# Changelog

All notable changes to this project are documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Planned next

US-focused build-out (per the venture's targeted-customer scope):

- Coverage expansion across remaining US federal regulators (DOL on AI in workforce programs; OCC banking supervisory AI when the agencies' promised RFI / final rule on generative + agentic AI lands — SR 26-2 / OCC Bulletin 2026-29 explicitly carves AI out of scope as of April 2026 and signals a forthcoming RFI).
- More US state laws — CT and VA consumer-privacy AI overlays; NY SHIELD-Act AI provisions; additional NYDFS Industry Letters as they are issued; ongoing CA additions as new bills sign.
- Sector-specific guides on NIST AI RMF healthcare and financial-services profiles.
- Cal Leg Info as a third watcher source for catching new CA AI bills before they're added to the corpus.

**Completed since prior changelog versions:** HUD AI in housing (both tenant-screening and digital-advertising — paired May 2, 2024 FHEO guidance) shipped in 0.7.15 + 0.7.17. NYDFS Insurance Circular Letter No. 7 (2024) shipped in 0.7.16 (state-level financial-services AI depth).

The bundled corpus also includes EU AI Act Article 50 and GDPR Article 22 — those stay maintained for US customers with EU operations, but the active build-out is US-focused.

### Distribution

Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).

## [0.7.17] — 2026-05-09

### Added (HUD FHEO digital-advertising AI rule + 16th SEO guide; completes the May 2024 HUD AI cluster)

- **New rule `us-hud-fheo-ai-housing-advertising-2024`** in the bundled corpus. Codifies the second of HUD's two May 2, 2024 FHEO guidance documents — "Guidance on Application of the Fair Housing Act to the Advertising of Housing, Credit, and Other Real Estate-Related Transactions through Digital Platforms" — addressing AI / algorithmic systems used by digital platforms to target housing-related advertising. Statutory framework is Fair Housing Act § 3604(c), § 3605, § 3614, § 3617 plus the disparate-impact rule at 24 CFR § 100.500. Reaches both digital advertising platforms AND housing advertisers, with parallel obligation sets. Five required elements: (1) no protected-class proxies in targeting algorithms; (2) audience-segmentation disparate-impact testing under the three-step framework; (3) advertiser targeting controls (housing-ad detection + restricted-targeting workflow + advertiser disclosure); (4) ad-content moderation for protected-class language under § 3604(c); (5) advertiser-side targeting liability — vendor / platform automation is not a defense. Channels: ai-generated-content + email-marketing; use case: housing; severity: mandatory.
- **New builder's guide:** [HUD FHEO AI housing advertising](/guides/hud-fheo-ai-housing-advertising-builder-guide/). Covers platform-side and advertiser-side obligations, common failure patterns (lookalike-audience without seed audit; missed housing-ad detection; AI-generated creative slipping moderation; cross-platform identity-graph proxies; no audit cadence), stacks with FTC § 5 + state advertising laws + 2022 Meta-DOJ settlement framework, sample plain- and formal-language disclosures for both platforms and advertisers. 16th guide in the corpus and the second housing-vertical guide.
- Corpus count: 27 rules across 11 jurisdictions; housing vertical now has 2 rules (tenant-screening + advertising) — completes the May 2024 HUD AI cluster.
- Package keywords already include `hud`, `fair-housing-act`; this rule reuses the same keyword set.

### Tests

- 74/74 passing (no test-shape changes; new rule validates against the existing schema).

## [0.7.16] — 2026-05-09

### Added (NYDFS Circular Letter No. 7 (2024) AI insurance underwriting rule + 15th SEO guide; opens insurance vertical at state-financial-services depth)

