Examples
30 reference guardrails.
Add any with `npx guardrails-ref add <name>` or use presets: `add --preset` with `default`, `security`, `quality`, `frontend`, `api`, or `production`. Combine: `add --preset default,frontend`.
Use `npx guardrails-ref why <name>` to show full content.
Reference guardrails
| Name | What it prevents |
|---|---|
| | Logging or committing API keys, passwords, tokens |
| | Fake or placeholder API keys instead of asking for real values |
| | Catching errors without surfacing them to the user |
| | Exposing sensitive data or admin actions without role checks |
| | Destructive ops without `plan.md` and audit log |
| | Continuing in polluted context; reset when 80% full or 10+ errors |
| | Direct schema changes instead of migrations |
| | `rm -rf`, `DROP TABLE`, `TRUNCATE` without approval |
| | `eval()`, `new Function()`, or dynamic code execution |
| | New packages without human confirmation |
| | Touching `node_modules`, `.git`, lockfiles, `.env` without approval |
| | `git commit` or push without explicit user approval |
| | Hardcoded API URLs, base URLs, endpoints |
| | `sudo`, `su`, or root commands without approval |
| | Runaway tool calls and API loops |
| | `console.log` in production code |
| | Merging code without tests |
| | Reimplementing when existing code or helpers exist |
| | Inline `style=` in HTML/JSX |
| | Raw SQL without parameterization |
| | Unexplained numeric literals |
| | `git push --force`, destructive rebase without approval |
| | Suggesting deprecated or obsolete APIs |
| | Assuming env vars exist without validation |
| | Hardcoded labels, messages, errors in UI |
| | Breaking public APIs without semver bump or migration path |
| | User-controlled paths without validation (`..`, symlinks) |
| | UI without alt text, ARIA, keyboard support, or contrast |
| | API calls without timeouts, retries, or error handling |
| | Changing behavior without updating README, docs, or changelog |
Presets
| Preset | Guardrails |
|---|---|
| default | no-plaintext-secrets, no-destructive-commands, no-new-deps-without-approval, require-commit-approval (4) |
| security | 9 security guardrails (secrets, access control, path traversal, SQL, eval, etc.) |
| quality | 8 code quality guardrails (tests, magic numbers, inline styles, deprecated APIs, etc.) |
| frontend | require-accessibility, no-inline-styles, no-hardcoded-user-facing-strings (3) |
| api | require-api-resilience, no-hardcoded-urls, no-unsafe-env-assumptions, no-placeholder-credentials (4) |
| production | 6 production-ready guardrails (tests, migrations, docs, versioning, etc.) |
```
npx guardrails-ref add --preset default
npx guardrails-ref add --preset security
npx guardrails-ref add --preset quality
npx guardrails-ref add --preset default,frontend
```
Combine presets with commas. Use `init --preset default` to add a preset at init.
Add multiple
```
npx guardrails-ref add no-destructive-commands no-new-deps-without-approval no-hardcoded-urls
```
Use `add --list` for the full list of available guardrails.
Use `why <name>` to show a guardrail's full content before adding.