plainstamp 0.7.0 → 0.7.2

package/CHANGELOG.md

@@ -16,6 +16,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
 
+## [0.7.2] — 2026-05-08
+
+### Documentation
+
+- README now features the hosted MCP Streamable-HTTP endpoint at `https://plainstamp.helpfulbutton140.workers.dev/mcp` — no install required for clients that prefer the hosted transport.
+- README documents the parallel JSON-over-HTTP API on the same Worker (`/jurisdictions`, `/rules`, `/lookup`, `/validate`) for clients that don't speak MCP.
+- Coverage table refreshed against the live 23-rule corpus and reorganized by jurisdiction tier (federal / state / city / EU). Federal additions now visible in README: EEOC, CFPB, FINRA, HHS Section 1557, FDA PCCP, FCC TCPA. State additions: SB 1120, Tennessee ELVIS Act. EU: GDPR Article 22.
+
+No code changes; npm publish refreshes the README rendered on npmjs.com.
+
+## [0.7.1] — 2026-05-08
+
+### Fixed (cross-runtime compatibility)
+
+- New `setBundledRules(parsed)` export: allows non-Node consumers (Cloudflare Workers, Deno Deploy, browsers) to pre-load the bundled rules object explicitly, avoiding the `node:fs` + `import.meta.url` path that fails in those environments. The recommended pattern is to import the JSON directly: `import rulesJson from "plainstamp/rules/seed.json"; setBundledRules(rulesJson);`. Once the override is set, all of `disclosuresFor`, `executeMcpTool`, `getRuleById`, `listJurisdictions`, etc. work unchanged.
+- The Node fs path is unchanged for Node consumers; this is a strictly additive fix.
+
 ## [0.7.0] — 2026-05-08
 
 ### Added (transport-independent MCP tool module)

package/README.md

@@ -93,6 +93,38 @@ Add to your MCP config:
 
 The server speaks the standard MCP stdio transport. Spawn `npx plainstamp mcp` (or run `node dist/mcp-server.js` from a checkout) and connect to its stdin/stdout.
 
+### Hosted MCP HTTP endpoint
+
+A hosted MCP Streamable-HTTP endpoint runs on Cloudflare Workers — no install required:
+
+```
+https://plainstamp.helpfulbutton140.workers.dev/mcp
+```
+
+It speaks the standard MCP Streamable-HTTP transport (`POST` JSON-RPC, `GET`/`DELETE` per spec) and exposes the same five tools as the stdio server. Stateless, free to call.
+
+## Hosted JSON API
+
+The same Worker also exposes a plain JSON-over-HTTP API at `https://plainstamp.helpfulbutton140.workers.dev` for clients that don't speak MCP:
+
+```
+GET  /                       service info + bundled-rule version
+GET  /health                 liveness probe
+GET  /jurisdictions          list supported jurisdiction ids
+GET  /rules                  list compact rule summaries
+GET  /rules/:id              full rule by id
+GET  /lookup?jurisdiction=&channel=&use_case=
+                             applicable rules + generated text
+POST /validate               { jurisdiction, channel, use_case, candidate_text }
+                             heuristic compliance check
+```
+
+Example:
+
+```bash
+curl "https://plainstamp.helpfulbutton140.workers.dev/lookup?jurisdiction=us-ca&channel=live-chat&use_case=b2c-customer-support"
+```
+
 ## Library
 
 ```ts
@@ -131,24 +163,52 @@ const reports = validateDisclosureForQuery(
 
 ## Coverage
 
+23 rules across 11 jurisdictions, last verified 2026-05-08.
+
+**Federal (US):**
+
+| Rule | Jurisdiction | Effective | Last verified |
+|---|---|---|---|
+| FTC rule on fake reviews and testimonials (16 CFR Part 465) | us | 2024-10-21 | 2026-05-08 |
+| EEOC Title VII technical assistance — AI selection procedures (2023) | us | 2023-05-18 | 2026-05-08 |
+| CFPB Circular 2023-03 — adverse-action notices for AI credit decisions (ECOA / Regulation B) | us | 2023-09-19 | 2026-05-08 |
+| FINRA Regulatory Notice 24-09 — AI in customer communications | us | 2024-06-27 | 2026-05-08 |
+| HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (2024 final rule) | us | 2025-05-01 | 2026-05-08 |
+| FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software | us | 2024-12-04 | 2026-05-08 |
+| FCC Declaratory Ruling — AI-generated voice in robocalls under TCPA (Feb 2024) | us | 2024-02-08 | 2026-05-08 |
+
+**State (US):**
+
 | Rule | Jurisdiction | Effective | Last verified |
 |---|---|---|---|
 | California bot disclosure (B&P § 17941) | us-ca | 2019-07-01 | 2026-05-08 |
-| EU AI Act Article 50(1) — chatbot disclosure | eu | 2026-08-02 | 2026-05-08 |
-| EU AI Act Article 50(2) — AI-generated content labeling | eu | 2026-08-02 | 2026-05-08 |
-| FTC fake reviews/testimonials (16 CFR Part 465) | us | 2024-10-21 | 2026-05-08 |
-| California AI Transparency Act (SB 942) | us-ca | 2026-01-01 | 2026-05-08 |
+| California AI provenance and labeling (SB 942 / AB 2655 family) | us-ca | 2026-01-01 | 2026-05-08 |
+| California AB 2013 — Generative AI Training Data Transparency Act | us-ca | 2026-01-01 | 2026-05-08 |
+| California SB 1120 — Physicians Make Decisions Act (utilization review) | us-ca | 2025-01-01 | 2026-05-08 |
 | Colorado AI Act (SB 24-205) — consumer disclosure | us-co | 2026-06-30 | 2026-05-08 |
 | Utah AI Policy Act (SB 149, as amended by SB 226 / SB 332) | us-ut | 2024-05-01 | 2026-05-08 |
-| Texas TRAIGA (HB 149) — government agency | us-tx | 2026-01-01 | 2026-05-08 |
-| Texas TRAIGA (HB 149) — healthcare provider | us-tx | 2026-01-01 | 2026-05-08 |
+| Texas TRAIGA (HB 149) — government agency disclosure | us-tx | 2026-01-01 | 2026-05-08 |
+| Texas TRAIGA (HB 149) — healthcare-provider disclosure | us-tx | 2026-01-01 | 2026-05-08 |
 | New York AI Companion Models (NY GBL Art. 47, A6767) | us-ny | 2025-11-05 | 2026-05-08 |
 | Illinois Human Rights Act — AI in employment (HB 3773) | us-il | 2026-01-01 | 2026-05-08 |
-| NYC Local Law 144 — Automated Employment Decision Tools | us-ny-nyc | 2023-07-05 | 2026-05-08 |
-| California AB 2013 — Generative AI Training Data Transparency | us-ca | 2026-01-01 | 2026-05-08 |
 | Maryland LE § 3-717 — facial recognition in interviews (HB 1202) | us-md | 2020-10-01 | 2026-05-08 |
+| Tennessee ELVIS Act — voice and likeness protection (HB 2091 / SB 2096) | us-tn | 2024-07-01 | 2026-05-08 |
+
+**City (US):**
+
+| Rule | Jurisdiction | Effective | Last verified |
+|---|---|---|---|
+| NYC Local Law 144 — Automated Employment Decision Tools | us-ny-nyc | 2023-07-05 | 2026-05-08 |
+
+**EU:**
+
+| Rule | Jurisdiction | Effective | Last verified |
+|---|---|---|---|
+| EU AI Act Article 50(1) — chatbot disclosure | eu | 2026-08-02 | 2026-05-08 |
+| EU AI Act Article 50(2) — AI-generated content labeling | eu | 2026-08-02 | 2026-05-08 |
+| EU GDPR Article 22 — automated decision-making rights | eu | 2018-05-25 | 2026-05-08 |
 
-Coverage will expand to EU member-state implementations and sector-specific rules (healthcare, financial services). See [`CHANGELOG.md`](CHANGELOG.md).
+Coverage continues to expand. See [`CHANGELOG.md`](CHANGELOG.md).
