
simon/skills

Auto-generated tile from GitHub (10 skills)

Quality: 94% (Does it follow best practices?)

Impact: 92%, 1.16x (Average score across 44 eval scenarios)

Security by Snyk: Advisory (Suggest reviewing before use)


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent uses @fastify/jwt for authentication, @node-rs/argon2 for password hashing, @fastify/rate-limit with a Redis backend for distributed rate limiting, and close-with-grace for graceful shutdown.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/jwt used",
      "description": "JWT registration uses fastifyJwt imported from '@fastify/jwt', not a third-party JWT library like 'jsonwebtoken' directly",
      "max_score": 10
    },
    {
      "name": "jwtVerify for auth",
      "description": "Protected routes call request.jwtVerify() (the @fastify/jwt method) to authenticate, not a manual JWT decode",
      "max_score": 8
    },
    {
      "name": "@node-rs/argon2 used",
      "description": "Password hashing imports hash() and/or verify() from '@node-rs/argon2', not bcrypt, bcryptjs, or any other hashing library",
      "max_score": 12
    },
    {
      "name": "Argon2 parameters set",
      "description": "The argon2 hash() call includes at least one of: memoryCost, timeCost, or parallelism parameters explicitly",
      "max_score": 8
    },
    {
      "name": "Rate limiting on auth routes",
      "description": "The login and/or registration routes are protected with @fastify/rate-limit (the plugin is registered)",
      "max_score": 8
    },
    {
      "name": "Redis backend for rate limit",
      "description": "The @fastify/rate-limit registration passes a Redis client instance (e.g., from 'ioredis' or 'redis') as the redis option — NOT in-memory only",
      "max_score": 12
    },
    {
      "name": "Redis rationale documented",
      "description": "architecture-notes.md states that Redis is used for rate limiting to ensure it works across multiple instances / distributed deployments",
      "max_score": 8
    },
    {
      "name": "close-with-grace used",
      "description": "src/server.ts imports and calls closeWithGrace() from the 'close-with-grace' package for graceful shutdown",
      "max_score": 12
    },
    {
      "name": "app.close() in shutdown",
      "description": "The closeWithGrace callback calls app.close() or await app.close() to finish in-flight requests before the process exits",
      "max_score": 8
    },
    {
      "name": "fp() for auth plugin",
      "description": "The authentication plugin (JWT registration, authenticate decorator) is wrapped with fp() from 'fastify-plugin' so it is available to sibling plugins and routes",
      "max_score": 8
    },
    {
      "name": "Argon2 rationale documented",
      "description": "architecture-notes.md mentions argon2 (or @node-rs/argon2) and gives a reason for choosing it (e.g. memory-hard, more secure than bcrypt)",
      "max_score": 6
    }
  ]
}
