
tessl/npm-express-rate-limit

Express middleware for IP-based rate limiting with flexible configuration options and multiple storage backends

Overall score: 96%


evals/scenario-2/rubric.json

{
  "context": "Evaluates how well the solution uses express-rate-limit to configure global and login middleware according to the spec, relying on the package options for limits, messages, headers, and route wiring. Emphasis is on correct use of rateLimit and its options rather than general Express code quality.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Global defaults",
      "description": "Builds the shared middleware with express-rate-limit's rateLimit using windowMs 60000, limit 5, statusCode 429, and a package-driven response (message or handler using req.rateLimit) that returns the spec's JSON error payload with error/limit/remaining for GET /status.",
      "max_score": 25
    },
    {
      "name": "Shared limiter",
      "description": "Attaches the same rateLimit instance to both GET /status and GET /data so requests on either route increment the same counter and enforce one window per client.",
      "max_score": 15
    },
    {
      "name": "Config overrides",
      "description": "Applies provided config by passing windowMs, limit, statusCode, message/handler response body, and legacyHeaders or standardHeaders into rateLimit options while leaving the caller-supplied config object unmodified.",
      "max_score": 20
    },
    {
      "name": "Login limiter",
      "description": "Creates a separate rateLimit middleware for POST /login with a 15-minute window and limit 3 (or the login config overrides) so login attempts hit their own counter and do not share the global store.",
      "max_score": 20
    },
    {
      "name": "Header & Retry-After",
      "description": "Configures headerMode by toggling rateLimit's legacyHeaders and standardHeaders options and relies on the package to emit the appropriate rate limit headers plus Retry-After when a request is blocked.",
      "max_score": 20
    }
  ]
}

Install with Tessl CLI

npx tessl i tessl/npm-express-rate-limit