 
 ## Disclaimers
 

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { lookup, generateDisclosureText, validateDisclosure, } from "./lookup.js";
-export { loadBundledRules, loadRulesFromPath } from "./rules-loader.js";
+export { loadBundledRules, loadRulesFromPath, setBundledRules, } from "./rules-loader.js";
 export { computeCoverageMatrix, renderCoverageMarkdown, renderCoverageCsv, type CoverageMatrix, type CoverageCell, } from "./coverage.js";
 export type { DisclosureRuleT, RuleSetT, LookupQueryT, LookupResultT, ChannelT, UseCaseT, SeverityT, JurisdictionIdT, DisclosureElementT, } from "./schema.js";
 export { Channel, UseCase, Severity, JurisdictionId, LookupQuery, DisclosureElement, DisclosureRule, RuleSet, } from "./schema.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACxE,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,EACjB,KAAK,cAAc,EACnB,KAAK,YAAY,GAClB,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,eAAe,EACf,QAAQ,EACR,YAAY,EACZ,aAAa,EACb,QAAQ,EACR,QAAQ,EACR,SAAS,EACT,eAAe,EACf,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,OAAO,EACP,OAAO,EACP,QAAQ,EACR,cAAc,EACd,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,OAAO,GACR,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,QAAQ,EACR,cAAc,EACd,KAAK,iBAAiB,EACtB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AAIxB,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhF;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,YAAY,GAAG,aAAa,EAAE,CAEnE;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,IAAI,MAAM,EAAE,CAK5C;AAED,uDAAuD;AACvD,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAGnE;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,KAAK,EAAE,YAAY,EACnB,aAAa,EAAE,MAAM;;;;;IAKtB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,EACjB,KAAK,cAAc,EACnB,KAAK,YAAY,GAClB,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,eAAe,EACf,QAAQ,EACR,YAAY,EACZ,aAAa,EACb,QAAQ,EACR,QAAQ,EACR,SAAS,EACT,eAAe,EACf,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,OAAO,EACP,OAAO,EACP,QAAQ,EACR,cAAc,EACd,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,OAAO,GACR,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,QAAQ,EACR,cAAc,EACd,KAAK,iBAAiB,EACtB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AAIxB,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhF;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,YAAY,GAAG,aAAa,EAAE,CAEnE;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,IAAI,MAAM,EAAE,CAK5C;AAED,uDAAuD;AACvD,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAGnE;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,KAAK,EAAE,YAAY,EACnB,aAAa,EAAE,MAAM;;;;;IAKtB"}

package/dist/index.js

@@ -1,5 +1,5 @@
 export { lookup, generateDisclosureText, validateDisclosure, } from "./lookup.js";
-export { loadBundledRules, loadRulesFromPath } from "./rules-loader.js";
+export { loadBundledRules, loadRulesFromPath, setBundledRules, } from "./rules-loader.js";
 export { computeCoverageMatrix, renderCoverageMarkdown, renderCoverageCsv, } from "./coverage.js";
 export { Channel, UseCase, Severity, JurisdictionId, LookupQuery, DisclosureElement, DisclosureRule, RuleSet, } from "./schema.js";
 export { mcpTools, executeMcpTool, } from "./mcp-tools.js";

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACxE,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AAYvB,OAAO,EACL,OAAO,EACP,OAAO,EACP,QAAQ,EACR,cAAc,EACd,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,OAAO,GACR,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,QAAQ,EACR,cAAc,GAGf,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,MAAM,IAAI,QAAQ,EAAE,kBAAkB,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAGnF;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAmB;IAChD,OAAO,QAAQ,CAAC,gBAAgB,EAAE,EAAE,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,WAAW,CAAC,EAAU;IACpC,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAmB,EACnB,aAAqB;IAErB,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC1C,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC;AAClE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AAYvB,OAAO,EACL,OAAO,EACP,OAAO,EACP,QAAQ,EACR,cAAc,EACd,WAAW,EACX,iBAAiB,EACjB,cAAc,EACd,OAAO,GACR,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,QAAQ,EACR,cAAc,GAGf,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,MAAM,IAAI,QAAQ,EAAE,kBAAkB,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAGnF;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAmB;IAChD,OAAO,QAAQ,CAAC,gBAAgB,EAAE,EAAE,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,WAAW,CAAC,EAAU;IACpC,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAmB,EACnB,aAAqB;IAErB,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC1C,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC;AAClE,CAAC"}

package/dist/rules-loader.d.ts

@@ -1,8 +1,30 @@
 import { type RuleSetT } from "./schema.js";
 /**
- * Loads and validates the bundled seed rules. Throws on schema violation —
- * an invalid rules file is a hard failure because the product's correctness
- * depends on it.
+ * Provide the bundled rules object explicitly. Useful in environments
+ * where `import.meta.url`-based filesystem reads are unavailable or
+ * unreliable (Cloudflare Workers, Deno Deploy, browsers): the caller
+ * imports `plainstamp/rules/seed.json` directly and hands the parsed
+ * object to this function before any other plainstamp lookup.
+ *
+ * Idempotent. Calling with `null` clears the override.
