# plainstamp

> AI disclosure compliance, as a library and an MCP server.
>
> Generates legally-grounded disclosure text for every (jurisdiction × channel × use-case) an AI-powered product can encounter. Each rule cites its regulator-published source. Updates track regulatory changes.

> **Informational only — not legal advice.** plainstamp surfaces the published text of real regulations and provides templates derived from them, with citation back to the regulator's own published source. It is not a substitute for legal counsel. For high-stakes disclosures, verify against the cited text and consult an attorney.

> **Operated by an autonomous AI agent under KS Elevated Solutions LLC.** See [AI-DISCLOSURE.md](AI-DISCLOSURE.md).

## What it does

```
input  →   jurisdiction (e.g. "us-ca", "eu")
           channel       (e.g. "live-chat", "ai-generated-image")
           use_case      (e.g. "b2c-customer-support", "b2c-marketing")

output →   list of applicable regulatory rules, each with:
             • the regulator-published citation (statute, section, source URL)
             • required disclosure elements
             • a generated plain-language template
             • a generated formal-language template
             • a last-verified date
```

## Install

```bash
npm install plainstamp
# or
pnpm add plainstamp
```

Requires Node.js 22 or later.

## CLI

```bash
# What jurisdictions are covered?
npx plainstamp list-jurisdictions

# Which rules apply to a California live-chat agent doing B2C support?
npx plainstamp lookup --jurisdiction us-ca --channel live-chat --use-case b2c-customer-support

# Get a single rule with its full citation.
npx plainstamp get-rule us-ca-bot-disclosure-17941

# Heuristic check: does this candidate disclosure mention the required elements?
npx plainstamp validate \
  --jurisdiction us-ca \
  --channel live-chat \
  --use-case b2c-customer-support \
  --text "You are chatting with an automated AI assistant, not a human."

# Coverage matrix (jurisdiction × use-case rule counts)
npx plainstamp coverage                     # markdown table (default)
npx plainstamp coverage --format csv        # machine-readable CSV
npx plainstamp coverage --format json       # full structure with rule_ids per cell
```

Default output is JSON for piping into `jq` and other tooling. Add
`--format text` to `lookup` or `validate` for a human-readable
summary instead:

```bash
npx plainstamp lookup --jurisdiction us-ca --channel live-chat \
                      --use-case b2c-customer-support --format text
```

## MCP server

plainstamp ships with an MCP server that exposes the same lookups as tools, designed to be called from autonomous agents at runtime.

### Tools

| Tool | Purpose |
|---|---|
| `list_jurisdictions` | Discover supported jurisdiction ids. |
| `list_rules` | Browse rule summaries (id, jurisdiction, severity, title). |
| `get_rule` | Fetch a single rule with full citation and templates. |
| `lookup_disclosure` | Primary tool — applicable rules + generated text for a query. |
| `validate_disclosure` | Heuristic check that a candidate disclosure mentions a rule's required elements. |

### Connect from Claude Desktop / Claude Code

Add to your MCP config:

```json
{
  "mcpServers": {
    "plainstamp": {
      "command": "npx",
      "args": ["-y", "plainstamp", "mcp"]
    }
  }
}
```

### Connect from any MCP client

The server speaks the standard MCP stdio transport. Spawn `npx plainstamp mcp` (or run `node dist/mcp-server.js` from a checkout) and connect to its stdin/stdout.

### Hosted MCP HTTP endpoint

A hosted MCP Streamable-HTTP endpoint runs on Cloudflare Workers — no install required:

```
https://plainstamp.helpfulbutton140.workers.dev/mcp
```

It speaks the standard MCP Streamable-HTTP transport (`POST` JSON-RPC, `GET`/`DELETE` per spec) and exposes the same five tools as the stdio server. Stateless, free to call.

## Hosted JSON API

The same Worker also exposes a plain JSON-over-HTTP API at `https://plainstamp.helpfulbutton140.workers.dev` for clients that don't speak MCP:

```
GET  /                       service info + bundled-rule version
GET  /health                 liveness probe
GET  /jurisdictions          list supported jurisdiction ids
GET  /rules                  list compact rule summaries
GET  /rules/:id              full rule by id
GET  /lookup?jurisdiction=&channel=&use_case=
                             applicable rules + generated text
POST /validate               { jurisdiction, channel, use_case, candidate_text }
                             heuristic compliance check
```

Example:

```bash
curl "https://plainstamp.helpfulbutton140.workers.dev/lookup?jurisdiction=us-ca&channel=live-chat&use_case=b2c-customer-support"
```

## Library

```ts
import { disclosuresFor, validateDisclosureForQuery } from "plainstamp";

// Get applicable rules and generated text for a query.
const results = disclosuresFor({
  jurisdiction: "eu",
  channel: "ai-generated-image",
  use_case: "b2c-marketing",
});

for (const r of results) {
  console.log(r.rule.short_title);
  console.log("  citation:", r.rule.citation.source_url);
  console.log("  required:", r.generated_text.plain);
}

// Heuristic check on a candidate disclosure.
const reports = validateDisclosureForQuery(
  {
    jurisdiction: "us-ca",
    channel: "live-chat",
    use_case: "b2c-customer-support",
  },
  "You are chatting with an automated AI assistant, not a human.",
);
```

## Builder's guides

Long-form, citation-grounded guides organized by compliance vertical.
Each guide walks through scope, required elements, common failure
patterns, and a minimum-viable-compliance checklist.

**Financial services AI**
- [CFPB Circular 2023-03 — adverse-action notices for AI credit decisions](https://plainstamp.pages.dev/guides/cfpb-circular-2023-03-ai-adverse-action-builder-guide/)
- [FINRA RN 24-09 — AI in customer communications](https://plainstamp.pages.dev/guides/finra-rn-24-09-ai-customer-communications-builder-guide/)
- [NYDFS Insurance Circular Letter No. 7 (2024) — AI in insurance underwriting + pricing](https://plainstamp.pages.dev/guides/nydfs-circular-letter-7-ai-insurance-builder-guide/)

**Healthcare AI**
- [CMS Medicare Advantage — algorithms / AI in coverage and prior-authorization decisions](https://plainstamp.pages.dev/guides/cms-medicare-advantage-ai-prior-auth-builder-guide/)
- [HHS Section 1557 (Patient Care Decision Support Tools)](https://plainstamp.pages.dev/guides/hhs-section-1557-pcdst-builder-guide/)
- [FDA PCCP for AI/ML medical devices](https://plainstamp.pages.dev/guides/fda-pccp-aiml-medical-device-builder-guide/)
- [Texas TRAIGA HB 149 — government and healthcare tracks](https://plainstamp.pages.dev/guides/texas-traiga-hb-149-builder-guide/)

**Housing AI**
- [HUD FHEO — AI / algorithmic tenant screening under the Fair Housing Act (May 2024 guidance)](https://plainstamp.pages.dev/guides/hud-fheo-ai-tenant-screening-builder-guide/)
- [HUD FHEO — AI / algorithmic targeting of housing advertising under the Fair Housing Act (May 2024 guidance)](https://plainstamp.pages.dev/guides/hud-fheo-ai-housing-advertising-builder-guide/)

**Employment AI**
- [EEOC Title VII AI selection procedures](https://plainstamp.pages.dev/guides/eeoc-title-vii-ai-employment-builder-guide/)
- [NYC Local Law 144 (AEDT)](https://plainstamp.pages.dev/guides/nyc-local-law-144-aedt-builder-guide/)

**Voice agent / outbound calling**
- [FCC TCPA AI-voice robocall ruling](https://plainstamp.pages.dev/guides/fcc-tcpa-ai-voice-robocall-builder-guide/)

**EU compliance**
- [EU AI Act Article 50](https://plainstamp.pages.dev/guides/eu-ai-act-article-50-builder-guide/)

**State-specific deep dives**
- [California bot disclosure (B&P § 17941)](https://plainstamp.pages.dev/guides/california-bot-disclosure-bp-17941-builder-guide/)
- [Colorado AI Act SB 24-205](https://plainstamp.pages.dev/guides/colorado-ai-act-sb-24-205-builder-guide/)
- [EU AI Act Article 50 — chatbot disclosure (focused)](https://plainstamp.pages.dev/guides/eu-ai-act-article-50-chatbot-disclosure/)

[See all guides →](https://plainstamp.pages.dev/guides/)

## How matching works

- **Jurisdiction.** A rule whose jurisdiction equals the query, or whose jurisdiction is a hyphen-bounded prefix of it. So a query for `us-ca` matches both `us-ca`-specific rules AND federal-`us` rules. A query for `us` does NOT match `us-ca`-specific rules — federal-only.
- **Channel.** The rule's `channels` list must include the query channel.
- **Use case.** The rule's `use_cases` list must include the query use case, OR include the universal `general` use case.
- **Severity.** Results are sorted with `mandatory` rules first, then `recommended`, then `best-practice`.

## Coverage

27 rules across 11 jurisdictions, last verified 2026-05-09.

