Fastify best practices skill
{
"context": "Tests whether the agent uses @fastify/jwt for token handling, @node-rs/argon2 with the specific cost parameters listed in the checklist (memoryCost, timeCost, parallelism) for password hashing, Redis-backed rate limiting on auth endpoints, and @fastify/sensible or @fastify/error for HTTP error responses.",
"type": "weighted_checklist",
"checklist": [
{
"name": "@fastify/jwt package",
"description": "Uses the `@fastify/jwt` plugin (not the `jsonwebtoken` package used directly without Fastify integration)",
"max_score": 10
},
{
"name": "request.jwtVerify()",
"description": "JWT token verification is performed via `request.jwtVerify()` (not manual `jwt.verify()` calls)",
"max_score": 10
},
{
"name": "@node-rs/argon2 package",
"description": "Password hashing uses `@node-rs/argon2` (not `bcrypt`, `bcryptjs`, `argon2` npm package, or `crypto.pbkdf2`)",
"max_score": 15
},
{
"name": "argon2 memoryCost param",
"description": "The `hash()` call includes `memoryCost: 65536` in its options (the value is in KiB, so 65536 is 64 MiB)",
"max_score": 10
},
{
"name": "argon2 timeCost param",
"description": "The `hash()` call includes `timeCost: 3` in its options",
"max_score": 10
},
{
"name": "argon2 parallelism param",
"description": "The `hash()` call includes `parallelism: 4` in its options",
"max_score": 10
},
{
"name": "Redis-backed rate limiting",
"description": "Rate limiting on the login (or auth) route uses `@fastify/rate-limit` with a Redis instance passed as its `redis` option, so request counters are kept in a shared store rather than only in process memory",
"max_score": 20
},
{
"name": "@fastify/sensible or @fastify/error",
"description": "Uses either `@fastify/sensible` (reply.unauthorized(), reply.notFound(), etc.) or `@fastify/error` (createError) for HTTP error responses — does NOT use plain `throw new Error()` for HTTP errors",
"max_score": 15
}
]
}