replit-policy-guardrails
Enforce security and resource policies for Replit-hosted apps: secrets exposure prevention, resource limits, deployment visibility, and database access controls. Use when hardening a Replit app for production, auditing security posture, or setting up guardrails for team development. Trigger with phrases like "replit policy", "replit guardrails", "replit security audit", "replit hardening", "replit best practices check".
Best use case
replit-policy-guardrails is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Enforce security and resource policies for Replit-hosted apps: secrets exposure prevention, resource limits, deployment visibility, and database access controls. Use when hardening a Replit app for production, auditing security posture, or setting up guardrails for team development. Trigger with phrases like "replit policy", "replit guardrails", "replit security audit", "replit hardening", "replit best practices check".
Teams using replit-policy-guardrails should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/replit-policy-guardrails/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How replit-policy-guardrails Compares
| Feature / Agent | replit-policy-guardrails | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Enforce security and resource policies for Replit-hosted apps: secrets exposure prevention, resource limits, deployment visibility, and database access controls. Use when hardening a Replit app for production, auditing security posture, or setting up guardrails for team development. Trigger with phrases like "replit policy", "replit guardrails", "replit security audit", "replit hardening", "replit best practices check".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Replit Policy Guardrails
## Overview
Policy enforcement for Replit-hosted applications. Replit's public-by-default Repls, shared hosting, and resource limits require specific guardrails around secrets exposure, resource consumption, deployment security, and endpoint protection.
## Prerequisites
- Replit account with Deployment access
- Understanding of Replit's security model
- Awareness of Replit's Terms of Service
## Instructions
### Step 1: Secrets Exposure Prevention
Replit Repls are **public by default** on free plans. Source code is visible to anyone.
```python
# CRITICAL POLICY: Never hardcode secrets in source files
# BAD — visible to anyone viewing your Repl
API_KEY = "sk-live-abc123"
DB_PASSWORD = "p@ssw0rd"
# GOOD — use Replit Secrets (AES-256 encrypted)
import os
API_KEY = os.environ.get("API_KEY")
if not API_KEY:
raise RuntimeError("API_KEY not set. Add it in the Secrets tab (lock icon).")
# Startup validation — fail fast if secrets missing
REQUIRED_SECRETS = ["API_KEY", "DATABASE_URL", "JWT_SECRET"]
missing = [s for s in REQUIRED_SECRETS if not os.environ.get(s)]
if missing:
raise RuntimeError(f"Missing required secrets: {missing}")
```
**Automated secret detection:**
```typescript
// Pre-deploy check script: scripts/check-secrets.ts
import { readFileSync, readdirSync, statSync } from 'fs';
import { join } from 'path';
const SECRET_PATTERNS = [
/sk[-_](?:live|test)[-_]\w{20,}/, // API keys
/(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i,
/(?:secret|token)\s*[:=]\s*['"][^'"]{10,}['"]/i,
/-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/,
/eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+/, // JWT tokens
];
function scanFile(filepath: string): string[] {
const content = readFileSync(filepath, 'utf-8');
const issues: string[] = [];
SECRET_PATTERNS.forEach((pattern, i) => {
if (pattern.test(content)) {
issues.push(`${filepath}: potential secret found (pattern ${i})`);
}
});
return issues;
}
function scanDirectory(dir: string): string[] {
const issues: string[] = [];
const entries = readdirSync(dir);
for (const entry of entries) {
if (['.git', 'node_modules', '.cache', 'dist'].includes(entry)) continue;
const path = join(dir, entry);
if (statSync(path).isDirectory()) {
issues.push(...scanDirectory(path));
} else if (/\.(ts|js|py|json|env|yaml|yml|toml)$/.test(entry)) {
issues.push(...scanFile(path));
}
}
return issues;
}
const issues = scanDirectory('.');
if (issues.length > 0) {
console.error('SECRET SCAN FAILED:');
issues.forEach(i => console.error(` ${i}`));
process.exit(1);
}
console.log('Secret scan passed: no hardcoded secrets found.');
```
### Step 2: Resource Usage Guards
Replit containers have CPU and memory limits. Guard against runaway processes.
