@aryaminus/controlkeel-opencode 0.2.18 → 0.2.20

package/.opencode/skills/cloudflare-agent/references/cloudflare-integration.md

@@ -0,0 +1,226 @@
+# Cloudflare Agent Governance Configuration
+
+## Quick Start
+
+### 1. Create Cloudflare Worker with Agents SDK
+
+```bash
+npx create-cloudflare@latest --template cloudflare/agents-starter my-governed-agent
+cd my-governed-agent
+npm install
+```
+
+### 2. Add CK Governance Tools
+
+Create `src/governance.ts`:
+
+```typescript
+import type { Env } from "./env";
+
+export async function validateWithCK(env: Env, action: string, payload: any) {
+  const response = await env.CK_GOVERNANCE.fetch("https://your-ck-instance/validate", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      action,
+      payload,
+      agent: "cloudflare-agent",
+      version: "1.0.0"
+    })
+  });
+  return response.json();
+}
+
+export async function checkBudget(env: Env, scope: string = "task") {
+  const response = await env.CK_GOVERNANCE.fetch(`https://your-ck-instance/budget/${scope}`);
+  return response.json();
+}
+```
+
+### 3. Configure wrangler.toml
+
+```toml
+name = "governed-agent"
+main = "src/index.ts"
+compatibility_date = "2025-03-02"
+
+[[d1_databases]]
+binding = "DB"
+database_name = "agent-db"
+database_id = "your-d1-id"
+
+[[r2_buckets]]
+binding = "AGENT_BUCKET"
+bucket_name = "agent-workspace"
+
+[[unsafe.bindings]]
+name = "CK_GOVERNANCE"
+type = "durable_object_namespace"
+class_name = "GovernanceDO"
+
+[env.production.vars]
+CK_INSTANCE = "https://controlkeel.yourdomain.com"
+```
+
+### 4. Create D1 Database
+
+```bash
+wrangler d1 create agent-db
+wrangler d1 execute agent-db --local --command="
+  CREATE TABLE IF NOT EXISTS agent_logs (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    timestamp INTEGER NOT NULL,
+    action TEXT NOT NULL,
+    payload TEXT,
+    decision TEXT,
+    budget_before INTEGER,
+    budget_after INTEGER
+  );
+  
+  CREATE TABLE IF NOT EXISTS agent_state (
+    key TEXT PRIMARY KEY,
+    value TEXT,
+    updated_at INTEGER
+  );
+"
+```
+
+## R2 Bucket Setup
+
+```bash
+# Create R2 bucket for agent workspace
+wrangler r2 bucket create agent-workspace
+```
+
+## Governance Rules Example
+
+Configure in CK:
+
+```json
+{
+  "policy": {
+    "shell": {
+      "allowed_commands": ["git", "npm", "node", "python", "cargo"],
+      "blocked_patterns": ["rm -rf /", "sudo", "chmod 777"],
+      "max_duration_ms": 60000
+    },
+    "file_access": {
+      "allowed_paths": ["/workspace/*"],
+      "max_file_size_mb": 10
+    },
+    "budget": {
+      "task": { "max_tokens": 100000, "max_calls": 50 },
+      "daily": { "max_tokens": 1000000, "max_calls": 500 }
+    }
+  }
+}
+```
+
+## MCP Server Setup
+
+```typescript
+// src/mcp/governance.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+
+export function createGovernanceMCP(env: Env) {
+  const server = new McpServer({
+    name: "controlkeel-governance",
+    version: "1.0.0"
+  });
+
+  server.tool(
+    "ck_validate",
+    "Validate an action against governance policies",
+    {
+      action: z.string(),
+      payload: z.record(z.any())
+    },
+    async ({ action, payload }) => {
+      return await validateWithCK(env, action, payload);
+    }
+  );
+
+  server.tool(
+    "ck_budget_check",
+    "Check remaining budget",
+    {
+      scope: z.enum(["task", "session", "daily"]).optional()
+    },
+    async ({ scope }) => {
+      return await checkBudget(env, scope || "task");
+    }
+  );
+
+  return server;
+}
+```
+
+## Testing Governance
+
+```typescript
+// test/governance.test.ts
+import { describe, it, expect } from "vitest";
+
+describe("Cloudflare Agent Governance", () => {
+  it("should validate shell commands", async () => {
+    const result = await validateWithCK(env, "shell_execute", {
+      command: "npm install"
+    });
+    expect(result.decision).toBe("approved");
+  });
+
+  it("should block dangerous commands", async () => {
+    const result = await validateWithCK(env, "shell_execute", {
+      command: "rm -rf /"
+    });
+    expect(result.decision).toBe("denied");
+  });
+
+  it("should track budget", async () => {
+    const before = await checkBudget(env, "task");
+    // make API call...
+    const after = await checkBudget(env, "task");
+    expect(after.remaining).toBeLessThan(before.remaining);
+  });
+});
+```
+
+## Monitoring
+
+### Log Queries
+
+```sql
+-- Recent governance decisions
+SELECT * FROM agent_logs 
+ORDER BY timestamp DESC 
+LIMIT 20;
+
+-- Blocked actions
+SELECT * FROM agent_logs 
+WHERE decision = 'denied' 
+ORDER BY timestamp DESC;
+
+-- Budget usage
+SELECT 
+  DATE(timestamp, 'unixepoch') as day,
+  COUNT(*) as total_actions,
+  SUM(json_extract(payload, '$.tokens')) as tokens_used
+FROM agent_logs
+GROUP BY day;
+```
+
+### Prometheus Metrics
+
+Configure in `wrangler.toml`:
+
+```toml
+[observability]
+enabled = true
+```
+
+Track:
+- `governance_decisions_total{decision="approved|denied"}`
+- `budget_consumed_tokens`
+- `shell_execution_duration_ms`
+- `file_operations_total`

