Changelog

All notable changes to this project are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Planned next

US-focused build-out (per the venture's targeted-customer scope):

• Coverage expansion across remaining US federal regulators (DOL on AI in workforce programs; OCC banking supervisory AI when the agencies' promised RFI / final rule on generative + agentic AI lands — SR 26-2 / OCC Bulletin 2026-29 explicitly carves AI out of scope as of April 2026 and signals a forthcoming RFI).
• More US state laws — CT and VA consumer-privacy AI overlays; NY SHIELD-Act AI provisions; additional NYDFS Industry Letters as they are issued; ongoing CA additions as new bills sign.
• Sector-specific guides on NIST AI RMF healthcare and financial-services profiles.
• Cal Leg Info as a third watcher source for catching new CA AI bills before they're added to the corpus.

Completed since prior changelog versions: HUD AI in housing (both tenant-screening and digital-advertising — paired May 2, 2024 FHEO guidance) shipped in 0.7.15 + 0.7.17. NYDFS Insurance Circular Letter No. 7 (2024) shipped in 0.7.16 (state-level financial-services AI depth).

The bundled corpus also includes EU AI Act Article 50 and GDPR Article 22 — those stay maintained for US customers with EU operations, but the active build-out is US-focused.

Distribution

Distribution is npm-only. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is helpfulbutton140@agentmail.to (see docs/CONTRIBUTING.md, docs/SECURITY.md).

[0.7.17] — 2026-05-09

Added (HUD FHEO digital-advertising AI rule + 16th SEO guide; completes the May 2024 HUD AI cluster)

• New rule us-hud-fheo-ai-housing-advertising-2024 in the bundled corpus. Codifies the second of HUD's two May 2, 2024 FHEO guidance documents — "Guidance on Application of the Fair Housing Act to the Advertising of Housing, Credit, and Other Real Estate-Related Transactions through Digital Platforms" — addressing AI / algorithmic systems used by digital platforms to target housing-related advertising. Statutory framework is Fair Housing Act § 3604(c), § 3605, § 3614, § 3617 plus the disparate-impact rule at 24 CFR § 100.500. Reaches both digital advertising platforms AND housing advertisers, with parallel obligation sets. Five required elements: (1) no protected-class proxies in targeting algorithms; (2) audience-segmentation disparate-impact testing under the three-step framework; (3) advertiser targeting controls (housing-ad detection + restricted-targeting workflow + advertiser disclosure); (4) ad-content moderation for protected-class language under § 3604(c); (5) advertiser-side targeting liability — vendor / platform automation is not a defense. Channels: ai-generated-content + email-marketing; use case: housing; severity: mandatory.
• New builder's guide: HUD FHEO AI housing advertising. Covers platform-side and advertiser-side obligations, common failure patterns (lookalike-audience without seed audit; missed housing-ad detection; AI-generated creative slipping moderation; cross-platform identity-graph proxies; no audit cadence), stacks with FTC § 5 + state advertising laws + 2022 Meta-DOJ settlement framework, sample plain- and formal-language disclosures for both platforms and advertisers. 16th guide in the corpus and the second housing-vertical guide.
• Corpus count: 27 rules across 11 jurisdictions; housing vertical now has 2 rules (tenant-screening + advertising) — completes the May 2024 HUD AI cluster.
• Package keywords already include hud, fair-housing-act; this rule reuses the same keyword set.

Tests

• 74/74 passing (no test-shape changes; new rule validates against the existing schema).