- **New rule `us-ny-dfs-ai-insurance-underwriting-2024`** in the bundled corpus. Codifies NYDFS Insurance Circular Letter No. 7 (2024), adopted July 11, 2024, applying N.Y. Insurance Law §§ 2606, 2616, 4224 (anti-unfair-discrimination) and Articles 24, 26, 43, 45 to Artificial Intelligence Systems (AIS) and External Consumer Data and Information Sources (ECDIS) used in insurance underwriting and pricing. Five required elements: (1) lifecycle documentation under 11 NYCRR 243; (2) three-step disparate-impact testing (detect → identify rationale → less-discriminatory alternative); (3) board / senior-management governance with cross-functional management committee + annual training; (4) third-party vendor oversight with NYDFS audit-cooperation, insurer audit rights, remediation SLAs; (5) consumer notice with specific reasons within 15 days + data-accuracy review process. Channels: ai-generated-content + about-page; use case: financial-services; severity: mandatory.
- **New builder's guide:** [NYDFS Insurance Circular Letter No. 7 (2024)](/guides/nydfs-circular-letter-7-ai-insurance-builder-guide/). Covers the AIS / ECDIS definitions, the five required elements, common audit failure patterns (vendor-supplied model with no insurer documentation; one-time pre-deployment test only; generic adverse-action notice; cross-functional committee in name only; missing less-discriminatory-alternative analysis), stacks with NAIC AI Model Bulletin + FCRA + CFPB Circular 2023-03 + 23 NYCRR 500 + HIPAA, sample plain- and formal-language adverse-action notices. 15th guide in the corpus.
- Corpus count: 26 rules across 11 jurisdictions; us-ny gains its 4th rule (alongside the bot disclosure, AI companion models, and NYC LL 144 entries).
- Package keywords add `nydfs`, `insurance`, `underwriting`.

### Tests

- 74/74 passing (no test-shape changes; new rule validates against the existing schema).

## [0.7.15] — 2026-05-09

### Added (HUD FHEO AI tenant-screening rule + 14th SEO guide; opens housing vertical)

- **New rule `us-hud-fheo-ai-tenant-screening-2024`** in the bundled corpus. Codifies the U.S. Department of Housing and Urban Development Office of Fair Housing and Equal Opportunity (HUD/OFHEO) guidance dated May 2, 2024 — that the Fair Housing Act's disparate-impact framework (codified at 24 CFR § 100.500) applies to AI / algorithmic tenant-screening decisions exactly as it applies to human decisions. Five required elements: individualized assessment of any adverse decision; disclosure of the tool, data sources, and prediction targets; 30-day dispute-and-correction process; ongoing monitoring for less-discriminatory alternatives; no-vendor-delegation of FHA responsibility. Channels: ai-generated-content + about-page; use case: **housing** (new); severity: mandatory.
- **New `housing` use_case** added to the `UseCase` enum. First housing-vertical rule in the corpus; the use_case is now available for future HUD, mortgage-AI, and prop-tech rules.
- **New builder's guide:** [HUD FHEO AI tenant screening](/guides/hud-fheo-ai-tenant-screening-builder-guide/). Covers the rule's scope, the five compliance elements, common audit failure patterns (auto-action on tool output; generic "automated decisioning" notices; vendor-said-it-was-fair defense; long-lookback criminal screening), stacks with FCRA + CFPB Circular 2023-03 + state tenant-screening laws + state fair-housing statutes + Section 504, sample plain- and formal-language adverse-action notices. 14th guide in the corpus.
- Corpus count: 25 rules across 11 jurisdictions (federal-US gains a new vertical).
- Package keywords add `hud`, `fair-housing-act`, `tenant-screening`.

### Tests

- 74/74 passing (no test-shape changes; new rule + new enum entry validate against the existing schema; matrix-counts test correctly tracks the new column).

## [0.7.14] — 2026-05-09

### Added (README — hosted Pro tier disclosure)

- **README documents the hosted Pro tier endpoints (`/v1/audit` + `/v1/watch`).** The npm-published README now describes the multi-surface audit endpoint, the rule-change subscription endpoint (rule_id, surface, or hybrid), and the pre-launch trial-key offer for the waitlist. No package code changes — pure user-facing documentation refresh on the highest-traffic dev surface plainstamp has.

### Tests

- 74/74 passing (no behavior change).

