From shopify-pack
Implement Shopify app policy enforcement with ESLint rules for API key detection, query cost budgets, and App Store compliance checks. Use when hardening a Shopify app against secret leaks, enforcing query cost limits, or preparing for App Store submission review. Trigger with phrases like "shopify policy", "shopify lint", "shopify guardrails", "shopify compliance", "shopify eslint", "shopify app review".
npx claudepluginhub flight505/skill-forge --plugin shopify-packThis skill is limited to using the following tools:
Automated policy enforcement for Shopify apps: secret detection, query cost budgets, App Store compliance checks, and CI policy validation.
Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Share bugs, ideas, or general feedback.
Automated policy enforcement for Shopify apps: secret detection, query cost budgets, App Store compliance checks, and CI policy validation.
shopify.app.tomlCustom ESLint rule that catches hardcoded Shopify tokens (shpat_*, shpss_*) and API secrets in string literals and template literals.
See Secret Detection ESLint for the complete rule implementation.
Static analysis of GraphQL queries enforcing budgets: max 100 items per first: param, max 3 levels of nesting, and max 500 estimated cost. Runs at build/test time.
See Query Cost Budget for the complete implementation.
Git hooks that scan staged changes for Shopify tokens and block .env files from being committed.
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: shopify-token-scan
name: Scan for Shopify tokens
language: system
entry: bash -c '
if git diff --cached --diff-filter=d | grep -E "shpat_[a-f0-9]{32}|shpss_[a-f0-9]{32}" ; then
echo "ERROR: Shopify access token detected in staged changes"
exit 1
fi'
pass_filenames: false
- id: shopify-env-check
name: Check .env not staged
language: system
entry: bash -c '
if git diff --cached --name-only | grep -E "^\.env$|^\.env\.local$|^\.env\.production$" ; then
echo "ERROR: .env file staged for commit"
exit 1
fi'
pass_filenames: false
Pre-submission script that validates all three GDPR webhooks, token hygiene, CSP headers, and API version stability.
See Compliance Checker for the complete implementation.
GitHub Actions workflow enforcing token scanning, GDPR webhook configuration, and API version stability on every push and PR.
See CI Policy Pipeline for the complete workflow.
| Issue | Cause | Solution |
|---|---|---|
| False positive on token | Base64 string matched | Narrow regex pattern |
| Query cost estimate wrong | Complex variable nesting | Use actual debug header in tests |
| Pre-commit bypassed | --no-verify flag | Enforce in CI as backup |
| App Store rejection | Missing GDPR webhook | Run compliance checker before submit |
# One-liner: check for token leaks in staged changes
git diff --cached | grep -E "shpat_|shpss_" && echo "TOKEN LEAK!" || echo "Clean"
# Check GDPR compliance
grep -c "customers/data_request\|customers/redact\|shop/redact" shopify.app.toml
# Should output: 3