{
  "context": "Evaluates whether the solution leverages express-rate-limit's IP-based key generation with IPv6 subnet controls and exposes the dependency's computed key on the request. It checks correct configuration of the middleware factory, IPv6 masking toggles, and use of the provided request metadata hooks.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Middleware setup",
      "description": "Creates the limiter using express-rate-limit's rateLimit middleware factory with the provided options instead of reimplementing request counting.",
      "max_score": 20
    },
    {
      "name": "IPv6 subnet mask",
      "description": "Uses ipKeyGenerator or the ipv6Subnet option from express-rate-limit (default /56) so IPv6 addresses in the same subnet map to the same key as required by the spec.",
      "max_score": 25
    },
    {
      "name": "Subnet disabled",
      "description": "Honors ipv6Subnet: false (or ipKeyGenerator with a false mask) to use full IPv6 addresses for key generation, producing separate buckets for neighboring addresses.",
      "max_score": 20
    },
    {
      "name": "IPv4 isolation",
      "description": "Relies on express-rate-limit's IP-based key generation so IPv4 addresses are kept distinct and do not share counters across different IPv4 clients.",
      "max_score": 15
    },
    {
      "name": "Request metadata",
      "description": "Configures requestPropertyName to expose the dependency's RateLimitInfo on the request (e.g., req.rateLimitKey) and uses its key value rather than computing a separate identifier in handlers.",
      "max_score": 20
    }
  ]
}