## [0.7.13] — 2026-05-09

### Added (CMS Medicare Advantage AI rule + 13th SEO guide)

- **New rule `us-cms-medicare-advantage-ai-prior-auth-2024`** in the bundled corpus. Codifies the Centers for Medicare & Medicaid Services position from CMS-4201-F final rule (88 Fed. Reg. 22120, April 5, 2023) and the operative CMS public FAQ released February 6, 2024 — that algorithms / AI may assist in MA coverage and prior-authorization determinations but cannot, by themselves, deny or terminate coverage; each adverse determination must rest on an individualized clinical assessment by a qualified clinician against Medicare coverage criteria. Five required elements: individualized assessment, coverage-criteria compliance, adverse-determination notice with clinician review, plan-level transparency, preserved appeal rights. Channels: ai-generated-content + about-page; use case: healthcare; severity: mandatory.
- **New builder's guide:** [CMS Medicare Advantage — algorithms / AI in coverage and prior-authorization decisions](/guides/cms-medicare-advantage-ai-prior-auth-builder-guide/). Covers the rule's scope (every MA plan and delegated UM vendor), the five compliance elements, common audit failure patterns (rubber-stamp clinician review; algorithm trained on historical denial data; LOS hard-coding), stacks with HHS Section 1557 + FDA PCCP + CA SB 1120 + HIPAA + FCA, and sample plain- and formal-language member disclosures. 13th guide in the corpus.
- Landing page surfaces the new rule + guide under Healthcare AI vertical, increments corpus count to 24 rules across 11 jurisdictions.
- Package keywords add `cms` and `medicare-advantage`.

### Tests

- 74/74 passing (no test-shape changes; new rule validates against the existing schema).

## [0.7.12] — 2026-05-09

### Added (staleness audit)

- New `auditFreshness(rules, now?)` exported from package root. Computes the freshness band for every rule, returns a `StalenessAuditReport` with counts (`fresh_count` / `stale_count` / `critically_stale_count`), a `needs_attention` list (stale + critically_stale, sorted oldest-first), and a full `all_entries` list. Pure function, deterministic for any `(rules, now)` pair.
- New CLI subcommand: `plainstamp staleness-audit [--format json|text]`. Default text output groups stale/critically-stale rules and prints a human-readable summary. Returns exit code 1 when any rule is critically stale (useful for CI / pre-deploy gates), 0 otherwise.
- `StalenessAuditEntry` and `StalenessAuditReport` types exported.

### Tests

- 74/74 passing (72 baseline + 2 new — bucket counts + sorting; empty needs_attention when all fresh).

## [0.7.11] — 2026-05-09

### Added (last_verified freshness band on lookup results)

- Lookup results now include a `freshness` field with `status` (`fresh` / `stale` / `critically_stale`), `days_since_verified`, and the rule's `last_verified` date. Bands: < 90 days fresh, 90–180 days stale, > 180 days critically_stale. Computed against the current date by default; `lastVerifiedFreshness(rule, now?)` exported for deterministic use in tests / scheduled jobs.
- `FreshnessT` type and `lastVerifiedFreshness` exported from the package root.
- CLI `lookup --format text` renders the freshness band inline (e.g. `last verified: 2026-05-08 (1 day ago — FRESH)`).

### Added (`--severity` filter on CLI lookup)

- `plainstamp lookup` now accepts `--severity mandatory|recommended|best-practice` to filter the result set. Common production query: `--severity mandatory` answers "what MUST I disclose?"

### Tests

- 72/72 passing (66 baseline + 6 new — freshness bands at boundaries, future-date clamping, lookup integration).

## [0.7.10] — 2026-05-09

### Improved (CLI human-readable output)

- `plainstamp lookup` and `plainstamp validate` now accept `--format json|text`. Default is `json` (unchanged from previous releases — no breaking change for existing pipelines that grep / jq the output). `--format text` renders a human-readable summary: severity, jurisdiction, citation, source URL, last-verified date, and a trimmed plain-language disclosure for `lookup`; per-element confidence band and matched signals for `validate`.
- README updated to show the `--format text` example.