+ *
+ * @example
+ *   import rulesJson from "plainstamp/rules/seed.json";
+ *   import { setBundledRules, executeMcpTool } from "plainstamp";
+ *   setBundledRules(rulesJson);
+ */
+export declare function setBundledRules(rules: unknown | null): void;
+/**
+ * Loads and validates the bundled seed rules. If `setBundledRules()`
+ * has been called, returns that override. Otherwise reads from the
+ * package's `rules/seed.json` file via `node:fs` + `import.meta.url`.
+ *
+ * Throws on schema violation — an invalid rules file is a hard
+ * failure because the product's correctness depends on it.
+ *
+ * In non-Node environments (Workers, browsers), `import.meta.url` may
+ * not resolve to a usable path; in that case, callers MUST set the
+ * override via `setBundledRules()` before any lookup.
  */
 export declare function loadBundledRules(): RuleSetT;
 /** Loads rules from an arbitrary path. Useful for tests and for callers that maintain their own rules feed. */

package/dist/rules-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rules-loader.d.ts","sourceRoot":"","sources":["../src/rules-loader.ts"],"names":[],"mappings":"AAGA,OAAO,EAAW,KAAK,QAAQ,EAAE,MAAM,aAAa,CAAC;AAIrD;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,QAAQ,CAK3C;AAED,+GAA+G;AAC/G,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAIxD"}
+{"version":3,"file":"rules-loader.d.ts","sourceRoot":"","sources":["../src/rules-loader.ts"],"names":[],"mappings":"AAGA,OAAO,EAAW,KAAK,QAAQ,EAAE,MAAM,aAAa,CAAC;AAIrD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,GAAG,IAAI,CAE3D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,IAAI,QAAQ,CAO3C;AAED,+GAA+G;AAC/G,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAIxD"}

package/dist/rules-loader.js

@@ -2,13 +2,40 @@ import { readFileSync } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { dirname, join } from "node:path";
 import { RuleSet } from "./schema.js";
-const here = dirname(fileURLToPath(import.meta.url));
+let bundledRulesOverride = null;
 /**
- * Loads and validates the bundled seed rules. Throws on schema violation —
- * an invalid rules file is a hard failure because the product's correctness
- * depends on it.
+ * Provide the bundled rules object explicitly. Useful in environments
+ * where `import.meta.url`-based filesystem reads are unavailable or
+ * unreliable (Cloudflare Workers, Deno Deploy, browsers): the caller
+ * imports `plainstamp/rules/seed.json` directly and hands the parsed
+ * object to this function before any other plainstamp lookup.
+ *
+ * Idempotent. Calling with `null` clears the override.
+ *
+ * @example
+ *   import rulesJson from "plainstamp/rules/seed.json";
+ *   import { setBundledRules, executeMcpTool } from "plainstamp";
+ *   setBundledRules(rulesJson);
+ */
+export function setBundledRules(rules) {
+    bundledRulesOverride = rules === null ? null : RuleSet.parse(rules);
+}
+/**
+ * Loads and validates the bundled seed rules. If `setBundledRules()`
+ * has been called, returns that override. Otherwise reads from the
+ * package's `rules/seed.json` file via `node:fs` + `import.meta.url`.
+ *
+ * Throws on schema violation — an invalid rules file is a hard
+ * failure because the product's correctness depends on it.
+ *
+ * In non-Node environments (Workers, browsers), `import.meta.url` may
+ * not resolve to a usable path; in that case, callers MUST set the
+ * override via `setBundledRules()` before any lookup.
  */
 export function loadBundledRules() {
+    if (bundledRulesOverride !== null)
+        return bundledRulesOverride;
+    const here = dirname(fileURLToPath(import.meta.url));
     const path = join(here, "..", "rules", "seed.json");
     const raw = readFileSync(path, "utf-8");
     const parsed = JSON.parse(raw);

package/dist/rules-loader.js.map

@@ -1 +1 @@
-{"version":3,"file":"rules-loader.js","sourceRoot":"","sources":["../src/rules-loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAiB,MAAM,aAAa,CAAC;AAErD,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAErD;;;;GAIG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,+GAA+G;AAC/G,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC"}
+{"version":3,"file":"rules-loader.js","sourceRoot":"","sources":["../src/rules-loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAiB,MAAM,aAAa,CAAC;AAErD,IAAI,oBAAoB,GAAoB,IAAI,CAAC;AAEjD;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAAC,KAAqB;IACnD,oBAAoB,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACtE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,gBAAgB;IAC9B,IAAI,oBAAoB,KAAK,IAAI;QAAE,OAAO,oBAAoB,CAAC;IAC/D,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,+GAA+G;AAC/G,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC"}

package/dist/watcher/sources/federal-register.d.ts

@@ -1,13 +1,21 @@
 import type { Source } from "../types.js";
 /**
- * Federal Register source. Fetches recent rules and proposed rules matching
- * a search term (default: "artificial intelligence"). The Federal Register
- * search is permissive — results often include items only tangentially
- * related — so the orchestrator should treat new articles as candidates for
- * review rather than guaranteed plainstamp-relevant updates.
