{
  "context": "Evaluates whether the solution uses josepy's CLI/JWS helpers to produce and validate compact JSON Web Signatures with forced protected algorithms and key-type-aware verification. Focus is on leveraging josepy.jws.CLI sign/verify behavior, compact serialization, and the JWK loaders tied to the --kty hint.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "CLI signing",
      "description": "Uses josepy's CLI entrypoint (e.g., josepy.jws.CLI.sign or invoking the jws sign command) to generate tokens rather than hand-rolling JOSE serialization.",
      "max_score": 25
    },
    {
      "name": "Compact mode",
      "description": "Signs in compact format via josepy (using --compact or JWS.to_compact) so the package handles serialization and protected header construction.",
      "max_score": 25
    },
    {
      "name": "Protected alg",
      "description": "Relies on josepy's protection logic (compact mode forcing alg into the protected header or explicit --protect alg) so the compact token's first segment decodes to include alg.",
      "max_score": 25
    },
    {
      "name": "Key-type verification",
      "description": "Verifies using josepy's key-type-driven loader (e.g., jws verify --kty RSA/EC/oct or josepy.jws.CLI.verify) to select the matching JWK subclass and rejects mismatched types.",
      "max_score": 25
    }
  ]
}