[0.7.16] — 2026-05-09

Added (NYDFS Circular Letter No. 7 (2024) AI insurance underwriting rule + 15th SEO guide; opens insurance vertical at state-financial-services depth)

• New rule us-ny-dfs-ai-insurance-underwriting-2024 in the bundled corpus. Codifies NYDFS Insurance Circular Letter No. 7 (2024), adopted July 11, 2024, applying N.Y. Insurance Law §§ 2606, 2616, 4224 (anti-unfair-discrimination) and Articles 24, 26, 43, 45 to Artificial Intelligence Systems (AIS) and External Consumer Data and Information Sources (ECDIS) used in insurance underwriting and pricing. Five required elements: (1) lifecycle documentation under 11 NYCRR 243; (2) three-step disparate-impact testing (detect → identify rationale → less-discriminatory alternative); (3) board / senior-management governance with cross-functional management committee + annual training; (4) third-party vendor oversight with NYDFS audit-cooperation, insurer audit rights, remediation SLAs; (5) consumer notice with specific reasons within 15 days + data-accuracy review process. Channels: ai-generated-content + about-page; use case: financial-services; severity: mandatory.
• New builder's guide: NYDFS Insurance Circular Letter No. 7 (2024). Covers the AIS / ECDIS definitions, the five required elements, common audit failure patterns (vendor-supplied model with no insurer documentation; one-time pre-deployment test only; generic adverse-action notice; cross-functional committee in name only; missing less-discriminatory-alternative analysis), stacks with NAIC AI Model Bulletin + FCRA + CFPB Circular 2023-03 + 23 NYCRR 500 + HIPAA, sample plain- and formal-language adverse-action notices. 15th guide in the corpus.
• Corpus count: 26 rules across 11 jurisdictions; us-ny gains its 4th rule (alongside the bot disclosure, AI companion models, and NYC LL 144 entries).
• Package keywords add nydfs, insurance, underwriting.

Tests

• 74/74 passing (no test-shape changes; new rule validates against the existing schema).

[0.7.15] — 2026-05-09

Added (HUD FHEO AI tenant-screening rule + 14th SEO guide; opens housing vertical)

• New rule us-hud-fheo-ai-tenant-screening-2024 in the bundled corpus. Codifies the U.S. Department of Housing and Urban Development Office of Fair Housing and Equal Opportunity (HUD/OFHEO) guidance dated May 2, 2024 — that the Fair Housing Act's disparate-impact framework (codified at 24 CFR § 100.500) applies to AI / algorithmic tenant-screening decisions exactly as it applies to human decisions. Five required elements: individualized assessment of any adverse decision; disclosure of the tool, data sources, and prediction targets; 30-day dispute-and-correction process; ongoing monitoring for less-discriminatory alternatives; no-vendor-delegation of FHA responsibility. Channels: ai-generated-content + about-page; use case: housing (new); severity: mandatory.
• New housing use_case added to the UseCase enum. First housing-vertical rule in the corpus; the use_case is now available for future HUD, mortgage-AI, and prop-tech rules.
• New builder's guide: HUD FHEO AI tenant screening. Covers the rule's scope, the five compliance elements, common audit failure patterns (auto-action on tool output; generic "automated decisioning" notices; vendor-said-it-was-fair defense; long-lookback criminal screening), stacks with FCRA + CFPB Circular 2023-03 + state tenant-screening laws + state fair-housing statutes + Section 504, sample plain- and formal-language adverse-action notices. 14th guide in the corpus.
• Corpus count: 25 rules across 11 jurisdictions (federal-US gains a new vertical).
• Package keywords add hud, fair-housing-act, tenant-screening.

Tests

• 74/74 passing (no test-shape changes; new rule + new enum entry validate against the existing schema; matrix-counts test correctly tracks the new column).

[0.7.14] — 2026-05-09

Added (README — hosted Pro tier disclosure)

• README documents the hosted Pro tier endpoints (/v1/audit + /v1/watch). The npm-published README now describes the multi-surface audit endpoint, the rule-change subscription endpoint (rule_id, surface, or hybrid), and the pre-launch trial-key offer for the waitlist. No package code changes — pure user-facing documentation refresh on the highest-traffic dev surface plainstamp has.

Tests

• 74/74 passing (no behavior change).

