simon/skills

Auto-generated tile from GitHub (10 skills)

Quality: 94% (does it follow best practices?)
Impact: 92%, 1.16x (average score across 44 eval scenarios)

Security (by Snyk): Advisory. Suggest reviewing before use.


evals/scenario-31/criteria.json

{
  "context": "Tests whether the agent implements JWT validation and route protection according to the Fastify OAuth skill's prescribed packages, algorithm choices, claim validation requirements, hook patterns, and refresh token rotation semantics.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/jwt package",
      "description": "Imports or requires '@fastify/jwt' for JWT operations (not jsonwebtoken, jose, or another JWT library as the primary verification mechanism)",
      "max_score": 10
    },
    {
      "name": "Asymmetric algorithm used",
      "description": "JWT verification is configured to use RS256 or ES256 (asymmetric algorithm), NOT HS256 (symmetric secret)",
      "max_score": 15
    },
    {
      "name": "exp claim validated",
      "description": "The hook explicitly checks the exp claim and returns a 401 response when the token is expired (not relying solely on jwtVerify's default behavior without an explicit check)",
      "max_score": 10
    },
    {
      "name": "iss claim validated",
      "description": "The hook explicitly compares payload.iss to the expected issuer (e.g. process.env.EXPECTED_ISSUER) and returns 401 on mismatch",
      "max_score": 10
    },
    {
      "name": "aud claim validated",
      "description": "The hook explicitly compares payload.aud to the expected audience (e.g. process.env.EXPECTED_AUDIENCE) and returns 401 on mismatch — audience validation is NOT skipped",
      "max_score": 15
    },
    {
      "name": "onRequest hook pattern",
      "description": "Route protection is implemented via fastify.addHook('onRequest', verifyToken) rather than per-route preHandler or manual calls inside route handlers",
      "max_score": 10
    },
    {
      "name": "401 with error field",
      "description": "All validation failure paths return HTTP 401 with a JSON body containing an 'error' field (e.g. { error: 'invalid_token' } or { error: 'token_expired' })",
      "max_score": 10
    },
    {
      "name": "Refresh token rotation",
      "description": "The refresh utility returns the new refresh_token from the response if present, and falls back to the old refresh token using the ?? operator or equivalent null-coalescing logic",
      "max_score": 15
    },
    {
      "name": "sub claim used",
      "description": "The sub claim from the validated token payload is accessed and used (e.g. returned in the /me route or stored in request context)",
      "max_score": 5
    }
  ]
}
