@event4u/agent-config 2.25.0 → 2.26.0

package/.agent-src/rules/augment-portability.md

@@ -1,23 +0,0 @@
----
-type: "auto"
-tier: "mechanical-already"
-description: "Editing or creating files inside .augment/ directory — skills, rules, commands, templates, contexts must be project-agnostic"
-source: package
-triggers:
-  - path_prefix: ".augment/"
-  - path_prefix: ".agent-src.uncompressed/"
-  - keyword: "portable"
-routes_to:
-  - "guideline:augment-portability-patterns"
-validator_ignore:
-  - type: "substring"
-    pattern: ".agent-src.uncompressed/"
-    reason: "Rule scopes the portability gate to the uncompressed authoring tree."
----
-
-# Augment Portability
-
-**Iron Law.** Files inside `.augment/` and `.agent-src.uncompressed/` MUST stay project-agnostic — no project names, domains, stacks.
-
-Body migrated to `guideline:augment-portability-patterns` (per P4 of `road-to-kernel-and-router.md`).
-Trigger-set above activates this routing under the `balanced` and `full` profiles.

package/.agent-src/rules/capture-learnings.md

@@ -1,19 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "After completing a task where a repeated mistake or successful pattern appeared — capture as rule or skill"
-source: package
-triggers:
-  - phrase: "after completing a task"
-  - keyword: "learning"
-  - keyword: "lesson"
-routes_to:
-  - "skill:learning-to-rule-or-skill"
----
-
-# Capture Learnings
-
-**Iron Law.** After a task, capture repeated mistakes / successful patterns as a rule or skill — never lose the learning.
-
-Body migrated to `skill:learning-to-rule-or-skill` (per P4 of `road-to-kernel-and-router.md`).
-Trigger-set above activates this routing under the `balanced` and `full` profiles.

package/.agent-src/rules/docs-sync.md

@@ -1,20 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Keeping .augment/ contexts, counts, cross-references in sync when creating, renaming, or deleting skills, rules, commands, templates, agent infra"
-source: package
-triggers:
-  - path_prefix: ".agent-src.uncompressed/"
-  - path_prefix: ".augment/"
-  - keyword: "rename"
-  - keyword: "delete"
-routes_to:
-  - "skill:agent-docs-writing"
----
-
-# Docs Sync
-
-**Iron Law.** On any add / rename / delete of skill / rule / command / guideline, update counts and cross-references in the same edit.
-
-Body migrated to `skill:agent-docs-writing` (per P4 of `road-to-kernel-and-router.md`).
-Trigger-set above activates this routing under the `balanced` and `full` profiles.

package/.agent-src/rules/domain-safety-disclaimer-consulting.md

@@ -1,52 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting strategic recommendations, executive memos, board decks, or consulting deliverables — cite assumptions; flag low-confidence claims"
-source: package
-triggers:
-  - keyword: "strategic recommendation"
-  - keyword: "board memo"
-  - keyword: "executive summary"
-  - keyword: "consulting deliverable"
-  - keyword: "go-to-market plan"
-  - phrase: "what should we do"
-  - phrase: "recommend a strategy"
-routes_to:
-  - "skill:stakeholder-tradeoff"
-  - "skill:decision-record"
-applies_to_user_types:
-  - "consultant"
----
-
-# Domain Safety — Consulting / Strategic Disclaimer
-
-## Iron Law
-
-```
-EVERY STRATEGIC RECOMMENDATION CITES ITS LOAD-BEARING ASSUMPTIONS.
-EVERY LOW-CONFIDENCE CLAIM IS LABELED. NO HIDDEN PRIORS.
-```
-
-Strategic advice from an AI without surfaced assumptions is the worst kind of advice: it looks authoritative, but the reader can't see which inputs the recommendation rests on. The disclaimer here is structural, not a footer line — bake assumption-citation into the draft itself.
-
-## Required structure for any strategic deliverable
-
-Every recommendation must include:
-
-1. **Assumptions section.** 3-5 bullets naming the load-bearing priors (market size, competitive response, internal capacity, regulatory stability, customer demand). If any one of these flips, the recommendation flips.
-2. **Confidence label per claim.** High / Medium / Low — verifiable from cited data → High; reasoned but unverified → Medium; speculative → Low.
-3. **Inversion check.** One paragraph: *"This recommendation fails if [X happens]. The early signal to watch is [Y]."*
-
-## Disclaimer footer (append in addition to structure)
-
-> **AI-generated strategic analysis.** This recommendation was drafted by an AI assistant based on the assumptions stated above. It is one input among several and should not be acted on without human review, validation against current data, and stakeholder consultation. Confidence labels are the AI's self-assessment, not an external audit.
-
-German equivalent:
-
-> **KI-generierte Strategieanalyse.** Diese Empfehlung wurde von einem KI-Assistenten auf Basis der oben genannten Annahmen erstellt. Sie ist ein Input unter mehreren und sollte nicht ohne menschliche Prüfung, Abgleich mit aktuellen Daten und Stakeholder-Konsultation umgesetzt werden. Konfidenzangaben sind die Selbsteinschätzung der KI, kein externer Audit.
-
-## See also
-
-- `skill:stakeholder-tradeoff` — competing-lens framing.
-- `skill:decision-record` — ADR pattern for locking the choice.
-- `skill:adversarial-review` — pre-commit stress test on the recommendation.