```python
import resource
import signal
import os
# Set memory limit (match your deployment tier)
MEMORY_LIMIT_MB = int(os.environ.get("MEMORY_LIMIT_MB", "512"))
resource.setrlimit(
resource.RLIMIT_AS,
(MEMORY_LIMIT_MB * 1024 * 1024, MEMORY_LIMIT_MB * 1024 * 1024)
)
# Per-request CPU timeout
def timeout_handler(signum, frame):
raise TimeoutError("Request exceeded CPU time limit")
signal.signal(signal.SIGALRM, timeout_handler)
@app.route('/process')
def process_request():
signal.alarm(30) # 30 second max
try:
result = heavy_computation()
return jsonify(result)
except TimeoutError:
return jsonify({"error": "Request timed out"}), 504
finally:
signal.alarm(0)
```
```typescript
// Node.js: memory and request size limits
app.use(express.json({ limit: '1mb' })); // Prevent payload bombs
app.use(express.urlencoded({ limit: '1mb', extended: true }));
// Monitor and alert on high memory
setInterval(() => {
const heapMB = Math.round(process.memoryUsage().heapUsed / 1024 / 1024);
if (heapMB > 400) { // Approaching 512MB limit
console.warn(`HIGH MEMORY: ${heapMB}MB — consider restart`);
}
}, 30000);
```
### Step 3: Endpoint Protection
```typescript
// Protect all data endpoints with authentication
import { Request, Response, NextFunction } from 'express';
function requireAuth(req: Request, res: Response, next: NextFunction) {
const userId = req.headers['x-replit-user-id'];
if (!userId) {
return res.status(401).json({ error: 'Authentication required' });
}
next();
}
// Apply to all API routes
app.use('/api', requireAuth);
// Admin-only routes: check specific user IDs or roles
function requireAdmin(req: Request, res: Response, next: NextFunction) {
const userId = req.headers['x-replit-user-id'] as string;
const adminIds = (process.env.ADMIN_USER_IDS || '').split(',');
if (!adminIds.includes(userId)) {
return res.status(403).json({ error: 'Admin access required' });
}
next();
}
app.use('/admin', requireAuth, requireAdmin);
```
### Step 4: Deployment Visibility Controls
```typescript
// Validate deployment configuration at startup
function validateDeploymentSecurity() {
const warnings: string[] = [];
// Check if running as Deployment vs Repl
if (!process.env.REPL_DEPLOYMENT && process.env.NODE_ENV === 'production') {
warnings.push('WARNING: Production NODE_ENV but not a Deployment. Container may sleep.');
}
// Check debug mode
if (process.env.DEBUG && process.env.NODE_ENV === 'production') {
warnings.push('WARNING: DEBUG enabled in production');
}
// Check CORS
if (process.env.CORS_ORIGIN === '*' && process.env.NODE_ENV === 'production') {
warnings.push('WARNING: CORS allows all origins in production');
}
if (warnings.length) {
warnings.forEach(w => console.warn(w));
}
return { secure: warnings.length === 0, warnings };
}
// Run at startup
const security = validateDeploymentSecurity();
if (!security.secure) {
console.warn('Security warnings detected. Review before production deployment.');
}
```
### Step 5: Security Audit Checklist
```markdown
## Replit Security Audit
### Secrets (Critical)
- [ ] No API keys in source code
- [ ] All secrets in Replit Secrets tab
- [ ] Startup validates required secrets
- [ ] Secret Scanner warnings addressed
### Access Control
- [ ] All data endpoints require authentication
- [ ] Admin routes have role-based access
- [ ] Rate limiting on public endpoints
- [ ] CORS configured for specific origins
### Data Protection
- [ ] Parameterized SQL queries (no string concatenation)
- [ ] Input validation on all user data
- [ ] Error responses don't expose internals
- [ ] Logs don't contain PII or secrets
### Deployment
- [ ] Production uses Deployments (not Repl "Run")
- [ ] NODE_ENV set to "production"
- [ ] Health endpoint doesn't expose secrets
- [ ] Custom domain has SSL (auto-provisioned)
### Resources
- [ ] Memory limits appropriate for tier
- [ ] Request size limits configured
- [ ] Per-request timeout enforced
- [ ] Payload size validation
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Secret leaked in code | Not using Secrets tab | Rotate key, move to Secrets |
| OOM kill | No memory limits | Set resource limits, monitor usage |
| Unauthorized data access | Missing auth middleware | Add requireAuth to all /api routes |
| Debug info in production | Debug mode not disabled | Check NODE_ENV and DEBUG env vars |
## Resources
- [Replit Secrets](https://docs.replit.com/replit-workspace/workspace-features/secrets)
- [Replit Security](https://replit.com/products/security)
- [Secure Vibe Coding](https://blog.replit.com/16-ways-to-vibe-code-securely)
- [Secret Scanner](https://blog.replit.com/secret-scanner)
## Next Steps
For architecture patterns, see `replit-architecture-variants`.Related Skills
windsurf-policy-guardrails
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
vercel-policy-guardrails
Implement lint rules, CI policy checks, and automated guardrails for Vercel projects. Use when setting up code quality rules, preventing secret exposure, or enforcing deployment policies for Vercel applications. Trigger with phrases like "vercel policy", "vercel lint", "vercel guardrails", "vercel best practices check", "vercel secret scan".
