
tessl-labs/api-idempotency

Idempotent API design — safe retries for POST endpoints, idempotency keys,

93

10.00x
Quality: 90% (Does it follow best practices?)

Impact: 100% (10.00x). Average score across 4 eval scenarios

Security by Snyk: Passed. No known issues


evals/scenario-2/criteria.json

{
  "context": "Tests whether the agent proactively adds idempotency protection to a checkout form and POST endpoint, even though the task description does not mention duplicates, retries, or idempotency. A skilled agent should recognize that a POST endpoint creating orders needs idempotency protection.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Idempotency-Key header sent by client",
      "description": "The client-side JavaScript generates a unique key (UUID or similar) and sends it as an 'Idempotency-Key' header (or similar idempotency header) in the POST request to /api/orders",
      "max_score": 18
    },
    {
      "name": "Server checks idempotency key",
      "description": "The server reads an idempotency key from the request (header or body) and checks whether it has already processed a request with that key, returning the cached/existing response if so",
      "max_score": 18
    },
    {
      "name": "Submit button disabled during request",
      "description": "The submit button is disabled while the POST request is in flight to prevent double-clicks from creating duplicate orders",
      "max_score": 16
    },
    {
      "name": "Button re-enabled in finally block",
      "description": "The submit button is re-enabled in a finally block (or equivalent guaranteed cleanup) so it works again after both success and failure",
      "max_score": 12
    },
    {
      "name": "Server-side duplicate prevention",
      "description": "The server has some mechanism to prevent duplicate order creation from retried requests — either an idempotency store/cache, a database unique constraint on a key, or middleware that deduplicates based on a client-supplied identifier",
      "max_score": 18
    },
    {
      "name": "5xx errors not cached",
      "description": "If the server implements idempotency caching, 5xx server errors are NOT cached — they allow the client to retry",
      "max_score": 10
    },
    {
      "name": "TTL on cached entries",
      "description": "If the server implements idempotency caching, cached entries have a TTL/expiry so they don't accumulate forever",
      "max_score": 8
    }
  ]
}
