
igmarin/rails-agent-skills

Curated library of 39 AI agent skills for Ruby on Rails development. Organized by category: planning, testing, code-quality, ddd, engines, infrastructure, api, patterns, context, orchestration, and workflows. Includes 5 callable workflow skills (rails-tdd-loop, rails-review-flow, rails-setup-flow, rails-quality-flow, rails-engines-flow) for complete development cycles. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and TDD automation.

Quality: 98% (Does it follow best practices?)
Impact: 95% (1.20x; average score across 35 eval scenarios)
Security by Snyk: Passed, no known issues


evals/scenario-33/criteria.json

{
  "context": "Tests whether the agent replaces presence-only authorization checks with proper Pundit policy objects, removes inline logic from controllers, covers all four roles in both policy and request specs, and uses policy_scope for index actions.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Policy class replaces inline logic",
      "description": "app/policies/project_policy.rb exists and contains authorization logic for update? and destroy? methods",
      "max_score": 8
    },
    {
      "name": "No presence-only checks remain",
      "description": "The refactored controller does NOT contain `if current_user.present?` as the sole authorization gate for update or destroy actions",
      "max_score": 10
    },
    {
      "name": "authorize called in controller",
      "description": "The update and destroy actions call `authorize @project` rather than performing any manual permission check",
      "max_score": 10
    },
    {
      "name": "Index uses policy_scope",
      "description": "The index action uses `policy_scope(Project)` instead of `Project.all`",
      "max_score": 8
    },
    {
      "name": "Policy class inherits ApplicationPolicy",
      "description": "ProjectPolicy inherits from ApplicationPolicy (not directly from Object or another base)",
      "max_score": 6
    },
    {
      "name": "Admin role permitted in policy",
      "description": "The policy grants admin users permission to update? and destroy? any project",
      "max_score": 8
    },
    {
      "name": "Owner role permitted in policy",
      "description": "The policy grants the project owner permission to update? and destroy? their own project",
      "max_score": 8
    },
    {
      "name": "Non-owner role denied in policy",
      "description": "The policy denies update? and destroy? to an authenticated user who is not the owner and not an admin",
      "max_score": 8
    },
    {
      "name": "Guest role tested in specs",
      "description": "The policy spec or request spec includes a case for a nil/unauthenticated user asserting denial of update or destroy",
      "max_score": 8
    },
    {
      "name": "permit_action matchers in policy spec",
      "description": "The policy spec uses `permit_action` / `not_to permit_action` matchers to assert permissions",
      "max_score": 8
    },
    {
      "name": "Request spec covers multiple roles",
      "description": "The request spec covers at least two distinct roles (e.g., owner vs non-owner) for a mutating action (PATCH/DELETE)",
      "max_score": 8
    },
    {
      "name": "implementation_notes identifies flaw",
      "description": "implementation_notes.md identifies that presence-only checks (`current_user.present?`) were the core security flaw",
      "max_score": 10
    }
  ]
}