[0.7.13] — 2026-05-09

Added (CMS Medicare Advantage AI rule + 13th SEO guide)

• New rule us-cms-medicare-advantage-ai-prior-auth-2024 in the bundled corpus. Codifies the Centers for Medicare & Medicaid Services position from CMS-4201-F final rule (88 Fed. Reg. 22120, April 5, 2023) and the operative CMS public FAQ released February 6, 2024 — that algorithms / AI may assist in MA coverage and prior-authorization determinations but cannot, by themselves, deny or terminate coverage; each adverse determination must rest on an individualized clinical assessment by a qualified clinician against Medicare coverage criteria. Five required elements: individualized assessment, coverage-criteria compliance, adverse-determination notice with clinician review, plan-level transparency, preserved appeal rights. Channels: ai-generated-content + about-page; use case: healthcare; severity: mandatory.
• New builder's guide: CMS Medicare Advantage — algorithms / AI in coverage and prior-authorization decisions. Covers the rule's scope (every MA plan and delegated UM vendor), the five compliance elements, common audit failure patterns (rubber-stamp clinician review; algorithm trained on historical denial data; LOS hard-coding), stacks with HHS Section 1557 + FDA PCCP + CA SB 1120 + HIPAA + FCA, and sample plain- and formal-language member disclosures. 13th guide in the corpus.
• Landing page surfaces the new rule + guide under Healthcare AI vertical, increments corpus count to 24 rules across 11 jurisdictions.
• Package keywords add cms and medicare-advantage.

Tests

• 74/74 passing (no test-shape changes; new rule validates against the existing schema).

[0.7.12] — 2026-05-09

Added (staleness audit)

• New auditFreshness(rules, now?) exported from package root. Computes the freshness band for every rule, returns a StalenessAuditReport with counts (fresh_count / stale_count / critically_stale_count), a needs_attention list (stale + critically_stale, sorted oldest-first), and a full all_entries list. Pure function, deterministic for any (rules, now) pair.
• New CLI subcommand: plainstamp staleness-audit [--format json|text]. Default text output groups stale/critically-stale rules and prints a human-readable summary. Returns exit code 1 when any rule is critically stale (useful for CI / pre-deploy gates), 0 otherwise.
• StalenessAuditEntry and StalenessAuditReport types exported.

Tests

• 74/74 passing (72 baseline + 2 new — bucket counts + sorting; empty needs_attention when all fresh).

[0.7.11] — 2026-05-09

Added (last_verified freshness band on lookup results)

• Lookup results now include a freshness field with status (fresh / stale / critically_stale), days_since_verified, and the rule's last_verified date. Bands: < 90 days fresh, 90–180 days stale, > 180 days critically_stale. Computed against the current date by default; lastVerifiedFreshness(rule, now?) exported for deterministic use in tests / scheduled jobs.
• FreshnessT type and lastVerifiedFreshness exported from the package root.
• CLI lookup --format text renders the freshness band inline (e.g. last verified: 2026-05-08 (1 day ago — FRESH)).

Added (--severity filter on CLI lookup)

• plainstamp lookup now accepts --severity mandatory|recommended|best-practice to filter the result set. Common production query: --severity mandatory answers "what MUST I disclose?"

Tests

• 72/72 passing (66 baseline + 6 new — freshness bands at boundaries, future-date clamping, lookup integration).

[0.7.10] — 2026-05-09

Improved (CLI human-readable output)

• plainstamp lookup and plainstamp validate now accept --format json|text. Default is json (unchanged from previous releases — no breaking change for existing pipelines that grep / jq the output). --format text renders a human-readable summary: severity, jurisdiction, citation, source URL, last-verified date, and a trimmed plain-language disclosure for lookup; per-element confidence band and matched signals for validate.
• README updated to show the --format text example.

