Generic compliance audit context. Load before any task touching verification tiers, regulated forms, document uploads, identity verification, or anything involving user identity. Also load before any task that might accidentally reintroduce payment processing or regulated contract functionality.
Replace these placeholders with your project's forbidden files:
[FORBIDDEN_FILE_1] — e.g. payment processing service
[FORBIDDEN_FILE_2] — e.g. regulated contract page
[FORBIDDEN_ROUTE_1] — e.g. /contract route
Adapt these to your regulated domain:
Replace with your project's access tier structure:
[TIER_0]: Unverified — browse only
[TIER_1]: Basic verified — core actions (view/chat/request)
[TIER_2]: Fully verified — full access via approved identity OAuth
Adapt to your jurisdiction's PII requirements:
[PII_FIELD_1] (e.g. National ID): always mask in UI — show partial format only
[PII_FIELD_2] (e.g. Passport number): always mask — first 2 chars + **** + last 1
[PII_FIELD_3] (e.g. OAuth token ID): always mask
Run: npx tsc --noEmit (or equivalent for your stack). Zero type errors required before considering task complete.
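One way to enforce the three PII masking rules above at a single display boundary, as an added example that is not part of the original template. The field names (`nationalId`, `passportNumber`, `oauthTokenId`), the helper names, and the national-ID partial format (separators kept, last 2 characters visible) are assumptions to replace with your project's own.

```typescript
// Added example. Field names and the national-ID partial format are assumptions.
type MaskFn = (value: string) => string;

// Page rule for the passport-style field: first 2 chars + **** + last 1.
// A value of 3 chars or fewer would be fully revealed by that rule, so hide it all.
function maskPassport(value: string): string {
  const v = value.trim();
  if (v.length <= 3) return "****";
  return v.slice(0, 2) + "****" + v.slice(-1);
}

// Assumed "partial format": separators stay, every letter/digit is starred
// except the last 2. IDs with 4 or fewer letters/digits are starred entirely.
function maskNationalId(value: string): string {
  const total = value.replace(/[^A-Za-z0-9]/g, "").length;
  const hide = total > 4 ? total - 2 : total;
  let seen = 0;
  return value.replace(/[A-Za-z0-9]/g, (c) => (seen++ < hide ? "*" : c));
}

// Page rule for the token-style field: always mask, no partial display.
const maskAll: MaskFn = () => "****";

// One policy table, so adding a PII field is a one-line, reviewable change.
const PII_POLICY: Record<string, MaskFn> = {
  nationalId: maskNationalId,
  passportNumber: maskPassport,
  oauthTokenId: maskAll,
};

// Apply the policy to a record before it reaches any UI component.
// Non-PII fields pass through; null/undefined PII values stay as they are.
function maskForDisplay(record: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(record)) {
    const value = record[key];
    // hasOwnProperty keeps keys like "toString" from matching Object.prototype.
    const isPii = Object.prototype.hasOwnProperty.call(PII_POLICY, key);
    out[key] = isPii && value != null ? PII_POLICY[key](String(value)) : value;
  }
  return out;
}
```

Routing every record through one function like `maskForDisplay` gives an audit a single place to check, instead of masking logic scattered across components.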
Replace this section with your project's regulated domain rules: