kubectl

Kubernetes command-line tool

65% pass rate

3/8 principles met

Spec Coverage

How many of the spec's requirements were verified for this tool. See /coverage for the full matrix.

Level	Total	Verified	Unverified
MUST	28	19	9
SHOULD	21	13	8
MAY	10	10	0

Top Issues

FAIL Version flag works (`--version` plus short alias) Progressive Help Discovery `--version` exited with code 1
FAIL Version flag works (`--version` plus short alias) Progressive Help Discovery `--version` exited with code 1
WARN Quiet mode available Bounded, High-Signal Responses no --quiet/-q flag detected in --help output

All Audits

P1: Non-Interactive by Default

PASS	Non-interactive by default
SKIP	Non-interactive gate flag advertised in --help	target satisfies P1 via alternative gate (help-on-bare or stdin-primary)
SKIP	Flags advertise env-var bindings in --help	target exposes no flags in --help
PASS	Secret-bearing flags expose stdin or *-file companion
WARN	`--help` advertises default values for flags	no default-value annotations found in --help. SHOULD-tier — agents reading help text need to see what value a flag falls back to when omitted (`[default: <value>]` per clap convention).
WARN	Rich-TUI affordance for TTY contexts	no rich-TUI affordance detected (no `--tui`/`--interactive`/`--ui` flag, no spinner/progress/tui mention in --help). MAY-tier — rich TUI in TTY contexts is a nice-to-have, not required.

P2: Structured, Parseable Output

OPT-OUT	Structured output support	no --output/--format flag detected — tool does not ship structured output. Schema-discovery requirements (p2-must-schema-print, p2-should-schema-file) collapse to n/a via antecedent propagation.
N/A	Structured-output CLI exposes its schema at runtime	antecedent `p2-json-output` is opt_out: no --output/--format flag detected — tool does not ship structured output. Schema-discovery requirements (p2-must-schema-print, p2-should-schema-file) collapse to n/a via antecedent propagation.
WARN	--json / --jsonl short aliases for --output	no --json or --jsonl short alias found. Agents and pipelines benefit from short forms alongside the canonical `--output` enum.
WARN	`--raw` flag for pipe-safe unformatted output	no `--raw` flag advertised. MAY-tier — useful for pipelines that want to strip formatting before piping to other tools.
SKIP	`--output` advertises additional formats beyond text/json	no `--output` or `--format` flag advertised; vacuous skip for MAY-tier extra formats.
WARN	Bad invocation exits with structured usage-error code (2)	bad invocation exited with code 1. The 0/1/2/77/78 convention reserves code 2 for usage errors; using a different non-zero code (often 1) blurs the distinction between usage errors and general failure.
SKIP	Errors emit JSON envelope with `error`/`kind`/`message` under `--output json`	binary does not advertise `--output json` in --help; MUST applies only to CLIs that opt into the JSON contract.
SKIP	JSON success and error envelopes share their non-payload key set	binary does not advertise `--output json` in --help; envelope-consistency only applies to CLIs that opt into the JSON contract.

P3: Progressive Help Discovery

PASS	Help flag produces useful output
FAIL	Version flag works (`--version` plus short alias)	`--version` exited with code 1
FAIL	Version flag works (`--version` plus short alias)	`--version` exited with code 1
WARN	`examples` subcommand or `--examples` flag for curated usage patterns	no `examples` subcommand or `--examples` flag found. MAY-tier — a curated usage block keeps agents from hunting through long help text.
WARN	Short `-h` summary differs from `--help` long form	`-h` and `--help` produce byte-identical output. SHOULD-tier — clap renders the short summary on `-h` and the full description on `--help` when `long_about` is set; collapsing them gives agents no concise list-level grep target.
SKIP	Each subcommand's `--help` ships at least one invocation example	binary has no subcommands; MUST applies conditionally to CLIs that use them.
WARN	Help text pairs human and `--output json` example invocations	no paired text + `--output json` example found within 5 lines in top-level or any subcommand `--help`. Pairing keeps agents from reverse-engineering the JSON invocation from the text one.

P4: Fail-Fast, Actionable Errors

PASS	Rejects invalid arguments
PASS	Error messages include a hint or remediation phrase
SKIP	`--output json` produces JSON-formatted errors	binary does not advertise `--output json` in --help; SHOULD applies only to CLIs that opt into the JSON contract.

P5: Safe Retries & Mutation Boundaries

SKIP	Destructive subcommands require `--force` or `--yes`	no destructive subcommands detected; MUST applies conditionally to CLIs with destructive operations.
SKIP	Read and write surfaces are both visible in subcommand list	no recognizable read or write subcommand verbs; the read/write distinction is unobservable from the help surface alone.

P6: Composable, Predictable Command Structure

PASS	Handles SIGPIPE gracefully
WARN	Pager-using CLI ships --no-pager escape hatch	pager referenced in --help but no --no-pager escape hatch advertised
PASS	Respects NO_COLOR
SKIP	Subcommand verbs follow community-standard names	no subcommands parsed from --help
WARN	`--color` flag for explicit color control	no `--color` flag advertised. MAY-tier — `auto\|always\|never` lets agents and pipelines override the TTY-based default.
SKIP	Input-accepting commands read from stdin when no file is given	no input-accepting subcommand detected (process/parse/convert/transform/analyze/validate/format/lint/audit); vacuous skip for the conditional SHOULD.
SKIP	Subcommand naming follows a consistent verb/noun convention	fewer than 2 user-defined subcommands; vacuous skip for the conditional SHOULD.
PASS	Operations are subcommands, not verb-shaped flags

P7: Bounded, High-Signal Responses

WARN	Quiet mode available	no --quiet/-q flag detected in --help output
WARN	`--verbose` flag for diagnostic escalation	no `--verbose` / `-v` flag advertised. SHOULD-tier — agents debugging failures need a way to escalate diagnostic detail.
SKIP	`--limit` / `--max-results` flag for list operations	no list-style subcommand detected (list/ls/search/query/find/show/get); vacuous skip for the list-only SHOULD.
SKIP	Cursor-based pagination flags for list traversal	no list-style subcommand detected; vacuous skip for the list-only MAY.
SKIP	`--timeout` flag for long-running operations	no long-running subcommand detected (serve/daemon/watch/tail/monitor/follow/run/start/stream); vacuous skip for the conditional SHOULD.
WARN	Help text advertises TTY-aware verbosity behavior	no TTY-aware language found in `--help`. MAY-tier — automatic verbosity reduction when stdout is piped or redirected lets agents skip the explicit `--quiet` flag. Behavioral probes cannot simulate a real TTY without a pty crate, so this audit relies on documented intent.

P8: Discoverable Through Agent Skill Bundles

PASS	Skill bundle has install path (`tool skill install [<host>]`)
PASS	`skill install --all` for multi-runtime install
PASS	`skill update` / `skill upgrade` for bundle refresh

Details

Version scored: 1.36.1
Audit date: 2026-06-01 17:34:40 UTC
Duration: 355ms
Platform: linux/x86_64
Mode: command
Anc build: 0.5.0
Install: brew install kubectl

Embed the badge

The badge floor is 70%; this scorecard is at 65% (5 points below). Once the score clears the floor, the embed snippet will appear here. The top issues above are the place to start.

Reproduce this scorecard for kubectl locally and inspect the failing audits:

anc audit --command kubectl --output json

Install anc first if you don't have it. Add --output json to get the same JSON shape committed under scorecards/.