Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
94
95%: Does it follow best practices?
Impact: 93%
1.40x average score across 5 eval scenarios
Passed: no known issues
{
  "context": "Tests whether the agent correctly implements rate limiting on token endpoints, enforces HTTPS-only redirect URIs, uses @fastify/oauth2 with proper plugin encapsulation, reads credentials from environment variables, and avoids insecure flow configurations.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/oauth2 used",
      "description": "Uses @fastify/oauth2 for OAuth client credentials flow (not a hand-rolled HTTP request to the token endpoint)",
      "max_score": 8
    },
    {
      "name": "fastify-plugin wrapper",
      "description": "OAuth plugin is wrapped with fp() from fastify-plugin",
      "max_score": 8
    },
    {
      "name": "Rate limiting on token route",
      "description": "A rate limiting plugin or middleware is applied to the /token route (e.g. @fastify/rate-limit, or equivalent)",
      "max_score": 15
    },
    {
      "name": "HTTPS enforcement",
      "description": "Code includes a check that rejects or redirects requests that arrive over HTTP (e.g. checks X-Forwarded-Proto or req.protocol)",
      "max_score": 15
    },
    {
      "name": "HTTPS-only redirect URI",
      "description": "Any configured redirect URI or callback URI starts with https:// (not http://)",
      "max_score": 10
    },
    {
      "name": "Credentials from env vars",
      "description": "CLIENT_ID and CLIENT_SECRET are read from process.env (not hardcoded strings)",
      "max_score": 8
    },
    {
      "name": "No implicit flow",
      "description": "Does NOT configure response_type=token or the implicit flow anywhere in the implementation",
      "max_score": 10
    },
    {
      "name": "JWT claim validation",
      "description": "Any token verification includes checks for exp, iss, and aud claims",
      "max_score": 12
    },
    {
      "name": "Rate limit package in dependencies",
      "description": "package.json includes @fastify/rate-limit (or another named rate limiting package) in dependencies",
      "max_score": 14
    }
  ]
}