Use this skill whenever the user asks you to write, edit, review, refactor, debug, or design TypeScript or TSX code. It is especially relevant for application code, backend routes, React/UI work, schemas, runtime boundaries, persistence, async workflows, API contracts, tests, lint/typecheck fixes, and code review. Apply it even when the user does not explicitly mention "TypeScript" if the files or project are TypeScript-based.
89
85%
Does it follow best practices?
Impact
95%
1.26x
Average score across 5 eval scenarios
Passed
No known issues
{
"context": "Tests whether the agent hardens a TypeScript HTTP boundary while preserving ownership, contracts, security, and focused proof. The starter route has unchecked inputs, unsafe SQL, nullable data leakage, weak naming, and missing tests.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Existing conventions",
"description": "Reads and follows the provided local project instructions and nearby conventions, including named exports and the existing validation dependency.",
"max_score": 8
},
{
"name": "Boundary schema",
"description": "Adds a runtime schema for the incoming request payload at the route or domain boundary, and infers the TypeScript type from that schema rather than duplicating it by hand.",
"max_score": 10
},
{
"name": "Parse once",
"description": "Parses untrusted data once at the boundary and passes a trusted typed value inward without repeated validation or defensive optional chaining in domain code.",
"max_score": 8
},
{
"name": "Unknown narrowed",
"description": "Uses unknown or schema parsing for boundary data and does not use any or broad type assertions for the payload.",
"max_score": 8
},
{
"name": "Null normalized",
"description": "Normalizes external null values to internal undefined for optional notes or coupon fields while preserving any externally meaningful raw value where audit data is stored.",
"max_score": 8
},
{
"name": "Thin route",
"description": "Keeps framework glue thin by moving meaningful order-fulfillment logic into named domain-owned functions near the order feature rather than a generic utils or services file.",
"max_score": 8
},
{
"name": "Typed outcomes",
"description": "Uses a local discriminated union or equivalent named outcome for expected domain results such as duplicate event, invalid order, or fulfilled order instead of returning null or undefined as failure signals.",
"max_score": 10
},
{
"name": "Secure query",
"description": "Uses the provided query builder or parameterized database call and does not concatenate request data into SQL.",
"max_score": 8
},
{
"name": "Auth nearby",
"description": "Performs webhook signature or tenant authorization checks close to the protected fulfillment operation and fails closed when the signature or tenant is missing or ambiguous.",
"max_score": 8
},
{
"name": "Domain constants",
"description": "Moves business-rule literals such as retry count, timeout, event name, or maximum line items into an owner-level constants file with meaning-based names.",
"max_score": 6
},
{
"name": "Focused tests",
"description": "Adds focused tests for parsing, null normalization, unsafe inputs, duplicate-event behavior, and query safety without relying on broad snapshots.",
"max_score": 10
},
{
"name": "Check evidence",
"description": "Includes a short change note that states what deterministic checks were run, or if a check could not run, what was manually verified and what risk remains.",
"max_score": 8
}
]
}