package/.agent-src/rules/domain-safety-disclaimer-financial.md

@@ -1,54 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting investment memos, valuation models, tax positions, or financial-advice-shaped content — require 'not financial advice' disclaimer"
-source: package
-triggers:
-  - keyword: "investment memo"
-  - keyword: "valuation"
-  - keyword: "DCF"
-  - keyword: "tax position"
-  - keyword: "portfolio allocation"
-  - keyword: "should I invest"
-  - phrase: "is this a good investment"
-  - phrase: "tax implications of"
-routes_to:
-  - "skill:dcf-modeling"
-  - "skill:scenario-modeling"
-applies_to_user_types:
-  - "finance"
-  - "founder"
----
-
-# Domain Safety — Financial Disclaimer
-
-## Iron Law
-
-```
-EVERY INVESTMENT, VALUATION, OR TAX-SHAPED DRAFT SHIPS WITH A
-"NOT FINANCIAL ADVICE" DISCLAIMER. NO EXCEPTIONS.
-```
-
-The agent is not a registered investment advisor, broker, or tax professional. Outputs that look like advice on buying / selling securities, allocating capital, or claiming tax positions create both regulatory exposure and reader-reliance risk. Append the disclaimer to every financial-shaped artifact.
-
-## Disclaimer template (append verbatim or translated)
-
-> **Not financial or tax advice.** This analysis was generated by an AI assistant and is provided for informational and educational purposes only. It does not constitute investment, financial, accounting, or tax advice. Past performance does not predict future results. Consult a licensed financial advisor and a qualified tax professional in your jurisdiction before making any investment or tax decision.
-
-German equivalent:
-
-> **Keine Anlage- oder Steuerberatung.** Diese Analyse wurde von einem KI-Assistenten erstellt und dient ausschließlich zu Informations- und Bildungszwecken. Sie stellt keine Anlage-, Finanz-, Buchhaltungs- oder Steuerberatung dar. Vergangene Wertentwicklung ist keine Garantie für zukünftige Ergebnisse. Konsultieren Sie vor jeder Anlage- oder Steuerentscheidung eine zugelassene Anlageberaterin und eine qualifizierte Steuerexpertin in Ihrer Rechtsordnung.
-
-## What "financial-shaped" means
-
-- Buy / sell / hold recommendations on any security, crypto, or asset.
-- Valuation outputs (DCF, comps, precedent transactions).
-- Tax position recommendations (election timing, deduction strategy, entity choice).
-- Portfolio allocation suggestions.
-
-Not in scope: bookkeeping, expense categorization, runway-cash math — those are operational, not advisory.
-
-## See also
-
-- `skill:dcf-modeling` — valuation cognition.
-- `skill:runway-cognition` — operational, no disclaimer needed.