package/.opencode/skills/compliance-audit/SKILL.md

@@ -0,0 +1,34 @@
+---
+name: compliance-audit
+description: "Run a structured compliance audit against active ControlKeel policy packs and domain controls. Use this before shipping regulated data flows, external integrations, or document exports."
+license: Apache-2.0
+compatibility:
+  - codex
+  - claude-standalone
+  - claude-plugin
+  - copilot-plugin
+  - github-repo
+  - open-standard
+metadata:
+  author: controlkeel
+  version: "2.0"
+  category: compliance
+  ck_mcp_tools:
+    - ck_context
+    - ck_validate
+    - ck_finding
+---
+
+# Compliance Audit Skill
+
+## Audit flow
+
+1. Call `ck_context` and confirm the active compliance profile for the session.
+2. Review only the pack sections that match the active domain pack and data flows.
+3. Use `ck_validate` for concrete snippets and configs when the checklist points to code.
+4. Persist each failing control with `ck_finding`.
+5. End with packs checked, controls reviewed, blockers, and required approvals.
+
+## Additional resources
+
+- For the full domain-by-domain checklist, see [references/control-matrix.md](references/control-matrix.md)

package/.opencode/skills/compliance-audit/agents/openai.yaml

@@ -0,0 +1,12 @@
+interface:
+  display_name: "Compliance Audit"
+  short_description: "CK compliance control review aligned to active policy packs and domain packs."
+  brand_color: "#1d4ed8"
+policy:
+  allow_implicit_invocation: true
+dependencies:
+  tools:
+    - type: "mcp"
+      value: "controlkeel"
+      description: "ControlKeel MCP server"
+

