windsurf-policy-guardrails

# Windsurf Policy & Guardrails

## Overview
Automated policy enforcement and guardrails for Windsurf integrations.

## Prerequisites
- ESLint configured in project
- Pre-commit hooks infrastructure
- CI/CD pipeline with policy checks
- TypeScript for type enforcement

## ESLint Rules

### Custom Windsurf Plugin
```javascript
// eslint-plugin-windsurf/rules/no-hardcoded-keys.js
module.exports = {
  meta: {
    type: 'problem',
    docs: {
      description: 'Disallow hardcoded Windsurf API keys',
    },
    fixable: 'code',
  },
  create(context) {
    return {
      Literal(node) {
        if (typeof node.value === 'string') {
          if (node.value.match(/^sk_(live|test)_[a-zA-Z0-9]{24,}/)) {
            context.report({
              node,
              message: 'Hardcoded Windsurf API key detected',
            });
          }
        }
      },
    };
  },
};
```

### ESLint Configuration
```javascript
// .eslintrc.js
module.exports = {
  plugins: ['windsurf'],
  rules: {
    'windsurf/no-hardcoded-keys': 'error',
    'windsurf/require-error-handling': 'warn',
    'windsurf/use-typed-client': 'warn',
  },
};
```

## Pre-Commit Hooks

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: windsurf-secrets-check
        name: Check for Windsurf secrets
        entry: bash -c 'git diff --cached --name-only | xargs grep -l "sk_live_" && exit 1 || exit 0'
        language: system
        pass_filenames: false

      - id: windsurf-config-validate
        name: Validate Windsurf configuration
        entry: node scripts/validate-windsurf-config.js
        language: node
        files: '\.windsurf\.json$'
```

## TypeScript Strict Patterns

```typescript
// Enforce typed configuration
interface WindsurfStrictConfig {
  apiKey: string;  // Required
  environment: 'development' | 'staging' | 'production';  // Enum
  timeout: number;  // Required number, not optional
  retries: number;
}

// Disallow any in Windsurf code
// @ts-expect-error - Us