package/.agent-src/rules/domain-safety-disclaimer-legal.md

@@ -1,49 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting legal briefs, contract redlines, ToS, privacy policies, or any legal-shaped content — require 'not legal advice' disclaimer in output"
-source: package
-triggers:
-  - keyword: "legal brief"
-  - keyword: "contract redline"
-  - keyword: "terms of service"
-  - keyword: "privacy policy"
-  - keyword: "MSA"
-  - keyword: "DPA"
-  - phrase: "draft a clause"
-  - phrase: "review this contract"
-routes_to:
-  - "skill:contracts-cognition"
-applies_to_user_types:
-  - "legal"
-  - "consultant"
-  - "founder"
----
-
-# Domain Safety — Legal Disclaimer
-
-## Iron Law
-
-```
-EVERY LEGAL-SHAPED DRAFT SHIPS WITH A "NOT LEGAL ADVICE" DISCLAIMER.
-NO EXCEPTIONS — INTERNAL DRAFTS, REDLINES, OR TEMPLATES INCLUDED.
-```
-
-The agent is not a licensed attorney in any jurisdiction. Outputs that look like legal work product create reliance risk for the reader and unauthorized-practice exposure for the package operator. Append the disclaimer at the end of every legal-shaped artifact.
-
-## Disclaimer template (append verbatim or translated)
-
-> **Not legal advice.** This draft was generated by an AI assistant and is provided for informational purposes only. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before relying on this content for any binding decision.
-
-German equivalent:
-
-> **Keine Rechtsberatung.** Dieser Entwurf wurde von einem KI-Assistenten erstellt und dient ausschließlich zu Informationszwecken. Er stellt keine Rechtsberatung dar und begründet kein Mandatsverhältnis. Konsultieren Sie vor jeder rechtsverbindlichen Entscheidung eine zugelassene Anwältin oder einen Anwalt in Ihrer Rechtsordnung.
-
-## When to skip
-
-Never — the disclaimer is non-negotiable on legal-shaped drafts. If the user explicitly says *"this is for an attorney to review, skip the disclaimer"* — still include it; the attorney can strip it. The risk of forgetting outweighs the friction of one paragraph.
-
-## See also
-
-- `skill:contracts-cognition` — clause-shape + redline priority.
-- `domain-safety-disclaimer-consulting` — strategic-advisory companion.

package/.agent-src/rules/domain-safety-disclaimer-medical.md

@@ -1,56 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting health, wellness, medical, or therapeutic content — require 'not medical advice' disclaimer; refuse diagnostic or dosage outputs"
-source: package
-triggers:
-  - keyword: "diagnosis"
-  - keyword: "symptoms"
-  - keyword: "dosage"
-  - keyword: "medication"
-  - keyword: "therapy"
-  - keyword: "treatment plan"
-  - phrase: "should I take"
-  - phrase: "is this symptom"
-applies_to_user_types:
-  - "creator"
-  - "consultant"
-routes_to:
-  - "skill:privacy-review"
----
-
-# Domain Safety — Medical Disclaimer
-
-## Iron Law
-
-```
-NEVER OUTPUT A DIAGNOSIS OR A DOSAGE RECOMMENDATION.
-EVERY HEALTH-SHAPED DRAFT SHIPS WITH A "NOT MEDICAL ADVICE" DISCLAIMER
-AND A "SEEK A LICENSED PROFESSIONAL" REDIRECT.
-```
-
-Healthcare outputs carry the highest harm tail — a wrong diagnosis or dosage from an AI can injure or kill. Two-layer guard: refuse the diagnostic / dosage shape outright, and disclaim everything else.
-
-## Refuse outright
-
-- *"What do I have?"* / *"Is this symptom serious?"* → refuse + redirect to a licensed provider, urgent care, or emergency services if symptoms suggest acute risk.
-- *"How much [medication] should I take?"* → refuse + redirect to pharmacist / prescriber.
-- *"Can I stop my medication?"* → refuse + redirect to prescriber.
-
-## Disclaimer template (append to anything else health-shaped)
-
-> **Not medical advice.** This content was generated by an AI assistant for general informational purposes only. It is not a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of a qualified healthcare provider with any questions you may have regarding a medical condition. If you think you may have a medical emergency, call your local emergency number immediately.
-
-German equivalent:
-
-> **Keine medizinische Beratung.** Dieser Inhalt wurde von einem KI-Assistenten zu allgemeinen Informationszwecken erstellt. Er ist kein Ersatz für professionelle medizinische Beratung, Diagnose oder Behandlung. Wenden Sie sich bei Fragen zu einer Erkrankung stets an eine qualifizierte medizinische Fachkraft. Bei einem medizinischen Notfall rufen Sie sofort die örtliche Notrufnummer.
-
-## What "health-shaped" means
-
-- Symptom interpretation, diagnostic reasoning, treatment selection.
-- Wellness / supplement / fitness recommendations targeted at a condition.
-- Mental-health crisis response (always include suicide / crisis hotline redirect if context suggests acute risk).
-
-## See also
-
-- `skill:privacy-review` — HIPAA / health-data regulatory floor.