## [0.7.9] — 2026-05-09

### Improved (validate-disclosure precision)

- `validateDisclosure` now matches signals at word boundaries instead of as substrings — fixes a false-positive class where, for example, "preconsenting" matched the signal "consent". Tokens in the candidate are split on non-word characters; signals must appear as whole tokens.
- Returns a new `elements` field with per-element detail: `element_id`, `found`, `confidence` (`high` | `medium` | `missing`), and `matched_signals` (the tokens that matched). Confidence bands:
  - **high**: an id-derived signal matched, OR ≥ 2 body-derived signals matched.
  - **medium**: exactly 1 body-derived signal matched.
  - **missing**: no signals matched.
- The existing `passes` and `missing_elements` fields are unchanged (backwards-compatible). Callers that want richer detail can read `elements`; callers that don't can continue treating the report as a binary check.
- Tests: 66/66 passing (63 baseline + 3 new — word-boundary, confidence reporting, missing-confidence on signal-free input).

## [0.7.8] — 2026-05-09

### Documentation

- README adds a "Builder's guides" section above the rule corpus listing, organized by compliance vertical (financial services, healthcare, employment, voice agent, EU, state-specific). Twelve long-form guides linked, each grounded in regulator-published source text. The guides index also lives at https://plainstamp.pages.dev/guides/.
- No code changes; npm publish refreshes the README rendered on npmjs.com.

## [0.7.7] — 2026-05-09

### Fixed (URL-monitor stabilization, round 3 — JSF random ids)

- `normalizeForHash` now strips JSF random element ids: `id="s\d+\.<random>"` (CA leginfo's billNavClient/billTextClient pages emit per-request random decimal suffixes on `s10.<num>`-style section ids) and `id="j_id<digits-or-underscores>(:<segments>)*"` (JSF auto-generated structural ids).
- Tests: 63/63 passing (added 2 new normalization tests targeting the JSF id patterns).

## [0.7.6] — 2026-05-09

### Fixed (URL-monitor stabilization, round 2)

- `normalizeForHash` now strips three additional dynamic-content patterns surfaced by live-fetch verification against bundled regulator citation URLs:
  - **JSF `javax.faces.ViewState` hidden inputs** — California's `leginfo.legislature.ca.gov` is a JSF app and emits a per-request encrypted ViewState blob.
  - **CSRF / session-token meta tags** — Rails-style `<meta name="csrf-token" content="…"/>` (Colorado's `leg.colorado.gov` and others). Now matched alongside `requestverification`, `session-id`, `api-token`, `ws-token`.
  - **Cloudflare email-protection rotating fragments** — `/cdn-cgi/l/email-protection#<hex>` (FINRA and others). The rotating hex fragment after `#` is stripped; the protection-link path is preserved. The `data-cfemail` attribute value is also stripped (added to the existing `data-(?:csrf|token|nonce|build|version|cfemail)` family).
- Tests: 61/61 passing (added 3 new normalization tests targeting the three patterns above).

## [0.7.5] — 2026-05-09

### Fixed (URL-monitor source stabilization)

- `urlMonitorSource` now hashes a normalized version of the page body via the new `normalizeForHash(html)` helper, instead of the raw response. The normalization strips dynamic per-fetch markers that were causing false positives in the daily watcher cron: `<script>` and `<style>` blocks (nonces, build hashes, telemetry); HTML comments (often timestamps); CSRF / authenticity / `_token` / `requestverification` hidden inputs; inline `nonce`, `integrity`, `data-csrf`, `data-token`, `data-nonce`, `data-build`, and `data-version` attribute values; timestamp-bearing `<meta>` tags (`og:updated_time`, `last-modified`, `revised`, `build-time`, `generated-at`, `page-date`); whitespace runs collapsed.
- Two fetches of the same regulator-published page now hash identically as long as the substantive text and structure are unchanged.
- `Article.extra` now also carries `normalized_length` alongside `content_hash` and `content_length` for audit.
- New export from package root: `normalizeForHash`.
- Tests: 58/58 passing (added 7 normalization-stability tests).

