Test fixture
Secure code changes, vulnerability recognition, and safe defaults.
The model receives the prompt (and optional system message). The run uses scorer rubric_json_metrics with the JSON configuration below. Pass/fail and partial credit are determined entirely by that scorer against the model output; no human grading.
Return JSON only with keys verdict, risk, mitigation. Review JWT validation that decodes tokens without verifying algorithm, signature, issuer, audience, or expiration.
{
"metrics": {
"correct": {
"checks": [
{
"contains": [
"JWT"
]
},
{
"contains": [
"signature"
]
},
{
"contains": [
"algorithm"
]
},
{
"contains": [
"issuer"
]
},
{
"contains": [
"audience"
]
}
]
},
"hidden": {
"checks": [
{
"contains": [
"expiration"
]
},
{
"contains": [
"kid"
]
},
{
"contains": [
"JWKS"
]
},
{
"contains": [
"alg none"
]
},
{
"contains": [
"clock skew"
]
}
]
}
}
}temperature
0
max_tokens
420
timeout (s)
120
type
scored
file
sec-jwt-validator.json