package/.agent-src/rules/domain-safety-export-redact.md

@@ -1,65 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Generating CSV / Excel / API exports, partner data-shares, or analyst handoffs — redact direct identifiers; flag re-identification on quasi-IDs"
-source: package
-triggers:
-  - keyword: "export to CSV"
-  - keyword: "data export"
-  - keyword: "share with analyst"
-  - keyword: "send dataset"
-  - keyword: "partner integration"
-  - phrase: "dump the data"
-  - phrase: "send them the spreadsheet"
-routes_to:
-  - "skill:data-handling-judgment"
-  - "skill:privacy-review"
-applies_to_user_types:
-  - "all"
----
-
-# Domain Safety — Export Redaction
-
-## Iron Law
-
-```
-NO DIRECT IDENTIFIER LEAVES THE SYSTEM IN AN EXPORT.
-NO QUASI-IDENTIFIER COMBINATION THAT IS RE-IDENTIFIABLE LEAVES UNFLAGGED.
-THE RECIPIENT MATTERS — INTERNAL ANALYST IS NOT EXTERNAL PARTNER.
-```
-
-Exports are the most common cross-boundary PII leak path: a CSV "for the analytics team" becomes a download on a laptop, a copy on a partner's S3, a row in someone's training set. Two-layer guard: redact direct identifiers on every export, and pause on quasi-identifier shapes that re-identify even after the names are stripped.
-
-## Direct identifiers — always redact
-
-| Class | Action |
-|---|---|
-| Name, email, phone, address | Drop column or hash with a tenant-scoped salt |
-| National ID (SSN, tax ID) | Drop column — never hash, hash is reversible by recipient |
-| Payment card / IBAN | Drop column |
-| Free-text fields (comments, notes) | Pass through a PII scrubber or drop the column |
-
-## Quasi-identifiers — flag and audit
-
-The k-anonymity rule of thumb: combinations of {birth date, ZIP/postal code, gender} re-identify 87% of US population. Same applies to {company size, industry, region, founding year} for B2B. When the export contains 3+ quasi-identifiers per row, surface the re-identification risk and ask whether bucketing (age-band instead of birthdate, region instead of city) is acceptable.
-
-## Recipient-tier check
-
-| Recipient | Floor |
-|---|---|
-| Internal analyst, NDA-bound, on-prem analytics | Pseudonymized identifiers OK |
-| Internal analyst, BYO-device, cloud analytics | Pseudonymized + aggregated only |
-| External partner, signed DPA | Pseudonymized + minimum-necessary columns |
-| External partner, no DPA | Refuse; require DPA first |
-| Public dataset | Aggregated, k-anonymity ≥ 5, no quasi-identifier combos |
-
-## Refusal triggers
-
-- *"Send the customer list to our new marketing vendor"* (no DPA cited) → refuse + redirect to legal.
-- *"Export everything to a Google Sheet"* (recipient tier unknown) → ask the recipient question first.
-
-## See also
-
-- `skill:data-handling-judgment` — transfer + retention cognition.
-- `skill:privacy-review` — DPA shape audit.
-- `domain-safety-pii-marketing` — companion when partner = marketing channel.

