NestJS architecture, dependency injection, validation, security, errors, testing, persistence, APIs, microservices, and deployment patterns with prioritized rule tiers and companion rule files.
Score: 99 (100% on "Does it follow best practices?"). Impact: 97%. 1.12x average score across 2 eval scenarios. Advisory: suggest reviewing before use.
{
  "context": "Tests whether the agent implements JWT authentication following NestJS security rules: correct token lifetimes, hashed refresh token storage, secrets from config (not hardcoded), no sensitive data in JWT payload, proper guard registration, and rate limiting on auth endpoints.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Short access token TTL",
      "description": "Access token expiry is set to 15 minutes (or similarly short duration — not hours or days)",
      "max_score": 10
    },
    {
      "name": "Long refresh token TTL",
      "description": "Refresh token expiry is set to 7 days (or a longer duration clearly distinct from access token TTL)",
      "max_score": 8
    },
    {
      "name": "No hardcoded secrets",
      "description": "JWT secrets are read from ConfigService or environment variables — no string literals for secrets in source files",
      "max_score": 10
    },
    {
      "name": "Config validation at startup",
      "description": "ConfigModule is set up with a Joi (or equivalent) validation schema that validates JWT-related env vars at application startup",
      "max_score": 8
    },
    {
      "name": "Hashed refresh token storage",
      "description": "Refresh tokens are stored in the database after being hashed (e.g., bcrypt/argon2/SHA-256) — raw refresh tokens are NOT persisted",
      "max_score": 10
    },
    {
      "name": "Safe JWT payload",
      "description": "JWT payload contains only non-sensitive fields (e.g., sub/userId, email, roles) — does NOT include passwordHash, full user object, or other sensitive data",
      "max_score": 8
    },
    {
      "name": "Passport strategy used",
      "description": "A Passport JWT strategy (from @nestjs/passport / passport-jwt) is used for token validation, not manual token parsing in controllers/services",
      "max_score": 8
    },
    {
      "name": "Guard via APP_GUARD or decorator",
      "description": "JwtAuthGuard is registered globally via APP_GUARD token OR applied with @UseGuards() on the controller/routes — not as manual checks inside controller methods",
      "max_score": 8
    },
    {
      "name": "Rate limiting on auth endpoint",
      "description": "A throttler (e.g., @nestjs/throttler) or @Throttle() decorator is applied to the login endpoint to limit request rate",
      "max_score": 8
    },
    {
      "name": "Constructor injection used",
      "description": "All services and the guard use constructor injection for their dependencies — no @Inject() on class properties",
      "max_score": 6
    },
    {
      "name": "Namespaced config",
      "description": "Auth configuration is registered as a namespaced config using registerAs() (e.g., registerAs('auth', ...)) rather than flat env access",
      "max_score": 8
    },
    {
      "name": "Session invalidation on password change",
      "description": "Implementation includes logic to invalidate refresh tokens when a user changes their password (e.g., checking token issue time vs password change time, or deleting stored refresh tokens)",
      "max_score": 8
    }
  ]
}