package/.opencode/skills/compliance-audit/references/control-matrix.md

@@ -0,0 +1,51 @@
+# Control Matrix
+
+Use the session's active compliance profile to select the relevant section.
+Each control lists a concrete check. Run `ck_validate` to scan for known patterns,
+then manually verify items that require human judgment.
+
+## Baseline
+
+- **Secrets**: Verify no hardcoded API keys, tokens, passwords, or private keys exist in source code, config files, or logs. Run `ck_validate` and confirm zero `security.hardcoded_secret` findings.
+- **Injection**: Verify SQL queries use parameterized statements or Ecto-style bindings. Verify shell commands avoid string interpolation of user input. Verify HTML templates escape dynamic content. Run `ck_validate` and confirm zero `security.sql_injection`, `security.shell_injection`, and `security.xss` findings.
+- **XSS**: Verify no `innerHTML` assignments from untrusted input. Verify React/Phoenix templates escape by default. Check any dangerously-set HTML APIs.
+
+## Healthcare
+
+- **PHI encryption**: Confirm all stored PHI uses AES-256 or equivalent encryption at rest. Confirm all PHI in transit uses TLS 1.2+. Check database column-level encryption for diagnosis, treatment, and identifier fields.
+- **Role-based access**: Verify every route or API endpoint that touches PHI checks the caller's role. Verify admin-only endpoints are not reachable by non-admin tokens. Check that audit logs record which role accessed which record.
+- **Audit logging**: Confirm all PHI read/write operations produce an immutable log entry with timestamp, user/service identity, record ID, and action type. Verify logs are append-only and retained per HIPAA requirements (minimum 6 years).
+- **Breach process**: Confirm a documented incident response plan exists for PHI breaches. Verify the plan includes notification timelines (60 days for covered entities). Check that breach detection triggers alerts to the compliance officer.
+- **Minimum necessary**: Verify each access scope exposes only the minimum PHI fields required for the task. Confirm bulk export endpoints strip fields not needed by the consumer.
+
+## Finance
+
+- **No raw card data**: Verify no credit card numbers appear in logs, databases, error reports, or debug output. Confirm all card data flows through a PCI-DSS-compliant payment processor. Run `ck_validate` and check for `security.hardcoded_secret` patterns matching card-number formats.
+- **Tokenization**: Verify stored payment references are processor tokens, not raw card numbers. Confirm token-to-card resolution only happens at the payment processor boundary.
+- **Immutable financial records**: Confirm financial transaction rows use insert-only semantics. Verify no UPDATE or DELETE paths exist on transaction tables. Check that correction entries create new rows with reversal references rather than modifying existing records.
+- **Segregation of duties**: Verify the same identity cannot both create and approve a financial transaction. Confirm approval workflows require a different user or service account than the initiator.
+- **Audit trail**: Confirm every financial state change produces a signed, timestamped audit entry. Verify audit entries include before/after state for reconciliation.
+
+## Education
+
+- **Student-record disclosure**: Verify FERPA-compliant consent checks before any student data export. Confirm directory information opt-out is respected in all listing endpoints. Check that student IDs are not exposed in URLs or logs.
+- **Age and consent checks**: Verify age-gating logic for accounts under 13 (COPPA). Confirm parental consent workflow is triggered before data collection for minors. Check that consent records are retained and auditable.
+- **Access logging**: Confirm all student record access produces an audit log entry. Verify bulk access (e.g., instructor roster views) logs the scope of records accessed.
+
+## HR
+
+- **Candidate data segregation**: Verify candidate PII is stored separately from interview scoring data. Confirm hiring decision records reference scored rubrics, not raw candidate attributes. Check that rejected candidate data is retained per required retention periods and then purged.
+- **No protected-attribute scoring**: Verify no model or scoring logic uses race, gender, age, religion, disability, or other protected attributes as input features. Confirm compensation algorithms use only role, level, geography, and experience. Run `ck_validate` on any scoring or ranking code.
+- **Salary data access controls**: Verify compensation data is accessible only to roles with explicit need (HR ops, finance payroll). Confirm manager visibility is limited to direct reports. Check that salary fields are excluded from bulk export unless the caller has explicit compensation scope.
+
+## Legal
+
+- **Privilege isolation**: Verify attorney-client privileged documents are tagged and access-controlled to legal team only. Confirm privilege tags propagate to search indexes and export endpoints. Check that AI-generated summaries of privileged content do not leak into non-privileged contexts.
+- **Encrypted documents**: Confirm legal documents are encrypted at rest with key management tied to legal team roles. Verify document sharing links expire and require authentication. Check that deleted documents are purged from backups within retention policy.
+- **Retention schedule**: Verify document retention periods are configured per document type and jurisdiction. Confirm automated purge or archive runs respect legal-hold flags. Check that retention policy changes do not retroactively shorten holds on active matters.
+
+## Marketing / Sales / Real Estate
+
+- **Consent and unsubscribe**: Verify CAN-SPAM-compliant unsubscribe links in all marketing emails. Confirm unsubscribe requests take effect within 10 business days. Check that purchased lead lists include consent provenance metadata.
+- **CRM or lead PII protection**: Verify CRM export endpoints strip or mask PII for non-authorized scopes. Confirm contact deletion requests propagate across all CRM integrations within the required timeframe (typically 30 days for GDPR). Check that lead scoring does not use sensitive attributes.
+- **Fair-housing and tenant-data controls**: Verify property listing algorithms do not filter by protected neighborhood characteristics. Confirm tenant screening uses only legally permissible criteria. Check that tenant PII retention respects state-specific data destruction requirements.