[0.7.9] — 2026-05-09

Improved (validate-disclosure precision)

• validateDisclosure now matches signals at word boundaries instead of as substrings — fixes a false-positive class where, for example, "preconsenting" matched the signal "consent". Tokens in the candidate are split on non-word characters; signals must appear as whole tokens.
• Returns a new elements field with per-element detail: element_id, found, confidence (high | medium | missing), and matched_signals (the tokens that matched). Confidence bands:
  • high: an id-derived signal matched, OR ≥ 2 body-derived signals matched.
  • medium: exactly 1 body-derived signal matched.
  • missing: no signals matched.
• The existing passes and missing_elements fields are unchanged (backwards-compatible). Callers that want richer detail can read elements; callers that don't can continue treating the report as a binary check.
• Tests: 66/66 passing (63 baseline + 3 new — word-boundary, confidence reporting, missing-confidence on signal-free input).

[0.7.8] — 2026-05-09

Documentation

• README adds a "Builder's guides" section above the rule corpus listing, organized by compliance vertical (financial services, healthcare, employment, voice agent, EU, state-specific). Twelve long-form guides linked, each grounded in regulator-published source text. The guides index also lives at https://plainstamp.pages.dev/guides/.
• No code changes; npm publish refreshes the README rendered on npmjs.com.

[0.7.7] — 2026-05-09

Fixed (URL-monitor stabilization, round 3 — JSF random ids)

• normalizeForHash now strips JSF random element ids: id="s\d+\.<random>" (CA leginfo's billNavClient/billTextClient pages emit per-request random decimal suffixes on s10.<num>-style section ids) and id="j_id<digits-or-underscores>(:<segments>)*" (JSF auto-generated structural ids).
• Tests: 63/63 passing (added 2 new normalization tests targeting the JSF id patterns).

[0.7.6] — 2026-05-09

Fixed (URL-monitor stabilization, round 2)

• normalizeForHash now strips three additional dynamic-content patterns surfaced by live-fetch verification against bundled regulator citation URLs:
  • JSF javax.faces.ViewState hidden inputs — California's leginfo.legislature.ca.gov is a JSF app and emits a per-request encrypted ViewState blob.
  • CSRF / session-token meta tags — Rails-style <meta name="csrf-token" content="…"/> (Colorado's leg.colorado.gov and others). Now matched alongside requestverification, session-id, api-token, ws-token.
  • Cloudflare email-protection rotating fragments — /cdn-cgi/l/email-protection#<hex> (FINRA and others). The rotating hex fragment after # is stripped; the protection-link path is preserved. The data-cfemail attribute value is also stripped (added to the existing data-(?:csrf|token|nonce|build|version|cfemail) family).
• Tests: 61/61 passing (added 3 new normalization tests targeting the three patterns above).

[0.7.5] — 2026-05-09

Fixed (URL-monitor source stabilization)

• urlMonitorSource now hashes a normalized version of the page body via the new normalizeForHash(html) helper, instead of the raw response. The normalization strips dynamic per-fetch markers that were causing false positives in the daily watcher cron: <script> and <style> blocks (nonces, build hashes, telemetry); HTML comments (often timestamps); CSRF / authenticity / _token / requestverification hidden inputs; inline nonce, integrity, data-csrf, data-token, data-nonce, data-build, and data-version attribute values; timestamp-bearing <meta> tags (og:updated_time, last-modified, revised, build-time, generated-at, page-date); whitespace runs collapsed.
• Two fetches of the same regulator-published page now hash identically as long as the substantive text and structure are unchanged.
• Article.extra now also carries normalized_length alongside content_hash and content_length for audit.
• New export from package root: normalizeForHash.
• Tests: 58/58 passing (added 7 normalization-stability tests).

[0.7.4] — 2026-05-08

Fixed (root re-exports for watcher API)

• Re-export the watcher's public surface (diffArticles, runWatcher, runWatcherWithStore, readState, writeState, fsStateStore, memoryStateStore, source factories, and the Article / Source / RunReport / SourceRunReport / StateStore / WatcherState types) from the package root. Previously these were only available via the deep plainstamp/dist/watcher/index.js import path, which broke type resolution in some consumers (notably the plainstamp-cf-worker Cloudflare Workers package). Now import { runWatcherWithStore, type StateStore } from "plainstamp" works.

