windsurf-policy-guardrails
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
Best use case
windsurf-policy-guardrails is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
Teams using windsurf-policy-guardrails should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/windsurf-policy-guardrails/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How windsurf-policy-guardrails Compares
| Feature / Agent | windsurf-policy-guardrails | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement team-wide Windsurf usage policies, code quality gates, and Cascade guardrails. Use when setting up code review policies for AI-generated code, configuring Turbo mode safety controls, or implementing CI gates for Cascade output. Trigger with phrases like "windsurf policy", "windsurf guardrails", "cascade safety rules", "windsurf team rules", "AI code policy".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Windsurf Policy Guardrails
## Overview
Policy guardrails for team Windsurf usage: controlling what Cascade can do, enforcing code review for AI output, configuring terminal safety controls, and preventing common AI coding mistakes.
## Prerequisites
- Windsurf configured for team use
- Git workflow established
- CI/CD pipeline in place
- Team agreement on AI usage standards
## Instructions
### Step 1: Terminal Command Safety (Turbo Mode Controls)
Configure what Cascade can and cannot auto-execute:
```json
// settings.json — Team-wide terminal safety
{
"windsurf.cascadeCommandsAllowList": [
"npm test", "npm run", "npx vitest", "npx tsc",
"git status", "git diff", "git log", "git add",
"eslint", "prettier", "biome",
"ls", "cat", "head", "tail", "wc", "grep"
],
"windsurf.cascadeCommandsDenyList": [
"rm -rf", "rm -r /",
"sudo",
"git push --force", "git reset --hard",
"DROP TABLE", "DELETE FROM", "TRUNCATE",
"curl | bash", "wget | sh",
"chmod 777",
"kill -9",
"shutdown", "reboot", "halt",
"mkfs", "dd if=",
"npm publish", "npx publish"
]
}
```
### Step 2: Workspace Isolation Rules
Prevent Cascade from accessing sensitive directories:
```gitignore
# .codeiumignore — security boundary
# AI cannot see or modify files matching these patterns
# Credentials
.env
.env.*
credentials/
secrets/
*.pem
*.key
# Infrastructure
terraform.tfstate*
*.tfvars
ansible/vault*
# Customer data
data/production/
exports/
```
```markdown
<!-- .windsurf/rules/protected-files.md -->
---
trigger: always_on
---
## Protected Files Policy
- NEVER modify files in migrations/ without explicit request
- NEVER modify Dockerfile or docker-compose.yml without explicit request
- NEVER modify CI/CD workflows (.github/workflows/) without explicit request
- NEVER modify package.json dependencies without explicit request
- ALWAYS ask before changing database schema files
```
### Step 3: AI Code Review Policy
```yaml
# .github/workflows/ai-code-gate.yml
name: AI Code Quality Gate
on: pull_request
jobs:
ai-review-gate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- name: Check cascade commit policy
run: |
# Count files changed
FILES=$(git diff --name-only origin/main..HEAD | wc -l)
# Large changesets need explicit review
if [ "$FILES" -gt 15 ]; then
echo "::warning::Large changeset ($FILES files modified)."
echo "If AI-generated, ensure line-by-line review."
fi
# New files must have tests
NEW_SRC=$(git diff --name-only --diff-filter=A origin/main..HEAD | grep -cE '\.(ts|js)$' || true)
NEW_TEST=$(git diff --name-only --diff-filter=A origin/main..HEAD | grep -cE '\.(test|spec)\.' || true)
if [ "$NEW_SRC" -gt 3 ] && [ "$NEW_TEST" -eq 0 ]; then
echo "::error::$NEW_SRC new source files without tests."
echo "Add tests before merging AI-generated code."
exit 1
fi
- name: Scan for hardcoded secrets
run: |
SECRETS_FOUND=$(git diff origin/main..HEAD | grep -cE '(sk_live|sk_test|AKIA[A-Z0-9]|ghp_|glpat-|xoxb-)' || true)
if [ "$SECRETS_FOUND" -gt 0 ]; then
echo "::error::Potential hardcoded secret detected in diff."
