OpenSkillIndex← back to search
claude-codesecurity

Claude-code-plugins-plus-skills guidewire-security-basics

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/guidewire-pack/skills/guidewire-security-basics" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-guidewire-security-basics && rm -rf "$T"
manifest: plugins/saas-packs/guidewire-pack/skills/guidewire-security-basics/SKILL.md
tags
#guidewire#security#oauth2#data-protection#api-roles
source content

Guidewire Security Basics

Overview

Guidewire manages insurance policy administration, claims processing, and billing containing policyholder PII (SSNs, driver's license numbers, medical records for claims), financial settlement data, and adjuster notes. A breach exposes claimant personal information, policy terms, and payment histories across the entire insurance book of business. Secure OAuth2 JWT tokens, Cloud API roles, Gosu custom code, and any integration touching policy or claims data.

API Key Management

function createGuidewireClient(): { token: string; baseUrl: string } {
  const clientId = process.env.GUIDEWIRE_CLIENT_ID;
  const clientSecret = process.env.GUIDEWIRE_CLIENT_SECRET;
  const tokenUrl = process.env.GUIDEWIRE_TOKEN_URL;
  if (!clientId || !clientSecret || !tokenUrl) {
    throw new Error("Missing GUIDEWIRE_CLIENT_ID, CLIENT_SECRET, or TOKEN_URL");
  }
  // OAuth2 tokens are short-lived JWTs — never cache beyond expiry
  console.log("Guidewire OAuth2 client initialized for:", tokenUrl);
  return { token: "", baseUrl: process.env.GUIDEWIRE_API_URL! };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyGuidewireWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-guidewire-signature"] as string;
  const secret = process.env.GUIDEWIRE_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const ClaimSchema = z.object({
  claim_number: z.string().regex(/^CLM-\d{8,12}$/),
  policy_number: z.string().regex(/^POL-\d{8,12}$/),
  claimant_id: z.string().uuid(),
  loss_date: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
  loss_type: z.enum(["auto", "property", "liability", "workers_comp", "medical"]),
  reserve_amount: z.number().nonnegative().max(10_000_000),
});

function validateClaimData(data: unknown) {
  return ClaimSchema.parse(data);
}

Data Protection

const GUIDEWIRE_PII_FIELDS = ["ssn", "drivers_license", "medical_records", "bank_account", "claimant_dob", "adjuster_notes"];

function redactGuidewireLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of GUIDEWIRE_PII_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

  • OAuth2 client credentials stored in secrets manager
  • JWT tokens treated as short-lived, never cached beyond expiry
  • API roles assigned per-endpoint in GCC (least privilege)
  • Policyholder SSN and medical data never logged
  • SAML SSO enforced for Jutro frontend access
  • Gosu custom code uses 
    ServerUtil
    for auth, never hardcoded credentials
  • PII encrypted in custom entities
  • Claims data access audited per adjuster

Error Handling

VulnerabilityRiskMitigation
Leaked OAuth2 credentialsFull policy and claims data accessSecrets manager + short-lived JWTs
Overly broad API rolesAdjuster accesses unrelated claimsPer-endpoint GCC role scoping
PII in Gosu logsPolicyholder SSN/medical data exposureField-level redaction in custom code
Hardcoded credentials in GosuCredential theft from source code
ServerUtil
auth + code review gates
Unencrypted claims dataInsurance regulatory violationEncryption at rest for custom entities

Resources

Next Steps

See 

guidewire-prod-checklist
.