## [0.7.4] — 2026-05-08

### Fixed (root re-exports for watcher API)

- Re-export the watcher's public surface (`diffArticles`, `runWatcher`, `runWatcherWithStore`, `readState`, `writeState`, `fsStateStore`, `memoryStateStore`, source factories, and the `Article` / `Source` / `RunReport` / `SourceRunReport` / `StateStore` / `WatcherState` types) from the package root. Previously these were only available via the deep `plainstamp/dist/watcher/index.js` import path, which broke type resolution in some consumers (notably the `plainstamp-cf-worker` Cloudflare Workers package). Now `import { runWatcherWithStore, type StateStore } from "plainstamp"` works.

## [0.7.3] — 2026-05-08

### Added (cross-runtime watcher)

- New `StateStore` interface on the watcher module: `read()` and `write(state)`. Allows the rule-update watcher to run in environments without a filesystem (Cloudflare Workers, Deno Deploy, browsers).
- New `runWatcherWithStore({ sources, stateStore, dryRun? })` entry point alongside the existing `runWatcher({ sources, statePath, dryRun? })`. The fs-path version remains and is now a thin shim over the abstract version.
- New `fsStateStore(path)` and `memoryStateStore(initial?)` factory helpers exported from the watcher module.
- All five new exports are re-exported from the package root.

### Internal

- `runWatcher` is unchanged from a caller's perspective; the shim preserves the existing CLI behavior. No tests changed; full 51-test suite still passing.

## [0.7.2] — 2026-05-08

### Documentation

- README now features the hosted MCP Streamable-HTTP endpoint at `https://plainstamp.helpfulbutton140.workers.dev/mcp` — no install required for clients that prefer the hosted transport.
- README documents the parallel JSON-over-HTTP API on the same Worker (`/jurisdictions`, `/rules`, `/lookup`, `/validate`) for clients that don't speak MCP.
- Coverage table refreshed against the live 23-rule corpus and reorganized by jurisdiction tier (federal / state / city / EU). Federal additions now visible in README: EEOC, CFPB, FINRA, HHS Section 1557, FDA PCCP, FCC TCPA. State additions: SB 1120, Tennessee ELVIS Act. EU: GDPR Article 22.

No code changes; npm publish refreshes the README rendered on npmjs.com.

## [0.7.1] — 2026-05-08

### Fixed (cross-runtime compatibility)

- New `setBundledRules(parsed)` export: allows non-Node consumers (Cloudflare Workers, Deno Deploy, browsers) to pre-load the bundled rules object explicitly, avoiding the `node:fs` + `import.meta.url` path that fails in those environments. The recommended pattern is to import the JSON directly: `import rulesJson from "plainstamp/rules/seed.json"; setBundledRules(rulesJson);`. Once the override is set, all of `disclosuresFor`, `executeMcpTool`, `getRuleById`, `listJurisdictions`, etc. work unchanged.
- The Node fs path is unchanged for Node consumers; this is a strictly additive fix.

## [0.7.0] — 2026-05-08

### Added (transport-independent MCP tool module)

- New module `src/mcp-tools.ts` exporting `mcpTools` (the tool descriptors) and `executeMcpTool(name, args)` (the dispatcher). Both are now public API exports from the package root. Purpose: when the Cloudflare Workers cf-worker binds an MCP Streamable HTTP transport in Phase 4 of `<autobiz>/ops/cloudflare/CLOUDFLARE_DEPLOY.md`, it imports the same tool list and dispatcher used by the existing stdio transport. No drift between transports.
- `mcp-server.ts` (the stdio transport) is now a thin wrapper around `mcpTools` and `executeMcpTool`. Behavior is unchanged for stdio clients.
- Tests still 51/51 passing. Rule count unchanged at 23.

## [0.6.0] — 2026-05-08

### Added

- FCC Declaratory Ruling on AI-generated voice in robocalls (CG Docket No. 23-362, FCC 24-17, released February 8, 2024). Confirms that AI-generated voice clones and AI-synthesized voices used in calls to consumers are "artificial or prerecorded voices" within the meaning of the Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227) and the Commission's implementing rules at 47 CFR § 64.1200. AI-voice robocalls require prior express consent (or prior express written consent for telemarketing); statutory damages $500 per call ($1,500 willful). Use cases `b2c-marketing`, `b2c-sales`, `b2c-customer-support`, `civic-or-electoral`, `general`. Channel `voice`. Severity `mandatory`.
- Runtime Zod schema exports: `Channel`, `UseCase`, `Severity`, `JurisdictionId`, `LookupQuery`, `DisclosureElement`, `DisclosureRule`, `RuleSet` are now exported from the package root (previously only the corresponding TypeScript types were exported). This unblocks downstream consumers (Cloudflare Workers wrapper, validation layers, etc.) from re-implementing the validators.
- Rule count 22 → 23. Tests still 51/51 passing.

