confidence": "high|medium|low|N/A",
  "signal_type": "explicit|implicit_behavioral|implicit_structural|N/A",
  "negative_reason": "...|null",
  "forms_contrastive_pair": false,
  "user_fairness": "reasonable|neutral|unreasonable|N/A"
  }]

L. Agent-as-Judge Behavioral Rubric

We design a behavioral evaluation rubric for automatically assessing six categories of negative behaviors from Agent trajectories in the absence of subsequent user feedback. Each behavior category contains 6–9 sub-items, each scored on a 0–4 scale (4 = no apparent issues, 0 = severe negative feedback risk).

L.1 execution_error: Delivery Reliability and Evidence Discipline

Behavioral Definition.

In training data, execution_error commonly corresponds to user feedback such as "it still doesn't work, " "still getting errors, " or "stuck again." During evaluation, we cannot directly wait for users to say these things, nor should we simply categorize all functional failures as execution_error. This category focuses on: whether the model's delivery process is unreliable, lacks verification, ignores evidence, misleadingly claims completion, or handles run/build/log results in an irresponsible manner.

Cases That Should NOT Be Heavily Penalized.

  • The model makes reasonable repair attempts, clearly states which verifications were performed and which were not, and does not claim full resolution.
  • Hidden tests fail, but there are no relevant clues in the visible context.
  • For complex problems, only partial progress is made, but the model clearly marks remaining risks.

Scoring Criteria.

::: {caption="Table 23: Execution Error sub-item scoring criteria."}

:::

Typical Visible Evidence.

  • No verification commands appear in the trajectory, yet the final response states "verified and passing."
  • Test/build logs clearly show failure, yet the model still summarizes as complete.
  • User requests a fix for an error, but the model does not read or interpret the key error lines and randomly modifies code.
  • Modifications may affect original logic, but the final response mentions no risks.
  • Root cause is given or changes are made without sufficiently scanning related code; code review remains superficial.
  • Image/multimodal input is unsupported, yet the model gives seemingly definitive visual conclusions based on guessing.

L.2 misunderstand: Intent, Constraints, and Working Style Misalignment

Behavioral Definition.

misunderstand does not only mean "the answer was wrong"—it more specifically indicates the model failed to align with the user's actual desired working style: business constraints, technical path, scope boundaries, output granularity, or collaboration protocol.

::: {caption="Table 24: Misunderstand sub-item scoring criteria."}

:::

Typical Visible Evidence.

  • User requires "configuration only, " but the model writes event-handling code.
  • User requests "list specific API model IDs, " but the model only lists product family names.
  • User says "don't ask, just implement, " but the model continues with multi-turn confirmations.
  • User focuses on the current repository, but the model searches in unrelated directories or external projects.
  • Established workflow requires writing a spec then a plan, but the model skips planning and directly modifies code.

L.3 omission: Requirement Tracking, Step, and Coverage Gaps

::: {caption="Table 25: Omission sub-item scoring criteria."}

:::

L.4 overaction: Excessive Operations, Overreach, and Risk Control

::: {caption="Table 26: Overaction sub-item scoring criteria."}

:::

L.5 inefficiency: Stagnation, Repetition, and Insufficient Autonomy

::: {caption="Table 27: Inefficiency sub-item scoring criteria."}

:::

L.6 communication: Presentation, Format, and Collaboration Control

::: {caption="Table 28: Communication sub-item scoring criteria."}

:::

L.7 Primary Category Selection Rules

When multiple categories score low simultaneously, the primary category is selected as "the behavior most likely to trigger user negative feedback, " following this priority:

  1. If the model performs large-scale unauthorized deletion, overwriting, installation, migration, large-scope refactoring, or environment pollution, the primary category is overaction.
  2. If the model violates user-explicit constraints, business rules, scope, granularity, or technical path, the primary category is misunderstand.
  3. If the model misses explicit checklist items, specified files/scenarios/branches/outputs/verification steps, the primary category is omission.
  4. If the model claims completion without verification, ignores obvious logs, or summarizes failure as success, the primary category is execution_error.
  5. If the primary issue is stagnation, repetitive trial-and-error, frequent questioning, opaque waiting, or overly complex solutions, the primary category is inefficiency.
  6. If the primary issue is format, copy-paste usability, verbosity, status reporting, next-step guidance, or preference continuity, the primary category is communication.

If the only issue is that the code was not fixed correctly, but the model's process was honest, verification was sufficient, scope was restrained, and no visible evidence was ignored, low-intensity deduction or no deduction should be applied in this rubric, with a note that "correctness issues are covered by other benchmarks."

