windsurf-policy-guardrails

@jeremylongshore/windsurf-policy-guardrails

jeremylongshore

1,004

123 forks

Updated 1/18/2026

View on GitHub

Implement Windsurf lint rules, policy enforcement, and automated guardrails. Use when setting up code quality rules for Windsurf integrations, implementing pre-commit hooks, or configuring CI policy checks for Windsurf best practices. Trigger with phrases like "windsurf policy", "windsurf lint", "windsurf guardrails", "windsurf best practices check", "windsurf eslint".

Installation

$skills install @jeremylongshore/windsurf-policy-guardrails

Claude Code

Cursor

Copilot

Codex

Antigravity

Details

Repositoryjeremylongshore/claude-code-plugins-plus-skills

Pathplugins/saas-packs/windsurf-pack/skills/windsurf-policy-guardrails/SKILL.md

Branchmain

Scoped Name@jeremylongshore/windsurf-policy-guardrails

Usage

After installing, this skill will be available to your AI coding assistant.

Verify installation:

skills list

Skill Instructions

name: windsurf-policy-guardrails description: | Implement Windsurf lint rules, policy enforcement, and automated guardrails. Use when setting up code quality rules for Windsurf integrations, implementing pre-commit hooks, or configuring CI policy checks for Windsurf best practices. Trigger with phrases like "windsurf policy", "windsurf lint", "windsurf guardrails", "windsurf best practices check", "windsurf eslint". allowed-tools: Read, Write, Edit, Bash(npx:*) version: 1.0.0 license: MIT author: Jeremy Longshore jeremy@intentsolutions.io

Windsurf Policy & Guardrails

Overview

Automated policy enforcement and guardrails for Windsurf integrations.

Prerequisites

ESLint configured in project
Pre-commit hooks infrastructure
CI/CD pipeline with policy checks
TypeScript for type enforcement

ESLint Rules

Custom Windsurf Plugin

// eslint-plugin-windsurf/rules/no-hardcoded-keys.js
module.exports = {
  meta: {
    type: 'problem',
    docs: {
      description: 'Disallow hardcoded Windsurf API keys',
    },
    fixable: 'code',
  },
  create(context) {
    return {
      Literal(node) {
        if (typeof node.value === 'string') {
          if (node.value.match(/^sk_(live|test)_[a-zA-Z0-9]{24,}/)) {
            context.report({
              node,
              message: 'Hardcoded Windsurf API key detected',
            });
          }
        }
      },
    };
  },
};

ESLint Configuration

// .eslintrc.js
module.exports = {
  plugins: ['windsurf'],
  rules: {
    'windsurf/no-hardcoded-keys': 'error',
    'windsurf/require-error-handling': 'warn',
    'windsurf/use-typed-client': 'warn',
  },
};

Pre-Commit Hooks

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: windsurf-secrets-check
        name: Check for Windsurf secrets
        entry: bash -c 'git diff --cached --name-only | xargs grep -l "sk_live_" && exit 1 || exit 0'
        language: system
        pass_filenames: false

      - id: windsurf-config-validate
        name: Validate Windsurf configuration
        entry: node scripts/validate-windsurf-config.js
        language: node
        files: '\.windsurf\.json$'

TypeScript Strict Patterns

// Enforce typed configuration
interface WindsurfStrictConfig {
  apiKey: string;  // Required
  environment: 'development' | 'staging' | 'production';  // Enum
  timeout: number;  // Required number, not optional
  retries: number;
}

// Disallow any in Windsurf code
// @ts-expect-error - Using any is forbidden
const client = new Client({ apiKey: any });

// Prefer this
const client = new WindsurfClient(config satisfies WindsurfStrictConfig);

Architecture Decision Records

ADR Template

# ADR-001: Windsurf Client Initialization

## Status
Accepted

## Context
We need to decide how to initialize the Windsurf client across our application.

## Decision
We will use the singleton pattern with lazy initialization.

## Consequences
- Pro: Single client instance, connection reuse
- Pro: Easy to mock in tests
- Con: Global state requires careful lifecycle management

## Enforcement
- ESLint rule: windsurf/use-singleton-client
- CI check: grep for "new WindsurfClient(" outside allowed files

Policy-as-Code (OPA)

