Claude-code-plugins-plus windsurf-data-handling
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/windsurf-pack/skills/windsurf-data-handling" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-windsurf-data-handling && rm -rf "$T"
manifest:
plugins/saas-packs/windsurf-pack/skills/windsurf-data-handling/SKILL.mdsource content
Windsurf Data Handling
Overview
Control what code and data Windsurf's AI (Cascade, Supercomplete) can access. Covers file exclusion patterns, telemetry controls, Codeium's data processing model, and compliance configuration for regulated environments.
Prerequisites
- Windsurf IDE installed
- Understanding of Codeium's data processing model
- Identified sensitive files and directories in workspace
Instructions
Step 1: Understand Codeium's Data Model
# What happens with your code in Windsurf data_flow: indexed_locally: what: "File contents, structure, dependencies" where: "Local machine only" purpose: "Supercomplete context, Cascade awareness" retention: "Persists until re-indexed" sent_to_cloud: what: "Cascade prompts, code snippets around cursor" where: "Codeium cloud (or self-hosted for Enterprise)" purpose: "AI model inference" retention: "Zero-data retention for ALL paid plans" never_processed: what: "Files in .codeiumignore, .gitignore, node_modules" where: "N/A" purpose: "N/A" compliance: certifications: ["SOC 2 Type II", "FedRAMP High"] hipaa: "BAA available for Enterprise customers" data_retention: "Zero for paid plans, configurable for Enterprise" deployment: "Cloud, Hybrid, or Self-Hosted options"
Step 2: Configure .codeiumignore for Data Protection
# .codeiumignore — files Windsurf AI will NEVER see or index # Uses gitignore syntax. Default: .gitignore and node_modules excluded. # ===== SECRETS ===== .env .env.* .env.local credentials.json serviceAccountKey.json *.pem *.key *.p12 *.pfx .aws/ .gcloud/ .azure/ vault-config.* # ===== CUSTOMER DATA ===== data/customers/ data/exports/ data/backups/ *.sql *.sql.gz *.dump fixtures/production-* # ===== INFRASTRUCTURE SECRETS ===== terraform.tfstate terraform.tfstate.backup *.tfvars *.auto.tfvars ansible/vault* # ===== COMPLIANCE BOUNDARIES ===== # PCI zone — credit card processing code src/pci/ # HIPAA zone — health data processing src/hipaa/ # Financial data reports/financial/
Step 3: Disable Telemetry (Regulated Environments)
// settings.json — maximum privacy configuration { "codeium.enableTelemetry": false, "codeium.enableSnippetTelemetry": false, "telemetry.telemetryLevel": "off", "update.showReleaseNotes": false }
Step 4: Configure Autocomplete Data Boundaries
// Disable Supercomplete for sensitive file types { "codeium.autocomplete.languages": { "plaintext": false, "env": false, "dotenv": false, "properties": false, "ini": false, "yaml": false, "json": false } }
Rationale: YAML and JSON files often contain configuration with secrets. Disabling Supercomplete for these types prevents the AI from seeing or suggesting content based on config files.
Step 5: Safe Cascade Usage with Sensitive Code
## Rules for using Cascade in regulated codebases 1. NEVER paste secrets into Cascade chat - BAD: "My API key is sk-abc123, why isn't it working?" - GOOD: "I'm getting auth errors. The key is set in .env as API_KEY." 2. NEVER ask Cascade to read excluded files - BAD: "Read .env and tell me what's configured" - GOOD: "What environment variables does src/config.ts expect?" 3. Use .windsurfrules to enforce safety patterns - "Always use process.env for secrets, never hardcode" - "Never log PII fields: email, phone, ssn, creditCard" 4. Mark compliance boundaries in .windsurfrules - "Files in src/pci/ handle credit card data — extra review required" - "Files in src/hipaa/ handle health data — never log patient info"
Step 6: Enterprise Self-Hosted Deployment
For maximum data control:
# Enterprise deployment options deployment_modes: cloud: data_flow: "Code snippets → Codeium cloud → AI response" retention: "Zero-data retention (default for paid plans)" suitable_for: "Most teams" hybrid: data_flow: "Code stays on-prem, only prompts sent to cloud" retention: "Configurable" suitable_for: "Teams with data residency requirements" self_hosted: data_flow: "Everything on-prem or in your cloud" retention: "You control" suitable_for: "Highly regulated (finance, healthcare, government)" requires: "Enterprise plan + infrastructure team"
Data Privacy Audit Checklist
-
covers all secret files and customer data.codeiumignore - Telemetry disabled (if required by policy)
- Autocomplete disabled for secret-containing file types
-
includes data handling coding standards.windsurfrules - Team trained: never paste secrets into Cascade
- Enterprise: deployment mode matches compliance requirements
- Enterprise: SSO configured, personal accounts blocked
- Regular audit: verify no new sensitive files outside ignore patterns
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| AI suggests hardcoded secrets | Secret was in indexed file | Add to |
| PII appears in AI suggestions | Customer data in indexed directory | Exclude data directories |
| Telemetry still sending | Setting not applied | Verify in Settings UI, restart Windsurf |
| Compliance audit finding | Missing ignore patterns | Audit with |
Examples
Quick Privacy Audit
set -euo pipefail echo "=== Windsurf Data Privacy Audit ===" echo "Has .codeiumignore: $([ -f .codeiumignore ] && echo 'YES' || echo 'NO')" echo "Potential exposed secrets:" find . -type f \ -not -path '*/node_modules/*' -not -path '*/.git/*' \ \( -name '*.env*' -o -name '*.key' -o -name '*.pem' -o -name 'credentials*' \) \ 2>/dev/null | while read f; do grep -q "$(basename "$f")" .codeiumignore 2>/dev/null && echo " $f: PROTECTED" || echo " $f: EXPOSED" done
Resources
Next Steps
For enterprise access controls, see
windsurf-enterprise-rbac