clay-policy-guardrails
Implement Clay lint rules, policy enforcement, and automated guardrails. Use when setting up code quality rules for Clay integrations, implementing pre-commit hooks, or configuring CI policy checks for Clay best practices. Trigger with phrases like "clay policy", "clay lint", "clay guardrails", "clay best practices check", "clay eslint".
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill clay-policy-guardrails78
Does it follow best practices?
Optimize this skill
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
Clay Policy & Guardrails
Overview
Automated policy enforcement and guardrails for Clay integrations.
Prerequisites
- ESLint configured in project
- Pre-commit hooks infrastructure
- CI/CD pipeline with policy checks
- TypeScript for type enforcement
ESLint Rules
Custom Clay Plugin
// eslint-plugin-clay/rules/no-hardcoded-keys.js
module.exports = {
meta: {
type: 'problem',
docs: {
description: 'Disallow hardcoded Clay API keys',
},
fixable: 'code',
},
create(context) {
return {
Literal(node) {
if (typeof node.value === 'string') {
if (node.value.match(/^sk_(live|test)_[a-zA-Z0-9]{24,}/)) {
context.report({
node,
message: 'Hardcoded Clay API key detected',
});
}
}
},
};
},
};ESLint Configuration
// .eslintrc.js
module.exports = {
plugins: ['clay'],
rules: {
'clay/no-hardcoded-keys': 'error',
'clay/require-error-handling': 'warn',
'clay/use-typed-client': 'warn',
},
};Pre-Commit Hooks
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: clay-secrets-check
name: Check for Clay secrets
entry: bash -c 'git diff --cached --name-only | xargs grep -l "sk_live_" && exit 1 || exit 0'
language: system
pass_filenames: false
- id: clay-config-validate
name: Validate Clay configuration
entry: node scripts/validate-clay-config.js
language: node
files: '\.clay\.json$'TypeScript Strict Patterns
// Enforce typed configuration
interface ClayStrictConfig {
apiKey: string; // Required
environment: 'development' | 'staging' | 'production'; // Enum
timeout: number; // Required number, not optional
retries: number;
}
// Disallow any in Clay code
// @ts-expect-error - Using any is forbidden
const client = new Client({ apiKey: any });
// Prefer this
const client = new ClayClient(config satisfies ClayStrictConfig);Architecture Decision Records
ADR Template
# ADR-001: Clay Client Initialization
## Status
Accepted
## Context
We need to decide how to initialize the Clay client across our application.
## Decision
We will use the singleton pattern with lazy initialization.
## Consequences
- Pro: Single client instance, connection reuse
- Pro: Easy to mock in tests
- Con: Global state requires careful lifecycle management
## Enforcement
- ESLint rule: clay/use-singleton-client
- CI check: grep for "new ClayClient(" outside allowed filesPolicy-as-Code (OPA)
# clay-policy.rego
package clay
# Deny production API keys in non-production environments
deny[msg] {
input.environment != "production"
startswith(input.apiKey, "sk_live_")
msg := "Production API keys not allowed in non-production environment"
}
# Require minimum timeout
deny[msg] {
input.timeout < 10000
msg := sprintf("Timeout too low: %d < 10000ms minimum", [input.timeout])
}
# Require retry configuration
deny[msg] {
not input.retries
msg := "Retry configuration is required"
}CI Policy Checks
# .github/workflows/clay-policy.yml
name: Clay Policy Check
on: [push, pull_request]
jobs:
policy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for hardcoded secrets
run: |
if grep -rE "sk_(live|test)_[a-zA-Z0-9]{24,}" --include="*.ts" --include="*.js" .; then
echo "ERROR: Hardcoded Clay keys found"
exit 1
fi
- name: Validate configuration schema
run: |
npx ajv validate -s clay-config.schema.json -d config/clay/*.json
- name: Run ESLint Clay rules
run: npx eslint --plugin clay --rule 'clay/no-hardcoded-keys: error' src/Runtime Guardrails
// Prevent dangerous operations in production
const BLOCKED_IN_PROD = ['deleteAll', 'resetData', 'migrateDown'];
function guardClayOperation(operation: string): void {
const isProd = process.env.NODE_ENV === 'production';
if (isProd && BLOCKED_IN_PROD.includes(operation)) {
throw new Error(`Operation '${operation}' blocked in production`);
}
}
// Rate limit protection
function guardRateLimits(requestsInWindow: number): void {
const limit = parseInt(process.env.CLAY_RATE_LIMIT || '100');
if (requestsInWindow > limit * 0.9) {
console.warn('Approaching Clay rate limit');
}
if (requestsInWindow >= limit) {
throw new Error('Clay rate limit exceeded - request blocked');
}
}Instructions
Step 1: Create ESLint Rules
Implement custom lint rules for Clay patterns.
Step 2: Configure Pre-Commit Hooks
Set up hooks to catch issues before commit.
Step 3: Add CI Policy Checks
Implement policy-as-code in CI pipeline.
Step 4: Enable Runtime Guardrails
Add production safeguards for dangerous operations.
Output
- ESLint plugin with Clay rules
- Pre-commit hooks blocking secrets
- CI policy checks passing
- Runtime guardrails active
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| ESLint rule not firing | Wrong config | Check plugin registration |
| Pre-commit skipped | --no-verify | Enforce in CI |
| Policy false positive | Regex too broad | Narrow pattern match |
| Guardrail triggered | Actual issue | Fix or whitelist |
Examples
Quick ESLint Check
npx eslint --plugin clay --rule 'clay/no-hardcoded-keys: error' src/Resources
Next Steps
For architecture blueprints, see clay-architecture-variants.
- Commit
22fc789
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.