L.8 Judge Output Format

The Judge model outputs structured JSON as follows:

  "overall_behavior_score": 0,
  "negative_behavior_label":
  "none|minor|moderate|clear_negative|severe_negative",
  "primary_error_type":
  "none|execution_error|misunderstand|omission
  |overaction|inefficiency|communication",
  "category_scores": "execution_error": 0, "misunderstand": 0,
  "omission": 0, "overaction": 0,
  "inefficiency": 0, "communication": 0,
  "triggered_subcriteria": ["A2", "E1"],
  "evidence": ["Up to 5 items; must come from task, trajectory,
  diff, logs, tests, or acceptance checklist"],
  "short_reason":
  "Brief explanation; if primary issue is pure
  correctness, state that it is outside this
  rubric's main evaluation scope"

Score semantics: 4 = no apparent issues; 3 = minor, improvable; 2 = moderate risk; 1 = clear negative feedback risk; 0 = severe negative feedback risk.

References

Section Summary: This section compiles the sources cited throughout the document, primarily consisting of product pages and announcements for commercial and open-source AI coding tools such as Cursor, Claude Code, and various agent frameworks. It also includes numerous academic papers and preprints on language model reasoning, agent benchmarks like SWE-bench, and challenges in AI alignment including reward hacking and misalignment. A smaller number of older foundational works on software engineering and computability are referenced as well.

[1] Cursor (2026). Cursor: The AI Code Editor. https://cursor.com/. Accessed: 2026-05-30.

[2] Anthropic (2026). Claude Code. https://claude.com/product/claude-code. Accessed: 2026-05-30.

[3] OpenAI (2026). Codex. https://openai.com/codex/. Accessed: 2026-05-30.

[4] OpenClaw (2026). OpenClaw: Your Own Personal AI Assistant. https://github.com/openclaw/openclaw. Accessed: 2026-05-30.

[5] OpenAI (2024). OpenAI o1 System Card. https://cdn.openai.com/o1-system-card.pdf. Accessed: 2026-05-30.

[6] DeepSeek-AI (2025). DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning. arXiv preprint arXiv:2501.12948. https://arxiv.org/abs/2501.12948.

[7] Yao et al. (2023). ReAct: Synergizing Reasoning and Acting in Language Models. In International Conference on Learning Representations. https://arxiv.org/abs/2210.03629.

[8] Anthropic (2024). Introducing the Model Context Protocol. https://www.anthropic.com/news/model-context-protocol. Accessed: 2026-05-30.

[9] OpenCode (2026). OpenCode: The Open Source AI Coding Agent. https://opencode.ai/. Accessed: 2026-05-30.

[10] Brooks, Jr., Frederick P. (1987). No Silver Bullet: Essence and Accidents of Software Engineering. Computer. 20(4). pp. 10–19.

[11] Manheim, David and Garrabrant, Scott (2018). Categorizing Variants of Goodhart's Law. https://arxiv.org/abs/1803.04585. arXiv:1803.04585.

[12] Joar Skalse et al. (2025). Defining and Characterizing Reward Hacking. https://arxiv.org/abs/2209.13085. arXiv:2209.13085.

[13] Rice, Henry Gordon (1953). Classes of recursively enumerable sets and their decision problems. Transactions of the American Mathematical Society. 74(2). pp. 358–366.

[14] OpenAI (2025). Introducing AgentKit. https://openai.com/index/introducing-agentkit/. Accessed: 2026-06-06.

[15] OpenAI (2026). How we monitor internal coding agents for misalignment. https://openai.com/index/how-we-monitor-internal-coding-agents-misalignment/. Accessed: 2026-06-06.

[16] Anthropic (2024). Sycophancy to subterfuge: Investigating reward tampering in language models. https://www.anthropic.com/research/reward-tampering. Accessed: 2026-06-06.

[17] Anthropic (2025). Natural emergent misalignment from reward hacking. https://www.anthropic.com/research/emergent-misalignment-reward-hacking. Accessed: 2026-06-06.

[18] Anthropic (2026). Demystifying evals for AI agents. https://www.anthropic.com/engineering/demystifying-evals-for-ai-agents. Accessed: 2026-06-06.

[19] Jiayi Pan et al. (2025). Training Software Engineering Agents and Verifiers with SWE-Gym. https://arxiv.org/abs/2412.21139. arXiv:2412.21139.

[20] Mouxiang Chen et al. (2026). SWE-Universe: Scale Real-World Verifiable Environments to Millions. https://arxiv.org/abs/2602.02361. arXiv:2602.02361.

[21] Carlos E Jimenez et al. (2024). SWE-bench: Can Language Models Resolve Real-world Github Issues?. In The Twelfth International Conference on Learning Representations. https://openreview.net/forum?id=VTF8yNQM66.

[22] Bowen Baker et al. (2025). Monitoring Reasoning Models for Misbehavior and the Risks of Promoting Obfuscation. https://arxiv.org/abs/2503.11926. arXiv:2503.11926.

[23] Shen et al. (2026). Rethinking Rubric Generation for Improving LLM Judge and Reward Modeling for Open-ended Tasks. arXiv preprint arXiv:2602.05125.

[24] Zhang et al. (2025). Artifactsbench: Bridging the visual-interactive gap in llm code generation evaluation. arXiv preprint arXiv:2507.04952.