supabase-policy-guardrails
Enforce organizational governance for Supabase projects: shared RLS policy library with reusable templates, table and column naming conventions, migration review process with CI checks, cost alert thresholds, and security audit scripts scanning for common misconfigurations. Use when establishing Supabase standards across teams, creating RLS policy templates, setting up migration review workflows, or auditing existing projects for security and cost issues. Trigger with phrases like "supabase governance", "supabase policy library", "supabase naming convention", "supabase migration review", "supabase cost alert", "supabase security audit", "supabase RLS template".
snowflake-policy-guardrails
Implement Snowflake governance guardrails with network rules, session policies, authentication policies, and automated compliance checks. Use when enforcing security policies, implementing data governance, or configuring automated compliance for Snowflake. Trigger with phrases like "snowflake policy", "snowflake guardrails", "snowflake governance", "snowflake compliance", "snowflake enforce".
shopify-policy-guardrails
Implement Shopify app policy enforcement with ESLint rules for API key detection, query cost budgets, and App Store compliance checks. Trigger with phrases like "shopify policy", "shopify lint", "shopify guardrails", "shopify compliance", "shopify eslint", "shopify app review".
sentry-policy-guardrails
Enforce organizational governance and policy guardrails for Sentry usage. Use when standardizing Sentry configuration across services, enforcing PII scrubbing, building shared config packages, or auditing drift. Trigger with phrases like "sentry governance", "sentry policy", "sentry standards", "enforce sentry config", "sentry compliance".
salesforce-policy-guardrails
Implement Salesforce lint rules, SOQL injection prevention, and API usage guardrails. Use when enforcing Salesforce integration code quality, preventing SOQL injection, or configuring CI policy checks for Salesforce best practices. Trigger with phrases like "salesforce policy", "salesforce lint", "salesforce guardrails", "SOQL injection", "salesforce eslint", "salesforce code review".
retellai-policy-guardrails
Retell AI policy guardrails — AI voice agent and phone call automation. Use when working with Retell AI for voice agents, phone calls, or telephony. Trigger with phrases like "retell policy guardrails", "retellai-policy-guardrails", "voice agent".
replit-webhooks-events
Handle Replit deployment events, build Replit Extensions, and set up Agents & Automations. Use when integrating with Replit deployment lifecycle, building workspace extensions, or creating automated workflows with Replit Agent. Trigger with phrases like "replit webhook", "replit events", "replit extension", "replit automation", "replit notifications", "replit agent automation".
replit-upgrade-migration
Upgrade Replit Nix channels, migrate between database types, and update deployment targets. Use when upgrading Nix channel versions, migrating from Replit DB to PostgreSQL, switching deployment types, or updating system dependencies. Trigger with phrases like "upgrade replit", "replit nix upgrade", "migrate replit database", "replit version update", "replit channel update".
replit-security-basics
Apply Replit security best practices: Secrets management, REPL_IDENTITY tokens, Auth headers, and public Repl safety. Use when securing API keys, validating request identity, or auditing Replit security configuration. Trigger with phrases like "replit security", "replit secrets", "secure replit", "replit public safety", "replit identity token".
replit-sdk-patterns
Apply production-ready patterns for Replit Database, Object Storage, and Auth APIs. Use when implementing Replit integrations, structuring data access layers, or establishing team coding standards for Replit services. Trigger with phrases like "replit patterns", "replit best practices", "replit code patterns", "idiomatic replit", "replit SDK".