
igmarin/rails-agent-skills

Curated library of 39 AI agent skills for Ruby on Rails development. Organized by category: planning, testing, code-quality, ddd, engines, infrastructure, api, patterns, context, orchestration, and workflows. Includes 5 callable workflow skills (rails-tdd-loop, rails-review-flow, rails-setup-flow, rails-quality-flow, rails-engines-flow) for complete development cycles. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and TDD automation.

Quality: 98% (does it follow best practices?)
Impact: 95% (1.20x), average score across 35 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-34/criteria.json

{
  "context": "Tests whether the agent correctly implements CanCanCan authorization: Ability class with guest-user guard, accessible_by for index scoping, authorize! in controller actions, and specs covering all three roles (finance, viewer, guest).",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Ability class defined",
      "description": "app/models/ability.rb defines a class Ability that includes CanCan::Ability",
      "max_score": 8
    },
    {
      "name": "Guest-user guard present",
      "description": "The Ability#initialize method contains `user ||= User.new` (or equivalent) to safely handle a nil/unauthenticated user before applying rules",
      "max_score": 10
    },
    {
      "name": "Finance role can manage",
      "description": "The Ability class grants `can :manage, Report` (or explicit create/read/update/destroy) to users with the finance role",
      "max_score": 8
    },
    {
      "name": "Viewer role read-only",
      "description": "The Ability class grants only `:read` (or `:index`/`:show`) to viewer-role users, without create/update/destroy",
      "max_score": 8
    },
    {
      "name": "Guest role blocked",
      "description": "The Ability class does NOT grant any Report permissions to a guest (nil) user — no `can :read, Report` for unauthenticated state",
      "max_score": 8
    },
    {
      "name": "load_and_authorize_resource used",
      "description": "The reports controller uses `load_and_authorize_resource` (or `authorize_resource`) rather than manually calling `authorize! :action, @report` in every action",
      "max_score": 8
    },
    {
      "name": "Index uses accessible_by",
      "description": "The index action uses `Report.accessible_by(current_ability)` or delegates to `load_and_authorize_resource` (which handles scoping) rather than `Report.all`",
      "max_score": 10
    },
    {
      "name": "Finance role tested",
      "description": "The ability spec (or request spec) includes a context for a finance-role user asserting that create/update/destroy actions are permitted",
      "max_score": 8
    },
    {
      "name": "Viewer role tested",
      "description": "The ability spec includes a context for a viewer-role user asserting read is permitted and create/update/destroy are denied",
      "max_score": 8
    },
    {
      "name": "Guest role tested",
      "description": "The ability spec includes a context for a nil user (guest) asserting that all actions are denied",
      "max_score": 8
    },
    {
      "name": "cancancan gem referenced",
      "description": "implementation_notes.md or any output file references adding the `cancancan` gem to the Gemfile as a required setup step",
      "max_score": 6
    },
    {
      "name": "No inline controller logic",
      "description": "The reports controller does NOT contain manual role checks (e.g., `if current_user.role == 'finance'`) inside action methods",
      "max_score": 10
    }
  ]
}