### Sibling project (not bundled in npm)

- `cf-worker/` — Cloudflare Workers HTTP wrapper that exposes the plainstamp lookup engine over JSON-over-HTTP. Endpoints: `GET /` (info), `/health`, `/jurisdictions`, `/rules`, `/rules/:id`, `/lookup`, `POST /validate`. Scaffold only in this release (deploy in next iteration). Plan doc at `<autobiz>/ops/cloudflare/CLOUDFLARE_DEPLOY.md`. The cf-worker depends on plainstamp@^0.6.0 (this release).

## [0.5.0] — 2026-05-08

### Added

- FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions — Final Guidance (December 4, 2024). Codified into the FD&C Act at § 515C (21 U.S.C. § 360e-4) by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328). Manufacturers of AI/ML-enabled medical devices may include a PCCP in their authorized 510(k) / De Novo / PMA marketing submission, comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment; PCCP-conforming modifications may then be implemented without a new submission. Device labeling and the public-facing device summary must disclose the AI/ML nature of the device and reflect the PCCP. Use case `healthcare`. Severity `mandatory`.
- Fourth SEO guide: `docs/guides/california-bot-disclosure-bp-17941-builder-guide.md` — comprehensive coverage of California's B.O.T. Act bot-disclosure rule, the safe-harbor "clear, conspicuous, and reasonably designed to inform" standard, the channels and use-cases that trigger it, common compliance pitfalls, and how § 17941 stacks with FTC § 5, EU AI Act Article 50(1), GDPR Article 22, California SB 942, and federal financial-services rules. Targets the high-traffic California consumer-facing-AI compliance vertical.
- Rule count 21 → 22. Tests still 51/51 passing.

## [0.4.0] — 2026-05-08

### Added

- California SB 1120 — Physicians Make Decisions Act (Senate Bill 1120, signed September 28, 2024; effective January 1, 2025). Amends California Health and Safety Code § 1367.01 and Insurance Code § 10123.135 to require that AI/algorithmic tools used in utilization review / utilization management for medical necessity be reviewed by a licensed physician (or other licensed healthcare professional within scope of practice) considering the enrollee's individual clinical circumstances. Patient-facing disclosure required when AI is used in coverage decisions; appeal rights and Independent Medical Review path included. Use cases `healthcare` and `financial-services`. Severity `mandatory`.
- Third SEO guide: `docs/guides/nyc-local-law-144-aedt-builder-guide.md` — comprehensive coverage of NYC's AEDT law, the bias-audit + public-summary + 10-business-day-notice triad, the AEDT definitional questions ("substantially assist," "simplified output," "statistical modeling"), the multi-state platform issue (NYC-resident applicants of national platforms), common compliance pitfalls, and how Local Law 144 stacks with parallel state and federal AI hiring rules. Targets the highly active employment-AI compliance vertical.
- Rule count 20 → 21. Tests still 51/51 passing.

## [0.3.0] — 2026-05-08

### Added

- HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (45 CFR § 92.210, May 6, 2024 final rule). Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, HHS-administered programs) must identify uses of AI/ML clinical decision-support tools and make reasonable efforts to mitigate algorithmic discrimination. Compliance deadline May 1, 2025 — now in effect and enforceable. Use case `healthcare`.
- Second SEO guide: `docs/guides/colorado-ai-act-sb-24-205-builder-guide.md` — long-form coverage of Colorado's comprehensive AI Act, the high-risk AI system definition, deployer/developer obligations, the consumer-disclosure components, the June 30, 2026 deadline, and how SB 24-205 stacks with parallel state and federal AI rules. Targets the high-traffic Colorado-compliance search vertical (deadline pressure + uncertainty about scope).
- Rule count 19 → 20. Tests still 51/51 passing.

