
simon/skills

Auto-generated tile from GitHub (10 skills)

Score: 92 (1.16x)
Quality: 94% (does it follow best practices?)
Impact: 92% (1.16x), average score across 44 eval scenarios
Security (by Snyk): Advisory, suggest reviewing before use


evals/scenario-7/criteria.json

{
  "context": "Tests whether the agent registers @fastify/cors with an explicit origin allowlist (not a wildcard) with credentials enabled, and registers @fastify/helmet with HSTS, CSP, and frame-protection configured.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/cors registered",
      "description": "The code imports from '@fastify/cors' and calls app.register(cors, ...) with a configuration object",
      "max_score": 10
    },
    {
      "name": "No wildcard CORS origin",
      "description": "The CORS origin option is NOT set to the string '*' or boolean true — it is an array of URLs, a function, or a RegExp-based allowlist",
      "max_score": 15
    },
    {
      "name": "CORS credentials enabled",
      "description": "The CORS configuration includes `credentials: true`",
      "max_score": 8
    },
    {
      "name": "CORS maxAge configured",
      "description": "The CORS configuration includes a numeric `maxAge` value (pre-flight cache duration in seconds)",
      "max_score": 5
    },
    {
      "name": "@fastify/helmet registered",
      "description": "The code imports from '@fastify/helmet' and calls app.register(helmet, ...) with a configuration object",
      "max_score": 15
    },
    {
      "name": "HSTS configured",
      "description": "The helmet config includes a `hsts` key with at least a numeric `maxAge` property",
      "max_score": 12
    },
    {
      "name": "Content-Security-Policy configured",
      "description": "The helmet config includes a `contentSecurityPolicy` key with a `directives` object containing at least a `defaultSrc` entry",
      "max_score": 12
    },
    {
      "name": "Frame protection configured",
      "description": "The helmet config includes a `frameguard` key with an `action` property set to 'deny' or 'sameorigin'",
      "max_score": 8
    },
    {
      "name": "Security documented",
      "description": "A file named architecture-notes.md (or security-notes.md) exists and describes at minimum which CORS origins are allowed and what the HSTS policy is",
      "max_score": 10
    },
    {
      "name": "No manual security headers",
      "description": "The code does NOT manually set X-Frame-Options, X-Content-Type-Options, or Strict-Transport-Security headers via reply.header() — relies on @fastify/helmet instead",
      "max_score": 5
    }
  ]
}
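A worked example of the configuration this scenario scores, added here as an illustration; it is not code from the simon/skills tile nor from the @fastify/cors or @fastify/helmet projects. The allowlisted origins, the concrete option values and the helper names ALLOWED_ORIGINS, corsOrigin, registerSecurity and auditSecurityConfig are assumptions made for the example; the option keys (origin, credentials, maxAge, hsts.maxAge, contentSecurityPolicy.directives, frameguard.action) are the ones the checklist above names. The module takes no dependency on Fastify: registerSecurity receives the app and the two imported plugins from the caller, and auditSecurityConfig applies the checklist's machine-checkable items to a pair of option objects, so a weak configuration (origin '*', no helmet options) can be compared with the hardened one offline.

```javascript
// Added example (not the tile's or the plugins' own code): the CORS + helmet
// options this scenario scores, plus a small audit that applies the checklist.
// ALLOWED_ORIGINS, corsOrigin, registerSecurity and auditSecurityConfig are
// names chosen for this example, not APIs of @fastify/cors or @fastify/helmet.

// Constructed allowlist: exact origins (scheme + host + port), never a wildcard.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Function form of the @fastify/cors `origin` option: cb(err, allowed).
// Returning false for an unlisted Origin makes the plugin send no
// Access-Control-Allow-Origin header, so a cross-site page cannot read the
// response even though credentials are enabled. Requests with no Origin
// header (curl, same-origin navigations) are not CORS requests and get false too.
function corsOrigin(origin, cb) {
  if (origin === undefined) return cb(null, false);
  cb(null, ALLOWED_ORIGINS.has(origin));
}

const corsOptions = {
  origin: corsOrigin,   // allowlist function, not '*' and not true
  credentials: true,    // cookies / Authorization allowed, only for listed origins
  maxAge: 600,          // pre-flight cache in seconds (Access-Control-Max-Age)
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
};

const helmetOptions = {
  hsts: { maxAge: 31536000, includeSubDomains: true }, // one year, in seconds
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      objectSrc: ["'none'"],
      frameAncestors: ["'none'"], // CSP-level framing control
    },
  },
  frameguard: { action: 'deny' }, // X-Frame-Options: DENY for older browsers
};

// Register both plugins; the caller passes the imported plugins so this file
// itself needs no dependency, e.g.
//   registerSecurity(fastify(), require('@fastify/cors'), require('@fastify/helmet'))
function registerSecurity(app, cors, helmet) {
  app.register(helmet, helmetOptions);
  app.register(cors, corsOptions);
  return app;
}

// Apply the checklist's machine-checkable items to a pair of option objects.
// Returns the names of the failed items; an empty array means all pass.
// An undefined `origin` counts as a wildcard because that is the plugin default.
function auditSecurityConfig(cors, helmet) {
  const failures = [];
  const origin = cors ? cors.origin : undefined;
  if (origin === undefined || origin === '*' || origin === true) failures.push('No wildcard CORS origin');
  if (!cors || cors.credentials !== true) failures.push('CORS credentials enabled');
  if (!cors || typeof cors.maxAge !== 'number') failures.push('CORS maxAge configured');
  const hsts = helmet ? helmet.hsts : undefined;
  if (!hsts || typeof hsts.maxAge !== 'number') failures.push('HSTS configured');
  const csp = helmet ? helmet.contentSecurityPolicy : undefined;
  if (!csp || !csp.directives || !csp.directives.defaultSrc) failures.push('Content-Security-Policy configured');
  const fg = helmet ? helmet.frameguard : undefined;
  if (!fg || !['deny', 'sameorigin'].includes(fg.action)) failures.push('Frame protection configured');
  return failures;
}

if (typeof module !== 'undefined') {
  module.exports = { ALLOWED_ORIGINS, corsOrigin, corsOptions, helmetOptions, registerSecurity, auditSecurityConfig };
}
```

The function form matters once `credentials: true` is set: browsers reject a literal `*` in Access-Control-Allow-Origin on a credentialed response, so the plugin has to echo the one matching origin, which is also why the audit treats a missing `origin` (plugin default `*`) as a failure. `frameguard` and the `frameAncestors` directive overlap on purpose: modern browsers honour CSP `frame-ancestors` and ignore X-Frame-Options when both are present, while older ones only understand the header.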