[0.7.3] — 2026-05-08

Added (cross-runtime watcher)

• New StateStore interface on the watcher module: read() and write(state). Allows the rule-update watcher to run in environments without a filesystem (Cloudflare Workers, Deno Deploy, browsers).
• New runWatcherWithStore({ sources, stateStore, dryRun? }) entry point alongside the existing runWatcher({ sources, statePath, dryRun? }). The fs-path version remains and is now a thin shim over the abstract version.
• New fsStateStore(path) and memoryStateStore(initial?) factory helpers exported from the watcher module.
• All five new exports are re-exported from the package root.

Internal

• runWatcher is unchanged from a caller's perspective; the shim preserves the existing CLI behavior. No tests changed; full 51-test suite still passing.

[0.7.2] — 2026-05-08

Documentation

• README now features the hosted MCP Streamable-HTTP endpoint at https://plainstamp.helpfulbutton140.workers.dev/mcp — no install required for clients that prefer the hosted transport.
• README documents the parallel JSON-over-HTTP API on the same Worker (/jurisdictions, /rules, /lookup, /validate) for clients that don't speak MCP.
• Coverage table refreshed against the live 23-rule corpus and reorganized by jurisdiction tier (federal / state / city / EU). Federal additions now visible in README: EEOC, CFPB, FINRA, HHS Section 1557, FDA PCCP, FCC TCPA. State additions: SB 1120, Tennessee ELVIS Act. EU: GDPR Article 22.

No code changes; npm publish refreshes the README rendered on npmjs.com.

[0.7.1] — 2026-05-08

Fixed (cross-runtime compatibility)

• New setBundledRules(parsed) export: allows non-Node consumers (Cloudflare Workers, Deno Deploy, browsers) to pre-load the bundled rules object explicitly, avoiding the node:fs + import.meta.url path that fails in those environments. The recommended pattern is to import the JSON directly: import rulesJson from "plainstamp/rules/seed.json"; setBundledRules(rulesJson);. Once the override is set, all of disclosuresFor, executeMcpTool, getRuleById, listJurisdictions, etc. work unchanged.
• The Node fs path is unchanged for Node consumers; this is a strictly additive fix.

[0.7.0] — 2026-05-08

Added (transport-independent MCP tool module)

• New module src/mcp-tools.ts exporting mcpTools (the tool descriptors) and executeMcpTool(name, args) (the dispatcher). Both are now public API exports from the package root. Purpose: when the Cloudflare Workers cf-worker binds an MCP Streamable HTTP transport in Phase 4 of <autobiz>/ops/cloudflare/CLOUDFLARE_DEPLOY.md, it imports the same tool list and dispatcher used by the existing stdio transport. No drift between transports.
• mcp-server.ts (the stdio transport) is now a thin wrapper around mcpTools and executeMcpTool. Behavior is unchanged for stdio clients.
• Tests still 51/51 passing. Rule count unchanged at 23.

[0.6.0] — 2026-05-08

Added

• FCC Declaratory Ruling on AI-generated voice in robocalls (CG Docket No. 23-362, FCC 24-17, released February 8, 2024). Confirms that AI-generated voice clones and AI-synthesized voices used in calls to consumers are "artificial or prerecorded voices" within the meaning of the Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227) and the Commission's implementing rules at 47 CFR § 64.1200. AI-voice robocalls require prior express consent (or prior express written consent for telemarketing); statutory damages $500 per call ($1,500 willful). Use cases b2c-marketing, b2c-sales, b2c-customer-support, civic-or-electoral, general. Channel voice. Severity mandatory.
• Runtime Zod schema exports: Channel, UseCase, Severity, JurisdictionId, LookupQuery, DisclosureElement, DisclosureRule, RuleSet are now exported from the package root (previously only the corresponding TypeScript types were exported). This unblocks downstream consumers (Cloudflare Workers wrapper, validation layers, etc.) from re-implementing the validators.
• Rule count 22 → 23. Tests still 51/51 passing.