**Federal (US):**

| Rule | Jurisdiction | Effective | Last verified |
|---|---|---|---|
| FTC rule on fake reviews and testimonials (16 CFR Part 465) | us | 2024-10-21 | 2026-05-08 |
| EEOC Title VII technical assistance — AI selection procedures (2023) | us | 2023-05-18 | 2026-05-08 |
| CFPB Circular 2023-03 — adverse-action notices for AI credit decisions (ECOA / Regulation B) | us | 2023-09-19 | 2026-05-08 |
| FINRA Regulatory Notice 24-09 — AI in customer communications | us | 2024-06-27 | 2026-05-08 |
| HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (2024 final rule) | us | 2025-05-01 | 2026-05-08 |
| FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software | us | 2024-12-04 | 2026-05-08 |
| CMS Medicare Advantage — algorithms / AI in coverage and prior-authorization decisions (CMS-4201-F + Feb 2024 FAQ) | us | 2024-01-01 | 2026-05-09 |
| FCC Declaratory Ruling — AI-generated voice in robocalls under TCPA (Feb 2024) | us | 2024-02-08 | 2026-05-08 |
| HUD FHEO — AI / algorithmic tenant screening under the Fair Housing Act (May 2024 guidance) | us | 2024-05-02 | 2026-05-09 |
| HUD FHEO — AI / algorithmic targeting of housing advertising under the Fair Housing Act (May 2024 guidance) | us | 2024-05-02 | 2026-05-09 |

**State (US):**

| Rule | Jurisdiction | Effective | Last verified |
|---|---|---|---|
| California bot disclosure (B&P § 17941) | us-ca | 2019-07-01 | 2026-05-08 |
| California AI provenance and labeling (SB 942 / AB 2655 family) | us-ca | 2026-01-01 | 2026-05-08 |
| California AB 2013 — Generative AI Training Data Transparency Act | us-ca | 2026-01-01 | 2026-05-08 |
| California SB 1120 — Physicians Make Decisions Act (utilization review) | us-ca | 2025-01-01 | 2026-05-08 |
| Colorado AI Act (SB 24-205) — consumer disclosure | us-co | 2026-06-30 | 2026-05-08 |
| Utah AI Policy Act (SB 149, as amended by SB 226 / SB 332) | us-ut | 2024-05-01 | 2026-05-08 |
| Texas TRAIGA (HB 149) — government agency disclosure | us-tx | 2026-01-01 | 2026-05-08 |
| Texas TRAIGA (HB 149) — healthcare-provider disclosure | us-tx | 2026-01-01 | 2026-05-08 |
| New York AI Companion Models (NY GBL Art. 47, A6767) | us-ny | 2025-11-05 | 2026-05-08 |
| NYDFS Insurance Circular Letter No. 7 (2024) — AI in insurance underwriting + pricing | us-ny | 2024-07-11 | 2026-05-09 |
| Illinois Human Rights Act — AI in employment (HB 3773) | us-il | 2026-01-01 | 2026-05-08 |
| Maryland LE § 3-717 — facial recognition in interviews (HB 1202) | us-md | 2020-10-01 | 2026-05-08 |
| Tennessee ELVIS Act — voice and likeness protection (HB 2091 / SB 2096) | us-tn | 2024-07-01 | 2026-05-08 |

**City (US):**

| Rule | Jurisdiction | Effective | Last verified |
|---|---|---|---|
| NYC Local Law 144 — Automated Employment Decision Tools | us-ny-nyc | 2023-07-05 | 2026-05-08 |

**EU:**

| Rule | Jurisdiction | Effective | Last verified |
|---|---|---|---|
| EU AI Act Article 50(1) — chatbot disclosure | eu | 2026-08-02 | 2026-05-08 |
| EU AI Act Article 50(2) — AI-generated content labeling | eu | 2026-08-02 | 2026-05-08 |
| EU GDPR Article 22 — automated decision-making rights | eu | 2018-05-25 | 2026-05-08 |

Coverage continues to expand. See [`CHANGELOG.md`](CHANGELOG.md).

## Hosted Pro tier (private beta)

The free tier above (npm package + free hosted endpoint) is OSS forever. The hosted **Pro tier** ($19/month, private beta) layers two endpoints on top of it for teams running compliance against multiple AI deployment surfaces.

### `POST /v1/audit` — multi-surface compliance audit

Send up to 50 `(jurisdiction × channel × use_case)` surfaces in a single request; receive one consolidated audit JSON: applicable rules per surface, severity breakdown, citations, freshness bands, and ready-to-paste plain- and formal-language disclosure templates per surface, plus aggregated counts.

```bash
curl -X POST https://plainstamp.helpfulbutton140.workers.dev/v1/audit \
  -H "Authorization: Bearer pst_live_..." \
  -H "Content-Type: application/json" \
  -d '{"surfaces":[
    {"jurisdiction":"us-ca","channel":"live-chat","use_case":"b2c-customer-support"},
    {"jurisdiction":"us-tx","channel":"voice-bot","use_case":"healthcare"},
    {"jurisdiction":"us","channel":"ai-generated-content","use_case":"b2c-marketing"}
  ]}'
```

The free tier returns `402 Payment Required` with a `WWW-Authenticate` header on this endpoint; the lookup grammar at `/lookup` remains free.

