Agent Skills: Shopify Policy & Guardrails


Category: Uncategorized
ID: jeremylongshore/claude-code-plugins-plus-skills/shopify-policy-guardrails

Install this agent skill locally:

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/shopify-pack/skills/shopify-policy-guardrails

Skill Files

Browse the full folder contents for shopify-policy-guardrails.


plugins/saas-packs/shopify-pack/skills/shopify-policy-guardrails/SKILL.md

Skill Metadata

Name
shopify-policy-guardrails
Description
'Implement Shopify app policy enforcement with ESLint rules for API key

Shopify Policy & Guardrails

Overview

Automated policy enforcement for Shopify apps: secret detection, query cost budgets, App Store compliance checks, and CI policy validation.

Prerequisites

  • ESLint configured in project
  • Pre-commit hooks infrastructure
  • CI/CD pipeline with GitHub Actions
  • Shopify app with shopify.app.toml

Instructions

Step 1: Secret Detection Rules

Custom ESLint rule that catches hardcoded Shopify tokens (shpat_*, shpss_*) and API secrets in string literals and template literals.

See Secret Detection ESLint for the complete rule implementation.
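The rule described above, written out as an added example in JavaScript; this is not the skill's bundled rule. The token shapes (shpat_ and shpss_ followed by 32 lowercase hex characters) are the ones the page names; the rule name "no-shopify-secrets", the redaction format and the lintLiterals() harness are assumptions made for this example. The harness lets the visitor run without ESLint installed; in a real project the exported object goes into a local plugin or the rule directory of a flat config.

```javascript
// Example ESLint rule (added here, not the skill's own code) that flags
// hardcoded Shopify credentials in string and template literals.

const SHOPIFY_SECRET_PATTERNS = [
  // Exactly 32 lowercase hex chars after the prefix: a longer or mixed-case
  // tail (e.g. a base64 blob that happens to start with "shpat_") does not match,
  // which is the "narrow the regex" fix for false positives.
  { kind: "Admin API access token", regex: /\bshpat_[a-f0-9]{32}\b/g },
  { kind: "API secret key",         regex: /\bshpss_[a-f0-9]{32}\b/g },
];

// Pure scanner over any string; returns one finding per match. Kept separate
// from the ESLint plumbing so pre-commit and CI scripts can reuse it.
function findShopifySecrets(text) {
  const findings = [];
  for (const { kind, regex } of SHOPIFY_SECRET_PATTERNS) {
    regex.lastIndex = 0;                       // global regexes are stateful
    let match;
    while ((match = regex.exec(text)) !== null) {
      findings.push({ kind, index: match.index, value: match[0] });
    }
  }
  return findings;
}

// Mask the secret before it goes into a lint message, so the report itself
// never copies the full token into terminals or CI logs (assumed format).
function redact(token) {
  return token.slice(0, 6) + "*".repeat(token.length - 10) + token.slice(-4);
}

const rule = {
  meta: {
    type: "problem",
    docs: { description: "disallow hardcoded Shopify access tokens and API secrets" },
    schema: [],
    messages: {
      hardcoded: "Hardcoded Shopify {{kind}} ({{preview}}); read it from the environment instead.",
    },
  },
  create(context) {
    const check = (node, text) => {
      for (const f of findShopifySecrets(text)) {
        context.report({ node, messageId: "hardcoded", data: { kind: f.kind, preview: redact(f.value) } });
      }
    };
    return {
      Literal(node) {
        if (typeof node.value === "string") check(node, node.value);
      },
      // Template literals: scan each static chunk. A secret spliced in through
      // ${...} is an expression, not a literal, and is out of this rule's scope.
      TemplateLiteral(node) {
        for (const quasi of node.quasis) check(quasi, quasi.value.cooked ?? quasi.value.raw);
      },
    };
  },
};

// Tiny harness (an assumption for this example) so the rule can be exercised
// without ESLint: feed the visitor fake Literal nodes through a context that
// only collects reports.
function lintLiterals(values) {
  const reports = [];
  const visitor = rule.create({ report: (r) => reports.push(r) });
  for (const value of values) visitor.Literal({ type: "Literal", value });
  return reports;
}

if (typeof module !== "undefined") module.exports = rule; // ESLint loads the rule from here
```

Because findShopifySecrets() is a plain function, the same patterns can back the pre-commit hook and the CI scan, so the three layers never drift apart.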

Step 2: Query Cost Budget Enforcement

Static analysis of GraphQL queries that enforces three budgets: at most 100 items per `first:`/`last:` argument (the Admin API caps a page at 250, so 100 leaves headroom), at most 3 levels of nesting, and an estimated cost of at most 500 points (Shopify rejects any single query costing more than 1,000 points, and the throttle is a points bucket, so a 500 budget keeps one query from draining it). Runs at build/test time, before the query ever reaches the API.

See Query Cost Budget for the complete implementation.
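An added example of such a checker in JavaScript (not the skill's own implementation). The three limits are the page's; the cost model is a deliberately simplified assumption, not Shopify's published algorithm, and the authoritative number is the `extensions.cost` block the Admin API returns with every response. The example goes a little beyond the page's description: it resolves `first: $n` from a variables object and fails closed when it cannot, budgets the real field behind an alias, and flattens inline fragments. Function names are my own.

```javascript
// Assumed, simplified cost model (NOT Shopify's published algorithm):
// object 1, scalar 0, connection 2 + (first|last) * (1 + cost of one node's
// selection); edges/node/nodes/pageInfo wrappers are free and add no nesting.
const BUDGET = { maxFirst: 100, maxDepth: 3, maxCost: 500 };
const WRAPPERS = new Set(["edges", "node", "nodes", "pageInfo"]);
const OPENERS = new Set(["(", "{", "["]);
const CLOSERS = new Set([")", "}", "]"]);

// Strings and numbers are single tokens, so braces inside argument strings
// (query: "tag:{x}") can never be mistaken for selection sets.
function tokenize(query) {
  const re = /"(?:[^"\\]|\\.)*"|\$?[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?|\.\.\.|[{}():,\[\]=!@]/g;
  return query.replace(/#[^\n]*/g, "").match(re) || [];
}

// Parse "( name: value, ... )". Only top-level name/value pairs are kept;
// nested input objects and lists are skipped by bracket depth.
function parseArgs(tokens, pos) {
  const args = {};
  let depth = 0;
  pos += 1;                                             // skip "("
  while (pos < tokens.length && !(depth === 0 && tokens[pos] === ")")) {
    const t = tokens[pos];
    if (depth === 0 && tokens[pos + 1] === ":") { args[t] = tokens[pos + 2]; pos += 2; continue; }
    if (OPENERS.has(t)) depth += 1;
    else if (CLOSERS.has(t)) depth -= 1;
    pos += 1;
  }
  return { args, pos: pos + 1 };                        // skip ")"
}

// Parse "{ field(args) { ... } ... }" into { name, args, children } records.
function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== "{") throw new Error(`expected "{" at token ${pos}`);
  const fields = [];
  pos += 1;
  while (tokens[pos] !== "}") {
    if (pos >= tokens.length) throw new Error("unterminated selection set");
    if (tokens[pos] === "...") {                        // fragments
      pos += 1;
      if (tokens[pos] === "on") pos += 2;               // "... on Type {"
      if (tokens[pos] === "{") {                        // inline: flatten into parent
        const inner = parseSelectionSet(tokens, pos);
        fields.push(...inner.fields);
        pos = inner.pos;
      } else pos += 1;                                  // named spread: cannot expand here, skip
      continue;
    }
    let name = tokens[pos++];
    if (tokens[pos] === ":") { pos += 1; name = tokens[pos++]; }   // alias: budget the real field
    let args = {};
    if (tokens[pos] === "(") ({ args, pos } = parseArgs(tokens, pos));
    while (tokens[pos] === "@") {                       // directives: skip name and arguments
      pos += 2;
      if (tokens[pos] === "(") pos = parseArgs(tokens, pos).pos;
    }
    let children = null;
    if (tokens[pos] === "{") ({ fields: children, pos } = parseSelectionSet(tokens, pos));
    fields.push({ name, args, children });
  }
  return { fields, pos: pos + 1 };                      // skip "}"
}

function parseDocument(query) {
  const tokens = tokenize(query);
  let pos = 0;
  if (["query", "mutation", "subscription"].includes(tokens[0])) {
    pos = 1;
    if (tokens[pos] !== "(" && tokens[pos] !== "{") pos += 1;      // operation name
    if (tokens[pos] === "(") pos = parseArgs(tokens, pos).pos;       // variable definitions
  }
  return parseSelectionSet(tokens, pos).fields;
}

// first:/last: may be a literal or a $variable; unresolvable values fail closed.
function resolvePageSize(token, variables) {
  if (/^\d+$/.test(token)) return Number(token);
  const v = token.startsWith("$") ? variables[token.slice(1)] : undefined;
  return Number.isInteger(v) ? v : null;
}

function estimate(fields, variables, depth, path, budget, violations) {
  let cost = 0;
  for (const f of fields) {
    if (!f.children) continue;                          // scalar or enum: free
    const here = [...path, f.name].join(".");
    const wrapper = WRAPPERS.has(f.name);
    const level = wrapper ? depth : depth + 1;
    if (!wrapper && level > budget.maxDepth) violations.push(`${here}: nesting level ${level} exceeds ${budget.maxDepth}`);
    const childCost = estimate(f.children, variables, level, [...path, f.name], budget, violations);
    const pageArg = f.args.first ?? f.args.last;
    if (pageArg === undefined) { cost += wrapper ? childCost : 1 + childCost; continue; }
    const n = resolvePageSize(pageArg, variables);
    if (n === null) { violations.push(`${here}: cannot resolve ${pageArg} statically; supply it in variables`); cost += 1 + childCost; continue; }
    if (n > budget.maxFirst) violations.push(`${here}: first/last of ${n} exceeds ${budget.maxFirst}`);
    cost += 2 + n * (1 + childCost);
  }
  return cost;
}

function checkQueryBudget(query, variables = {}, budget = BUDGET) {
  const violations = [];
  const cost = estimate(parseDocument(query), variables, 0, [], budget, violations);
  if (cost > budget.maxCost) violations.push(`estimated cost ${cost} exceeds ${budget.maxCost}`);
  return { cost, violations, ok: violations.length === 0 };
}
```

Run checkQueryBudget() over every `.graphql` file or gql`` tag in a test, and when a team pins the model to reality, record `extensions.cost.requestedQueryCost` from a real response beside each query and assert the estimate is never lower than it.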

Step 3: Pre-Commit Hooks

Git hooks that scan staged changes for Shopify tokens and block .env files from being committed.

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: shopify-token-scan
        name: Scan for Shopify tokens
        language: system
        # Scan only added lines (-U0 drops context, ^\+ keeps additions) so a
        # commit that removes a leaked token is not blocked, and use grep -q so
        # the token itself is never echoed into the hook output.
        entry: >-
          bash -c 'if git diff --cached --diff-filter=d -U0 | grep -E "^\+" | grep -Eq "shp(at|ss)_[a-f0-9]{32}"; then
          echo "ERROR: Shopify access token detected in staged changes"; exit 1; fi'
        pass_filenames: false

      - id: shopify-env-check
        name: Check .env not staged
        language: system
        entry: >-
          bash -c 'if git diff --cached --name-only | grep -Eq "^\.env(\.local|\.production)?$"; then
          echo "ERROR: .env file staged for commit"; exit 1; fi'
        pass_filenames: false

Step 4: App Store Compliance Checker

Pre-submission script that validates the three mandatory compliance (GDPR) webhook topics (customers/data_request, customers/redact, shop/redact), token hygiene (no hardcoded shpat_/shpss_ values), the Content-Security-Policy frame-ancestors header that embedded apps must send, and that the app is pinned to a stable API version.

See Compliance Checker for the complete implementation.
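An added example of the configuration half of such a checker, in JavaScript; it is not the skill's bundled script. It scans the text of shopify.app.toml with regexes (enough for the fields it inspects, and it does not care where the Shopify CLI places the topic strings, exactly like the page's grep one-liner) and validates a CSP header value. The frame-ancestors check encodes the embedded-app requirement as I understand it (the admin origin plus the shop's own myshopify.com origin, no wildcard); adapt it to your app. Token hygiene is the job of the Step 1 rule and the pre-commit hook and is not repeated here. The sample TOML is constructed for the example and only approximates the CLI's file layout.

```javascript
// Example pre-submission checker (added here, not the skill's own code).

const REQUIRED_COMPLIANCE_TOPICS = ["customers/data_request", "customers/redact", "shop/redact"];

// Shopify API versions are quarterly, YYYY-01/04/07/10; anything else
// ("unstable", a typo, a release-candidate name) is a stability finding.
const STABLE_VERSION = /^\d{4}-(01|04|07|10)$/;

// Returns the required topics that do not appear (quoted) anywhere in the file.
function missingComplianceTopics(toml) {
  return REQUIRED_COMPLIANCE_TOPICS.filter((topic) => !new RegExp(`["']${topic}["']`).test(toml));
}

function checkApiVersion(toml) {
  const m = toml.match(/^\s*api_version\s*=\s*"([^"]*)"/m);
  if (!m) return { version: null, stable: false };
  return { version: m[1], stable: STABLE_VERSION.test(m[1]) };
}

// Embedded apps are iframed by the Shopify admin, so the CSP must name the
// admin origin and the shop origin in frame-ancestors. A missing directive or
// a wildcard source lets any site frame the app (clickjacking). shopDomain is
// per request, so the real header must be built dynamically.
function checkFrameAncestors(csp, shopDomain) {
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("frame-ancestors"));
  if (!directive) return ["frame-ancestors directive missing"];
  const sources = directive.split(/\s+/).slice(1);
  const problems = [];
  if (sources.includes("*")) problems.push("frame-ancestors allows any origin");
  if (!sources.includes("https://admin.shopify.com")) problems.push("frame-ancestors lacks https://admin.shopify.com");
  if (!sources.includes(`https://${shopDomain}`)) problems.push(`frame-ancestors lacks https://${shopDomain}`);
  return problems;
}

function runComplianceCheck({ toml, csp, shopDomain }) {
  const findings = [];
  for (const t of missingComplianceTopics(toml)) findings.push(`missing compliance webhook topic ${t}`);
  const v = checkApiVersion(toml);
  if (!v.version) findings.push("api_version not set in shopify.app.toml");
  else if (!v.stable) findings.push(`api_version "${v.version}" is not a stable quarterly release`);
  findings.push(...checkFrameAncestors(csp, shopDomain));
  return { passed: findings.length === 0, findings };
}

// Constructed sample files for a smoke run (not real app configuration).
const GOOD_TOML = `
name = "example-app"
application_url = "https://example.com"
embedded = true

[webhooks]
api_version = "2024-10"

  [[webhooks.subscriptions]]
  compliance_topics = [ "customers/data_request", "customers/redact", "shop/redact" ]
  uri = "/webhooks/compliance"
`;

const BAD_TOML = `
name = "example-app"
[webhooks]
api_version = "unstable"
  [[webhooks.subscriptions]]
  topics = [ "customers/redact", "shop/redact" ]
  uri = "/webhooks/compliance"
`;
```

Wire runComplianceCheck() into the release script and fail the release on any finding; the CSP input should be the header value your app actually emits for a test shop, captured from a real response rather than copied from the source.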

Step 5: CI Policy Pipeline

GitHub Actions workflow that re-runs the token scan, the GDPR webhook configuration check, and the API version check on every push and pull request, so a pre-commit hook skipped locally with --no-verify is still caught before merge.

See CI Policy Pipeline for the complete workflow.

Output

  • ESLint rules catching hardcoded tokens
  • Query cost budgets enforced
  • Pre-commit hooks blocking secret leaks
  • App Store compliance checker
  • CI policy pipeline preventing violations

Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| False positive on token | Base64 string matched | Narrow the regex: require the shpat_/shpss_ prefix followed by exactly 32 lowercase hex characters |
| Query cost estimate wrong | Complex variable nesting | Compare the estimate against the `extensions.cost` values the Admin API returns for the same query in tests |
| Pre-commit bypassed | --no-verify flag | Run the same scan in CI as a backup |
| App Store rejection | Missing GDPR webhook | Run the compliance checker before submitting |

Examples

Quick Policy Scan

# One-liner: check for token leaks in staged changes (added lines only)
git diff --cached -U0 | grep -E '^\+' | grep -Eq 'shp(at|ss)_[a-f0-9]{32}' && echo "TOKEN LEAK!" || echo "Clean"

# Check that all three mandatory compliance webhook topics are declared
grep -oE 'customers/data_request|customers/redact|shop/redact' shopify.app.toml | sort -u | wc -l
# Should output: 3 (grep -c counts matching lines, so it reports 1 when all three topics sit in one array)

Resources