Sibling project (not bundled in npm)

• cf-worker/ — Cloudflare Workers HTTP wrapper that exposes the plainstamp lookup engine over JSON-over-HTTP. Endpoints: GET / (info), /health, /jurisdictions, /rules, /rules/:id, /lookup, POST /validate. Scaffold only in this release (deploy in next iteration). Plan doc at <autobiz>/ops/cloudflare/CLOUDFLARE_DEPLOY.md. The cf-worker depends on plainstamp@^0.6.0 (this release).

[0.5.0] — 2026-05-08

Added

• FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions — Final Guidance (December 4, 2024). Codified into the FD&C Act at § 515C (21 U.S.C. § 360e-4) by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328). Manufacturers of AI/ML-enabled medical devices may include a PCCP in their authorized 510(k) / De Novo / PMA marketing submission, comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment; PCCP-conforming modifications may then be implemented without a new submission. Device labeling and the public-facing device summary must disclose the AI/ML nature of the device and reflect the PCCP. Use case healthcare. Severity mandatory.
• Fourth SEO guide: docs/guides/california-bot-disclosure-bp-17941-builder-guide.md — comprehensive coverage of California's B.O.T. Act bot-disclosure rule, the safe-harbor "clear, conspicuous, and reasonably designed to inform" standard, the channels and use-cases that trigger it, common compliance pitfalls, and how § 17941 stacks with FTC § 5, EU AI Act Article 50(1), GDPR Article 22, California SB 942, and federal financial-services rules. Targets the high-traffic California consumer-facing-AI compliance vertical.
• Rule count 21 → 22. Tests still 51/51 passing.

[0.4.0] — 2026-05-08

Added

• California SB 1120 — Physicians Make Decisions Act (Senate Bill 1120, signed September 28, 2024; effective January 1, 2025). Amends California Health and Safety Code § 1367.01 and Insurance Code § 10123.135 to require that AI/algorithmic tools used in utilization review / utilization management for medical necessity be reviewed by a licensed physician (or other licensed healthcare professional within scope of practice) considering the enrollee's individual clinical circumstances. Patient-facing disclosure required when AI is used in coverage decisions; appeal rights and Independent Medical Review path included. Use cases healthcare and financial-services. Severity mandatory.
• Third SEO guide: docs/guides/nyc-local-law-144-aedt-builder-guide.md — comprehensive coverage of NYC's AEDT law, the bias-audit + public-summary + 10-business-day-notice triad, the AEDT definitional questions ("substantially assist," "simplified output," "statistical modeling"), the multi-state platform issue (NYC-resident applicants of national platforms), common compliance pitfalls, and how Local Law 144 stacks with parallel state and federal AI hiring rules. Targets the highly active employment-AI compliance vertical.
• Rule count 20 → 21. Tests still 51/51 passing.

[0.3.0] — 2026-05-08

Added

• HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (45 CFR § 92.210, May 6, 2024 final rule). Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, HHS-administered programs) must identify uses of AI/ML clinical decision-support tools and make reasonable efforts to mitigate algorithmic discrimination. Compliance deadline May 1, 2025 — now in effect and enforceable. Use case healthcare.
• Second SEO guide: docs/guides/colorado-ai-act-sb-24-205-builder-guide.md — long-form coverage of Colorado's comprehensive AI Act, the high-risk AI system definition, deployer/developer obligations, the consumer-disclosure components, the June 30, 2026 deadline, and how SB 24-205 stacks with parallel state and federal AI rules. Targets the high-traffic Colorado-compliance search vertical (deadline pressure + uncertainty about scope).
• Rule count 19 → 20. Tests still 51/51 passing.

