replit-policy-guardrails

Included with Lifetime

$97 forever

Enforce security and resource policies for Replit-hosted apps: secrets exposure prevention, resource limits, deployment visibility, and database access controls. Use when hardening a Replit app for production, auditing security posture, or setting up guardrails for team development. Trigger with phrases like "replit policy", "replit guardrails", "replit security audit", "replit hardening", "replit best practices check".

Securitysaasreplitsecuritypolicy

What this skill does

# Replit Policy Guardrails

## Overview

Policy enforcement for Replit-hosted applications. Replit's public-by-default Repls, shared hosting, and resource limits require specific guardrails around secrets exposure, resource consumption, deployment security, and endpoint protection.

## Prerequisites

- Replit account with Deployment access
- Understanding of Replit's security model
- Awareness of Replit's Terms of Service

## Instructions

### Step 1: Secrets Exposure Prevention

Replit Repls are **public by default** on free plans. Source code is visible to anyone.

```python
# CRITICAL POLICY: Never hardcode secrets in source files

# BAD — visible to anyone viewing your Repl
API_KEY = "sk-live-abc123"
DB_PASSWORD = "p@ssw0rd"

# GOOD — use Replit Secrets (AES-256 encrypted)
import os

API_KEY = os.environ.get("API_KEY")
if not API_KEY:
    raise RuntimeError("API_KEY not set. Add it in the Secrets tab (lock icon).")

# Startup validation — fail fast if secrets missing
REQUIRED_SECRETS = ["API_KEY", "DATABASE_URL", "JWT_SECRET"]
missing = [s for s in REQUIRED_SECRETS if not os.environ.get(s)]
if missing:
    raise RuntimeError(f"Missing required secrets: {missing}")
```

**Automated secret detection:**

```typescript
// Pre-deploy check script: scripts/check-secrets.ts
import { readFileSync, readdirSync, statSync } from 'fs';
import { join } from 'path';

const SECRET_PATTERNS = [
  /sk[-_](?:live|test)[-_]\w{20,}/,     // API keys
  /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i,
  /(?:secret|token)\s*[:=]\s*['"][^'"]{10,}['"]/i,
  /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/,
  /eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+/,  // JWT tokens
];

function scanFile(filepath: string): string[] {
  const content = readFileSync(filepath, 'utf-8');
  const issues: string[] = [];

  SECRET_PATTERNS.forEach((pattern, i) => {
    if (pattern.test(content)) {
      issues.push(`${filepath}: potential secret found (pattern ${i})`);
    }
  });

  return issues;
}

function scanDirectory(dir: string): string[] {
  const issues: string[] = [];
  const entries = readdirSync(dir);

  for (const entry of entries) {
    if (['.git', 'node_modules', '.cache', 'dist'].includes(entry)) continue;
    const path = join(dir, entry);
    if (statSync(path).isDirectory()) {
      issues.push(...scanDirectory(path));
    } else if (/\.(ts|js|py|json|env|yaml|yml|toml)$/.test(entry)) {
      issues.push(...scanFile(path));
    }
  }

  return issues;
}

const issues = scanDirectory('.');
if (issues.length > 0) {
  console.error('SECRET SCAN FAILED:');
  issues.forEach(i => console.error(`  ${i}`));
  process.exit(1);
}
console.log('Secret scan passed: no hardcoded secrets found.');
```

### Step 2: Resource Usage Guards

Replit containers have CPU and memory limits. Guard against runaway processes.

```python
import resource
import signal
import os

# Set memory limit (match your deployment tier)
MEMORY_LIMIT_MB = int(os.environ.get("MEMORY_LIMIT_MB", "512"))
resource.setrlimit(
    resource.RLIMIT_AS,
    (MEMORY_LIMIT_MB * 1024 * 1024, MEMORY_LIMIT_MB * 1024 * 1024)
)

# Per-request CPU timeout
def timeout_handler(signum, frame):
    raise TimeoutError("Request exceeded CPU time limit")

signal.signal(signal.SIGALRM, timeout_handler)

@app.route('/process')
def process_request():
    signal.alarm(30)  # 30 second max
    try:
        result = heavy_computation()
        return jsonify(result)
    except TimeoutError:
        return jsonify({"error": "Request timed out"}), 504
    finally:
        signal.alarm(0)
```

```typescript
// Node.js: memory and request size limits
app.use(express.json({ limit: '1mb' }));  // Prevent payload bombs
app.use(express.urlencoded({ limit: '1mb', extended: true }));

// Monitor and alert on high memory
setInterval(() => {
  const heapMB = Math.round(process.memoryUsage().heapUsed / 1024 / 1024);
  if (heapMB > 400) {  // Approaching 512MB limit
    console.warn(`HIGH MEMORY: ${heapMB}MB — consider restart`);
  }
}, 30000);
```

