Express middleware for IP-based rate limiting with flexible configuration options and multiple storage backends
Overall score: 96%
{
"context": "Evaluates whether the solution configures express-rate-limit to enforce per-route quotas while selectively skipping or counting requests based on outcomes. Checks focus on correct use of skip logic and counter-adjustment options for the health, login, and download flows described in the spec.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Limiter setup",
"description": "Constructs per-route middleware with express-rate-limit's rateLimit factory so /login enforces 5/minute and /reports/:id/download enforces 3/minute per client.",
"max_score": 20
},
{
"name": "Health skip",
"description": "Applies the library's skip option (or a dedicated limiter with skip returning true) so /health requests never increment counters and never trigger 429 even when other routes are exhausted.",
"max_score": 20
},
{
"name": "Login failure counting",
"description": "Uses skipSuccessfulRequests (with the default or customized requestWasSuccessful predicate) so only /login responses finishing with status >=400 consume attempts, and the 6th failure returns 429 after five counted failures.",
"max_score": 25
},
{
"name": "MFA redirect handling",
"description": "Customizes requestWasSuccessful to treat 302 responses carrying x-mfa-required: true as unsuccessful so they decrement the /login quota, while 302 responses without that header remain uncounted successes.",
"max_score": 15
},
{
"name": "Download error ignore",
"description": "Enables skipFailedRequests on the download limiter so only successful responses reduce the 3-per-minute quota and the fourth success triggers a 429 after three counted successes.",
"max_score": 20
}
]
}
Install with Tessl CLI
npx tessl i tessl/npm-express-rate-limit