[0.2.0] — 2026-05-08

Added

• FINRA Regulatory Notice 24-09 — AI in customer communications. Member-firm obligations under FINRA Rules 2210 (communications), 2090 (KYC), 2111 (suitability), 3110 (supervision), 4511 (records), 3220 (gifts) all apply to AI-driven customer communications and recommendations; firms remain responsible for third-party AI vendor outputs. Use case financial-services. Issued 2024-06-27.
• New SEO-leaning guide: docs/guides/eu-ai-act-article-50-chatbot-disclosure.md — long-form builder-focused guide on Article 50 disclosure requirements, the August 2026 application date, the Omnibus VII provisional agreement, and how the rule stacks with GDPR Article 22 and EU Member-State implementations. Ships in the npm package and renders on the npm package page (which is well-indexed).
• Package files array now includes docs/guides so SEO-leaning content ships with the published artifact.
• Keywords expanded: gdpr, finra, cfpb, eeoc, regtech added to support discovery via npm search and search-engine indexing of the npm package page.
• Rule count 18 → 19. Tests still 51/51 passing.

[0.1.0] — 2026-05-08

Added

• Federal EEOC technical assistance on AI in employment selection procedures (Title VII / Uniform Guidelines, May 18, 2023). Severity recommended — the disclosure itself is best practice; the underlying disparate-impact obligation is binding. Federal floor for any AI hiring tool used in the U.S.; layers under stricter state mandates (IL HB 3773, NYC Local Law 144, CO SB 24-205).
• EU GDPR Article 22 — automated decision-making rights. Right to not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects; right to human intervention, point-of-view expression, and contestation; controllers must provide meaningful information about logic, significance, and envisaged consequences (Arts. 13(2)(f), 14(2)(g)). Spans employment-decisions, financial-services, healthcare, legal-services, general. Effective 2018-05-25; penalties up to €20M or 4% of turnover.
• Tennessee ELVIS Act — voice and likeness protection (HB 2091 / SB 2096, codified at Tenn. Code Ann. Title 47, Chapter 25, Part 11). Consent-based statute; published AI-synthesized voice or likeness requires written authorization from the individual or rights-holder. Channels ai-generated-audio, ai-generated-video, ai-generated-content. Use cases include b2c-marketing, b2b-marketing, civic-or-electoral, general. Effective 2024-07-01.
• CFPB Circular 2023-03 — adverse-action notices for AI/ML credit decisions under ECOA / Regulation B. Specific principal reasons must be provided per applicant; generic boilerplate codes are insufficient; if the AI/ML model cannot be explained well enough to identify the specific reasons that drove the decision in this applicant's case, the model likely cannot lawfully be used. Channel email-transactional + ai-generated-content; use case financial-services. Issued 2023-09-19; ongoing CFPB enforcement priority.
• Rule count 14 → 18. Jurisdictions 8 → 11 (added us-tn). Tests 51/51 passing.

Added since 0.0.1 (rolled into 0.1.0 history)