## [0.2.0] — 2026-05-08

### Added

- FINRA Regulatory Notice 24-09 — AI in customer communications. Member-firm obligations under FINRA Rules 2210 (communications), 2090 (KYC), 2111 (suitability), 3110 (supervision), 4511 (records), 3220 (gifts) all apply to AI-driven customer communications and recommendations; firms remain responsible for third-party AI vendor outputs. Use case `financial-services`. Issued 2024-06-27.
- New SEO-leaning guide: `docs/guides/eu-ai-act-article-50-chatbot-disclosure.md` — long-form builder-focused guide on Article 50 disclosure requirements, the August 2026 application date, the Omnibus VII provisional agreement, and how the rule stacks with GDPR Article 22 and EU Member-State implementations. Ships in the npm package and renders on the npm package page (which is well-indexed).
- Package `files` array now includes `docs/guides` so SEO-leaning content ships with the published artifact.
- Keywords expanded: `gdpr`, `finra`, `cfpb`, `eeoc`, `regtech` added to support discovery via npm search and search-engine indexing of the npm package page.
- Rule count 18 → 19. Tests still 51/51 passing.

## [0.1.0] — 2026-05-08

### Added

- Federal EEOC technical assistance on AI in employment selection procedures (Title VII / Uniform Guidelines, May 18, 2023). Severity `recommended` — the disclosure itself is best practice; the underlying disparate-impact obligation is binding. Federal floor for any AI hiring tool used in the U.S.; layers under stricter state mandates (IL HB 3773, NYC Local Law 144, CO SB 24-205).
- EU GDPR Article 22 — automated decision-making rights. Right to not be subject to a decision based solely on automated processing where it produces legal or similarly significant effects; right to human intervention, point-of-view expression, and contestation; controllers must provide meaningful information about logic, significance, and envisaged consequences (Arts. 13(2)(f), 14(2)(g)). Spans `employment-decisions`, `financial-services`, `healthcare`, `legal-services`, `general`. Effective 2018-05-25; penalties up to €20M or 4% of turnover.
- Tennessee ELVIS Act — voice and likeness protection (HB 2091 / SB 2096, codified at Tenn. Code Ann. Title 47, Chapter 25, Part 11). Consent-based statute; published AI-synthesized voice or likeness requires written authorization from the individual or rights-holder. Channels `ai-generated-audio`, `ai-generated-video`, `ai-generated-content`. Use cases include `b2c-marketing`, `b2b-marketing`, `civic-or-electoral`, `general`. Effective 2024-07-01.
- CFPB Circular 2023-03 — adverse-action notices for AI/ML credit decisions under ECOA / Regulation B. Specific principal reasons must be provided per applicant; generic boilerplate codes are insufficient; if the AI/ML model cannot be explained well enough to identify the specific reasons that drove the decision in this applicant's case, the model likely cannot lawfully be used. Channel `email-transactional` + `ai-generated-content`; use case `financial-services`. Issued 2023-09-19; ongoing CFPB enforcement priority.
- Rule count 14 → 18. Jurisdictions 8 → 11 (added `us-tn`). Tests 51/51 passing.

### Added since 0.0.1 (rolled into 0.1.0 history)

- Brand committed: working slug `disclo` retired in favor of `plainstamp` after a namespace availability check (github.com/disclo is taken by an unrelated $6.75M-funded HR/workforce SaaS).
- Colorado AI Act (SB 24-205) — consumer-interaction disclosure; effective 2026-06-30 after a delay from 2026-02-01.
- Utah AI Policy Act (SB 149) as amended by SB 226 (2025) and extended by SB 332 — GenAI disclosure in regulated occupations; trigger is "asked OR high-risk."
- Texas TRAIGA (HB 149) — government-agency AI disclosure (effective 2026-01-01).
- Texas TRAIGA (HB 149) — healthcare-provider AI disclosure (effective 2026-01-01).
- New York AI Companion Models law (NY GBL Art. 47, A6767) — non-human notification at start of interaction and at least every three hours; specific substantive text required; crisis-protocol obligation; $15,000/day civil penalty (effective 2025-11-05).
- Illinois Human Rights Act — AI in employment (HB 3773) — notice and substantive non-discrimination obligations when AI is used to influence or facilitate covered employment decisions (effective 2026-01-01). Adds new `employment-decisions` use case to the schema.
- Regulatory-update watcher prototype at `src/watcher/` with the Federal Register source plugged in (Rules + Proposed Rules matching configurable search terms; defaults to "artificial intelligence", "automated decision", "algorithmic"). Persists per-source state to a JSON file, emits a digest of new articles since last run, fails per-source rather than aborting the whole run. Bin: `plainstamp-watcher`. 7 unit tests on the diff and orchestrator.
- NYC Local Law 144 (Administrative Code §§ 20-870 through 20-873) — AEDT bias-audit, public summary, and 10-business-days candidate notice. Adds a third jurisdiction segment to the schema (`us-ny-nyc`); jurisdiction regex extended to allow up to two hyphen-separated nesting levels.
- EU AI Act Article 50(2) rule notes updated with Omnibus VII context: 2026-05-07 provisional agreement reduces the transparency-solutions grace period from 6 months to 3 months (new compliance deadline 2026-12-02) and postpones AI regulatory sandbox deadlines to 2027-08-02. Re-verify before final adoption.
- California AB 2013 (Generative AI Training Data Transparency Act) — developers of generative AI systems made publicly available to Californians (including any system released on or after 2022-01-01) must post a high-level summary of training datasets on their website covering the 12 statute-enumerated categories. Effective 2026-01-01. Enforced via California's Unfair Competition Law. The rule's channels are `about-page` and `terms-of-service` — it's a website-disclosure rule, not a per-interaction message obligation.
- Maryland Labor & Employment § 3-717 (HB 1202, 2020) — facial-recognition services during pre-employment interviews require a written consent waiver from the applicant, with four required content elements (name, interview date, consent statement, read-acknowledgment). Effective 2020-10-01. Channel `video-avatar` + use case `employment-decisions`.
- Coverage matrix: `plainstamp coverage` (CLI) and `computeCoverageMatrix` / `renderCoverageMarkdown` / `renderCoverageCsv` (library) compute and render a jurisdiction × use-case rule-count matrix. Helps users see at-a-glance what plainstamp covers and where gaps are. Three output formats: markdown (default), csv, json (with rule_ids per cell).
- Rule count 5 → 14. Test count 13 → 51, all passing.

## [0.0.1] — 2026-05-08

Initial Phase-0 release. Local-only build; not yet published to a public registry.

### Added

- Rule schema (Zod) covering jurisdiction, channels, use cases, severity, required elements, citation, templates, effective date, and last-verified date.
- Bundled seed rules:
  - California bot disclosure (B&P § 17941).
  - EU AI Act Article 50(1) — chatbot disclosure.
  - EU AI Act Article 50(2) — AI-generated content labeling.
  - FTC fake reviews/testimonials (16 CFR Part 465).
  - California AI Transparency Act (SB 942).
- Lookup engine with parent-jurisdiction inheritance (a `us-ca` query also matches federal `us` rules) and `general` use-case matching.
- Heuristic disclosure validator (substring match against rule keywords; not a legal-sufficiency check).
- MCP server exposing five tools: `list_jurisdictions`, `list_rules`, `get_rule`, `lookup_disclosure`, `validate_disclosure`.
- CLI: `plainstamp list-jurisdictions`, `plainstamp list-rules`, `plainstamp get-rule`, `plainstamp lookup`, `plainstamp validate`.
- TypeScript library exporting `disclosuresFor`, `validateDisclosureForQuery`, `getRuleById`, `listJurisdictions`, plus the underlying schema types.
- 13/13 unit tests passing (Node native test runner). Coverage includes rule schema validation, lookup matching, severity sorting, jurisdiction inheritance, validator heuristics, and citation/element invariants on every seed rule.
- README, AI-DISCLOSURE, LICENSE (MIT).