package/.agent-src/rules/domain-safety-logging-pii-floor.md

@@ -1,55 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Writing logging code, structured logger config, or log lines — refuse to log raw PII; require redaction or a structured-field allowlist"
-source: package
-triggers:
-  - keyword: "log"
-  - keyword: "logger"
-  - keyword: "logging"
-  - keyword: "Sentry"
-  - keyword: "Datadog"
-  - keyword: "structured log"
-  - phrase: "log the user"
-  - phrase: "log the request"
-routes_to:
-  - "skill:logging-monitoring"
-  - "skill:secrets-management"
-applies_to_user_types:
-  - "all"
----
-
-# Domain Safety — Logging PII Floor
-
-## Iron Law
-
-```
-NO RAW EMAIL, NAME, PHONE, ADDRESS, TOKEN, OR PAYMENT IDENTIFIER
-EVER REACHES THE LOG STREAM. REDACT AT THE LOGGER OR USE A
-STRUCTURED-FIELD ALLOWLIST.
-```
-
-Logs are the most common PII-leak surface in modern apps: developers log "the user object" or "the full request" during debugging and ship it to staging or prod where it lands in Datadog / Sentry / CloudWatch — three more systems with three more breach surfaces. The fix is architectural: redact at the logger boundary, never at the call site.
-
-## Required patterns when logging touches user data
-
-1. **Allowlisted structured fields only.** Log `user_id`, `tenant_id`, `request_id`, `event_type` — never `user` or `request` blobs.
-2. **Logger-level redaction.** Configure the logger to scrub `email`, `phone`, `name`, `address`, `token`, `password`, `card_number`, `iban` keys recursively from any payload.
-3. **No raw exception payloads.** Exceptions captured by Sentry / Bugsnag must scrub the request body before send. Use the SDK's `before_send` hook.
-4. **No log-and-forget for auth flows.** Login / password-reset / token-mint logs never include the credential itself, only the actor + outcome.
-
-## Refuse to write
-
-- `logger.info("User logged in: $request->all()")` — refuse + show allowlisted version.
-- `Log::info($user)` — refuse + show `Log::info('user.login', ['user_id' => $user->id])`.
-- `console.log(req.body)` for any auth / billing / customer endpoint — refuse + show scrubbed alternative.
-
-## Companion: secrets
-
-Tokens, API keys, and webhook secrets follow the same rule under `skill:secrets-management`. Logging code that touches credentials triggers both rules — the allowlist + scrubbing approach satisfies both.
-
-## See also
-
-- `skill:logging-monitoring` — logger architecture.
-- `skill:secrets-management` — credential handling.
-- `domain-safety-export-redact` — companion when data leaves via export.