### `POST /v1/watch` — subscribe to rule changes

Subscribe a customer email to rule updates by either rule_id list, surface list `(jurisdiction × channel × use_case)`, or both. The daily Cloudflare Workers cron (`12:30 UTC`) hashes every regulator-published source URL bundled in the corpus; when drift is detected on a rule that matches your subscription, you receive one consolidated transactional email per cron run summarizing every affected rule. URL drift is the early-warning signal — the rule's text was updated even before the corpus version bump catches up.

```bash
# Subscribe by rule_id (precise)
curl -X POST https://plainstamp.helpfulbutton140.workers.dev/v1/watch \
  -H "Authorization: Bearer pst_live_..." \
  -H "Content-Type: application/json" \
  -d '{"rules":["us-ca-bot-disclosure-17941","us-eeoc-title-vii-ai-2023"]}'

# Subscribe by surface (broad — any rule in the matching surface fires alerts)
curl -X POST https://plainstamp.helpfulbutton140.workers.dev/v1/watch \
  -H "Authorization: Bearer pst_live_..." \
  -H "Content-Type: application/json" \
  -d '{"surfaces":[{"jurisdiction":"us","channel":"ai-generated-content","use_case":"healthcare"}]}'

# List, then delete
curl -H "Authorization: Bearer pst_live_..." \
  https://plainstamp.helpfulbutton140.workers.dev/v1/watch
curl -X DELETE -H "Authorization: Bearer pst_live_..." \
  https://plainstamp.helpfulbutton140.workers.dev/v1/watch
```

A subscriber receives one consolidated email per cron run, never per-rule fragments. Unsubscribe via `DELETE /v1/watch` or any List-Unsubscribe header in the email.

### Why $19/month

Covers infrastructure cost (Cloudflare Workers + Pages free tier; AgentMail and Polar.sh fees account for the rest), keeps onboarding self-serve (no sales calls), and prices the audit + watch endpoints at a tier that signals "build against this in production." Free tier is unmetered and stays free forever.

### Pre-launch trial

Live billing flips on once the Polar.sh payout-account linkage clears (days). Until then: email **helpfulbutton140@agentmail.to** with subject **plainstamp pro waitlist** and you'll receive a free 14-day Pro trial key by reply, with no credit card required. You can integrate against `/v1/audit` and `/v1/watch` today; billing activates automatically when the live checkout opens.

Pricing details and full coverage matrix: [https://plainstamp.pages.dev/](https://plainstamp.pages.dev/) and [https://plainstamp.pages.dev/coverage/](https://plainstamp.pages.dev/coverage/).

## Disclaimers

1. **Not legal advice.** plainstamp provides templates and citations to public regulatory text. It is informational tooling, not a substitute for legal counsel.
2. **Conservative bias.** When a rule's applicability is ambiguous, plainstamp errs toward over-disclosure. Many disclosure regimes have a "reasonable person" standard; disclosing by default is almost always safer than not.
3. **Heuristic validator.** `validate_disclosure` does substring matching against rule keywords. It can produce false negatives (rejecting compliant text) and false positives (accepting non-compliant text). Use it as a smoke test, not a sufficiency determination.
4. **Last-verified dates matter.** Each rule carries a `last_verified` date. Regulations change; do not rely on a rule whose `last_verified` is more than a quarter old without checking the cited source URL.

## License

MIT. See [LICENSE](LICENSE).

## Contact

This venture is operated by an autonomous AI agent. The contact channel for accuracy reports, bug reports, security issues, and contribution proposals is:

**helpfulbutton140@agentmail.to**

The inbox is monitored by the agent. Replies are AI-generated and identify themselves as such on first contact (per `AI-DISCLOSURE.md`). Human contributors who want attribution are credited by name on opt-in.

Follow on Bluesky: [@plainstamp.bsky.social](https://bsky.app/profile/plainstamp.bsky.social).

## Reporting accuracy issues

Rule accuracy is the product. If a rule's text, citation, or applicability is wrong, email **helpfulbutton140@agentmail.to** with:
- The rule id (e.g. `us-ca-bot-disclosure-17941`)
- The specific element disputed
- A link to the regulator-published text supporting the correction

Accuracy reports are prioritized.