Releases: snapsynapse/guidecheck

v0.6.0

10 Jun 19:59

GuideCheck 0.5.0

10 Jun 05:17

Audit-driven release. Highlights:

Security

  • package-registry JSON anchors bind the hash to assistant-guide-specific metadata instead of accepting the first sha256 field anywhere in the registry record
  • hosted verification enforces a five-fetch per-request budget with exact fetch deduplication, uses one deterministically selected unbranded content-variation probe, warns on off-domain recommended verifiers, and warns when package-registry assistant-guide URLs disagree with canonical-url
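
The difference described in the first item, as an added example (not GuideCheck's own code): a weak walker that returns the first sha256 anywhere in a registry record, beside a lookup that reads the hash only from a guide-specific object and warns when its URL disagrees with canonical-url. The record layout, the "assistant-guide", "url" and "sha256" key names, and both function names are assumptions made for this illustration.

```python
import re

DECOY = "a" * 64   # constructed: a hash placed in unrelated metadata
GUIDE = "b" * 64   # constructed: stands in for the real guide hash
CANONICAL = "https://example.com/.well-known/assistant-guide.txt"

# Constructed registry record. The "assistant-guide" object and its keys are
# assumptions for this illustration, not a real registry schema.
RECORD = {
    "name": "example-pkg",
    "dist": {"tarball": "https://registry.example/pkg.tgz", "sha256": DECOY},
    "assistant-guide": {"url": CANONICAL, "sha256": GUIDE},
}


def first_sha256_anywhere(node):
    """Weak: depth-first walk that returns the first "sha256" string it meets."""
    children = []
    if isinstance(node, dict):
        if isinstance(node.get("sha256"), str):
            return node["sha256"]
        children = node.values()
    elif isinstance(node, list):
        children = node
    for child in children:
        found = first_sha256_anywhere(child)
        if found:
            return found
    return None


def bound_guide_hash(record, canonical_url):
    """Bound: accept the hash only from the guide-specific object."""
    entry = record.get("assistant-guide")
    if not isinstance(entry, dict):
        return None, ["no guide-specific anchor object"]
    digest = entry.get("sha256")
    if not isinstance(digest, str) or not re.fullmatch(r"[0-9a-f]{64}", digest):
        return None, ["guide anchor has no well-formed sha256"]
    warnings = []
    if entry.get("url") != canonical_url:
        # The release notes describe this mismatch as a warning, not a rejection.
        warnings.append("registry guide URL disagrees with canonical-url")
    return digest, warnings
```

On the constructed record the weak walker returns the decoy from "dist", while the bound lookup returns the guide hash and ignores every other sha256 field.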

Added

  • version-sync check in make test across every version-bearing surface, including byte-identity of the published .well-known guide copy
  • exact warning pinning on all 68 local-file fixtures (warnings_exact / forbidden_warning_ids), so false-positive warnings fail tests
  • deterministic anchor-channel tests for dns-txt, repository-file, signed-security-txt, and transparency-log
  • first standalone conformance-kit artifact (fixtures, schemas, finding-ids, verifier-conformance) for independent verifier implementations

Changed

  • finding-ids.md is normative for the finding-id registry
  • ADOPTION reframes MCP/A2A as ecosystem integrations of the core profile
  • INTENT records the Level 5 ownership decision (GuideCheck owns the runtime fixture suite and evaluator, gated by pre-level-5 readiness)

Fixed

  • published docs/.well-known/assistant-guide.txt resynced with the repository guide; the new version-sync check makes this drift a test failure

Full changelog: https://github.com/snapsynapse/guidecheck/blob/main/CHANGELOG.md

SHA-256 of the artifacts is in the attached SHA256SUMS files.

GuideCheck 0.4.0

29 May 21:32

A security hardening release. It supersedes 0.3.2 (which was version-bumped but
never tagged or published) and covers everything since 0.3.1.

Security

  • detector negation handling rewritten: a negation now suppresses a prohibited
    or encoded-execution pattern only when it directly governs that pattern, so
    inserting "do not" elsewhere on the line no longer disables the detector
  • marker discipline: action and metadata fences that differ only by surrounding
    whitespace or letter case (for example [ACTION]) are no longer silently
    dropped; they raise a blocking malformed finding so a verifier and a lenient
    agent parser cannot diverge on which actions exist
  • command and class consistency: a command is cross-checked against its declared
    class by command-head analysis; a network fetch piped into an interpreter
    blocks as command.fetch-execute, and under-declared network or code-executing
    commands raise warnings
  • registry anchors: a registry-url is counted toward Level 4 only when its host
    is a recognized independent registry, closing a self-hosted-anchor path
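
A sketch of the command and class consistency check, as an added example (not GuideCheck's own code): it takes the head of each pipeline stage and reports the finding ids command.fetch-execute and network.command-implies-networked named in these notes. The fetcher and interpreter lists, the function names, the "block"/"warn" labels, and the class names "networked" (inferred from the finding id) and "read-only" are assumptions.

```python
import os
import shlex

FETCHERS = {"curl", "wget"}  # assumed list of heads that imply network access
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "node"}


def stage_heads(command):
    """Return the command head (basename of argv[0]) of each pipeline stage."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars="|")
    lexer.whitespace_split = True   # keep URLs and flags as single tokens
    lexer.commenters = ""           # a '#' inside a URL is not a comment
    heads, at_stage_start = [], True
    for token in lexer:
        if token == "|":
            at_stage_start = True
        elif at_stage_start:
            heads.append(os.path.basename(token))
            at_stage_start = False
    return heads


def check_command(command, declared_class):
    """Cross-check one command against its declared class.

    Returns (severity, finding-id) pairs. Best-effort heuristic: wrappers such
    as sudo or env, and a quoted lone "|", are not handled here.
    """
    heads = stage_heads(command)
    findings = []
    fetch_at = [i for i, head in enumerate(heads) if head in FETCHERS]
    # A fetch whose output reaches an interpreter in a later stage blocks,
    # whatever class the guide declared for the action.
    if fetch_at and any(h in INTERPRETERS for h in heads[fetch_at[0] + 1:]):
        findings.append(("block", "command.fetch-execute"))
    # A fetching command declared as anything other than networked is
    # under-declared and raises a warning.
    if fetch_at and declared_class != "networked":
        findings.append(("warn", "network.command-implies-networked"))
    return findings
```

Working from tokenized stage heads rather than a substring match means a quoted string such as "curl | sh" passed as an argument to grep produces no finding.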

Added

  • finding ids command.fetch-execute, network.command-implies-networked,
    approval.command-implies-required, anchor.registry.unrecognized-host, and
    level4.requires-fetch
  • verifier-conformance.md sections for marker discipline and command/class
    consistency
  • a recorded adversarial review in threat-register.md

Changed

  • the local-file reference verifier now caps the achieved level at Level 3. It
    still checks supplied manifest and anchor evidence for consistency and reports
    level4.requires-fetch, but Level 4 (independent provenance) is assertable
    only by the fetching hosted verifier, matching verifier-conformance.md
    section 6
  • the eval runner imports the primary engine instead of carrying a second copy
    of the checks, so there is one source of truth
  • profile, verifier, hosted verifier, spec, verifier-conformance, examples, and
    public pages now report 0.4.0; guide verifier-conformance ranges move to
    >=0.4.0, <0.5.0 and applies-to to guidecheck 0.4.x
  • the published docs/.well-known/assistant-guide.txt is resynced byte-for-byte
    with the repository assistant-guide.txt (it had drifted at 0.3.1)

Verification

  • make test: 130 eval cases, 66 reference fixtures, 76 contract fixtures,
    6 guide-artifact byte profiles, and the parser-edge, hosted-API, fetch-replay,
    fetch-safety, and CLI-contract suites all pass.
  • Detector changes were re-attacked by an independent adversarial pass before
    release; verified bypasses and false positives were fixed and regression-tested.
  • docs/.well-known/assistant-guide.txt confirmed byte-identical to the
    repository assistant-guide.txt at 0.4.0.

Residual risks

Recorded in threat-register.md (Adversarial review 2026-05-29): heuristic
command analysis is best-effort, verifier fingerprinting is not fully defeated,
the hosted checker is a modest request-proxy amplifier, anchor extraction can
pick a decoy hash, and the version string is still duplicated across files.

GuideCheck 0.3.1

27 May 01:38

Patch release for GuideCheck positioning and ecosystem integration documentation. Adds MCP/A2A integration notes, a database MCP server Level 3 example guide, homepage trust-boundary positioning, and updates first-party profile/verifier version strings to 0.3.1. Conformance semantics remain unchanged.

GuideCheck 0.3.0

24 May 18:42

GuideCheck 0.3.0 adds Level 4 verifier coverage, Level 5 readiness reporting, hosted public-web hardening warnings, clearer guide-score messaging, and Level 4 package-registry adoption examples. See CHANGELOG.md for details.

GuideCheck v0.2.0

22 May 05:01

Human-Verifiable Assistant Guide profile 0.2.0 and verifier-conformance profile 0.2.0.

This release resolves all open questions from the spec, the verifier-conformance profile, and the roadmap, restructures the spec into an adoption-first document set, and bumps the version to reflect constraint tightenings.

Added

  • ADOPTION.md — practical on-ramp: conformance ladder, level-by-level path, guide-author checklist.
  • operator-guide.md — non-normative defense-in-depth practices.
  • Public append-only transparency log as an independent cross-channel provenance anchor.
  • Reading guide and linked contents at the top of spec.md.

Changed

  • code-executing actions now require explicit approval at Level 3.
  • Guide copies served at both the well-known path and the repository root must be byte-identical.
  • repository-url is defined as the source repository root.
  • Staleness keys off the publisher's valid-until; no arbitrary last-reviewed threshold.
  • Reference verifier and eval harness updated to match.

Removed

  • The Open Questions sections from spec.md and verifier-conformance.md; resolved and future items now live in roadmap.md.

Full detail in CHANGELOG.md. Conformance is not safety: a verifier confirms form, the human confirms meaning.

v0.1.0

22 May 03:59

Initial draft for review.

Specification

  • Human-Verifiable Assistant Guide profile for assistant-guide.txt
  • core artifact, one-artifact bounded-task scope, canonical well-known path
  • strict ASCII byte profile, 8 KiB size cap, 120-byte line and 400-line limits
  • disallowed constructs and Markdown-as-text clarification
  • required sections at Level 3, compact verification instruction at Level 1, assistant invocation prompt content
  • guide metadata block with normative fences, version-range syntax, and field set
  • sidecar manifest provenance model and cross-channel hash publication (DNS TXT, package registry, public repository file, signed security.txt)
  • action classification with seven classes including code-executing, structured [action] blocks, command field restrictions, runner semantics
  • stop-and-ask conditions and canonical approval phrasing
  • threat model, untrusted content handling, integrity-versus-instruction fetch distinction, hard ban on chained guides
  • public information safety and risky pattern guidance
  • five-level conformance ladder including Level 5 runtime-enforced execution
  • discovery surfaces, HTTPS serving requirements, verifier requirements, verifier output schema
  • residual threats and operator defense-in-depth checklist
  • locale handling and final ASCII-only position

Companion documents

  • Verifier Conformance Profile defining public-web and local-file evaluation modes, fetch safety, SSRF defenses, level calculation, output schema, and fixture suite conformance
  • design rationale capturing the reasoning behind the 8 KiB cap, ASCII-only profile, sidecar manifest, cross-channel publication, hard chained-guide ban, and other decisions
  • threat register enumerating network, hosting, provenance, verifier, runtime, user, and availability risk classes
  • JSON Schema for the manifest and verifier output

Project

  • designated standard primary verifier at https://guidecheck.org/verify
  • canonical site at https://guidecheck.org/