package/.opencode/skills/controlkeel-governance/SKILL.md

@@ -0,0 +1,89 @@
+---
+name: controlkeel-governance
+description: "Operate inside a ControlKeel-governed session. Use this before code edits, shell execution, delegation, deploy work, or any task that needs CK validation, findings, budget, proof, or routing context."
+license: Apache-2.0
+compatibility:
+  - codex
+  - claude-standalone
+  - claude-plugin
+  - copilot-plugin
+  - github-repo
+  - open-standard
+allowed-tools:
+  - ck_validate
+  - ck_context
+  - ck_finding
+  - ck_memory_search
+  - ck_memory_record
+  - ck_memory_archive
+  - ck_regression_result
+  - ck_budget
+  - ck_route
+  - ck_skill_list
+  - ck_skill_load
+  - ck_cost_optimizer
+  - ck_deployment_advisor
+  - ck_outcome_tracker
+metadata:
+  author: controlkeel
+  version: "2.0"
+  category: governance
+  ck_mcp_tools:
+    - ck_validate
+    - ck_context
+    - ck_finding
+    - ck_memory_search
+    - ck_memory_record
+    - ck_memory_archive
+    - ck_regression_result
+    - ck_budget
+    - ck_route
+    - ck_cost_optimizer
+    - ck_deployment_advisor
+    - ck_outcome_tracker
+---
+
+# ControlKeel Governance Skill
+
+You are operating inside a **ControlKeel-governed session**. Start here whenever you need the base CK operating protocol.
+
+## Core loop
+
+1. Call `ck_context` at task start to load mission, risk, budget, proof, active findings, workspace context, context reacquisition, instruction hierarchy, and recent transcript state.
+2. Call `ck_validate` before writing code, config, shell, or deploy text, and pass trust-boundary metadata when the source content came from the web, tools, skills, or mixed provenance.
+3. If you discover a problem the scanner did not raise, call `ck_finding`.
+4. Use `ck_memory_search` when you need explicit recall of prior decisions, checkpoints, or findings rather than relying only on the default context packet.
+5. Use `ck_memory_record` to persist important decisions, assumptions, and operator guidance that future agents should recover.
+6. Use `ck_memory_archive` to retire stale or superseded guidance before it keeps contaminating retrieval.
+7. Call `ck_budget` and `ck_cost_optimizer` before expensive model or bulk operations.
+8. Call `ck_route` before delegating sub-work to another agent.
+9. Use `ck_deployment_advisor` to analyze stack and generate deployment templates when checking ship readiness.
+10. Use `ck_regression_result` to record external browser or QA evidence before claiming deploy readiness.
+11. Use `ck_outcome_tracker` to track success/failure outcomes for continuous learning.
+12. Use `ck_skill_list` and `ck_skill_load` to activate more specific CK workflows.
+
+## Non-negotiable rules
+
+- Never skip `ck_validate` before repo mutations or shell execution.
+- A blocked ruling means stop and surface the finding.
+- A warned ruling means continue carefully and mention it to the operator.
+- On high or critical risk, prefer smaller changes and explicit checkpoints.
+- Before saying work is done, re-check proof, findings, and budget state.
+
+## Quick reference
+
+- `ck_context` — mission, task, budget, proof, memory, workspace snapshot, transcript summary, resume context
+- `ck_validate` — governed preflight scan with trust-boundary checks
+- `ck_finding` — persist manual findings
+- `ck_memory_search`, `ck_memory_record`, `ck_memory_archive` — explicit typed-memory retrieval and hygiene
+- `ck_regression_result` — import external regression evidence into proof state
+- `ck_budget` — cost estimate / commit
+- `ck_route` — best agent recommendation
+- `ck_cost_optimizer` — cost optimization strategies and model comparison
+- `ck_deployment_advisor` — repo stack detection, CI/Docker generation, DNS/SSL guide
+- `ck_outcome_tracker` — record and review session outcomes/agent scores
+- `ck_skill_list`, `ck_skill_load` — specialized workflow activation
+
+## Additional resources
+
+- For the full governed workflow, see [references/workflow.md](references/workflow.md)

package/.opencode/skills/controlkeel-governance/agents/openai.yaml

@@ -0,0 +1,12 @@
+interface:
+  display_name: "ControlKeel Governance"
+  short_description: "Base governed workflow for CK validation, context, findings, budget, and routing."
+  brand_color: "#0f766e"
+policy:
+  allow_implicit_invocation: true
+dependencies:
+  tools:
+    - type: "mcp"
+      value: "controlkeel"
+      description: "ControlKeel MCP server"
+