### Step 3: Endpoint Protection

```typescript
// Protect all data endpoints with authentication
import { Request, Response, NextFunction } from 'express';

function requireAuth(req: Request, res: Response, next: NextFunction) {
  const userId = req.headers['x-replit-user-id'];
  if (!userId) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  next();
}

// Apply to all API routes
app.use('/api', requireAuth);

// Admin-only routes: check specific user IDs or roles
function requireAdmin(req: Request, res: Response, next: NextFunction) {
  const userId = req.headers['x-replit-user-id'] as string;
  const adminIds = (process.env.ADMIN_USER_IDS || '').split(',');

  if (!adminIds.includes(userId)) {
    return res.status(403).json({ error: 'Admin access required' });
  }
  next();
}

app.use('/admin', requireAuth, requireAdmin);
```

### Step 4: Deployment Visibility Controls

```typescript
// Validate deployment configuration at startup
function validateDeploymentSecurity() {
  const warnings: string[] = [];

  // Check if running as Deployment vs Repl
  if (!process.env.REPL_DEPLOYMENT && process.env.NODE_ENV === 'production') {
    warnings.push('WARNING: Production NODE_ENV but not a Deployment. Container may sleep.');
  }

  // Check debug mode
  if (process.env.DEBUG && process.env.NODE_ENV === 'production') {
    warnings.push('WARNING: DEBUG enabled in production');
  }

  // Check CORS
  if (process.env.CORS_ORIGIN === '*' && process.env.NODE_ENV === 'production') {
    warnings.push('WARNING: CORS allows all origins in production');
  }

  if (warnings.length) {
    warnings.forEach(w => console.warn(w));
  }

  return { secure: warnings.length === 0, warnings };
}

// Run at startup
const security = validateDeploymentSecurity();
if (!security.secure) {
  console.warn('Security warnings detected. Review before production deployment.');
}
```

### Step 5: Security Audit Checklist

```markdown
## Replit Security Audit

### Secrets (Critical)
- [ ] No API keys in source code
- [ ] All secrets in Replit Secrets tab
- [ ] Startup validates required secrets
- [ ] Secret Scanner warnings addressed

### Access Control
- [ ] All data endpoints require authentication
- [ ] Admin routes have role-based access
- [ ] Rate limiting on public endpoints
- [ ] CORS configured for specific origins

### Data Protection
- [ ] Parameterized SQL queries (no string concatenation)
- [ ] Input validation on all user data
- [ ] Error responses don't expose internals
- [ ] Logs don't contain PII or secrets

### Deployment
- [ ] Production uses Deployments (not Repl "Run")
- [ ] NODE_ENV set to "production"
- [ ] Health endpoint doesn't expose secrets
- [ ] Custom domain has SSL (auto-provisioned)

### Resources
- [ ] Memory limits appropriate for tier
- [ ] Request size limits configured
- [ ] Per-request timeout enforced
- [ ] Payload size validation
```

## Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| Secret leaked in code | Not using Secrets tab | Rotate key, move to Secrets |
| OOM kill | No memory limits | Set resource limits, monitor usage |
| Unauthorized data access | Missing auth middleware | Add requireAuth to all /api routes |
| Debug info in production | Debug mode not disabled | Check NODE_ENV and DEBUG env vars |

## Resources

- [Replit Secrets](https://docs.replit.com/replit-workspace/workspace-features/secrets)
- [Replit Security](https://replit.com/products/security)
- [Secure Vibe Coding](https://blog.replit.com/16-ways-to-vibe-code-securely)
- [Secret Scanner](https://blog.replit.com/secret-scanner)

## Next Steps

For architecture patterns, see `replit-architecture-variants`.

Files: 1

Size: 8.3 KB

Complexity: 20/100

Category: Security

Source: https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/main/plugins/saas-packs/replit-pack/skills/replit-policy-guardrails

Related in Security

mac-ops

Included

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Securityscripts

a11y-audit

Included

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Securityscripts

erpclaw

Included

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Securityscripts

assess

Included

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Securityscripts

spring-boot-security-jwt

Included

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Securityscripts

code-hardcode-audit

Included

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts