{
  "context": "Tests whether the agent correctly sets up the @fastify/oauth2 plugin with proper PKCE, state validation, and token handling. The agent must use the right packages, configure PKCE with S256, implement CSRF-safe state management, and use the correct API method to exchange the authorization code.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/oauth2 package",
      "description": "Uses @fastify/oauth2 as the OAuth plugin (present in package.json or import statements), not an alternative like passport, grant, or a custom implementation",
      "max_score": 10
    },
    {
      "name": "fastify-plugin wrapper",
      "description": "The oauth plugin file wraps the registration function with fastify-plugin (fp), ensuring decorators are not encapsulated",
      "max_score": 10
    },
    {
      "name": "PKCE S256 method",
      "description": "Sets pkce: 'S256' in the @fastify/oauth2 registration options (not 'plain', not omitted)",
      "max_score": 15
    },
    {
      "name": "State generation",
      "description": "Implements generateStateFunction that stores a random value (e.g. crypto.randomUUID()) in the session",
      "max_score": 10
    },
    {
      "name": "State validation",
      "description": "Implements checkStateFunction that compares the returned state against the session-stored value and calls back with an error on mismatch",
      "max_score": 10
    },
    {
      "name": "Authorization code exchange method",
      "description": "Uses getAccessTokenFromAuthorizationCodeFlow(request) to exchange the code in the callback route",
      "max_score": 15
    },
    {
      "name": "No raw token logging",
      "description": "The callback route does NOT log or expose the raw token object (no console.log(tokenResponse) or similar)",
      "max_score": 10
    },
    {
      "name": "Session token storage",
      "description": "Stores accessToken and refreshToken in the Fastify session (not in a response body or cookie set manually)",
      "max_score": 10
    },
    {
      "name": "Correct dependency set",
      "description": "package.json (or equivalent) includes @fastify/cookie and @fastify/session in addition to @fastify/oauth2 and fastify-plugin",
      "max_score": 10
    }
  ]
}

evals

scenario-1

scenario-2

scenario-3

scenario-4

scenario-5

scenario-6

scenario-7

scenario-8

scenario-9

scenario-10

scenario-11

scenario-12

scenario-13

scenario-14

scenario-15

scenario-16

scenario-17

scenario-18

scenario-19

scenario-20

scenario-21

scenario-22

scenario-23

scenario-24

scenario-25

scenario-26

scenario-27

scenario-28

scenario-29

scenario-30

scenario-31

scenario-32

scenario-33

scenario-34

scenario-35

criteria.json

task.md

scenario-36

scenario-37

scenario-38

scenario-39

scenario-40

scenario-41

scenario-42

scenario-43

scenario-44

skills

README.md

tile.json

simon/skills

criteria.json.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}evals/scenario-35/

criteria.jsonevals/scenario-35/