# windsurf-policy.rego
package windsurf

# Deny production API keys in non-production environments
deny[msg] {
  input.environment != "production"
  startswith(input.apiKey, "sk_live_")
  msg := "Production API keys not allowed in non-production environment"
}

# Require minimum timeout
deny[msg] {
  input.timeout < 10000
  msg := sprintf("Timeout too low: %d < 10000ms minimum", [input.timeout])
}

# Require retry configuration
deny[msg] {
  not input.retries
  msg := "Retry configuration is required"
}

CI Policy Checks

# .github/workflows/windsurf-policy.yml
name: Windsurf Policy Check

on: [push, pull_request]

jobs:
  policy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check for hardcoded secrets
        run: |
          if grep -rE "sk_(live|test)_[a-zA-Z0-9]{24,}" --include="*.ts" --include="*.js" .; then
            echo "ERROR: Hardcoded Windsurf keys found"
            exit 1
          fi

      - name: Validate configuration schema
        run: |
          npx ajv validate -s windsurf-config.schema.json -d config/windsurf/*.json

      - name: Run ESLint Windsurf rules
        run: npx eslint --plugin windsurf --rule 'windsurf/no-hardcoded-keys: error' src/

Runtime Guardrails

// Prevent dangerous operations in production
const BLOCKED_IN_PROD = ['deleteAll', 'resetData', 'migrateDown'];

function guardWindsurfOperation(operation: string): void {
  const isProd = process.env.NODE_ENV === 'production';

  if (isProd && BLOCKED_IN_PROD.includes(operation)) {
    throw new Error(`Operation '${operation}' blocked in production`);
  }
}

// Rate limit protection
function guardRateLimits(requestsInWindow: number): void {
  const limit = parseInt(process.env.WINDSURF_RATE_LIMIT || '100');

  if (requestsInWindow > limit * 0.9) {
    console.warn('Approaching Windsurf rate limit');
  }

  if (requestsInWindow >= limit) {
    throw new Error('Windsurf rate limit exceeded - request blocked');
  }
}

Instructions

Step 1: Create ESLint Rules

Implement custom lint rules for Windsurf patterns.

Step 2: Configure Pre-Commit Hooks

Set up hooks to catch issues before commit.

Step 3: Add CI Policy Checks

Implement policy-as-code in CI pipeline.

Step 4: Enable Runtime Guardrails

Add production safeguards for dangerous operations.

Output

ESLint plugin with Windsurf rules
Pre-commit hooks blocking secrets
CI policy checks passing
Runtime guardrails active

Error Handling

Issue	Cause	Solution
ESLint rule not firing	Wrong config	Check plugin registration
Pre-commit skipped	--no-verify	Enforce in CI
Policy false positive	Regex too broad	Narrow pattern match
Guardrail triggered	Actual issue	Fix or whitelist

Examples

Quick ESLint Check

npx eslint --plugin windsurf --rule 'windsurf/no-hardcoded-keys: error' src/

Resources

Next Steps

For architecture blueprints, see windsurf-architecture-variants.

More by jeremylongshore

View all

rabbitmq-queue-setup

1,004

Rabbitmq Queue Setup - Auto-activating skill for Backend Development. Triggers on: rabbitmq queue setup, rabbitmq queue setup Part of the Backend Development skill category.

model-evaluation-suite

1,004

evaluating-machine-learning-models: This skill allows Claude to evaluate machine learning models using a comprehensive suite of metrics. It should be used when the user requests model performance analysis, validation, or testing. Claude can use this skill to assess model accuracy, precision, recall, F1-score, and other relevant metrics. Trigger this skill when the user mentions "evaluate model", "model performance", "testing metrics", "validation results", or requests a comprehensive "model evaluation".

neural-network-builder

1,004

building-neural-networks: This skill allows Claude to construct and configure neural network architectures using the neural-network-builder plugin. It should be used when the user requests the creation of a new neural network, modification of an existing one, or assistance with defining the layers, parameters, and training process. The skill is triggered by requests involving terms like "build a neural network," "define network architecture," "configure layers," or specific mentions of neural network types (e.g., "CNN," "RNN," "transformer").

oauth-callback-handler

1,004

Oauth Callback Handler - Auto-activating skill for API Integration. Triggers on: oauth callback handler, oauth callback handler Part of the API Integration skill category.