Core

Compliance Non-Negotiables

Enrollment status transitions, certificate issuance rules, and credential handling

Enrollment status

Never update enrollments.status directly.
All transitions must pass through centralized transition validation.
Transition service entrypoint: src/lib/compliance/transition-enrollment.ts
CI guardrail command: npm run ops:verify-enrollment-status-writes
Transition test command: npm run test:compliance
invited -> enrolled now requires:
- a recorded disclosure acknowledgment (audit_logs.action = enrollment.disclosure_acknowledged)
- identity data present on the linked client (date_of_birth + 4-digit ssn_last_four)
- payment confirmation or waiver:
  - enrollments.has_fee_waiver = true, or
  - latest course payment record has payments.status = succeeded

Certificate issuance

Certificates cannot be withheld for non-payment.
Completion-based issuance only.

Credential handling

Provider credentials must be encrypted at rest.
Decrypt only in worker execution scope.
Never log plaintext credentials.

See root compliance-engine-spec.md for full requirements.

Authentication

Better Auth setup, environment variables, invites, and dashboard gating

Product Scope (MVP)

In-scope and out-of-scope features for the initial release

On this page

Enrollment status Certificate issuance Credential handling