Claude-code-plugins-plus-skills shopify-policy-guardrails

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/shopify-pack/skills/shopify-policy-guardrails" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-shopify-policy-guardrails && rm -rf "$T"
manifest: plugins/saas-packs/shopify-pack/skills/shopify-policy-guardrails/SKILL.md
source content

Shopify Policy & Guardrails

Overview

Automated policy enforcement for Shopify apps: secret detection, query cost budgets, App Store compliance checks, and CI policy validation.

Prerequisites

  • ESLint configured in project
  • Pre-commit hooks infrastructure
  • CI/CD pipeline with GitHub Actions
  • Shopify app with shopify.app.toml

Instructions

Step 1: Secret Detection Rules

Custom ESLint rule that catches hardcoded Shopify credentials (shpat_* Admin API access tokens and shpss_* app shared secrets) and API secrets in string literals and template literals.

See Secret Detection ESLint for the complete rule implementation.
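The core of such a rule, as an added example (this is not the skill's own implementation): a pure scanner, findShopifyTokens(), plus the ESLint rule object that wraps it. The token shapes (shpat_/shpss_ followed by 32 hex characters) and the redact() output format are this example's assumptions; the sample source and its token values are constructed, not real credentials.

```javascript
// Added example (not code from the shopify-policy-guardrails skill): the core of
// a secret-detection ESLint rule. findShopifyTokens() is the pure scanner; `rule`
// wraps it in ESLint's rule interface so it can be registered as a local plugin.
'use strict';

// Shopify Admin API access tokens are "shpat_" + 32 hex characters and app
// shared secrets are "shpss_" + 32 hex characters. Requiring the full hex
// suffix keeps the rule quiet on prose such as "tokens start with shpat_".
const TOKEN_PATTERNS = [
  { kind: 'Admin API access token', re: /\bshpat_[a-f0-9]{32}\b/g },
  { kind: 'app shared secret', re: /\bshpss_[a-f0-9]{32}\b/g },
];

// Returns every token-shaped match in `text`, in source order.
function findShopifyTokens(text) {
  const hits = [];
  for (const { kind, re } of TOKEN_PATTERNS) {
    re.lastIndex = 0; // the patterns are shared, so reset the /g cursor
    let m;
    while ((m = re.exec(text)) !== null) {
      hits.push({ kind, value: m[0], index: m.index });
    }
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Never echo the full credential back into lint output or CI logs.
function redact(token) {
  return token.slice(0, 6) + '...' + token.slice(-4);
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow hardcoded Shopify access tokens and app secrets' },
    schema: [],
    messages: {
      hardcoded: 'Hardcoded Shopify {{kind}} ({{redacted}}); read it from the environment or a secret store instead.',
    },
  },
  create(context) {
    function check(node, text) {
      for (const hit of findShopifyTokens(text)) {
        context.report({ node, messageId: 'hardcoded', data: { kind: hit.kind, redacted: redact(hit.value) } });
      }
    }
    return {
      // "shpat_..." and 'shpat_...'
      Literal(node) {
        if (typeof node.value === 'string') check(node, node.value);
      },
      // `shpat_...${x}`: scan each static chunk (quasi); the ${} parts are
      // separate expressions and are visited on their own.
      TemplateLiteral(node) {
        for (const quasi of node.quasis) check(quasi, quasi.value.raw);
      },
    };
  },
};

// Constructed sample (not real credentials): tokens pasted into a client config.
const SAMPLE_SOURCE = [
  'const client = shopifyClient({',
  '  accessToken: "shpat_0123456789abcdef0123456789abcdef",',
  '  secret: `shpss_ffffffffffffffffffffffffffffffff`,',
  '});',
].join('\n');

for (const hit of findShopifyTokens(SAMPLE_SOURCE)) {
  console.log(`${hit.kind}: ${redact(hit.value)} at offset ${hit.index}`);
}

if (typeof module !== 'undefined') {
  module.exports = { rule, findShopifyTokens, redact };
}
```

To wire the rule into an ESLint flat config, register it as a local plugin (`plugins: { shopify: { rules: { 'no-hardcoded-token': rule } } }`) and enable `'shopify/no-hardcoded-token': 'error'`. Keep the 32-hex requirement: dropping it to a bare `shpat_` prefix is exactly the false-positive case in the Error Handling table.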

Step 2: Query Cost Budget Enforcement

Static analysis of GraphQL queries enforcing budgets: max 100 items per first: parameter, max 3 levels of nesting, and max 500 estimated cost. Runs at build/test time.

See Query Cost Budget for the complete implementation.
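A self-contained budget checker for the three limits above, as an added example (not the skill's implementation). It carries its own small parser instead of depending on the `graphql` package, and its cost model (scalar 0, object 1, connection 2 + N times the per-item cost, pageInfo once per connection, edges/node/nodes wrappers free) is this example's approximation of Shopify's documented per-field rates, not the exact server-side calculation; the sample query is constructed.

```javascript
// Added example (not code from the shopify-policy-guardrails skill): a static
// budget check for Admin API GraphQL queries with no `graphql` dependency. The
// hand-written parser covers selection sets, aliases and scalar/variable
// arguments, which is enough for typical read queries (no fragments, no list or
// object argument values).
'use strict';

// Budgets from Step 2.
const BUDGET = { maxFirst: 100, maxDepth: 3, maxCost: 500 };

// Connection wrappers that add structure but no cost or depth of their own
// (assumption of this example; their children are the per-item node fields).
const WRAPPERS = new Set(['edges', 'node', 'nodes']);

function tokenize(src) {
  const re = /\s+|#[^\n]*|,|[{}():!\[\]=]|\$?[_A-Za-z][_0-9A-Za-z]*|-?\d+|"(?:[^"\\]|\\.)*"/y;
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected character ${JSON.stringify(src[pos])} at ${pos}`);
    pos = re.lastIndex;
    if (!/^[\s#,]/.test(m[0])) tokens.push(m[0]); // drop whitespace, comments, commas
  }
  return tokens;
}

// Parses into [{ name, args: { first: "50", ... }, selections: [...] | null }].
function parse(src) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => toks[i];
  const next = () => toks[i++];
  const expect = (t) => { const got = next(); if (got !== t) throw new SyntaxError(`expected ${t}, got ${got}`); };

  function parseSelectionSet() {
    expect('{');
    const fields = [];
    while (peek() !== undefined && peek() !== '}') fields.push(parseField());
    expect('}');
    return fields;
  }
  function parseField() {
    let name = next();
    if (peek() === ':') { next(); name = next(); } // alias: realField
    const args = {};
    if (peek() === '(') {
      next();
      while (peek() !== ')') { const key = next(); expect(':'); args[key] = next(); }
      next();
    }
    return { name, args, selections: peek() === '{' ? parseSelectionSet() : null };
  }

  // Skip an operation header such as `query Orders($n: Int!)` up to the first "{".
  if (peek() === 'query' || peek() === 'mutation') {
    while (i < toks.length && peek() !== '{') next();
  }
  const root = parseSelectionSet();
  if (i !== toks.length) throw new SyntaxError(`trailing tokens: ${toks.slice(i).join(' ')}`);
  return root;
}

// Cost model (assumption approximating Shopify's documented rates): scalar 0,
// object 1, connection 2 + N * (1 + cost of one node's selections), pageInfo
// counted once per connection. A variable limit ($n) cannot be bounded
// statically, so it is estimated at the budget maximum.
function analyze(fields, depth = 0, violations = [], path = '') {
  let cost = 0;
  for (const f of fields) {
    const here = path ? `${path}.${f.name}` : f.name;
    if (!f.selections) continue; // scalar or enum
    if (WRAPPERS.has(f.name)) { // transparent wrapper
      cost += analyze(f.selections, depth, violations, here).cost;
      continue;
    }
    if (depth === BUDGET.maxDepth) {
      violations.push(`${here}: nesting depth ${depth + 1} exceeds ${BUDGET.maxDepth}`);
    }
    const limit = f.args.first ?? f.args.last;
    if (limit === undefined) { // plain object field
      cost += 1 + analyze(f.selections, depth + 1, violations, here).cost;
      continue;
    }
    const n = /^\d+$/.test(limit) ? Number(limit) : BUDGET.maxFirst;
    if (n > BUDGET.maxFirst) violations.push(`${here}: first/last ${n} exceeds ${BUDGET.maxFirst}`);
    let perNode = 0, perConnection = 0;
    for (const child of f.selections) {
      if (!child.selections) continue;
      if (child.name === 'pageInfo') { perConnection += 1; continue; }
      const sub = analyze([child], depth + 1, violations, here).cost;
      if (WRAPPERS.has(child.name)) perNode += sub; else perConnection += sub;
    }
    cost += 2 + perConnection + n * (1 + perNode);
  }
  return { cost, violations };
}

function checkQuery(src) {
  const { cost, violations } = analyze(parse(src));
  if (cost > BUDGET.maxCost) violations.push(`estimated cost ${cost} exceeds ${BUDGET.maxCost}`);
  return { cost, ok: violations.length === 0, violations };
}

// Constructed sample: each connection is within the first: limit, yet the
// nested lineItems connection multiplies out to an estimate over budget.
const SAMPLE_QUERY = `
  query Orders($n: Int!) {
    orders(first: 50, query: "status:open") {
      edges { node { id name customer { id } lineItems(first: 10) { nodes { title } } } }
      pageInfo { hasNextPage }
    }
  }`;

console.log(JSON.stringify(checkQuery(SAMPLE_QUERY), null, 2));
```

Run it over every `.graphql` file or tagged template in the build and fail on `ok === false`. Because the estimate is deliberately conservative (variables are priced at the maximum), confirm borderline queries against the cost Shopify reports in the live response before loosening a budget.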

Step 3: Pre-Commit Hooks

Git hooks that scan staged changes for Shopify tokens and block .env files from being committed.

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: shopify-token-scan
        name: Scan for Shopify tokens
        language: system
        # Folded block scalar (>-): YAML joins the lines with spaces, so every
        # statement needs its own ";" to stay valid shell, and the "ERROR: ..."
        # message is legal here (a plain multi-line scalar may not contain ": ").
        # Only added lines (^+) are scanned, so deleting a leaked token from a
        # file does not trip the hook.
        entry: >-
          bash -c 'if git diff --cached -U0 --diff-filter=d | grep -E "^\+[^+]" | grep -E "shp(at|ss)_[a-f0-9]{32}" ; then
          echo "ERROR: Shopify access token or secret detected in staged changes";
          exit 1;
          fi'
        pass_filenames: false

      - id: shopify-env-check
        name: Check .env not staged
        language: system
        # Matches .env, .env.local and .env.production at any depth; .env.example
        # and other templates are allowed through.
        entry: >-
          bash -c 'if git diff --cached --name-only --diff-filter=d | grep -E "(^|/)\.env(\.local|\.production)?$" ; then
          echo "ERROR: .env file staged for commit";
          exit 1;
          fi'
        pass_filenames: false

Step 4: App Store Compliance Checker

Pre-submission script that validates that all three mandatory compliance (GDPR) webhooks are subscribed (customers/data_request, customers/redact, shop/redact), token hygiene, CSP headers, and that the API version is pinned to a stable release.

See Compliance Checker for the complete implementation.
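The configuration half of that checker, as an added example (not the skill's own script), run against shopify.app.toml: it aggregates compliance_topics across every [[webhooks.subscriptions]] block, pins webhooks.api_version to a quarterly release, and refuses a config carrying a token. CSP headers are a runtime property of the app and are out of scope here. The sample config is constructed; the quarterly version pattern and the finding texts are this example's assumptions.

```javascript
// Added example (not code from the shopify-policy-guardrails skill): the config
// half of a pre-submission compliance check, run against shopify.app.toml.
// Regex-based on purpose so it needs no TOML library.
'use strict';

// The three mandatory compliance webhooks every public app must subscribe to.
const REQUIRED_TOPICS = ['customers/data_request', 'customers/redact', 'shop/redact'];

// Admin API versions are quarterly (YYYY-01/04/07/10); "unstable" is not a
// release target.
const STABLE_VERSION = /^\d{4}-(01|04|07|10)$/;

function checkAppConfig(toml) {
  const findings = [];

  // Compliance topics may be split across several [[webhooks.subscriptions]]
  // blocks, so gather every compliance_topics array before comparing. This is
  // also why counting matching lines (grep -c) is the wrong check: all three
  // topics on one line count as 1.
  const topics = new Set();
  for (const block of toml.matchAll(/compliance_topics\s*=\s*\[([^\]]*)\]/g)) {
    for (const t of block[1].matchAll(/"([^"]+)"/g)) topics.add(t[1]);
  }
  for (const t of REQUIRED_TOPICS) {
    if (!topics.has(t)) findings.push(`missing mandatory compliance webhook: ${t}`);
  }

  // The [webhooks] table must pin api_version to a stable quarterly release.
  const version = /\[webhooks\][^\[]*?api_version\s*=\s*"([^"]+)"/.exec(toml);
  if (!version) findings.push('webhooks.api_version is not set');
  else if (!STABLE_VERSION.test(version[1])) findings.push(`webhooks.api_version "${version[1]}" is not a stable release`);

  // Token hygiene: the config ships with the app and must not carry credentials.
  if (/shp(at|ss)_[a-f0-9]{32}/.test(toml)) findings.push('Shopify token or secret hardcoded in shopify.app.toml');

  return { ok: findings.length === 0, findings };
}

// Constructed sample config (not a real app): one compliance topic is missing.
const SAMPLE_TOML = `
client_id = "example-client-id"
name = "guardrails-demo"
application_url = "https://example.com"

[webhooks]
api_version = "2024-10"

[[webhooks.subscriptions]]
topics = [ "app/uninstalled" ]
uri = "/webhooks/app"

[[webhooks.subscriptions]]
compliance_topics = [ "customers/data_request", "customers/redact" ]
uri = "/webhooks/compliance"
`;

const result = checkAppConfig(SAMPLE_TOML);
console.log(result.ok ? 'PASS' : 'FAIL:\n  ' + result.findings.join('\n  '));

if (typeof module !== 'undefined') module.exports = { checkAppConfig, REQUIRED_TOPICS };
```

Exit non-zero on any finding so the same function can back both the local pre-submission run and the CI job in Step 5.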

Step 5: CI Policy Pipeline

GitHub Actions workflow enforcing token scanning, GDPR webhook configuration, and API version stability on every push and PR.

See CI Policy Pipeline for the complete workflow.

Output

  • ESLint rules catching hardcoded tokens
  • Query cost budgets enforced
  • Pre-commit hooks blocking secret leaks
  • App Store compliance checker
  • CI policy pipeline preventing violations

Error Handling

Issue                        Cause                       Solution
False positive on token      Base64 string matched       Narrow the regex: require the full shp*_ prefix plus 32 hex characters
Query cost estimate wrong    Complex variable nesting    Compare against the actual cost Shopify reports in the response (extensions.cost) in tests
Pre-commit bypassed          --no-verify flag            Enforce the same checks in CI as a backup
App Store rejection          Missing GDPR webhook        Run the compliance checker before submitting

Examples

Quick Policy Scan

# One-liner: check for token leaks in the lines added by staged changes
# (scanning the whole diff would also flag the commit that removes a leaked token)
git diff --cached -U0 | grep -E '^\+[^+]' | grep -E 'shp(at|ss)_[a-f0-9]{32}' && echo "TOKEN LEAK!" || echo "Clean"

# Check GDPR compliance: count the distinct mandatory topics, not matching lines
# (grep -c reports 1 when all three sit on a single compliance_topics line)
grep -oE 'customers/data_request|customers/redact|shop/redact' shopify.app.toml | sort -u | wc -l
# Should output: 3

Resources