adobe-policy-guardrails
Implement Adobe-specific lint rules, CI policy checks, and runtime guardrails covering credential scanning (p8_ patterns), Firefly content policy pre-screening, PDF Services quota enforcement, and OAuth scope validation. Trigger with phrases like "adobe policy", "adobe lint", "adobe guardrails", "adobe eslint", "adobe content policy".
What this skill does
# Adobe Policy & Guardrails
## Overview
Automated policy enforcement for Adobe integrations: credential pattern scanning (Adobe OAuth secrets use `p8_` prefix), Firefly content policy pre-screening, PDF Services quota guardrails, and OAuth scope validation.
## Prerequisites
- ESLint configured in project
- CI/CD pipeline (GitHub Actions)
- Understanding of Adobe credential patterns
## Instructions
### Guardrail 1: Adobe Credential Pattern Scanner
Adobe OAuth Server-to-Server secrets follow the `p8_` prefix pattern:
```yaml
# .github/workflows/adobe-security.yml
name: Adobe Security Scan
on: [push, pull_request]
jobs:
credential-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan for Adobe credential patterns
run: |
EXIT_CODE=0
# Adobe OAuth client secrets (p8_ prefix)
if grep -rE "p8_[A-Za-z0-9_-]{20,}" --include="*.ts" --include="*.js" --include="*.py" --include="*.json" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v node_modules | grep -v '.git'; then
echo "::error::Adobe client_secret pattern (p8_) found in source code"
EXIT_CODE=1
fi
# Adobe IMS access tokens (JWT format)
if grep -rE "eyJ[A-Za-z0-9_-]{100,}\.[A-Za-z0-9_-]{100,}" --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | grep -v '.git' | grep -v '\.test\.' | grep -v '__mock'; then
echo "::warning::Potential Adobe access token found in source (may be test fixture)"
fi
# Org IDs (format: HEXSTRING@AdobeOrg)
if grep -rE "[A-F0-9]{24}@AdobeOrg" --include="*.ts" --include="*.js" --include="*.json" . 2>/dev/null | grep -v node_modules | grep -v '.git' | grep -v '.env.example'; then
echo "::warning::Adobe Org ID found in source — consider using env var"
fi
exit $EXIT_CODE
```
### Guardrail 2: Firefly Content Policy Pre-Screener
```typescript
// src/adobe/guardrails/content-policy.ts
// Pre-screen prompts before sending to Firefly API to avoid wasted credits
interface ContentPolicyResult {
allowed: boolean;
violations: string[];
suggestions: string[];
}
const CONTENT_RULES = [
{
name: 'real-people',
pattern: /\b(photo of|portrait of|picture of)\s+(a\s+)?(real|actual|specific)\s+(person|man|woman|child)/i,
message: 'Firefly cannot generate images of specific real people',
suggestion: 'Use generic descriptions like "a professional in a business suit"',
},
{
name: 'trademarks',
pattern: /\b(nike|adidas|apple|google|microsoft|disney|marvel|coca.?cola|pepsi|starbucks|mcdonalds)\b/i,
message: 'Firefly will reject prompts containing brand trademarks',
suggestion: 'Use generic descriptions like "athletic shoes" or "tech company logo style"',
},
{
name: 'explicit-content',
pattern: /\b(nude|naked|explicit|pornograph|gore|violent|bloody|graphic death)\b/i,
message: 'Firefly rejects explicit or violent content',
suggestion: 'Use appropriate imagery descriptions',
},
{
name: 'celebrity',
pattern: /\b(celebrity|famous|actor|actress|politician|president|singer|musician)\s+(name|like|resembling)/i,
message: 'Firefly cannot generate images of identifiable celebrities',
suggestion: 'Describe the style or aesthetic without naming individuals',
},
];
export function screenFireflyPrompt(prompt: string): ContentPolicyResult {
const violations: string[] = [];
const suggestions: string[] = [];
for (const rule of CONTENT_RULES) {
if (rule.pattern.test(prompt)) {
violations.push(`[${rule.name}] ${rule.message}`);
suggestions.push(rule.suggestion);
}
}
return {
allowed: violations.length === 0,
violations,
suggestions,
};
}
// Usage in API layer
export function guardFireflyPrompt(prompt: string): void {
