{
  "context": "Checks whether the solution leverages python-jose JWS primitives to sign JSON payloads, surface protected headers, and validate signatures as required by the spec. Emphasizes correct API usage for signing, verification, tamper handling, and key ID selection.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "JWS sign",
      "description": "Uses jose.jws.sign with the provided algorithm and protected headers to produce compact JWS output directly from the JSON payload (no manual base64 assembly).",
      "max_score": 25
    },
    {
      "name": "JSON handling",
      "description": "Relies on python-jose to accept a mapping payload (or encoded JSON bytes) so that jose.jws.sign/jose.jws.verify round-trip the original fields without custom serialization beyond what the library offers.",
      "max_score": 20
    },
    {
      "name": "Verify payload",
      "description": "Validates tokens with jose.jws.verify to return the payload for valid signatures, passing the expected algorithm and key so verification mirrors signing.",
      "max_score": 20
    },
    {
      "name": "Key ID routing",
      "description": "Extracts the protected header via jose.jws.get_unverified_header and chooses the correct key from the provided mapping based on kid before calling jose.jws.verify; fails when kid is missing or unknown.",
      "max_score": 20
    },
    {
      "name": "Tamper errors",
      "description": "Relies on jose.jws.verify (or jose.exceptions.* errors it raises) to reject modified tokens and surfaces an explicit signature validation error rather than accepting altered data.",
      "max_score": 15
    }
  ]
}