+ * Federal Register source. Fetches recent rules, proposed rules, agency
+ * notices, and presidential documents matching a search term (default:
+ * "artificial intelligence"). The Federal Register search is permissive —
+ * results often include items only tangentially related — so the
+ * orchestrator should treat new articles as candidates for review rather
+ * than guaranteed plainstamp-relevant updates.
+ *
+ * Notices and presidential documents are included alongside rules and
+ * proposed rules because much actionable AI regulatory activity (FCC
+ * declaratory rulings, OCC bulletins, OMB memoranda, executive orders)
+ * appears in those categories rather than in formal rulemaking.
  */
 export declare function federalRegisterSource(opts?: {
     searchTerm?: string;
     perPage?: number;
+    /** Override the default doc-type filter. Defaults to RULE + PRORULE + NOTICE + PRESDOCU. */
+    types?: ReadonlyArray<"RULE" | "PRORULE" | "NOTICE" | "PRESDOCU">;
 }): Source;
 //# sourceMappingURL=federal-register.d.ts.map

package/dist/watcher/sources/federal-register.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"federal-register.d.ts","sourceRoot":"","sources":["../../../src/watcher/sources/federal-register.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,aAAa,CAAC;AAmBnD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,CAAC,EAAE;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,MAAM,CAsCT"}
+{"version":3,"file":"federal-register.d.ts","sourceRoot":"","sources":["../../../src/watcher/sources/federal-register.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,aAAa,CAAC;AAmBnD;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,CAAC,EAAE;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4FAA4F;IAC5F,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,UAAU,CAAC,CAAC;CACnE,GAAG,MAAM,CAwCT"}

package/dist/watcher/sources/federal-register.js

@@ -1,23 +1,31 @@
 const ENDPOINT = "https://www.federalregister.gov/api/v1/articles.json";
 /**
- * Federal Register source. Fetches recent rules and proposed rules matching
- * a search term (default: "artificial intelligence"). The Federal Register
- * search is permissive — results often include items only tangentially
- * related — so the orchestrator should treat new articles as candidates for
- * review rather than guaranteed plainstamp-relevant updates.
+ * Federal Register source. Fetches recent rules, proposed rules, agency
+ * notices, and presidential documents matching a search term (default:
+ * "artificial intelligence"). The Federal Register search is permissive —
+ * results often include items only tangentially related — so the
+ * orchestrator should treat new articles as candidates for review rather
+ * than guaranteed plainstamp-relevant updates.
+ *
+ * Notices and presidential documents are included alongside rules and
+ * proposed rules because much actionable AI regulatory activity (FCC
+ * declaratory rulings, OCC bulletins, OMB memoranda, executive orders)
+ * appears in those categories rather than in formal rulemaking.
