{
  "context": "Evaluates whether the solution leverages express-rate-limit's draft-8 features to emit named quotas with hashed partitions and combined headers when multiple limiters guard the same endpoint. Emphasizes configuring the library rather than hand-rolling headers or counters.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Draft8 headers",
      "description": "Configures each rateLimit middleware with standardHeaders set to \"draft-8\" (and legacyHeaders disabled) so responses carry RateLimit and RateLimit-Policy output from express-rate-limit.",
      "max_score": 20
    },
    {
      "name": "Quota identifiers",
      "description": "Assigns explicit identifier values on both limiters so draft-8 RateLimit-Policy entries expose the intended quota names.",
      "max_score": 20
    },
    {
      "name": "Multi-limiter stack",
      "description": "Applies two distinct rateLimit middlewares to the /quota route (route-wide and per-user windows) and ensures both sets of draft-8 headers are appended rather than overwritten.",
      "max_score": 20
    },
    {
      "name": "Partition tokens",
      "description": "Relies on the draft-8 partition hashing emitted by express-rate-limit (no manual header hacks) so RateLimit entries include partition tokens instead of exposing the raw client identifier/IP.",
      "max_score": 20
    },
    {
      "name": "Quota windows",
      "description": "Configures rateLimit options to match the spec windows (20/minute route-wide, 3/10s per user keyed by X-User-ID) so header metadata and enforcement align with those limits.",
      "max_score": 20
    }
  ]
}