vercel-policy-guardrails
Implement Vercel lint rules, policy enforcement, and automated guardrails. Use when setting up code quality rules for Vercel integrations, implementing pre-commit hooks, or configuring CI policy checks for Vercel best practices. Trigger with phrases like "vercel policy", "vercel lint", "vercel guardrails", "vercel best practices check", "vercel eslint".
Install
mkdir -p .claude/skills/vercel-policy-guardrails && curl -L -o skill.zip "https://mcp.directory/api/skills/download/8433" && unzip -o skill.zip -d .claude/skills/vercel-policy-guardrails && rm skill.zipInstalls to .claude/skills/vercel-policy-guardrails
About this skill
Vercel Policy Guardrails
Overview
Protect against common Vercel failure modes with automated guardrails: ESLint rules preventing secret exposure in client bundles, pre-commit hooks scanning for credentials, CI checks validating vercel.json and edge runtime compatibility, and runtime middleware enforcing auth on protected routes.
Prerequisites
- ESLint configured in project
- Git hooks infrastructure (husky or lefthook)
- CI/CD pipeline (GitHub Actions or similar)
- TypeScript for type enforcement
Instructions
Step 1: ESLint Rules — Prevent Secret Exposure
// .eslintrc.js — custom rules for Vercel projects
module.exports = {
rules: {
// Prevent using NEXT_PUBLIC_ prefix for sensitive variables
'no-restricted-syntax': [
'error',
{
selector: 'MemberExpression[object.property.name="env"][property.name=/^NEXT_PUBLIC_(SECRET|KEY|TOKEN|PASSWORD|PRIVATE)/]',
message: 'Do not prefix secrets with NEXT_PUBLIC_ — they will be exposed in the client bundle',
},
],
},
overrides: [
{
// Edge runtime files — prevent Node.js API usage
files: ['**/edge-*.ts', '**/middleware.ts'],
rules: {
'no-restricted-imports': [
'error',
{
paths: [
{ name: 'fs', message: 'fs is not available in Edge Runtime. Use fetch or Vercel Blob.' },
{ name: 'path', message: 'path is not available in Edge Runtime. Use URL API.' },
{ name: 'crypto', message: 'Use globalThis.crypto (Web Crypto API) in Edge Runtime.' },
{ name: 'child_process', message: 'child_process is not available in Edge Runtime.' },
{ name: 'net', message: 'net is not available in Edge Runtime.' },
],
},
],
},
},
],
};
Step 2: Pre-Commit Hook — Credential Scanning
# Install husky
npm install --save-dev husky
npx husky init
#!/usr/bin/env bash
# .husky/pre-commit
set -euo pipefail
# Scan staged files for credentials
PATTERNS=(
'VERCEL_TOKEN\s*[:=]\s*\S+'
'vercel_[a-zA-Z]*_token\s*[:=]\s*\S+'
'sk_live_[a-zA-Z0-9]+'
'NEXT_PUBLIC_.*SECRET'
'api\.vercel\.com.*Bearer\s+[a-zA-Z0-9]+'
)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
FOUND=0
for file in $STAGED_FILES; do
for pattern in "${PATTERNS[@]}"; do
if grep -qEi "$pattern" "$file" 2>/dev/null; then
echo "ERROR: Potential credential found in $file"
echo " Pattern: $pattern"
FOUND=1
fi
done
done
if [ $FOUND -ne 0 ]; then
echo ""
echo "Commit blocked: Remove credentials and use environment variables."
echo "See: vercel env add <KEY> <environment>"
exit 1
fi
Step 3: CI Policy Check — vercel.json Validation
# .github/workflows/vercel-policy.yml
name: Vercel Policy Checks
on: [pull_request]
jobs:
policy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with: { node-version: 20 }
- name: Validate vercel.json schema
run: |
if [ -f vercel.json ]; then
node -e "
const config = require('./vercel.json');
const errors = [];
// Check for deprecated builds property
if (config.builds) {
errors.push('vercel.json uses deprecated \"builds\" property — use \"functions\" instead');
}
// Check compressHTML (iOS Safari issue)
if (config.compressHTML === true) {
errors.push('compressHTML should be disabled — causes iOS Safari rendering issues');
}
// Check for hardcoded secrets in headers
const headerStr = JSON.stringify(config.headers ?? []);
if (/Bearer\s+[a-zA-Z0-9]{20,}/.test(headerStr)) {
errors.push('Hardcoded token found in vercel.json headers');
}
if (errors.length > 0) {
console.error('Policy violations:');
errors.forEach(e => console.error(' - ' + e));
process.exit(1);
}
console.log('vercel.json policy checks passed');
"
fi
- name: Check edge runtime compatibility
run: |
# Find files with edge runtime declaration
for file in $(grep -rl "runtime.*=.*'edge'" src/ api/ 2>/dev/null || true); do
echo "Checking edge compatibility: $file"
# Check for Node.js-only imports
if grep -E "require\(['\"]fs['\"]|from ['\"]fs['\"]|from ['\"]path['\"]|from ['\"]crypto['\"]" "$file"; then
echo "ERROR: $file uses Node.js APIs incompatible with Edge Runtime"
exit 1
fi
done
echo "Edge runtime compatibility checks passed"
- name: Check bundle size budget
run: |
npm ci
npm run build
# Check output size
TOTAL=$(du -sb .next/ 2>/dev/null | cut -f1 || echo 0)
MAX=$((250 * 1024 * 1024)) # 250MB
if [ "$TOTAL" -gt "$MAX" ]; then