const result = screenFireflyPrompt(prompt);
if (!result.allowed) {
throw new Error(
`Firefly content policy pre-check failed:\n` +
result.violations.join('\n') +
'\n\nSuggestions:\n' +
result.suggestions.join('\n')
);
}
}
```
### Guardrail 3: PDF Services Quota Enforcement
```typescript
// src/adobe/guardrails/pdf-quota.ts
// Enforce PDF Services monthly transaction limits
class PdfQuotaGuard {
private monthlyLimit: number;
private transactionsUsed: number = 0;
private monthStart: Date;
constructor(tier: 'free' | 'paid' = 'free') {
this.monthlyLimit = tier === 'free' ? 500 : Infinity;
this.monthStart = new Date(new Date().getFullYear(), new Date().getMonth(), 1);
}
check(): { allowed: boolean; remaining: number; warning: boolean } {
// Reset counter on new month
const now = new Date();
if (now.getMonth() !== this.monthStart.getMonth()) {
this.transactionsUsed = 0;
this.monthStart = new Date(now.getFullYear(), now.getMonth(), 1);
}
const remaining = this.monthlyLimit - this.transactionsUsed;
return {
allowed: remaining > 0,
remaining,
warning: remaining < this.monthlyLimit * 0.2,
};
}
record(): void {
const status = this.check();
if (!status.allowed) {
throw new Error(`PDF Services quota exhausted (${this.monthlyLimit} transactions/month)`);
}
this.transactionsUsed++;
if (status.warning) {
console.warn(`PDF Services: ${status.remaining - 1} transactions remaining this month`);
}
}
}
export const pdfQuota = new PdfQuotaGuard(
process.env.ADOBE_PDF_TIER === 'paid' ? 'paid' : 'free'
);
```
### Guardrail 4: OAuth Scope Validation
```typescript
// Verify that the requested scopes match what the environment should use
function validateAdobeScopes(scopes: string, environment: string): void {
const scopeList = scopes.split(',').map(s => s.trim());
// Development should only have minimal scopes
if (environment === 'development') {
const prodOnlyScopes = ['ff_apis'];
const violations = scopeList.filter(s => prodOnlyScopes.includes(s));
if (violations.length > 0) {
console.warn(`Adobe scope warning: ${violations.join(', ')} should not be in development`);
}
}
// Required scopes that should always be present
const required = ['openid', 'AdobeID'];
const missing = required.filter(s => !scopeList.includes(s));
if (missing.length > 0) {
throw new Error(`Adobe required scopes missing: ${missing.join(', ')}`);
}
}
```
### Guardrail 5: Runtime Operation Guard
```typescript
// Prevent dangerous operations based on environment
const BLOCKED_IN_PROD: Record<string, string> = {
'delete-all-assets': 'Mass deletion blocked in production',
'reset-quota-counter': 'Quota reset blocked in production',
'use-test-credentials': 'Test credentials blocked in production',
};
function guardAdobeOperation(operation: string): void {
const isProd = process.env.NODE_ENV === 'production';
if (isProd && BLOCKED_IN_PROD[operation]) {
throw new Error(`BLOCKED: ${BLOCKED_IN_PROD[operation]}`);
}
}
```
## Output
- CI secret scanning for Adobe credential patterns (`p8_`, JWTs, Org IDs)
- Firefly prompt pre-screening avoiding wasted credits on policy violations
- PDF Services quota enforcement with monthly tracking
- OAuth scope validation per environment
- Runtime operation guards for production safety
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Secret scan false positive | Test fixture contains pattern | Exclude test dirs from scan |
| Prompt wrongly rejected | Pattern too broad | Refine regex; allow legitimate uses |
| Quota counter reset | Server restart | Persist counter in Redis/DB |
| Scope validation fails | Wrong env var | Check `NODE_ENV` and `ADOBE_SCOPES` |
## Resources
- [Firefly Content Policy](https://developer.adobe.com/firefly-services/docs/firefly-api/)
- [PDF Services Pricing](https://developer.adobe.com/document-services/pricing/main/)
- [OAuth Server-to-Server Scopes](https://developer.Related in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.