Claude-skill-registry clay-policy-guardrails
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/clay-policy-guardrails" ~/.claude/skills/majiayu000-claude-skill-registry-clay-policy-guardrails && rm -rf "$T"
manifest:
skills/data/clay-policy-guardrails/SKILL.mdsource content
Clay Policy & Guardrails
Overview
Automated policy enforcement and guardrails for Clay integrations.
Prerequisites
- ESLint configured in project
- Pre-commit hooks infrastructure
- CI/CD pipeline with policy checks
- TypeScript for type enforcement
ESLint Rules
Custom Clay Plugin
// eslint-plugin-clay/rules/no-hardcoded-keys.js module.exports = { meta: { type: 'problem', docs: { description: 'Disallow hardcoded Clay API keys', }, fixable: 'code', }, create(context) { return { Literal(node) { if (typeof node.value === 'string') { if (node.value.match(/^sk_(live|test)_[a-zA-Z0-9]{24,}/)) { context.report({ node, message: 'Hardcoded Clay API key detected', }); } } }, }; }, };
ESLint Configuration
// .eslintrc.js module.exports = { plugins: ['clay'], rules: { 'clay/no-hardcoded-keys': 'error', 'clay/require-error-handling': 'warn', 'clay/use-typed-client': 'warn', }, };
Pre-Commit Hooks
# .pre-commit-config.yaml repos: - repo: local hooks: - id: clay-secrets-check name: Check for Clay secrets entry: bash -c 'git diff --cached --name-only | xargs grep -l "sk_live_" && exit 1 || exit 0' language: system pass_filenames: false - id: clay-config-validate name: Validate Clay configuration entry: node scripts/validate-clay-config.js language: node files: '\.clay\.json$'
TypeScript Strict Patterns
// Enforce typed configuration interface ClayStrictConfig { apiKey: string; // Required environment: 'development' | 'staging' | 'production'; // Enum timeout: number; // Required number, not optional retries: number; } // Disallow any in Clay code // @ts-expect-error - Using any is forbidden const client = new Client({ apiKey: any }); // Prefer this const client = new ClayClient(config satisfies ClayStrictConfig);
Architecture Decision Records
ADR Template
# ADR-001: Clay Client Initialization ## Status Accepted ## Context We need to decide how to initialize the Clay client across our application. ## Decision We will use the singleton pattern with lazy initialization. ## Consequences - Pro: Single client instance, connection reuse - Pro: Easy to mock in tests - Con: Global state requires careful lifecycle management ## Enforcement - ESLint rule: clay/use-singleton-client - CI check: grep for "new ClayClient(" outside allowed files
Policy-as-Code (OPA)
# clay-policy.rego package clay # Deny production API keys in non-production environments deny[msg] { input.environment != "production" startswith(input.apiKey, "sk_live_") msg := "Production API keys not allowed in non-production environment" } # Require minimum timeout deny[msg] { input.timeout < 10000 msg := sprintf("Timeout too low: %d < 10000ms minimum", [input.timeout]) } # Require retry configuration deny[msg] { not input.retries msg := "Retry configuration is required" }
CI Policy Checks
# .github/workflows/clay-policy.yml name: Clay Policy Check on: [push, pull_request] jobs: policy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Check for hardcoded secrets run: | if grep -rE "sk_(live|test)_[a-zA-Z0-9]{24,}" --include="*.ts" --include="*.js" .; then echo "ERROR: Hardcoded Clay keys found" exit 1 fi - name: Validate configuration schema run: | npx ajv validate -s clay-config.schema.json -d config/clay/*.json - name: Run ESLint Clay rules run: npx eslint --plugin clay --rule 'clay/no-hardcoded-keys: error' src/
Runtime Guardrails
// Prevent dangerous operations in production const BLOCKED_IN_PROD = ['deleteAll', 'resetData', 'migrateDown']; function guardClayOperation(operation: string): void { const isProd = process.env.NODE_ENV === 'production'; if (isProd && BLOCKED_IN_PROD.includes(operation)) { throw new Error(`Operation '${operation}' blocked in production`); } } // Rate limit protection function guardRateLimits(requestsInWindow: number): void { const limit = parseInt(process.env.CLAY_RATE_LIMIT || '100'); if (requestsInWindow > limit * 0.9) { console.warn('Approaching Clay rate limit'); } if (requestsInWindow >= limit) { throw new Error('Clay rate limit exceeded - request blocked'); } }
Instructions
Step 1: Create ESLint Rules
Implement custom lint rules for Clay patterns.
Step 2: Configure Pre-Commit Hooks
Set up hooks to catch issues before commit.
Step 3: Add CI Policy Checks
Implement policy-as-code in CI pipeline.
Step 4: Enable Runtime Guardrails
Add production safeguards for dangerous operations.
Output
- ESLint plugin with Clay rules
- Pre-commit hooks blocking secrets
- CI policy checks passing
- Runtime guardrails active
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| ESLint rule not firing | Wrong config | Check plugin registration |
| Pre-commit skipped | --no-verify | Enforce in CI |
| Policy false positive | Regex too broad | Narrow pattern match |
| Guardrail triggered | Actual issue | Fix or whitelist |
Examples
Quick ESLint Check
npx eslint --plugin clay --rule 'clay/no-hardcoded-keys: error' src/
Resources
Next Steps
For architecture blueprints, see
clay-architecture-variants