
simon/skills

Auto-generated tile from GitHub (10 skills)

Overall score: 92 (1.16x)

Quality: 94% (Does it follow best practices?)

Impact: 92%, 1.16x (Average score across 44 eval scenarios)

Security by Snyk: Advisory (Suggest reviewing before use)


evals/scenario-22/criteria.json

{
  "context": "Tests whether the agent implements the Fastify OAuth2 authorization code flow using the prescribed plugin, security options, and token handling patterns. Criteria focus on package choices, PKCE configuration, CSRF protection via state, and safe token storage — not general correctness.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/oauth2 package",
      "description": "Uses @fastify/oauth2 as the OAuth2 plugin (imports or requires '@fastify/oauth2'), not an alternative library such as passport or oauth2-server",
      "max_score": 10
    },
    {
      "name": "fastify-plugin wrapping",
      "description": "The oauth plugin file wraps the plugin function with fp() from 'fastify-plugin' (e.g. export default fp(async function...))",
      "max_score": 10
    },
    {
      "name": "PKCE S256 method",
      "description": "PKCE is configured with exactly 'S256' as the method (pkce: 'S256') in the oauth2 registration options",
      "max_score": 15
    },
    {
      "name": "State generation uses randomUUID",
      "description": "generateStateFunction uses crypto.randomUUID() to generate the state value and stores it in the session (req.session.state or equivalent)",
      "max_score": 10
    },
    {
      "name": "State validation in checkStateFunction",
      "description": "checkStateFunction compares req.query.state to the session-stored state and calls callback with an Error on mismatch",
      "max_score": 10
    },
    {
      "name": "getAccessTokenFromAuthorizationCodeFlow",
      "description": "The callback route uses fastify.oauth2.getAccessTokenFromAuthorizationCodeFlow(request) to exchange the authorization code",
      "max_score": 10
    },
    {
      "name": "HTTPS callbackUri",
      "description": "The callbackUri value (in config or environment usage) references an https:// scheme, not http://",
      "max_score": 10
    },
    {
      "name": "Tokens stored in session",
      "description": "Both access token and refresh token are stored in the server-side session (request.session.set or request.session.*), NOT assigned to any client-side storage mechanism",
      "max_score": 10
    },
    {
      "name": "No raw token logging",
      "description": "No console.log, fastify.log, request.log, or similar logger call passes the raw access_token or refresh_token string directly as an argument or interpolated string",
      "max_score": 10
    },
    {
      "name": "No implicit flow",
      "description": "The implementation does NOT use response_type=token or implement the implicit grant flow anywhere in the code",
      "max_score": 5
    }
  ]
}