package/.opencode/skills/controlkeel-governance/references/workflow.md

@@ -0,0 +1,28 @@
+# Governed Workflow
+
+Use this reference with `controlkeel-governance`.
+
+## Start
+
+1. `ck_context` to load mission, task, risk, budget, proof summary, memory hits, workspace snapshot, and recent transcript events.
+2. Identify whether the task is implementation, review, compliance, benchmark, or policy work.
+3. Load a more specific CK skill if the task has a narrower workflow.
+
+## Before mutations
+
+1. Validate the exact code, config, shell, or text with `ck_validate`.
+2. Respect `block` immediately.
+3. Note `warn` in your reply and continue carefully.
+
+## During work
+
+1. Keep changes small.
+2. Call `ck_budget` before expensive multi-agent or long-context work.
+3. Use `ck_route` when another agent would be materially better.
+4. Create a `ck_finding` entry for any issue not automatically detected.
+
+## Before completion
+
+1. Re-check active findings.
+2. Re-check budget and proof state.
+3. If the session is high or critical risk, summarize decisions and unresolved items explicitly.

package/.opencode/skills/cost-optimization/SKILL.md

@@ -0,0 +1,36 @@
+---
+name: cost-optimization
+description: "Keep a governed session within budget. Use this before long-running agent work, bulk processing, or any task where spend pressure could change the plan."
+license: Apache-2.0
+compatibility:
+  - codex
+  - claude-standalone
+  - claude-plugin
+  - copilot-plugin
+  - github-repo
+  - open-standard
+metadata:
+  author: controlkeel
+  version: "2.0"
+  category: budget
+  ck_mcp_tools:
+    - ck_budget
+    - ck_context
+    - ck_route
+    - ck_cost_optimizer
+---
+
+# Cost Optimization Skill
+
+## Budget protocol
+
+1. Estimate before expensive work with `ck_budget`.
+2. Prefer smaller checkpoints over one large call when spend is uncertain.
+3. Use `ck_route` to prefer cheaper valid agents when quality permits.
+4. When the budget is low, reduce scope and escalate to the human early.
+5. Commit actual usage after completion if your harness is responsible for spend recording.
+6. Use `ck_cost_optimizer` to discover savings models, caching strategies, and local model alternatives.
+
+## Additional resources
+
+- For estimation, warning thresholds, and split strategies, see [references/budget-playbook.md](references/budget-playbook.md)

package/.opencode/skills/cost-optimization/agents/openai.yaml

@@ -0,0 +1,12 @@
+interface:
+  display_name: "Cost Optimization"
+  short_description: "Budget-aware CK workflow for estimates, commits, and cheaper routing."
+  brand_color: "#7c3aed"
+policy:
+  allow_implicit_invocation: true
+dependencies:
+  tools:
+    - type: "mcp"
+      value: "controlkeel"
+      description: "ControlKeel MCP server"
+

package/.opencode/skills/cost-optimization/references/budget-playbook.md

@@ -0,0 +1,18 @@
+# Budget Playbook
+
+## Estimate first
+
+- Use `ck_budget` estimate mode before expensive operations.
+- Prefer model-based pricing inputs when you know tokens and model.
+- Use explicit `estimated_cost_cents` when the model is unknown.
+
+## Split and checkpoint
+
+- Break long tasks into smaller runs.
+- Stop after each step and reassess remaining session and rolling-24h budget.
+
+## Escalation guidance
+
+- If remaining daily budget is tight, pause and ask for approval before the next expensive step.
+- If the operation is optional, defer it instead of spending the last budget headroom.
+

package/.opencode/skills/domain-audit/SKILL.md

@@ -0,0 +1,41 @@
+---
+name: domain-audit
+description: "Audit a session against its domain pack, especially the regulated and operations-heavy packs such as HR, legal, marketing, sales, real-estate, government, insurance, logistics, manufacturing, e-commerce, and nonprofit. Use this when domain-specific policy needs a manual pass."
+license: Apache-2.0
+compatibility:
+  - codex
+  - claude-standalone
+  - claude-plugin
+  - copilot-plugin
+  - github-repo
+  - open-standard
+metadata:
+  author: controlkeel
+  version: "2.0"
+  category: domain
+  ck_mcp_tools:
+    - ck_context
+    - ck_finding
+---
+
+# Domain Audit Skill
+
+Use this skill when the session’s domain pack drives the real risk more than generic software checks.
+
+## Focus areas
+
+- HR: bias, candidate data, compensation visibility
+- Legal: privilege, retention, document handling
+- Marketing: consent, unsubscribe, analytics PII
+- Sales: CRM data, contact deletion, revenue visibility
+- Real estate: fair-housing logic, tenant PII, retention
+- Government: records retention, constituent data, approval chains
+- Insurance: claims fairness, medical-adjacent privacy, denial review
+- E-commerce: card scope, refunds, fraud controls
+- Logistics: shipment custody, dispatch safety, carrier data
+- Manufacturing: QA holds, traceability, plant safety
+- Nonprofit: donor privacy, grant restrictions, beneficiary exports
+
+## Additional resources
+
+- [Domain review matrix](references/domain-review-matrix.md)