exit 1
fi
```
### Step 4: Team Cascade Usage Guidelines
```markdown
<!-- docs/windsurf-policy.md — committed to repo -->
# Team Windsurf AI Usage Policy
## Required Practices
1. **Git before Cascade** — commit or stash before every Cascade session
2. **Feature branches only** — never use Cascade on main or develop
3. **Review every diff** — accept changes file-by-file, not "accept all"
4. **Test after accepting** — run tests before committing Cascade changes
5. **Tag AI commits** — prefix with `[cascade]` for traceability
## Prohibited Actions
1. Never paste secrets, API keys, or passwords into Cascade chat
2. Never let Cascade modify production config without manual review
3. Never use Cascade to write security-critical code without expert review
4. Never accept Cascade suggestions for database migrations without DBA review
5. Never use Turbo mode with commands not in the allow list
## Code Review Standards for AI-Generated Code
- Reviewer MUST verify logic, not just syntax
- Reviewer MUST check edge cases (AI often misses boundary conditions)
- Reviewer MUST verify error handling (AI tends to happy-path)
- Reviewer MUST check for AI-specific patterns: unnecessary abstraction,
over-engineering, cargo-cult patterns from training data
## Accountability
- The developer who accepts and commits AI-generated code is responsible
- "Cascade wrote it" is not an excuse for bugs in production
- All standard code review requirements apply to AI-generated code
```
### Step 5: Extension Trust Policy
```json
// .vscode/extensions.json (works in Windsurf)
{
"recommendations": [
"esbenp.prettier-vscode",
"dbaeumer.vscode-eslint",
"biomejs.biome"
],
"unwantedRecommendations": [
"github.copilot",
"github.copilot-chat",
"tabnine.tabnine-vscode",
"sourcegraph.cody-ai"
]
}
```
### Step 6: Pre-Cascade Checklist Workflow
```markdown
<!-- .windsurf/workflows/safe-cascade.md -->
---
name: safe-cascade
description: Pre-flight checks before Cascade work
---
// turbo-all
1. Run `git status` — verify clean working tree
2. Run `git checkout -b cascade/$(date +%Y%m%d-%H%M%S)` — new branch
3. Run `git log --oneline -3` — note recent context
4. Report: "Ready for Cascade. Branch created. Clean working tree."
5. Ask: "What would you like Cascade to do?"
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Cascade modifies secrets | Files not in .codeiumignore | Add to .codeiumignore, rotate exposed secret |
| Untested AI code merged | No CI gate | Add test-required check to PR |
| Conflicting suggestions | Multiple AI extensions | Remove competing extensions |
| Developer bypasses policy | No enforcement | Add CI gates, team training |
| Cascade runs destructive command | Not in deny list | Add to cascadeCommandsDenyList |
## Examples
### Quick Policy Verification
```bash
set -euo pipefail
echo "=== Policy Compliance Check ==="
echo "Branch protection: $(gh api repos/:owner/:repo/branches/main/protection --jq '.required_status_checks.contexts | length' 2>/dev/null || echo 'N/A') checks"
echo ".codeiumignore: $([ -f .codeiumignore ] && echo 'EXISTS' || echo 'MISSING')"
echo "Policy doc: $([ -f docs/windsurf-policy.md ] && echo 'EXISTS' || echo 'MISSING')"
echo "Extension control: $([ -f .vscode/extensions.json ] && echo 'EXISTS' || echo 'MISSING')"
```
## Resources
- [Windsurf Terminal Docs](https://docs.windsurf.com/windsurf/terminal)
- [Windsurf Rules](https://docs.windsurf.com/windsurf/cascade/memories)
- [Windsurf Admin Guide](https://docs.windsurf.com/windsurf/guide-for-admins)
## Next Steps
For architecture strategies, see `windsurf-architecture-variants`.Related Skills
windsurf-webhooks-events
Build Windsurf extensions and integrate with VS Code extension API events. Use when building custom Windsurf extensions, tracking editor events, or integrating Windsurf with external tools via extension development. Trigger with phrases like "windsurf extension", "windsurf events", "windsurf plugin", "build windsurf extension", "windsurf API".