echo "ERROR: Build output ($TOTAL bytes) exceeds budget ($MAX bytes)"
exit 1
fi
echo "Bundle size within budget: $TOTAL bytes"
Step 4: Env Var Documentation Guard
#!/usr/bin/env bash
# scripts/check-env-docs.sh — ensure .env.example stays in sync
set -euo pipefail
# Extract env vars used in code
CODE_VARS=$(grep -roh 'process\.env\.\w\+' src/ api/ 2>/dev/null \
| sed 's/process\.env\.//' \
| sort -u)
# Extract vars documented in .env.example
if [ ! -f .env.example ]; then
echo "ERROR: .env.example file missing"
exit 1
fi
DOC_VARS=$(grep -oE '^\w+=' .env.example | sed 's/=//' | sort -u)
# Find undocumented vars
MISSING=$(comm -23 <(echo "$CODE_VARS") <(echo "$DOC_VARS"))
if [ -n "$MISSING" ]; then
echo "ERROR: Undocumented environment variables:"
echo "$MISSING" | sed 's/^/ /'
echo "Add these to .env.example"
exit 1
fi
echo "All environment variables documented"
Step 5: Runtime Auth Middleware Guard
// middleware.ts — enforce that protected routes always require auth
import { NextRequest, NextResponse } from 'next/server';
// Routes that MUST require authentication
const PROTECTED_PATTERNS = [
/^\/api\/admin/,
/^\/api\/users/,
/^\/dashboard/,
/^\/settings/,
];
// Routes explicitly allowed without auth
const PUBLIC_PATTERNS = [
/^\/api\/health/,
/^\/api\/webhooks/,
/^\/$/, // homepage
/^\/login/,
/^\/signup/,
];
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
const isProtected = PROTECTED_PATTERNS.some(p => p.test(pathname));
const isPublic = PUBLIC_PATTERNS.some(p => p.test(pathname));
if (isProtected && !isPublic) {
const token = request.cookies.get('session')?.value;
if (!token) {
if (pathname.startsWith('/api/')) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
return NextResponse.redirect(new URL('/login', request.url));
}
}
return NextResponse.next();
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
Step 6: Deployment Freeze Guard
#!/usr/bin/env bash
# scripts/check-deploy-freeze.sh — prevent production deploys during freeze windows
set -euo pipefail
# Check if we're in a deployment freeze window
HOUR=$(date -u +%H)
DAY=$(date -u +%u) # 1=Monday, 7=Sunday
# No deploys on weekends
if [ "$DAY" -gt 5 ]; then
echo "BLOCKED: No production deploys on weekends"
exit 1
fi
# No deploys after 4pm UTC (Friday especially)
if [ "$DAY" -eq 5 ] && [ "$HOUR" -ge 16 ]; then
echo "BLOCKED: No production deploys after 4pm UTC on Fridays"
exit 1
fi
echo "Deploy allowed"
Guardrails Summary
| Guardrail | Enforcement Point | Prevents |
|---|---|---|
| Secret prefix lint | ESLint (editor + CI) | Client bundle secret exposure |
| Edge runtime lint | ESLint (editor + CI) | Node.js APIs in edge functions |
| Credential scan | Pre-commit hook | Secrets in version control |
| vercel.json validation | CI | Deprecated config, hardcoded tokens |
| Env var documentation | CI | Missing .env.example entries |
| Auth middleware | Runtime | Unprotected routes |
| Deploy freeze | CI | Weekend/late deploys |
Output
- ESLint rules preventing secret exposure and edge runtime violations
- Pre-commit hooks blocking credentials from entering git
- CI policy checks validating configuration and compatibility
- Runtime middleware enforcing authentication on protected routes
- Deployment freeze windows preventing risky deploys
Error Handling
| Error | Cause | Solution |
|---|---|---|
| ESLint rule false positive | Variable name matches pattern | Add // eslint-disable-next-line with justification |
| Pre-commit hook blocks valid commit | Pattern too broad | Narrow the regex or add allowlist |
| CI edge check false positive | Dead import | Remove unused import |
| Deploy freeze too restrictive | Urgent hotfix needed | Use --force flag with team approval |
Resources
Next Steps
For architecture variants, see vercel-architecture-variants.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
pdf-to-markdown
aliceisjustplaying
Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.
Related MCP Servers
Browse all servers
GrowthBookManage and optimize feature flags, experiments, and environments in GrowthBook with AI-driven tools for targeting rules
Modus Design SystemDiscover Modus Design System: comprehensive docs, specs, and guides for React UI library and component implementation in
Sequential ThinkingBreak down complex problems with Sequential Thinking, a structured tool and step by step math solver for dynamic, reflec
Knowledge Graph MemoryBuild persistent semantic networks for enterprise & engineering data management. Enable data persistence and memory acro
Task MasterBoost productivity with Task Master: an AI-powered tool for project management and agile development workflows, integrat
Figma ContextUnlock seamless Figma to code: streamline Figma to HTML with Framelink MCP Server for fast, accurate design-to-code work
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.