Windsurf Policy Guardrails
Overview
Policy guardrails for team Windsurf usage: controlling what Cascade can do, enforcing code review for AI output, configuring terminal safety controls, and preventing common AI coding mistakes.
Prerequisites
- Windsurf configured for team use
- Git workflow established
- CI/CD pipeline in place
- Team agreement on AI usage standards
Instructions
Step 1: Terminal Command Safety (Turbo Mode Controls)
Configure what Cascade can and cannot auto-execute:
// settings.json — Team-wide terminal safety
{
"windsurf.cascadeCommandsAllowList": [
"npm test", "npm run", "npx vitest", "npx tsc",
"git status", "git diff", "git log", "git add",
"eslint", "prettier", "biome",
"ls", "cat", "head", "tail", "wc", "grep"
],
"windsurf.cascadeCommandsDenyList": [
"rm -rf", "rm -r /",
"sudo",
"git push --force", "git reset --hard",
"DROP TABLE", "DELETE FROM", "TRUNCATE",
"curl | bash", "wget | sh",
"chmod 777",
"kill -9",
"shutdown", "reboot", "halt",
"mkfs", "dd if=",
"npm publish", "npx publish"
]
}
Step 2: Workspace Isolation Rules
Prevent Cascade from accessing sensitive directories:
# .codeiumignore — security boundary
# AI cannot see or modify files matching these patterns
# Credentials
.env
.env.*
credentials/
secrets/
*.pem
*.key
# Infrastructure
terraform.tfstate*
*.tfvars
ansible/vault*
# Customer data
data/production/
exports/