Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
Score: 94
Does it follow best practices? 95%
Impact: 93%
1.40x average score across 5 eval scenarios
Passed
No known issues
{
  "context": "Tests whether the agent correctly implements refresh token rotation using the @fastify/oauth2 API, replaces the stored refresh token on every use, handles the null-refresh-token fallback case, and stores tokens in secure HttpOnly cookies rather than localStorage.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Correct refresh method",
      "description": "Uses getNewAccessTokenUsingRefreshTokenFlow() from the @fastify/oauth2 instance to request new tokens",
      "max_score": 14
    },
    {
      "name": "Refresh token replaced",
      "description": "After a successful refresh, the stored refresh token is updated with the new value (not the old token reused unconditionally)",
      "max_score": 14
    },
    {
      "name": "Null refresh token fallback",
      "description": "If the provider does not return a new refresh token (null/undefined), falls back to the previous refresh token (e.g. newToken.token.refresh_token ?? refreshToken)",
      "max_score": 12
    },
    {
      "name": "Tokens stored in session",
      "description": "Access and refresh tokens are stored in a server-side session object (not returned directly to the browser as JSON for client-side storage)",
      "max_score": 12
    },
    {
      "name": "HttpOnly cookie attribute",
      "description": "Cookie configuration includes httpOnly: true (or HttpOnly attribute set)",
      "max_score": 12
    },
    {
      "name": "Secure cookie attribute",
      "description": "Cookie configuration includes secure: true (or Secure attribute set)",
      "max_score": 12
    },
    {
      "name": "SameSite=Strict cookie attribute",
      "description": "Cookie configuration includes sameSite: 'Strict' (or SameSite=Strict attribute)",
      "max_score": 12
    },
    {
      "name": "No localStorage usage",
      "description": "Does NOT use localStorage.setItem or window.localStorage anywhere in the implementation",
      "max_score": 12
    }
  ]
}
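The checklist above describes a refresh-token rotation rule (always replace the stored refresh token, fall back to the previous one only when the provider returns none) and the cookie attributes the session must carry. The following is an added example, not code from the page or from the @fastify/oauth2 project, showing that rule as pure functions that can be exercised without a real provider. It assumes the provider response has the shape `{ token: { access_token, refresh_token, expires_in } }` (the shape the checklist's `newToken.token.refresh_token` refers to); `makeFakeOAuth2` is a constructed stand-in for the plugin instance so the code runs offline, and `expiresAt` is an assumed session field.

```javascript
// Added example: refresh-token rotation with null fallback, plus the cookie
// options for the server-side session. Not from @fastify/oauth2 itself.

// Options for the session cookie. The cookie carries only a session id; the
// tokens stay server-side, so nothing is ever handed to localStorage.
function sessionCookieOptions() {
  return {
    httpOnly: true,     // not readable from document.cookie
    secure: true,       // only sent over HTTPS
    sameSite: 'strict', // not attached to cross-site requests (CSRF)
    path: '/',
  };
}

// Apply a provider's refresh response to the stored session object.
// Rule 1: the new access token always replaces the old one.
// Rule 2: the stored refresh token is replaced when the provider rotated it,
//         and kept only when the provider returned none (null/undefined).
function applyRefreshResponse(session, newToken, previousRefreshToken) {
  const token = newToken && newToken.token;
  if (!token || typeof token.access_token !== 'string') {
    throw new Error('refresh flow returned no access token');
  }
  session.accessToken = token.access_token;
  // Null fallback: some providers omit refresh_token when it is unchanged.
  session.refreshToken = token.refresh_token ?? previousRefreshToken;
  if (typeof token.expires_in === 'number') {
    session.expiresAt = Date.now() + token.expires_in * 1000; // assumed field
  }
  return session;
}

// Wrapper around the plugin instance method. `oauth2` is the instance that
// @fastify/oauth2 decorates onto fastify (e.g. fastify.myProviderOAuth2).
async function refreshSessionTokens(oauth2, session) {
  const previous = session.refreshToken;
  if (!previous) throw new Error('no refresh token in session; re-authenticate');
  const newToken = await oauth2.getNewAccessTokenUsingRefreshTokenFlow(previous);
  return applyRefreshResponse(session, newToken, previous);
}

// Constructed stand-in for the plugin instance (offline). Each scripted
// response is accepted only if the caller presents the expected refresh token,
// which is what a rotating provider does: a reused old token is rejected.
function makeFakeOAuth2(responses) {
  let call = 0;
  return {
    async getNewAccessTokenUsingRefreshTokenFlow(refreshToken) {
      const r = responses[call++];
      if (!r || r.expects !== refreshToken) {
        throw new Error(`refresh token ${refreshToken} rejected by provider`);
      }
      return { token: r.token };
    },
  };
}

// Two refreshes: the first rotates rt-0 -> rt-1, the second returns no
// refresh_token, so the session must keep rt-1 for the next call.
async function demo() {
  const session = { accessToken: 'at-0', refreshToken: 'rt-0' };
  const oauth2 = makeFakeOAuth2([
    { expects: 'rt-0', token: { access_token: 'at-1', refresh_token: 'rt-1', expires_in: 3600 } },
    { expects: 'rt-1', token: { access_token: 'at-2', expires_in: 3600 } },
  ]);
  await refreshSessionTokens(oauth2, session);
  await refreshSessionTokens(oauth2, session);
  return session;
}

demo().then((s) => console.log('session after two refreshes:', s));
```

In a real route the `session` object would be `request.session` from a server-side session plugin registered with `sessionCookieOptions()`, and the reply would carry only the session cookie, never the token JSON.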