• Brand committed: working slug disclo retired in favor of plainstamp after a namespace availability check (github.com/disclo is taken by an unrelated $6.75M-funded HR/workforce SaaS).
• Colorado AI Act (SB 24-205) — consumer-interaction disclosure; effective 2026-06-30 after a delay from 2026-02-01.
• Utah AI Policy Act (SB 149) as amended by SB 226 (2025) and extended by SB 332 — GenAI disclosure in regulated occupations; trigger is "asked OR high-risk."
• Texas TRAIGA (HB 149) — government-agency AI disclosure (effective 2026-01-01).
• Texas TRAIGA (HB 149) — healthcare-provider AI disclosure (effective 2026-01-01).
• New York AI Companion Models law (NY GBL Art. 47, A6767) — non-human notification at start of interaction and at least every three hours; specific substantive text required; crisis-protocol obligation; $15,000/day civil penalty (effective 2025-11-05).
• Illinois Human Rights Act — AI in employment (HB 3773) — notice and substantive non-discrimination obligations when AI is used to influence or facilitate covered employment decisions (effective 2026-01-01). Adds new employment-decisions use case to the schema.
• Regulatory-update watcher prototype at src/watcher/ with the Federal Register source plugged in (Rules + Proposed Rules matching configurable search terms; defaults to "artificial intelligence", "automated decision", "algorithmic"). Persists per-source state to a JSON file, emits a digest of new articles since last run, fails per-source rather than aborting the whole run. Bin: plainstamp-watcher. 7 unit tests on the diff and orchestrator.
• NYC Local Law 144 (Administrative Code §§ 20-870 through 20-873) — AEDT bias-audit, public summary, and 10-business-days candidate notice. Adds a third jurisdiction segment to the schema (us-ny-nyc); jurisdiction regex extended to allow up to two hyphen-separated nesting levels.
• EU AI Act Article 50(2) rule notes updated with Omnibus VII context: 2026-05-07 provisional agreement reduces the transparency-solutions grace period from 6 months to 3 months (new compliance deadline 2026-12-02) and postpones AI regulatory sandbox deadlines to 2027-08-02. Re-verify before final adoption.
• California AB 2013 (Generative AI Training Data Transparency Act) — developers of generative AI systems made publicly available to Californians (including any system released on or after 2022-01-01) must post a high-level summary of training datasets on their website covering the 12 statute-enumerated categories. Effective 2026-01-01. Enforced via California's Unfair Competition Law. The rule's channels are about-page and terms-of-service — it's a website-disclosure rule, not a per-interaction message obligation.
• Maryland Labor & Employment § 3-717 (HB 1202, 2020) — facial-recognition services during pre-employment interviews require a written consent waiver from the applicant, with four required content elements (name, interview date, consent statement, read-acknowledgment). Effective 2020-10-01. Channel video-avatar + use case employment-decisions.
• Coverage matrix: plainstamp coverage (CLI) and computeCoverageMatrix / renderCoverageMarkdown / renderCoverageCsv (library) compute and render a jurisdiction × use-case rule-count matrix. Helps users see at-a-glance what plainstamp covers and where gaps are. Three output formats: markdown (default), csv, json (with rule_ids per cell).
• Rule count 5 → 14. Test count 13 → 51, all passing.

[0.0.1] — 2026-05-08

Initial Phase-0 release. Local-only build; not yet published to a public registry.

Added

• Rule schema (Zod) covering jurisdiction, channels, use cases, severity, required elements, citation, templates, effective date, and last-verified date.
• Bundled seed rules:
  • California bot disclosure (B&P § 17941).
  • EU AI Act Article 50(1) — chatbot disclosure.
  • EU AI Act Article 50(2) — AI-generated content labeling.
  • FTC fake reviews/testimonials (16 CFR Part 465).
  • California AI Transparency Act (SB 942).
• Lookup engine with parent-jurisdiction inheritance (a us-ca query also matches federal us rules) and general use-case matching.
• Heuristic disclosure validator (substring match against rule keywords; not a legal-sufficiency check).
• MCP server exposing five tools: list_jurisdictions, list_rules, get_rule, lookup_disclosure, validate_disclosure.
• CLI: plainstamp list-jurisdictions, plainstamp list-rules, plainstamp get-rule, plainstamp lookup, plainstamp validate.
• TypeScript library exporting disclosuresFor, validateDisclosureForQuery, getRuleById, listJurisdictions, plus the underlying schema types.
• 13/13 unit tests passing (Node native test runner). Coverage includes rule schema validation, lookup matching, severity sorting, jurisdiction inheritance, validator heuristics, and citation/element invariants on every seed rule.
• README, AI-DISCLOSURE, LICENSE (MIT).