{
  "context": "This criteria evaluates how well an engineer uses the oauth-sign package's HMAC-SHA256 signature generation capability to implement OAuth 1.0a request signing. The focus is on correct usage of the hmacsign256 function and proper handling of OAuth signature parameters.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Uses hmacsign256 function",
      "description": "The implementation correctly imports and uses the oauth-sign package's hmacsign256 function (not hmacsign or other methods) for generating HMAC-SHA256 signatures.",
      "max_score": 40
    },
    {
      "name": "Correct parameter order",
      "description": "Passes parameters to hmacsign256 in the correct order: httpMethod, base_uri, params, consumer_secret, token_secret.",
      "max_score": 20
    },
    {
      "name": "Proper HTTP method handling",
      "description": "Correctly passes the HTTP method (GET, POST, etc.) as the first parameter to hmacsign256, preserving the exact case and format.",
      "max_score": 10
    },
    {
      "name": "URL parameter handling",
      "description": "Correctly passes the base URL (without query parameters) as the base_uri parameter to hmacsign256.",
      "max_score": 10
    },
    {
      "name": "Parameters object handling",
      "description": "Correctly passes the params object containing all OAuth and application parameters to hmacsign256 without manual encoding or preprocessing.",
      "max_score": 10
    },
    {
      "name": "Empty token secret support",
      "description": "Properly handles cases where token_secret is an empty string or undefined, passing it correctly to hmacsign256 (the package handles empty secrets internally).",
      "max_score": 10
    }
  ]
}