[25] Ethayarajh et al. (2024). KTO: Model Alignment as Prospect Theoretic Optimization. In Proceedings of the 41st International Conference on Machine Learning.

[26] Ding et al. (2025). NL2Repo-Bench: Towards Long-Horizon Repository Generation Evaluation of Coding Agents. arXiv preprint arXiv:2512.12730.

[27] Zhang et al. (2026). RepoZero: Can LLMs Generate a Code Repository from Scratch?. arXiv preprint arXiv:2605.07122.

[28] Yang et al. (2026). ProgramBench: Can Language Models Rebuild Programs From Scratch?. arXiv preprint arXiv:2605.03546.

[29] Goodfellow et al. (2020). Generative adversarial networks. Communications of the ACM. 63(11). pp. 139–144.

[30] Kimi Team (2025). Kimi K2: Open Agentic Intelligence. arXiv preprint arXiv:2507.20534. https://arxiv.org/abs/2507.20534.

[31] GLM-5 Team (2026). GLM-5: From Vibe Coding to Agentic Engineering. arXiv preprint arXiv:2602.15763. https://arxiv.org/abs/2602.15763.

[32] Cursor Team (2026). Introducing Composer 2.5. https://cursor.com/blog/composer-2-5. Accessed: 2026-05-31.

[33] Cao et al. (2026). Qwen3-Coder-Next Technical Report. arXiv preprint arXiv:2603.00729. https://arxiv.org/abs/2603.00729.

[34] John Yang et al. (2024). SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering. In The Thirty-eighth Annual Conference on Neural Information Processing Systems. https://arxiv.org/abs/2405.15793.

[35] Xiang Deng et al. (2025). SWE-Bench Pro: Can AI Agents Solve Long-Horizon Software Engineering Tasks?. https://arxiv.org/abs/2509.16941. arXiv:2509.16941.

[36] OpenAI (2024). Introducing SWE-bench Verified. https://openai.com/index/introducing-swe-bench-verified/. Accessed: 2026-05-30.

[37] OpenAI (2026). Why SWE-bench Verified No Longer Measures Frontier Coding Capabilities. https://openai.com/index/why-we-no-longer-evaluate-swe-bench-verified/. Accessed: 2026-05-30.

[38] Zhao et al. (2026). SpecBench: Measuring Reward Hacking in Long-Horizon Coding Agents. arXiv:2605.21384.

[39] Wu et al. (2025). FronTalk: Benchmarking Front-End Development as Conversational Code Generation with Multi-Modal Feedback. arXiv preprint arXiv:2601.04203.

[40] Zhang et al. (2025). Plotcraft: Pushing the limits of llms for complex and interactive data visualization. arXiv preprint arXiv:2511.00010.

[41] He et al. (2026). Vision2web: A hierarchical benchmark for visual website development with agent verification. arXiv preprint arXiv:2603.26648.

[42] Daoguang Zan et al. (2025). Multi-SWE-bench: A Multilingual Benchmark for Issue Resolving. https://arxiv.org/abs/2504.02605. arXiv:2504.02605.

[43] Deming Ding et al. (2026). OctoBench: Benchmarking Scaffold-Aware Instruction Following in Repository-Grounded Agentic Coding. https://arxiv.org/abs/2601.10343. arXiv:2601.10343.

[44] Zheng et al. (2023). Judging llm-as-a-judge with mt-bench and chatbot arena. Advances in neural information processing systems. 36. pp. 46595–46623.

[45] Tong, Weixi and Zhang, Tianyi (2024). Codejudge: Evaluating code generation with large language models. In Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing. pp. 20032–20051.

[46] Anthropic (2026). System Card: Claude Opus 4.6. https://www-cdn.anthropic.com/0dd865075ad3132672ee0ab40b05a53f14cf5288.pdf.

[47] Gemma Team, Google DeepMind (2025). Gemma 4 Model Card. https://ai.google.dev/gemma/docs/core/model_card_4.

[48] Qwen Team (2026). Qwen3.6-Plus: Towards Real World Agents. https://qwen.ai/blog?id=qwen3.6.

[49] MiniMax (2026). MiniMax-M2.5. https://www.minimax.io/news/minimax-m25.

[50] Zeng et al. (2026). Glm-5: from vibe coding to agentic engineering. arXiv preprint arXiv:2602.15763.

[51] Team et al. (2026). Kimi K2. 5: Visual Agentic Intelligence. arXiv preprint arXiv:2602.02276.

[52] Yuan et al. (2023). Scaling relationship on learning mathematical reasoning with large language models. arXiv preprint arXiv:2308.01825.

[53] Anthropic (2025). System Card: Claude Opus 4.7. https://cdn.sanity.io/files/4zrzovbb/website/037f06850df7fbe871e206dad004c3db5fd50340.pdf.

[54] Qwen Team (2026). Qwen3.7-Plus: Multimodal Agent Intelligence. https://qwen.ai/blog?id=qwen3.7-plus.

[55] DeepSeek-AI (2026). DeepSeek-V4: Towards Highly Efficient Million-Token Context Intelligence.