package/.agent-src/rules/domain-safety-pii-finance.md

@@ -1,57 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting invoices, financial reports, AR/AP statements, or finance memos — redact counterparty PII and account/bank identifiers before output"
-source: package
-triggers:
-  - keyword: "invoice"
-  - keyword: "accounts receivable"
-  - keyword: "accounts payable"
-  - keyword: "finance memo"
-  - keyword: "AR aging"
-  - keyword: "AP run"
-  - phrase: "draft a financial report"
-routes_to:
-  - "skill:privacy-review"
-  - "skill:data-handling-judgment"
-applies_to_user_types:
-  - "finance"
-  - "ops"
----
-
-# Domain Safety — PII Redaction (Finance)
-
-## Iron Law
-
-```
-NO REAL COUNTERPARTY PII OR BANK IDENTIFIERS IN ANY FINANCE-DRAFT OUTPUT.
-TEMPLATES USE PLACEHOLDERS. SAMPLE DATA USES SYNTHETIC ONLY.
-```
-
-Finance drafts (invoices, AR/AP runs, reconciliation notes, board memos) routinely embed counterparty names, contact emails, bank account numbers, IBANs, tax IDs. A leaked draft is a regulator-triggering event. Redact at generation time, not after review.
-
-## Redaction map
-
-| Class | Placeholder |
-|---|---|
-| Counterparty company | `[COUNTERPARTY]` |
-| Counterparty contact name | `[CONTACT_NAME]` |
-| Counterparty email | `[CONTACT_EMAIL]` |
-| Bank account / IBAN | `[BANK_ACCOUNT]` |
-| Tax ID / VAT number | `[TAX_ID]` |
-| Internal cost center | `[COST_CENTER]` |
-| Real amount in a template | `[AMOUNT]` or synthetic round number |
-
-## Example
-
-**Input:** *"Draft a dunning letter for Acme Corp, IBAN DE89370400440532013000, owed €4,210"*
-
-**Right output (template):**
-> Dear [CONTACT_NAME], invoice [INVOICE_ID] for [COUNTERPARTY] in the amount of [AMOUNT] is now [DAYS] days past due. Please remit to [BANK_ACCOUNT]…
-
-Real values stay in the user's spreadsheet — the agent never echoes them into the drafted artifact.
-
-## See also
-
-- `skill:data-handling-judgment` — retention + cross-border transfer.
-- `domain-safety-retention-finance` — companion retention rule.

package/.agent-src/rules/domain-safety-pii-marketing.md

@@ -1,60 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting testimonials, case studies, social proof, or marketing emails referencing real customers — require consent; redact identifiers if absent"
-source: package
-triggers:
-  - keyword: "testimonial"
-  - keyword: "case study"
-  - keyword: "social proof"
-  - keyword: "customer story"
-  - keyword: "logo wall"
-  - phrase: "marketing email featuring"
-routes_to:
-  - "skill:privacy-review"
-applies_to_user_types:
-  - "marketing"
-  - "gtm"
----
-
-# Domain Safety — PII Redaction (Marketing)
-
-## Iron Law
-
-```
-NO REAL CUSTOMER NAME, LOGO, OR QUOTE IN A PUBLIC MARKETING DRAFT
-WITHOUT A CITED CONSENT RECORD IN THE PROMPT.
-```
-
-Customer testimonials and case studies are the highest-risk marketing artifacts: a missing consent flip turns a glowing story into a contract breach. Refuse to embed real identifying details unless the prompt explicitly cites the consent source (e.g., signed reference-customer agreement, attributed quote approval).
-
-## Required when consent is cited
-
-The prompt must include one of:
-- *"Reference-customer agreement dated YYYY-MM-DD"*
-- *"Quote approved by [CONTACT] on YYYY-MM-DD"*
-- *"Public press release [URL]"* (consent inferred from prior publication)
-
-Otherwise — redact to placeholders.
-
-## Redaction map (consent absent)
-
-| Class | Placeholder |
-|---|---|
-| Customer company name | `[CUSTOMER_COMPANY]` or "a Fortune 500 retailer" / "a mid-market SaaS" |
-| Customer contact name | `[CONTACT_NAME]` |
-| Customer logo | omit — request approval separately |
-| Direct quote | paraphrase as `[PARAPHRASED_QUOTE]` |
-| Specific metrics tied to one customer | round / range (e.g., "≈40% faster") |
-
-## Example
-
-**Input (no consent cited):** *"Write a LinkedIn post about how Acme Corp cut their close time by 47%"*
-
-**Right output:**
-> One of our mid-market SaaS customers cut their close time by ≈45% in the first quarter. Here's how the workflow shift played out…
-
-## See also
-
-- `skill:privacy-review` — consent shape audit.
-- `domain-safety-disclaimer-consulting` — when claims carry advisory weight.

