Security header middleware collection for Koa applications that wraps Helmet.js
91
{
"context": "These criteria evaluate how well the engineer uses koa-helmet's cross-domain policy control functionality to implement a dynamic policy configuration system. The focus is on proper usage of helmet.permittedCrossDomainPolicies() and understanding how to apply security headers in a Koa application context.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Uses permittedCrossDomainPolicies",
"description": "Implementation uses helmet.permittedCrossDomainPolicies() middleware to set the X-Permitted-Cross-Domain-Policies header",
"max_score": 25
},
{
"name": "Default policy configuration",
"description": "Application starts with the most restrictive policy ('none') by default, using helmet.permittedCrossDomainPolicies({ permittedPolicies: 'none' }) or equivalent configuration",
"max_score": 15
},
{
"name": "Dynamic policy changes",
"description": "Implements dynamic policy switching by properly applying helmet.permittedCrossDomainPolicies() with different policy values ('none', 'master-only', 'by-content-type', 'all') based on configuration requests",
"max_score": 25
},
{
"name": "Policy application scope",
"description": "Ensures the cross-domain policy middleware is applied to all content endpoints so that the X-Permitted-Cross-Domain-Policies header appears in responses",
"max_score": 15
},
{
"name": "Valid policy values",
"description": "Correctly validates that only the four valid policy values ('none', 'master-only', 'by-content-type', 'all') are accepted, rejecting invalid values with appropriate error handling",
"max_score": 10
},
{
"name": "Koa middleware integration",
"description": "Properly integrates koa-helmet middleware into the Koa application using app.use() with the helmet middleware, demonstrating understanding of Koa's middleware pattern",
"max_score": 10
}
]
}
Install with Tessl CLI
npx tessl i tessl/npm-koa-helmet