
Update Helm release descheduler to v0.36.0#3239

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/descheduler-0.x

Conversation


@renovate renovate Bot commented May 20, 2026

This PR contains the following updates:

Package       Update   Change
descheduler   minor    0.35.1 → 0.36.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

kubernetes-sigs/descheduler (descheduler)

v0.36.0



Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@anshulg-dep-review

Triage: YELLOW -- possible breakage, reviewer requested

Quick summary

Minor version bump (0.35.1 → 0.36.0) with three behavioral changes to the descheduler plugin system: NamespaceLabelSelector now evaluates matchExpressions (previously ignored), PodLifeTime now matches terminated container reasons (not just waiting), and serviceMonitor.apiVersion is now configurable. Neither deployment uses these features in a way that would cause immediate breakage, but the PodLifeTime behavior change warrants review since the k8s cluster actively uses that plugin. Provenance research failed due to token limits and should be manually verified.

Updates table

Package       Old      New      Breaking   Changelog            Provenance
descheduler   0.35.1   0.36.0   actions    behavioral changes   failed

Required actions

  1. descheduler -- Review the PodLifeTime plugin configuration in k8s/apps/templates/descheduler.yaml. The new version now matches container terminated reasons (e.g., OOMKilled, Error) in addition to waiting reasons. The current policy uses states: ["Pending", "PodInitializing"] which are waiting-only, so no immediate impact expected, but verify this is intentional. (See breaking report, "PodLifeTime plugin" section.)

  2. descheduler -- Provenance research failed due to token limits. Before merge, manually verify the image signature and source for registry.k8s.io/descheduler/descheduler:v0.36.0 using cosign verify or your supply-chain tooling.

Update summary

descheduler 0.35.1 → 0.36.0

  • Behavioral changes in three areas:

    • DefaultEvictor.NamespaceLabelSelector now enforces matchExpressions filtering (previously silently ignored if matchLabels was empty). Neither deployment uses this field.
    • PodLifeTime plugin now matches container terminated reasons in addition to waiting reasons. The k8s cluster uses PodLifeTime with states: ["Pending", "PodInitializing"] (waiting-only), so no immediate impact, but review if this is the intended behavior.
    • serviceMonitor.apiVersion is now configurable (defaults to monitoring.coreos.com/v1). Both deployments have serviceMonitor.enabled: false, so no impact.
  • New features (additive, no action required):

    • initContainers value added to allow specifying init containers.
    • PodLifeTime extended with new optional filters: conditions, exitCodes, ownerKinds.
    • DefaultEvictor.NamespaceLabelSelector now fully supports matchExpressions.
  • Bug fixes and security:

    • Data race fixes in descheduler core.
    • Eviction observability fixes (missing metrics for background evictions).
    • gRPC and OpenTelemetry SDK dependencies upgraded for security.
  • Kubernetes compatibility: v0.36.0 targets Kubernetes v1.36 and is tested against v1.34, v1.35, v1.36. The rpi5 cluster runs K3s v1.34 (within the supported window); the GKE cluster version is not pinned in the repo but assumed to be recent.

  • RBAC: The persistentvolumeclaims ClusterRole permission fix (PR #1836) was already backported into 0.35.1, so no new RBAC changes in this bump.

  • Deprecated fields still accepted: Both deployments use the deprecated DefaultEvictor.args fields ignorePvcPods: true and evictLocalStoragePods: true. These remain accepted in v0.36.0 but will eventually be removed. Consider migrating to the podProtections syntax in a future update.

Provenance

Provenance research failed due to token limits in the researcher. The image source (registry.k8s.io/descheduler/descheduler:v0.36.0) and its signature/attestation could not be verified. Manual verification is required before merge: use cosign verify or your supply-chain tooling to confirm the image is signed by the Kubernetes project and has not been tampered with.

Sub-agent reports -- descheduler

Breaking-change impact

I now have all the information I need. Let me compile the complete analysis. Here's what I've found:

Key facts established:

  1. Two deployments: k8s cluster (GKE, unknown K8s version) and rpi5 cluster (K3s v1.34.2 = Kubernetes 1.34)
  2. Both use kind: CronJob (default in chart values)
  3. Both use deprecated DefaultEvictor args: ignorePvcPods: true and evictLocalStoragePods: true — these are deprecated in favor of podProtections but still accepted (not removed)
  4. Chart templates are identical between 0.35.1 and 0.36.0 (same SHAs for clusterrole.yaml, cronjob.yaml, deployment.yaml, _helpers.tpl, etc.)
  5. values.yaml is identical between 0.35.1 and 0.36.0
  6. The RBAC fix (PR #1836 — adding persistentvolumeclaims to ClusterRole) was already backported into 0.35.1, so it's already present in the current deployment
  7. v0.36.0 is compiled against k8s 1.36 client libs but the compatibility note says it works with the three latest minor versions (1.34, 1.35, 1.36)
  8. Architecture: v0.36.0 supports AMD64, ARM64, ARMv7 — confirmed in user-guide.md
  9. rpi5 runs K3s v1.34 — within the supported range (descheduler tests against 3 latest k8s versions)
  10. No new required values, no selector changes, no probe path changes between chart versions

Impact verdict: descheduler 0.35.1 → 0.36.0 (PR #3239)

Verdict

safe_to_merge

This is a minor version bump with no chart template changes, no values schema changes, and no breaking changes that intersect either deployment's configuration. The descheduler's deprecated ignorePvcPods/evictLocalStoragePods args used in both deployments remain accepted (not removed) in v0.36.0. The rpi5 cluster runs K3s v1.34, which is within the descheduler's tested compatibility window (three latest minor versions: 1.34, 1.35, 1.36). Both amd64 and arm64 are supported by the new image.


Blast radius

  • Scope: platform (cluster-wide scheduling behavior, but failure mode is soft — descheduler not running means no evictions, not an outage)
  • Direct usage: 2 manifest(s)
    • k8s/apps/templates/descheduler.yaml — GKE cluster, kube-system namespace
    • rpi5/apps/templates/internal/descheduler.yaml — rpi5 K3s cluster, kube-system namespace
  • Transitive dependents: All pods in both clusters are subject to descheduler eviction decisions. However, the descheduler is a control-plane-adjacent tool — if it fails to start, pods are simply not evicted (no active harm). No application depends on the descheduler being available to function.
  • User-facing exposure:
    • Public hostnames affected: none (descheduler has no ingress)
    • Internal (oauth-gated) hostnames affected: none
    • Cron / scheduled jobs affected: the descheduler itself runs as a CronJob (*/2 * * * *); failure means eviction stops silently
  • Failure mode if upgrade goes wrong: soft_down — descheduler CronJob fails to create pods or pods crash; cluster continues operating normally, pods are simply not evicted/rebalanced until fixed
  • Recovery: trivial_rollback — pin targetRevision back to 0.35.1 in both ArgoCD Application manifests; no state is written by the descheduler itself

Required actions before merge

None


Findings

F1: Deprecated DefaultEvictor args ignorePvcPods and evictLocalStoragePods still in use

  • Severity: informational
  • Category: config_schema
  • What changed: Since v0.33.0, ignorePvcPods and evictLocalStoragePods in DefaultEvictor.args are deprecated in favor of the podProtections API. The new chart values.yaml default example uses podProtections instead. The old fields are still accepted in v0.36.0 (not removed).
  • Why it affects this deployment: Both deployments set ignorePvcPods: true and evictLocalStoragePods: true under DefaultEvictor.args:
    • k8s/apps/templates/descheduler.yaml: pluginConfig[0].args.ignorePvcPods: true, evictLocalStoragePods: true
    • rpi5/apps/templates/internal/descheduler.yaml — same
      These fields continue to work in v0.36.0 but will eventually be removed in a future release. The equivalent podProtections config would be:
    podProtections:
      defaultDisabled:
      - "PodsWithLocalStorage"
      extraEnabled:
      - "PodsWithPVC"
  • Affected dependents: Both clusters' descheduler instances
  • Required action: No action required for this merge. Consider migrating to podProtections syntax before a future release removes the legacy fields.
  • Source: https://github.com/kubernetes-sigs/descheduler/blob/master/README.md (DefaultEvictor table); add PodProtections for DefaultEvictorArgs kubernetes-sigs/descheduler#1665
  • Confidence: documented
  • Render-limited: no

F2: v0.36.0 compiled against Kubernetes 1.36 client libraries; rpi5 runs K3s v1.34

  • Severity: informational
  • Category: k8s_api
  • What changed: v0.36.0 bumps k8s client-go/apimachinery/etc. to v0.36.x (from v0.35.x in v0.35.1). The compatibility matrix lists v0.36 as targeting Kubernetes v1.36.
  • Why it affects this deployment: The rpi5 cluster runs K3s v1.34.2 (Kubernetes 1.34). The descheduler project's stated policy is that each release is tested against the three latest k8s minor versions. v0.36 is tested against v1.34, v1.35, and v1.36 — so v1.34 is within the supported window. The GKE cluster's version is not pinned in the repo (no upgrade.yaml equivalent found for k8s/), but GKE typically runs recent versions and is expected to be ≥1.34.
  • Affected dependents: rpi5 descheduler instance
  • Required action: No action required. v1.34 is within the tested compatibility window for v0.36.
  • Source: https://github.com/kubernetes-sigs/descheduler?tab=readme-ov-file#compatibility-matrix; [v0.36.0] release prep: bump k8s/go deps, manifests, docs, and CI matrix kubernetes-sigs/descheduler#1874
  • Confidence: documented
  • Render-limited: no

F3: RBAC fix for PVC list permission (PR #1836) — already present in 0.35.1

  • Severity: informational
  • Category: k8s_api
  • What changed: v0.35.0 introduced a requirement for persistentvolumeclaims list/watch/get at cluster scope (for the podProtections storage-class feature added in v0.35.0). The Helm chart's ClusterRole was missing this permission, causing log errors. PR #1836 fixed the chart ClusterRole and was backported into v0.35.1.
  • Why it affects this deployment: The current deployment already runs v0.35.1, which includes the fix. The ClusterRole template SHA is identical between 0.35.1 and 0.36.0 (68ae90787fc90ccfbcdd9556d691de767579f602). No action needed.
  • Affected dependents: Both clusters
  • Required action: No action — already fixed in 0.35.1.
  • Source: Update helm RBAC to account for pvc failure on 0.35.0 kubernetes-sigs/descheduler#1836
  • Confidence: documented
  • Render-limited: no

F4: PodLifeTime plugin — new states field used in k8s deployment, not in rpi5

  • Severity: informational
  • Category: config_schema
  • What changed: v0.35.1 added Extend PodLifeTime with condition, exit code, owner kind, and transition time filters (PR #1844, backported into 0.35.1). v0.36.0 carries this forward. No fields were removed.
  • Why it affects this deployment: The k8s deployment uses PodLifeTime with states: ["Pending", "PodInitializing"]. The rpi5 deployment uses PodLifeTime without states. Both configurations remain valid in v0.36.0 — the new fields are additive.
  • Affected dependents: k8s cluster descheduler
  • Required action: No action — informational only.
  • Source: https://github.com/kubernetes-sigs/descheduler/releases/tag/v0.36.0
  • Confidence: documented
  • Render-limited: no

F5: serviceMonitor.apiVersion new field in values.yaml


Deployment fingerprint (summary)

Both clusters (k8s and rpi5):

  • Kind: CronJob (chart default, not overridden)
  • Schedule: chart default */2 * * * * (not overridden)
  • Image: registry.k8s.io/descheduler/descheduler at chart version tag (no explicit tag override)
  • Namespace: kube-system
  • No env vars, no ConfigMap mounts, no PVCs, no Secrets — descheduler is stateless; policy is passed via ConfigMap rendered from deschedulerPolicy values
  • DefaultEvictor args: ignorePvcPods: true, evictLocalStoragePods: true (deprecated but still accepted)
  • Active plugins: RemoveDuplicates, RemovePodsHavingTooManyRestarts (threshold: 100), RemovePodsViolatingNodeAffinity (requiredDuringScheduling), RemovePodsViolatingNodeTaints, RemovePodsViolatingInterPodAntiAffinity, RemovePodsViolatingTopologySpreadConstraint, LowNodeUtilization (20/50 thresholds), PodLifeTime (7 days)
  • k8s-only: PodLifeTime with states: ["Pending", "PodInitializing"]
  • rpi5-only: LowNodeUtilization memory threshold: 30% (vs 20% in k8s)
  • No ServiceMonitor, no leaderElection, no Deployment mode
  • Resources: chart defaults (500m CPU / 256Mi memory, requests = limits)
  • Security context: runAsNonRoot: true, runAsUser: 1000, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false
  • Liveness probe: HTTPS /healthz :10258 (unchanged between versions)
  • RBAC: rbac.create: true (chart default)
  • No metricsProviders configured (metrics.k8s.io RBAC branch not activated)

Cluster fit

  • Architectures required by cluster: amd64 (GKE/k8s), arm64 (rpi5 Raspberry Pi 5)
  • Architectures supported by new version: AMD64, ARM64, ARMv7 — confirmed in docs/user-guide.md at tag v0.36.0
  • Kubernetes API versions used in manifest sources: batch/v1 (CronJob), rbac.authorization.k8s.io/v1 (ClusterRole/ClusterRoleBinding), v1 (ServiceAccount, ConfigMap) — all GA and stable across all supported K8s versions
  • Minimum K8s version stated by dep: Not stated as a hard minimum; tested against v1.34, v1.35, v1.36 for v0.36
  • Peer dependency check: No cert-manager, Prometheus operator, or service mesh dependencies. No CRDs shipped or required. No operator pattern.

Gaps

  • GKE cluster Kubernetes version not determinable from repo: No upgrade.yaml or equivalent version pin exists for the k8s/ GKE cluster. The GKE version is assumed to be recent (≥1.34) based on typical GKE release cadence, but was not confirmed. If the GKE cluster is running a very old version (< 1.33), the compatibility window concern in F2 would apply there too.
  • Chart template rendering not performed: No helm template was run. Reasoning was done from raw chart source. The chart templates are identical between 0.35.1 and 0.36.0 (confirmed by matching file SHAs for all template files), so this gap does not affect any finding.
  • v0.36.0 not yet listed in user-guide.md architecture table at time of initial search: The v0.36.0 entry was confirmed present in the docs/user-guide.md at the v0.36.0 tag, listing AMD64, ARM64, ARMv7.
  • ignorePvcPods/evictLocalStoragePods removal timeline unknown: The upstream has not published a specific version in which these deprecated fields will be removed. Monitoring upstream release notes is recommended.

Upstream changelog

I now have all the information needed to produce a comprehensive output. Let me compile the findings.


descheduler (Helm Chart) 0.35.1 → 0.36.0

Summary


Breaking Changes

serviceMonitor.apiVersion field added with hardcoded default — existing ServiceMonitor templates now use a configurable value

  • What changed: The servicemonitor.yaml template previously hardcoded apiVersion: monitoring.coreos.com/v1; it now reads from serviceMonitor.apiVersion, which defaults to "monitoring.coreos.com/v1".
  • Affects: Helm chart values schema (serviceMonitor.apiVersion); rendered ServiceMonitor manifest apiVersion field.
  • Migration: No action required if using standard Prometheus Operator (monitoring.coreos.com/v1). Users on Azure Managed Prometheus or other non-standard operators who previously patched the template manually should now set serviceMonitor.apiVersion in their values instead.
  • Source: chart: allow overriding ServiceMonitor apiVersion kubernetes-sigs/descheduler#1837 (PR description and Artifact Hub parameter table)
  • Confidence: documented
  • Introduced in: 0.36.0

DefaultEvictor.NamespaceLabelSelector now evaluates matchExpressions (behavior change for existing configs using only matchLabels)

  • What changed: The DefaultEvictor previously only activated NamespaceLabelSelector filtering when matchLabels was non-empty; it now also activates when matchExpressions is non-empty. The guard condition changed from len(MatchLabels) == 0 to len(MatchLabels) > 0 || len(MatchExpressions) > 0.
  • Affects: deschedulerPolicy.profiles[*].pluginConfig[DefaultEvictor].args.namespaceLabelSelector — any policy that sets matchExpressions without matchLabels will now have namespace filtering applied where it was previously silently ignored.
  • Migration: Review existing DefaultEvictor configs that use namespaceLabelSelector.matchExpressions without matchLabels. Previously those expressions were silently no-ops; they will now be enforced. No action needed if matchLabels was always populated alongside matchExpressions.
  • Source: chore(defaultevictor): add MatchExpressions compatibility to the namespaceselector kubernetes-sigs/descheduler#1853
  • Confidence: inferred (the PR is labeled a bug fix / "chore", but the behavioral change is real for any user who set matchExpressions expecting it to work — it was silently ignored before)
  • Introduced in: 0.36.0

PodLifeTime plugin: states field now also matches container terminated reasons (previously only matched waiting reasons)

  • What changed: PodLifeTimeArgs.states previously only checked container waiting reasons; it now also checks container terminated reasons. A pod with a container in a terminated state matching a listed reason will now be eligible for eviction.
  • Affects: deschedulerPolicy.profiles[*].pluginConfig[PodLifeTime].args.states — existing policies that list reason strings may now match more pods than before.
  • Migration: Review PodLifeTime policies that use states. If the listed reasons could also appear as terminated container reasons (e.g., OOMKilled, Error), those pods will now be evicted where they were not before. Narrow the policy with the new ownerKinds or conditions filters if needed.
  • Source: Extend PodLifeTime with condition, exit code, owner kind, and transition time filters kubernetes-sigs/descheduler#1844 (PR description: "states enhanced: Now also checks container terminated reasons (previously only checked waiting reasons)")
  • Confidence: documented
  • Introduced in: 0.36.0

Other Notable Changes

  • App image bumped to v0.36.0 targeting Kubernetes v1.36; compatibility matrix: descheduler v0.36 ↔ Kubernetes v1.36. (release notes)
  • initContainers value added — new initContainers: [] key in values.yaml allows specifying init containers for the descheduler Deployment/CronJob pod. (PR #1826)
  • PodLifeTime extended with new filter fields: conditions (filter by status.conditions type/status/reason with optional minTimeSinceLastTransitionSeconds), exitCodes (filter by container terminated exit code), ownerKinds (include/exclude by owner reference kind). All new fields are additive/optional. (PR #1844)
  • DefaultEvictor.NamespaceLabelSelector now supports matchExpressions — previously only matchLabels was evaluated; matchExpressions is now fully functional. (PR #1853)
  • Data race fixes in descheduler core — concurrent map/slice access races resolved. (PR #1842)
  • Eviction observability fixes — missing metrics for background evictions fixed; Prometheus usage client reset at each extension point. (PR #1856, PR #1862)
  • Security: gRPC and OpenTelemetry SDK dependencies upgraded to address vulnerabilities. (PR #1859)
  • Chart icon URL updated in Chart.yaml to point to new logo path. (PR #1838)
  • CI: GitHub Actions pinned to immutable SHAs across workflows. (PR #1875)

Deprecations Introduced

None found.


Gaps and Caveats

  • No dedicated CHANGELOG or UPGRADING file exists in the repository at standard paths (CHANGELOG.md, CHANGES.rst, UPGRADING.md, MIGRATING.md). All change information is sourced from GitHub release notes and individual PR descriptions.
  • RBAC fix already in 0.35.1: The persistentvolumeclaims RBAC permission fix (PR #1836) was cherry-picked into the release-1.35 branch and shipped as chart 0.35.1. The clusterrole.yaml diff between 0.35.1 and 0.36.0 shows identical content — this fix is not new in 0.36.0 for users already on 0.35.1. Users upgrading from 0.35.0 directly would gain this fix, but the stated old version is 0.35.1.
  • PR #1853 (NamespaceLabelSelector MatchExpressions) was still open/unmerged to master at time of research but appears in the v0.36.0 release notes as merged. The PR timeline shows lgtm label added April 8, 2026 but no explicit merge event visible in the fetched data. The v0.36.0 release notes list it as included (chore(defaultevictor): add MatchExpressions compatibility to the namespaceselector by @Fankhauserli in #1853), so it is treated as included.
  • ZeroVer project: The descheduler has never released a v1.0. All releases are 0.x, meaning semver's "no breaking changes in minor" guarantee does not apply. Each release should be treated as potentially breaking.
  • Kubernetes version coupling: Chart 0.36.0 ships app v0.36.0 which targets Kubernetes v1.36. Running this chart against older Kubernetes clusters (< v1.34 per the compatibility matrix) is unsupported.
  • assumePod metric race fix (PR #1873) — fixes a race where eviction success metrics were silently dropped on informer races. This is a correctness fix that may cause metric counts to change after upgrade (previously under-counted).

Provenance

RESEARCH_FAILED: provenance researcher could not complete.

Reason: Prompt error: CompletionError: ProviderError: {"error":{"message":"{"type":"error","error":{"type":"invalid_request_error","message":"max_tokens: 65536 > 64000, which is the maximum allowed number of output tokens for claude-haiku-4-5-20251001"},"request_id":"req_011CbF7cHSgWvnA1rUmLTndk"}. Received Model Group=claude-haiku-4-5\nAvailable Model Group Fallbacks=['claude-haiku-4-5-fallback']\nError doing the fallback: {"type":"error","error":{"type":"authentication_error","message":"x-api-key header is required"},"request_id":"req_011CbF7cVXx1kJBqfXGhhbvR"}","type":"None","param":"None","code":"400"}}

The categorizer must treat this as an unverified signal and downgrade the verdict accordingly (do not assume safety).
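The podProtections migration that finding F1 above recommends, carried out as an added example (editor's code, not descheduler's and not the dep-review bot's): it folds the two deprecated DefaultEvictor args into the equivalent podProtections lists using exactly the mapping F1 states, and leaves every other arg untouched. The policy below is a constructed dict in DeschedulerPolicy v1alpha2 layout (profiles[].pluginConfig[].args) mirroring the report's deployment fingerprint; the one assumption not taken from the page is that a legacy value of false already matches the podProtections defaults and therefore needs no entry.

```python
"""Added example (editor's code, not descheduler's): rewrite the deprecated
DefaultEvictor args ignorePvcPods / evictLocalStoragePods as podProtections.

Mapping per finding F1: ignorePvcPods: true -> extraEnabled: [PodsWithPVC];
evictLocalStoragePods: true -> defaultDisabled: [PodsWithLocalStorage].
Assumption (not from the page): a legacy value of false already equals the
podProtections defaults, so it is dropped without adding an entry.
"""
import copy

# legacy field -> (protection name, podProtections list it belongs in when true)
LEGACY_TO_PROTECTION = {
    "ignorePvcPods": ("PodsWithPVC", "extraEnabled"),
    "evictLocalStoragePods": ("PodsWithLocalStorage", "defaultDisabled"),
}


def migrate_default_evictor_args(args):
    """Return a copy of DefaultEvictor args with legacy fields folded into podProtections."""
    new_args = copy.deepcopy(args)
    protections = new_args.setdefault("podProtections", {})
    for legacy, (protection, bucket) in LEGACY_TO_PROTECTION.items():
        if legacy not in new_args:
            continue
        if new_args.pop(legacy):  # only a true value changes the default behaviour
            entries = protections.setdefault(bucket, [])
            if protection not in entries:  # idempotent if already migrated
                entries.append(protection)
    if not protections:  # nothing to protect or disable: drop the empty stanza
        del new_args["podProtections"]
    return new_args


def migrate_policy(policy):
    """Apply the migration to every DefaultEvictor pluginConfig in every profile."""
    migrated = copy.deepcopy(policy)
    for profile in migrated.get("profiles", []):
        for plugin in profile.get("pluginConfig", []):
            if plugin.get("name") == "DefaultEvictor":
                plugin["args"] = migrate_default_evictor_args(plugin.get("args", {}))
    return migrated


# Constructed policy mirroring the report's fingerprint, not the repo's manifest.
SAMPLE_POLICY = {
    "apiVersion": "descheduler/v1alpha2",
    "kind": "DeschedulerPolicy",
    "profiles": [{
        "name": "default",
        "pluginConfig": [
            {"name": "DefaultEvictor",
             "args": {"ignorePvcPods": True, "evictLocalStoragePods": True,
                      "nodeFit": True}},
            {"name": "PodLifeTime",
             "args": {"maxPodLifeTimeSeconds": 604800,
                      "states": ["Pending", "PodInitializing"]}},
        ],
    }],
}

if __name__ == "__main__":
    import json
    migrated = migrate_policy(SAMPLE_POLICY)
    print(json.dumps(migrated["profiles"][0]["pluginConfig"][0], indent=2))
```

Run it against the parsed deschedulerPolicy value from either manifest (for example after `yaml.safe_load`) and diff the output against the current args before committing; the function never touches pluginConfig entries other than DefaultEvictor, so the PodLifeTime settings flagged elsewhere in the report pass through unchanged.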

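The PodLifeTime "states" semantics change that the report asks the reviewer to verify, as an added example (editor's code, not descheduler's and not the dep-review bot's): it evaluates a configured states list against pod objects under the old rule (waiting reasons only) and the new v0.36.0 rule (waiting plus terminated reasons) and lists the pods that only the new rule would make eligible. Assumptions not taken from the page: a state string is compared against pod.status.phase, pod.status.reason and each container's state.waiting.reason under both rules, and additionally against state.terminated.reason under the new one; init container statuses are ignored. The pods are constructed dicts shaped like items from `kubectl get pods -o json`.

```python
"""Added example (editor's code, not descheduler's): find pods that the
PodLifeTime 'states' filter would newly match under v0.36.0 semantics.

Assumptions (not from the page): old rule compares each state string with
pod.status.phase, pod.status.reason and container state.waiting.reason;
new rule additionally compares with container state.terminated.reason.
Init container statuses are ignored. Pods are dicts shaped like
`kubectl get pods -o json` items.
"""


def observed_states(pod, include_terminated):
    """Collect every string the 'states' filter could match on this pod."""
    status = pod.get("status", {})
    found = set()
    for key in ("phase", "reason"):
        if status.get(key):
            found.add(status[key])
    for cs in status.get("containerStatuses", []):
        state = cs.get("state", {})
        waiting_reason = state.get("waiting", {}).get("reason")
        if waiting_reason:
            found.add(waiting_reason)
        if include_terminated:  # the v0.36.0 addition
            terminated_reason = state.get("terminated", {}).get("reason")
            if terminated_reason:
                found.add(terminated_reason)
    return found


def pod_matches(pod, states, include_terminated):
    """True if any configured state string is observed on the pod."""
    return bool(observed_states(pod, include_terminated) & set(states))


def newly_eligible(pods, states):
    """Names of pods matched only once terminated reasons count (v0.36.0)."""
    return [
        pod["metadata"]["name"]
        for pod in pods
        if pod_matches(pod, states, include_terminated=True)
        and not pod_matches(pod, states, include_terminated=False)
    ]


def _pod(name, phase, container_state, reason=None):
    """Build a constructed pod object with one container in the given state."""
    status = {"phase": phase,
              "containerStatuses": [{"name": "app", "state": container_state}]}
    if reason:
        status["reason"] = reason
    return {"metadata": {"name": name, "namespace": "default"}, "status": status}


# Constructed sample, not real cluster data.
SAMPLE_PODS = [
    _pod("web-init", "Pending", {"waiting": {"reason": "PodInitializing"}}),
    _pod("worker-oom", "Running", {"terminated": {"reason": "OOMKilled", "exitCode": 137}}),
    _pod("batch-error", "Failed", {"terminated": {"reason": "Error", "exitCode": 1}}),
    _pod("api", "Running", {"running": {}}),
]

if __name__ == "__main__":
    # The k8s cluster's policy from the report lists waiting-only reasons: nothing changes.
    print(newly_eligible(SAMPLE_PODS, ["Pending", "PodInitializing"]))  # []
    # A policy listing reasons that also occur as terminated reasons gains pods.
    print(newly_eligible(SAMPLE_PODS, ["OOMKilled", "Error"]))  # ['worker-oom', 'batch-error']
```

To check a live cluster, replace SAMPLE_PODS with the `items` list from `kubectl get pods -A -o json` and pass the states list from the manifest's PodLifeTime args; an empty result confirms the report's "no immediate impact" conclusion for that policy, while any names returned are the pods the upgrade would start evicting once they exceed maxPodLifeTimeSeconds.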