compliance as code, not as prompt
There is a particular kind of platform mistake that doesn't show up in a unit test, doesn't trip a linter, and silently scales until a regulator notices. Compliance bypasses are that kind of mistake. We treat them like we treat SQL injection: not as a thing to be careful about, but as a thing the architecture refuses to do.
The function
Every outbound call passes through a single function: compliance.gate.check_compliance(phone_number, tenant_id, agent_id). It is the only path. The orchestrator's dispatch path imports it. The campaign engine imports it. The test harness imports it. There is no 'just dial this number for testing' shortcut.
```python
# compliance/gate.py — abridged
from uuid import UUID


async def check_compliance(
    phone: str,
    tenant_id: UUID,
    agent_id: UUID,
) -> ComplianceResult:
    e164 = normalize_to_e164(phone)
    timezone = derive_timezone(e164)

    # Each check raises ComplianceBlocked on failure;
    # caller catches and returns a typed reason to the
    # dispatcher. There is no "ignore=True" param.
    await check_dnc_registry(e164, tenant_id)
    await check_tcpa_hours(timezone)
    await check_tenant_dnc(e164, tenant_id)
    await check_consent(e164, tenant_id, agent_id)

    return ComplianceResult(
        e164=e164,
        timezone=timezone,
        required_disclosures=disclosures_for(e164),
    )
```
The required_disclosures field is what the pipeline factory reads to inject the AI disclosure on the first turn. Two-party consent states get an additional recording disclosure. The disclosure text is fixed; tenants cannot override it.
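One way to keep the "only path" property from eroding is a source-level check in CI. The sketch below is an added example, not the platform's own code: place_call is a hypothetical name for the dial primitive, the sample source is constructed, and the check is lexical (it does not prove the gate runs on every branch).

```python
import ast

GATE = "check_compliance"  # gate function named in the post
DIAL = "place_call"        # hypothetical name for the telephony dial primitive
GATE_PARAMS = ["phone", "tenant_id", "agent_id"]  # signature shown in the post
DEFS = (ast.FunctionDef, ast.AsyncFunctionDef)

def _name(call):  # trailing name of a call target: f(...) or pkg.mod.f(...)
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)

def _calls(scope):
    """Yield Call nodes in this scope, not descending into nested defs."""
    stack = list(ast.iter_child_nodes(scope))
    while stack:
        node = stack.pop()
        if isinstance(node, DEFS):
            continue  # a nested def is audited as its own scope
        if isinstance(node, ast.Call):
            yield node
        stack.extend(ast.iter_child_nodes(node))

def audit(source):
    """Return (line, reason) findings: dial calls with no earlier gate call in
    the same scope, and gate definitions whose signature could carry a bypass."""
    tree, findings = ast.parse(source), []
    defs = [n for n in ast.walk(tree) if isinstance(n, DEFS)]
    for scope in [tree] + defs:
        calls = list(_calls(scope))
        gated = [c.lineno for c in calls if _name(c) == GATE]
        for c in calls:
            if _name(c) == DIAL and not any(g < c.lineno for g in gated):
                findings.append((c.lineno, "dial without prior gate call"))
    for fn in defs:
        a = fn.args
        names = [p.arg for p in a.posonlyargs + a.args + a.kwonlyargs]
        if fn.name == GATE and (names != GATE_PARAMS or a.vararg or a.kwarg
                                or a.defaults or any(a.kw_defaults)):
            findings.append((fn.lineno, "gate signature allows extra or optional args"))
    return sorted(findings)

# Constructed sample: one gated dispatch path, one "testing" shortcut.
SAMPLE = '''
async def dispatch(phone, tenant_id, agent_id):
    result = await check_compliance(phone, tenant_id, agent_id)
    await place_call(result.e164)
async def dial_for_testing(phone):
    await place_call(phone)
'''
```

Run audit over every module in CI and fail the build on any finding; on SAMPLE it reports only the ungated call in dial_for_testing.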
The DNC lookup
We mirror the National DNC Registry to a partitioned Postgres table, refreshed daily from the FTC's reseller feed. Lookups are O(1) — partitioned by area code, indexed on the full E.164 number. The check adds about 8ms to dispatch.
Tenants also maintain their own per-account DNC list. Anyone who says "please don't call again" gets added by the agent's cs_end_call tool with reason='dnc_requested', which writes to the tenant DNC table inside the same transaction as the call's terminal status.
TCPA calling hours
8am to 9pm in the recipient's local timezone. The recipient's timezone is derived from the E.164 number using the phonenumbers library's geocoding tables. Mobile numbers complicate this — a 415 number could be physically anywhere — but the FCC's enforcement guidance treats area-code-derived timezone as a reasonable basis if you don't know otherwise. We log the assumption so an operator can override.
Why this is the architecture
TCPA violations are $500 to $1,500 per call, trebled to $1,500 to $4,500 for willful violations. There are documented cases of class actions for the entire calling list. The maximum FCC fine per knowingly-non-compliant outbound call has been over $43,000. A platform that lets a dispatcher "skip compliance for testing" is one bad day from the kind of penalty that does not have a settlement structure.
We will refuse to ship a feature that requires bypassing the gate. Several have been proposed. None have shipped. The gate is the product.