windsurf-data-handling
Control what code and data Windsurf AI can access and process in your workspace. Use when handling sensitive data, implementing data exclusion patterns, or ensuring compliance with privacy regulations in Windsurf environments. Trigger with phrases like "windsurf data privacy", "windsurf PII", "windsurf GDPR", "windsurf compliance", "codeium data", "windsurf telemetry".
What this skill does
# Windsurf Data Handling
## Overview
Control what code and data Windsurf's AI (Cascade, Supercomplete) can access. Covers file exclusion patterns, telemetry controls, Codeium's data processing model, and compliance configuration for regulated environments.
## Prerequisites
- Windsurf IDE installed
- Understanding of Codeium's data processing model
- Identified sensitive files and directories in workspace
## Instructions
### Step 1: Understand Codeium's Data Model
```yaml
# What happens with your code in Windsurf
data_flow:
indexed_locally:
what: "File contents, structure, dependencies"
where: "Local machine only"
purpose: "Supercomplete context, Cascade awareness"
retention: "Persists until re-indexed"
sent_to_cloud:
what: "Cascade prompts, code snippets around cursor"
where: "Codeium cloud (or self-hosted for Enterprise)"
purpose: "AI model inference"
retention: "Zero-data retention for ALL paid plans"
never_processed:
what: "Files in .codeiumignore, .gitignore, node_modules"
where: "N/A"
purpose: "N/A"
compliance:
certifications: ["SOC 2 Type II", "FedRAMP High"]
hipaa: "BAA available for Enterprise customers"
data_retention: "Zero for paid plans, configurable for Enterprise"
deployment: "Cloud, Hybrid, or Self-Hosted options"
```
### Step 2: Configure .codeiumignore for Data Protection
```gitignore
# .codeiumignore — files Windsurf AI will NEVER see or index
# Uses gitignore syntax. Default: .gitignore and node_modules excluded.
# ===== SECRETS =====
.env
.env.*
.env.local
credentials.json
serviceAccountKey.json
*.pem
*.key
*.p12
*.pfx
.aws/
.gcloud/
.azure/
vault-config.*
# ===== CUSTOMER DATA =====
data/customers/
data/exports/
data/backups/
*.sql
*.sql.gz
*.dump
fixtures/production-*
# ===== INFRASTRUCTURE SECRETS =====
terraform.tfstate
terraform.tfstate.backup
*.tfvars
*.auto.tfvars
ansible/vault*
# ===== COMPLIANCE BOUNDARIES =====
# PCI zone — credit card processing code
src/pci/
# HIPAA zone — health data processing
src/hipaa/
# Financial data
reports/financial/
```
### Step 3: Disable Telemetry (Regulated Environments)
```json
// settings.json — maximum privacy configuration
{
"codeium.enableTelemetry": false,
"codeium.enableSnippetTelemetry": false,
"telemetry.telemetryLevel": "off",
"update.showReleaseNotes": false
}
```
### Step 4: Configure Autocomplete Data Boundaries
```json
// Disable Supercomplete for sensitive file types
{
"codeium.autocomplete.languages": {
"plaintext": false,
"env": false,
"dotenv": false,
"properties": false,
"ini": false,
"yaml": false,
"json": false
}
}
```
**Rationale:** YAML and JSON files often contain configuration with secrets. Disabling Supercomplete for these types prevents the AI from seeing or suggesting content based on config files.
### Step 5: Safe Cascade Usage with Sensitive Code
```markdown
## Rules for using Cascade in regulated codebases
1. NEVER paste secrets into Cascade chat
- BAD: "My API key is sk-abc123, why isn't it working?"
- GOOD: "I'm getting auth errors. The key is set in .env as API_KEY."
2. NEVER ask Cascade to read excluded files
- BAD: "Read .env and tell me what's configured"
- GOOD: "What environment variables does src/config.ts expect?"
3. Use .windsurfrules to enforce safety patterns
- "Always use process.env for secrets, never hardcode"
- "Never log PII fields: email, phone, ssn, creditCard"
4. Mark compliance boundaries in .windsurfrules
- "Files in src/pci/ handle credit card data — extra review required"
- "Files in src/hipaa/ handle health data — never log patient info"
```
### Step 6: Enterprise Self-Hosted Deployment
For maximum data control:
```yaml
# Enterprise deployment options
deployment_modes:
cloud:
data_flow: "Code snippets → Codeium cloud → AI response"
retention: "Zero-data retention (default for paid plans)"
suitable_for: "Most teams"
hybrid:
data_flow: "Code stays on-prem, only prompts sent to cloud"
retention: "Configurable"
suitable_for: "Teams with data residency requirements"
self_hosted:
data_flow: "Everything on-prem or in your cloud"
retention: "You control"
suitable_for: "Highly regulated (finance, healthcare, government)"
requires: "Enterprise plan + infrastructure team"
```
## Data Privacy Audit Checklist
- [ ] `.codeiumignore` covers all secret files and customer data
- [ ] Telemetry disabled (if required by policy)
- [ ] Autocomplete disabled for secret-containing file types
- [ ] `.windsurfrules` includes data handling coding standards
- [ ] Team trained: never paste secrets into Cascade
- [ ] Enterprise: deployment mode matches compliance requirements
- [ ] Enterprise: SSO configured, personal accounts blocked
- [ ] Regular audit: verify no new sensitive files outside ignore patterns
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| AI suggests hardcoded secrets | Secret was in indexed file | Add to `.codeiumignore`, rotate secret |
| PII appears in AI suggestions | Customer data in indexed directory | Exclude data directories |
| Telemetry still sending | Setting not applied | Verify in Settings UI, restart Windsurf |
| Compliance audit finding | Missing ignore patterns | Audit with `find` for exposed file types |
## Examples
### Quick Privacy Audit
```bash
set -euo pipefail
echo "=== Windsurf Data Privacy Audit ==="
echo "Has .codeiumignore: $([ -f .codeiumignore ] && echo 'YES' || echo 'NO')"
echo "Potential exposed secrets:"
find . -type f \
-not -path '*/node_modules/*' -not -path '*/.git/*' \
\( -name '*.env*' -o -name '*.key' -o -name '*.pem' -o -name 'credentials*' \) \
2>/dev/null | while read f; do
grep -q "$(basename "$f")" .codeiumignore 2>/dev/null && echo " $f: PROTECTED" || echo " $f: EXPOSED"
done
```
## Resources
- [Codeium Privacy Policy](https://codeium.com/privacy-policy)
- [Windsurf Security](https://windsurf.com/security)
- [Windsurf Ignore Docs](https://docs.windsurf.com/context-awareness/windsurf-ignore)
## Next Steps
For enterprise access controls, see `windsurf-enterprise-rbac`.
Related in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.