windsurf-upgrade-migration
Upgrade Windsurf IDE, migrate settings from VS Code or Cursor, and handle breaking changes. Use when upgrading Windsurf versions, migrating from another editor, or handling configuration changes after updates. Trigger with phrases like "upgrade windsurf", "windsurf update", "migrate to windsurf", "windsurf from cursor", "windsurf from vscode".
windsurf-security-basics
Apply Windsurf security best practices for workspace isolation, data privacy, and secret protection. Use when securing sensitive code from AI indexing, configuring telemetry, or auditing Windsurf security posture. Trigger with phrases like "windsurf security", "windsurf secrets", "windsurf privacy", "windsurf data protection", "codeiumignore".
windsurf-sdk-patterns
Apply production-ready Windsurf workspace configuration and Cascade interaction patterns. Use when configuring .windsurfrules, workspace rules, MCP servers, or establishing team coding standards for Windsurf AI. Trigger with phrases like "windsurf patterns", "windsurf best practices", "windsurf config patterns", "windsurfrules", "windsurf workspace".
windsurf-reliability-patterns
Implement reliable Cascade workflows with checkpoints, rollback, and incremental editing. Use when building fault-tolerant AI coding workflows, preventing Cascade from breaking builds, or establishing safe practices for multi-file AI edits. Trigger with phrases like "windsurf reliability", "cascade safety", "windsurf rollback", "cascade checkpoint", "safe cascade workflow".
windsurf-reference-architecture
Implement Windsurf reference architecture with optimal project structure and AI configuration. Use when designing workspace configuration for Windsurf, setting up team standards, or establishing architecture patterns that maximize Cascade effectiveness. Trigger with phrases like "windsurf architecture", "windsurf project structure", "windsurf best practices", "windsurf team setup", "optimize for cascade".
windsurf-rate-limits
Understand and manage Windsurf credit system, usage limits, and model selection. Use when running out of credits, optimizing AI usage costs, or understanding the credit-per-model pricing structure. Trigger with phrases like "windsurf credits", "windsurf rate limit", "windsurf usage", "windsurf out of credits", "windsurf model costs".
windsurf-prod-checklist
Execute Windsurf production readiness checklist for team and enterprise deployments. Use when rolling out Windsurf to a team, preparing for enterprise deployment, or auditing production configuration. Trigger with phrases like "windsurf production", "windsurf team rollout", "windsurf go-live", "windsurf enterprise deploy", "windsurf checklist".
windsurf-performance-tuning
Optimize Windsurf IDE performance: indexing speed, Cascade responsiveness, and memory usage. Use when Windsurf is slow, indexing takes too long, Cascade times out, or the IDE uses too much memory. Trigger with phrases like "windsurf slow", "windsurf performance", "optimize windsurf", "windsurf memory", "cascade slow", "indexing slow".
windsurf-observability
Monitor Windsurf AI adoption, feature usage, and team productivity metrics. Use when tracking AI feature usage, measuring ROI, setting up dashboards, or analyzing Cascade effectiveness across your team. Trigger with phrases like "windsurf monitoring", "windsurf metrics", "windsurf analytics", "windsurf usage", "windsurf adoption".
windsurf-multi-env-setup
Configure Windsurf IDE and Cascade AI across team members and project environments. Use when onboarding teams to Windsurf, setting up per-project Cascade configuration, or managing Windsurf settings across development, staging, and production contexts. Trigger with phrases like "windsurf team setup", "windsurf environments", "windsurf multi-project", "windsurf team config", "cascade rules per env".
windsurf-migration-deep-dive
Migrate to Windsurf from VS Code, Cursor, or other AI IDEs with full configuration transfer. Use when migrating a team to Windsurf, transferring Cursor rules, or evaluating Windsurf against other AI editors. Trigger with phrases like "migrate to windsurf", "switch to windsurf", "windsurf from cursor", "windsurf from copilot", "windsurf evaluation".