When building data enrichment or assistant features, treat customer and personal data as high-risk.
Rules
Never paste real names, emails, phone numbers, or identifiers into agent prompts or commit messages
Use synthetic fixtures in examples and tests
Redact PII in logs, error reports, and session transcripts
Scope data access by organization or tenant — never return cross-tenant rows
Validate all external payloads with Zod (or equivalent) before persistence
Document lawful basis and retention only in internal compliance docs — keep code comments technical
AI session hygiene
Do not attach production database dumps to agent context
Prefer aggregated or anonymized samples for debugging
If uncertain whether data is sensitive, treat it as sensitive
Raw content
Copy into your project — e.g. .instructions.md, .agent.md, or SKILL.md
## Overview
When building data enrichment or assistant features, treat customer and personal data as high-risk.
## Rules
- Never paste real names, emails, phone numbers, or identifiers into agent prompts or commit messages
- Use synthetic fixtures in examples and tests
- Redact PII in logs, error reports, and session transcripts
- Scope data access by organization or tenant — never return cross-tenant rows
- Validate all external payloads with Zod (or equivalent) before persistence
- Document lawful basis and retention only in internal compliance docs — keep code comments technical
## AI session hygiene
- Do not attach production database dumps to agent context
- Prefer aggregated or anonymized samples for debugging
- If uncertain whether data is sensitive, treat it as sensitive