tessl-labs/fastify-best-practices
Fastify patterns — always apply schema-first validation, plugin encapsulation, structured error handling, hooks lifecycle, decorators, TypeScript type providers, production hardening (CORS, helmet, rate limiting), pino logging, graceful shutdown, and correct async handler patterns
89
2.75x
Quality
89%
Does it follow best practices?
Impact
91%
2.75xAverage score across 5 eval scenarios
Securityby
Passed
No known issues
criteria.jsonevals/scenario-4/
{
"context": "Tests whether the agent proactively applies Fastify production hardening when building a microservice. The task mentions Docker deployment but says nothing about CORS, helmet, rate limiting, graceful shutdown, logging configuration, or security headers. The agent should apply these production patterns on its own.",
"type": "weighted_checklist",
"checklist": [
{
"name": "cors-with-explicit-origins",
"description": "Agent registers @fastify/cors with explicit origin configuration (not allowing all origins by default), since the service sits behind an API gateway. The agent was NOT told to configure CORS.",
"max_score": 10
},
{
"name": "helmet-for-security-headers",
"description": "Agent registers @fastify/helmet to set security headers (CSP, X-Frame-Options, etc.). The agent was NOT told about security headers.",
"max_score": 10
},
{
"name": "rate-limiting",
"description": "Agent registers @fastify/rate-limit with max requests and time window configuration to prevent abuse. The agent was NOT told about rate limiting.",
"max_score": 10
},
{
"name": "pino-logger-configured",
"description": "Fastify is instantiated with a logger configuration (not just logger: true but with level configuration). Code uses request.log and app.log throughout, never console.log. The agent was NOT told about logging configuration.",
"max_score": 10
},
{
"name": "graceful-shutdown-with-signals",
"description": "Server startup handles SIGINT and SIGTERM signals by calling app.close() to drain in-flight requests before exiting. Critical for Docker/container deployments. The agent was NOT told about graceful shutdown.",
"max_score": 12
},
{
"name": "listen-host-0000",
"description": "app.listen() is called with host: '0.0.0.0' so the server is reachable from outside the container. The agent was NOT told about container networking.",
"max_score": 8
},
{
"name": "body-schemas-on-routes",
"description": "POST and PATCH routes define JSON Schema for request bodies with type constraints and additionalProperties: false. The agent was NOT told to add validation.",
"max_score": 10
},
{
"name": "response-schemas-defined",
"description": "Routes define response schemas for fast serialization and to prevent data leaks. The agent was NOT told about response schemas.",
"max_score": 8
},
{
"name": "routes-in-plugins",
"description": "Notification routes and health routes are organized as separate Fastify plugins registered with app.register(). The agent was NOT told about plugin organization.",
"max_score": 8
},
{
"name": "custom-error-handler",
"description": "A custom error handler is set via setErrorHandler with structured responses distinguishing validation errors from application errors. The agent was NOT told about error handling.",
"max_score": 8
},
{
"name": "onclose-cleanup",
"description": "Agent registers onClose hooks for resource cleanup, even if just logging the shutdown. Demonstrates awareness of the Fastify lifecycle. The agent was NOT told about onClose hooks.",
"max_score": 6
}
]
}evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
skills
fastify-best-practices
verifiers