package/.opencode/skills/domain-audit/agents/openai.yaml

@@ -0,0 +1,12 @@
+interface:
+  display_name: "Domain Audit"
+  short_description: "Manual domain-pack review for HR, legal, marketing, sales, and real estate."
+  brand_color: "#9333ea"
+policy:
+  allow_implicit_invocation: true
+dependencies:
+  tools:
+    - type: "mcp"
+      value: "controlkeel"
+      description: "ControlKeel MCP server"
+

package/.opencode/skills/domain-audit/references/domain-review-matrix.md

@@ -0,0 +1,71 @@
+# Domain Review Matrix
+
+Use this matrix when the session's domain pack drives real risk more than generic software checks.
+For each domain, verify the listed items. Use `ck_validate` for automated pattern checks, then
+manually verify items that require business-logic or process judgment.
+
+## HR
+
+- **Protected classes in scoring**: Scan job descriptions, screening logic, and ranking algorithms for protected attributes (race, gender, age, religion, disability, national origin). Use `ck_validate` on scoring code. Verify no training data features encode proxies for protected attributes.
+- **Candidate data segregation**: Confirm candidate PII (name, email, address, phone) is stored separately from evaluation data. Verify interviewer notes reference candidate IDs, not names, in analytics. Check that rejected candidate data retention respects local regulations (typically 1-2 years, then purge).
+- **Compensation visibility**: Verify salary bands are visible only to HR ops and authorized managers. Confirm individual compensation data requires explicit role-scoped access. Check that compensation reports aggregate to levels where individual identification is not possible.
+- **Employment verification**: Confirm I-9 document data is stored separately from performance records. Verify work-authorization status is checked at hire and on expiration, but not used in performance or promotion logic.
+
+## Legal
+
+- **Privileged materials isolation**: Verify privileged documents are tagged at creation time. Confirm privilege tags propagate through search, export, and AI-summarization pipelines. Check that privilege review logs record who accessed what and when.
+- **Retention and eDiscovery**: Confirm retention schedules are configured per document type and jurisdiction. Verify automated retention enforcement skips documents on legal hold. Check that expired document purge produces a destruction certificate.
+- **Conflict checking**: Verify new matter intake runs conflict-of-interest checks against existing clients. Confirm conflict check results are logged and require affirmative clearance before work begins.
+
+## Marketing
+
+- **Opt-in and unsubscribe controls**: Verify email and messaging consent is captured with timestamp, source, and scope. Confirm consent records are immutable once created. Check that opt-out requests propagate to all downstream systems within 72 hours.
+- **Analytics PII**: Verify analytics pipelines do not store raw email addresses, phone numbers, or device IDs in user-facing dashboards. Confirm PII used for attribution is hashed or tokenized before storage. Check that audience segment exports exclude individual-level PII unless the consumer has explicit consent scope.
+- **Advertising targeting**: Verify ad targeting does not use sensitive categories (health condition, financial status, sexual orientation, religion). Confirm lookalike audiences exclude protected-attribute proxies.
+
+## Sales
+
+- **CRM contact handling**: Verify CRM export endpoints mask or strip PII for non-authorized scopes. Confirm contact deletion requests propagate to all integrated systems within 30 days. Check that lead enrichment data sources comply with data-minimization principles.
+- **Revenue and quota auditability**: Verify pipeline and forecast data is accessible only to roles with explicit need. Confirm individual deal values are not exposed in team-level dashboards without aggregation. Check that commission calculations are auditable and traceable to signed terms.
+- **Contract handling**: Verify contract documents are encrypted at rest with access restricted to deal team and legal. Confirm contract metadata is stored separately from contract text in analytics. Check that expired contracts are archived per retention policy.
+
+## Real Estate
+
+- **Fair-housing violations blocked**: Verify property listing algorithms do not filter or sort by neighborhood demographic composition. Confirm advertising copy does not contain discriminatory language. Check that recommendation engines do not use protected-class data.
+- **Tenant data protection**: Verify tenant application data (SSN, income, criminal history) is encrypted at rest and purged after the decision period. Confirm screening results are shared only with authorized leasing agents. Check that tenant payment history is accessible only to property management roles.
