The regulation in my build pipeline
Regulatory compliance decays exactly like any other written rule. The durable fix is the same: turn it into an automated check.
- Tariff refunds are “customs business” — regulated under Section 1641 of the Tariff Act, with strict limits on what an unlicensed company may do and even say.
- A compliance audit of my own site found 18 violations: 12 high, 6 medium — promises only a licensed broker may make, in copy I'd written myself.
- Fixing the copy across 17 files wasn't the end. The forbidden phrases went into a denylist the build greps on every change, so a flagged phrase fails the build before it can ship — everywhere the gate looks.
- Bonus lesson: the product pivot itself quietly introduced six new violations — copy drifts toward whatever the feature wants to promise.
TariffRefunded helps small importers recover tariffs they overpaid. That puts it inside one of the oldest regulated perimeters in U.S. commerce: under Section 1641 of the Tariff Act (19 U.S.C. §1641, the law that licenses customs brokers), "customs business" may only be conducted — and in places only even offered — by a licensed broker. For an unlicensed software company the rule reaches all the way down to word choice. "We file your claim" is a violation. "We prepare data you can use to file" is not.
The audit
So I graded my own site the way an examiner would: every page, every button, every email, against what the statute permits. The result: twelve high-severity and six medium-severity violations — eighteen in total — in copy I had written and reviewed myself. Phrasings like "we produce your CBP-format declaration" read as completely ordinary marketing and are precisely what an unlicensed party may not say. Remediation touched seventeen files.
And if this build register has a recurring villain, you already know it: a one-time fix of a recurring class of mistake is just a scheduled recurrence. Every future feature, every AI-drafted line of marketing copy, was a fresh chance to re-violate.
Compliance as a build check
So the audit's output became infrastructure. The eight forbidden phrasings went into a denylist (.claude/config/1641-denylist.txt) that the pre-PR gate greps for on every change, and a match blocks the build. It's a two-stage grep: flag the phrase, then exempt any line carrying an inline 1641-ok: <reason> comment — so a deliberate, justified use passes while an accidental one can't. About ten files carry such suppressions today. Same treatment I give any defect class that has recurred once: stop documenting the rule, start enforcing it.
"We file your claim.""We prepare data you can use to file."the gateEight phrases like the top one live in a denylist the build greps on every change; a match fails the build unless the line carries an inline 1641-ok: <reason> suppression. Only a licensed broker may say the first line — so from the pages the gate covers, that copy can't ship.
The follow-up audit proved the point in both directions. The original eighteen: fixed, and held. But the product pivot that happened in between had quietly introduced six new promissory violations — features offering to "connect you with our broker partner" before any partner existed. Copy drifts toward whatever the feature wants to promise. That's not carelessness; it's gravity. Gravity is what gates are for.
A gate is also only as good as the ground it covers. Mine greps the marketing and landing pages — where the promissory copy almost always lives — not every component in the app, and the same follow-up audit found the blind spot: one line deeper in the interface, offering to "connect you with" a licensed broker, sat just outside the gate's scope with no suppression, exactly where the grep never looked. "A violation can't ship" is only ever true of the paths you point the check at. Naming that limit is the honest version of the claim — and the next move is obvious: widen the scope until the blind spot is gone.
Why the binder model fails
In fifteen years of security consulting I watched organizations treat compliance as a binder: audit, remediate, attest, decay, repeat. The binder fails for the same reason a prose style guide fails — writing a rule down enforces nothing. The move that actually works is converting the regulatory constraint into the same machinery that enforces the engineering ones: a check that runs on every change, written once and forgotten never.
If a rule matters enough to audit, it matters enough to automate.