package/.agent-src/rules/domain-safety-pii-recruiting.md

@@ -1,56 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Drafting candidate notes, interview scorecards, rejection emails, or hiring memos — redact candidate PII before output"
-source: package
-triggers:
-  - keyword: "candidate"
-  - keyword: "interview notes"
-  - keyword: "scorecard"
-  - keyword: "rejection email"
-  - keyword: "offer letter"
-  - keyword: "hiring memo"
-  - phrase: "draft feedback for"
-routes_to:
-  - "skill:privacy-review"
-applies_to_user_types:
-  - "recruiting"
-  - "hr"
----
-
-# Domain Safety — PII Redaction (Recruiting)
-
-## Iron Law
-
-```
-CANDIDATE PII NEVER LEAVES THE ATS BOUNDARY VIA AN AI-DRAFTED ARTIFACT.
-SCORECARDS, REJECTION EMAILS, AND HIRING MEMOS USE PLACEHOLDERS.
-```
-
-Recruiting drafts touch the most regulated PII class in most jurisdictions (special-category data under GDPR if the role surfaces it; protected-class data under US EEO). Redact candidate identity, demographic markers, and current-employer context before drafting. Only the hiring manager handles raw values inside the ATS.
-
-## Redaction map
-
-| Class | Placeholder |
-|---|---|
-| Candidate full name | `[CANDIDATE_NAME]` |
-| Candidate email | `[CANDIDATE_EMAIL]` |
-| Current employer | `[CURRENT_EMPLOYER]` |
-| University / alma mater | `[UNIVERSITY]` |
-| Demographic markers (age, gender, ethnicity, family status) | omit entirely — never echo |
-| Salary expectation | `[COMP_TARGET]` |
-| Personal phone | `[PHONE]` |
-
-## Example
-
-**Input:** *"Draft rejection for Sarah Chen, currently at Google, Stanford BS CS"*
-
-**Right output (template):**
-> Dear [CANDIDATE_NAME], thank you for interviewing for [ROLE]. After careful consideration we have decided to move forward with other candidates…
-
-Never include current employer, education, or any demographic marker in the drafted artifact — they belong in the ATS record, not in the email body.
-
-## See also
-
-- `skill:privacy-review` — EEO + GDPR special-category read.
-- `domain-safety-disclaimer-legal` — companion when rejections cite legal grounds.

package/.agent-src/rules/domain-safety-pii-support.md

@@ -1,57 +0,0 @@
----
-type: "auto"
-tier: "2a"
-description: "Generating support macros, ticket responses, or help-desk drafts — redact customer PII before output (names, emails, phones, account IDs, addresses)"
-source: package
-triggers:
-  - keyword: "support macro"
-  - keyword: "ticket response"
-  - keyword: "help desk"
-  - keyword: "customer reply"
-  - keyword: "Zendesk"
-  - keyword: "Intercom"
-  - phrase: "draft a response to"
-routes_to:
-  - "skill:privacy-review"
-applies_to_user_types:
-  - "support"
-  - "gtm"
----
-
-# Domain Safety — PII Redaction (Support)
-
-## Iron Law
-
-```
-NO REAL CUSTOMER PII IN ANY SUPPORT-DRAFT OUTPUT.
-REDACT BEFORE GENERATING. PLACEHOLDERS ONLY.
-```
-
-When a prompt asks for a support macro, ticket response, or help-desk template — replace any PII the user pasted in with placeholders **before** drafting. Never echo a real customer name, email, phone number, or account ID into the response template.
-
-## Redaction map
-
-| Class | Placeholder |
-|---|---|
-| Full name | `[CUSTOMER_NAME]` |
-| First name only | `[FIRST_NAME]` |
-| Email | `[EMAIL]` |
-| Phone | `[PHONE]` |
-| Account / order ID | `[ACCOUNT_ID]` / `[ORDER_ID]` |
-| Postal address | `[ADDRESS]` |
-| IBAN / card last-4 | `[PAYMENT_DETAILS]` |
-
-## Example
-
-**Input:** *"Draft macro for refund from john.doe@example.com order #A-9921"*
-
-**Wrong output:**
-> Hi John, your refund for order A-9921 has been processed…
-
-**Right output:**
-> Hi [FIRST_NAME], your refund for order [ORDER_ID] has been processed…
-
-## See also
-
-- `skill:privacy-review` — regulatory-regime read (GDPR / CCPA).
-- `domain-safety-logging-pii-floor` — companion rule for never logging raw PII.