+- **Retention controls**: Verify lease documents are retained per state-specific requirements (typically 7 years after lease termination). Confirm tenant dispute records are retained for the statute of limitations period.
+
+## Government / Public Sector
+
+- **Records retention and holds**: Verify all official records follow the jurisdiction's retention schedule. Confirm record deletion requires documented authorization. Check that records requests (FOIA, public records) are processable within statutory deadlines.
+- **Benefits and licensing fairness**: Verify benefits eligibility logic does not use citizenship-adjacent shortcuts as proxies for protected attributes. Confirm licensing decisions follow published criteria and are auditable. Check that automated scoring in case management is explainable and reviewable.
+- **Approval chains**: Verify procurement and policy decisions follow required approval chains. Confirm approval delegation is documented and auditable.
+
+## Insurance / Claims
+
+- **Claims fairness**: Verify claim adjudication logic does not use protected attributes as rating or denial factors. Confirm model-based pricing or underwriting decisions are explainable. Check that denial letters include specific reason codes and appeal instructions.
+- **Medical-adjacent privacy**: Verify health-related claims data is treated with HIPAA-equivalent protections even when not technically PHI. Confirm medical records access is limited to claims adjusters with active case assignment.
+- **Denial review**: Verify denied claims undergo secondary review before finalization. Confirm appeal timelines are tracked and enforced. Check that appeal outcomes are logged with reason and reviewer identity.
+
+## E-commerce / Retail
+
+- **Card and checkout data**: Verify cardholder data environment is segmented from general application infrastructure. Confirm no raw PANs are stored in logs, databases, or error tracking. Check that PCI-DSS self-assessment is completed annually.
+- **Refund and chargeback controls**: Verify refund authorization requires role-appropriate approval for amounts exceeding defined thresholds. Confirm refund processing produces immutable audit entries. Check that refund fraud detection is active and calibrated.
+- **Fraud scoring**: Verify order fraud scoring runs before payment capture. Confirm fraud review queues are staffed to meet response-time SLAs. Check that false-positive rates are monitored.
+
+## Logistics / Supply Chain
+
+- **Chain-of-custody integrity**: Verify chain-of-custody records are immutable once created. Confirm custody transfers produce signed, timestamped audit entries. Check that custody gaps trigger alerts for investigation.
+- **Dispatch and hazmat safety**: Verify dispatch routing does not assign drivers to routes exceeding hours-of-service limits. Confirm hazardous-material routing follows DOT restrictions. Check that safety interlock bypasses require explicit review and are logged.
+- **Carrier data**: Verify carrier insurance and safety ratings are current before load assignment. Confirm carrier PII is not exposed in shipper-facing dashboards.
+
+## Manufacturing / Quality
+
+- **QA holds and recall traces**: Verify quality-hold decisions are immutable and require documented justification. Confirm held inventory is physically and logically segregated from shippable stock. Check that hold releases require authorized sign-off with documented corrective action. Verify lot and serial traceability from raw material through finished goods shipment.
+- **Safety interlocks**: Verify safety-critical system changes go through management-of-change review. Confirm incident reports are retained per OSHA requirements (5 years for records, 30 years for exposure records). Check that safety interlock bypasses cannot occur silently in automation.
+
+## Nonprofit / Grants
+
+- **Donor payment isolation**: Verify donor records are not sold or shared outside the organization's stated privacy policy. Confirm anonymous donation options preserve donor identity from all internal reporting except compliance-required access. Check that donor communication preferences are respected across all channels.
+- **Grant restrictions**: Verify restricted funds are tracked separately from general operating funds. Confirm grant spending reports match restricted-purpose documentation. Check that restricted fund balances are visible to finance and grant management roles only.
+- **Beneficiary data**: Verify beneficiary data exports strip or mask PII unless the consumer has explicit authorization. Confirm bulk beneficiary data transfers use encrypted channels. Check that beneficiary consent for data sharing is documented and current.