{
  "context": "Tests whether the agent correctly implements an OAuth 2.0 Authorization Code flow with PKCE in a Fastify application, using the right packages, plugin structure, state management, and secure token handling patterns.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Correct OAuth package",
      "description": "Uses @fastify/oauth2 (not an alternative like simple-oauth2 or passport)",
      "max_score": 8
    },
    {
      "name": "fastify-plugin wrapper",
      "description": "The OAuth plugin is wrapped with fastify-plugin (fp) so decorations are shared across the Fastify instance",
      "max_score": 10
    },
    {
      "name": "PKCE method S256",
      "description": "Configures pkce: 'S256' in the oauth2 registration options (not 'plain' and not omitted)",
      "max_score": 12
    },
    {
      "name": "State generation with randomUUID",
      "description": "Uses crypto.randomUUID() to generate the state value in generateStateFunction",
      "max_score": 10
    },
    {
      "name": "State stored in session",
      "description": "The generated state is stored in request.session (not a cookie, global variable, or other store)",
      "max_score": 10
    },
    {
      "name": "State validated on callback",
      "description": "Implements checkStateFunction that compares the incoming query state against the session-stored state and calls callback with an error on mismatch",
      "max_score": 10
    },
    {
      "name": "No token logging",
      "description": "The raw access_token value is NOT passed to console.log, fastify.log, or any logger call",
      "max_score": 8
    },
    {
      "name": "Tokens stored in session",
      "description": "Stores access_token and refresh_token in the server-side session (e.g. request.session.set(...)), not in a response body or localStorage",
      "max_score": 10
    },
    {
      "name": "Authorization code flow only",
      "description": "Does NOT configure response_type=token or use the implicit grant flow anywhere",
      "max_score": 10
    },
    {
      "name": "Env vars for credentials",
      "description": "CLIENT_ID, CLIENT_SECRET, and AUTH_SERVER (or equivalent authorization server URL) are read from environment variables, not hardcoded",
      "max_score": 12
    }
  ]
}

evals

scenario-1

scenario-2

scenario-3

scenario-4

scenario-5

scenario-6

scenario-7

scenario-8

scenario-9

scenario-10

scenario-11

scenario-12

scenario-13

scenario-14

scenario-15

scenario-16

scenario-17

scenario-18

scenario-19

scenario-20

scenario-21

scenario-22

scenario-23

scenario-24

scenario-25

scenario-26

scenario-27

scenario-28

scenario-29

scenario-30

scenario-31

scenario-32

scenario-33

scenario-34

scenario-35

scenario-36

criteria.json

task.md

scenario-37

scenario-38

scenario-39

scenario-40

scenario-41

scenario-42

scenario-43

scenario-44

skills

README.md

tile.json

simon/skills

criteria.json.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}evals/scenario-36/

criteria.jsonevals/scenario-36/