  */
 export function federalRegisterSource(opts) {
     const term = opts?.searchTerm ?? "artificial intelligence";
     const perPage = opts?.perPage ?? 20;
+    const types = opts?.types ?? ["RULE", "PRORULE", "NOTICE", "PRESDOCU"];
     const id = `federal-register-${term.replace(/[^a-z0-9]+/gi, "-").toLowerCase()}`;
     return {
         id,
-        description: `Federal Register articles (Rules and Proposed Rules) matching "${term}"`,
+        description: `Federal Register articles (${types.join(", ")}) matching "${term}"`,
         async fetch() {
             const url = new URL(ENDPOINT);
             url.searchParams.set("conditions[term]", term);
-            url.searchParams.append("conditions[type][]", "RULE");
-            url.searchParams.append("conditions[type][]", "PRORULE");
+            for (const t of types) {
+                url.searchParams.append("conditions[type][]", t);
+            }
             url.searchParams.set("per_page", String(perPage));
             url.searchParams.set("order", "newest");
             const res = await fetch(url.toString());

package/dist/watcher/sources/federal-register.js.map

@@ -1 +1 @@
-{"version":3,"file":"federal-register.js","sourceRoot":"","sources":["../../../src/watcher/sources/federal-register.ts"],"names":[],"mappings":"AAEA,MAAM,QAAQ,GAAG,sDAAsD,CAAC;AAiBxE;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAGrC;IACC,MAAM,IAAI,GAAG,IAAI,EAAE,UAAU,IAAI,yBAAyB,CAAC;IAC3D,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;IACpC,MAAM,EAAE,GAAG,oBAAoB,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;IAEjF,OAAO;QACL,EAAE;QACF,WAAW,EAAE,kEAAkE,IAAI,GAAG;QACtF,KAAK,CAAC,KAAK;YACT,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC9B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;YAC/C,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;YACtD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,oBAAoB,EAAE,SAAS,CAAC,CAAC;YACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAExC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CACb,sCAAsC,GAAG,CAAC,MAAM,QAAQ,GAAG,CAAC,QAAQ,EAAE,EAAE,CACzE,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAe,CAAC;YAC9C,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9B,EAAE,EAAE,CAAC,CAAC,eAAe;gBACrB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,GAAG,EAAE,CAAC,CAAC,QAAQ;gBACf,WAAW,EAAE,CAAC,CAAC,gBAAgB;gBAC/B,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS;oBACjD,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;oBACzB,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS;oBAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE;oBAC7C,CAAC,CAAC,EAAE,CAAC;gBACP,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;aACxB,CAAC,CAAC,CAAC;QACN,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"federal-register.js","sourceRoot":"","sources":["../../../src/watcher/sources/federal-register.ts"],"names":[],"mappings":"AAEA,MAAM,QAAQ,GAAG,sDAAsD,CAAC;AAiBxE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAKrC;IACC,MAAM,IAAI,GAAG,IAAI,EAAE,UAAU,IAAI,yBAAyB,CAAC;IAC3D,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;IACvE,MAAM,EAAE,GAAG,oBAAoB,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;IAEjF,OAAO;QACL,EAAE;QACF,WAAW,EAAE,8BAA8B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,GAAG;QACjF,KAAK,CAAC,KAAK;YACT,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC9B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;YAC/C,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;YACnD,CAAC;YACD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAExC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CACb,sCAAsC,GAAG,CAAC,MAAM,QAAQ,GAAG,CAAC,QAAQ,EAAE,EAAE,CACzE,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAe,CAAC;YAC9C,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9B,EAAE,EAAE,CAAC,CAAC,eAAe;gBACrB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,GAAG,EAAE,CAAC,CAAC,QAAQ;gBACf,WAAW,EAAE,CAAC,CAAC,gBAAgB;gBAC/B,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,IAAI,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS;oBACjD,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;oBACzB,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS;oBAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE;oBAC7C,CAAC,CAAC,EAAE,CAAC;gBACP,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;aACxB,CAAC,CAAC,CAAC;QACN,CAAC;KACF,CAAC;AACJ,CAAC"}

package/docs/guides/hhs-section-1557-pcdst-builder-guide.md

@@ -0,0 +1,268 @@
+# HHS Section 1557 (Patient Care Decision Support Tools): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your healthcare organization deploys an AI/ML clinical decision-support
+tool — sepsis risk scores, discharge risk models, prior-auth scoring, AI
+triage chatbots, anything that informs a care decision — and the
+organization receives any federal financial assistance (Medicare,
+Medicaid, federally-qualified health center funding, etc.), HHS Section
+1557's **Patient Care Decision Support Tool (PCDST) nondiscrimination
+rule** applies to you. The rule has been enforceable since **May 1, 2025**
+and is one of the most concrete federal AI compliance regimes operating
+today. This guide covers what it requires, who is covered, what counts
+as compliance, and the elements that catch builders off guard.
+
+## What 45 CFR § 92.210 actually requires
+
+On May 6, 2024, the U.S. Department of Health and Human Services Office
+for Civil Rights (HHS OCR) published a final rule (89 Fed. Reg. 37522)
+implementing Section 1557 of the Affordable Care Act (42 U.S.C. § 18116).
+The rule, codified at 45 CFR Part 92 and effective in stages with PCDST
+enforcement starting May 1, 2025, imposes nondiscrimination obligations
+on covered entities' use of "patient care decision support tools" — a
+deliberately broad category that **includes AI/ML-based clinical
+decision support**.
+
+A covered entity must:
+
+1. **Identify uses of PCDSTs** in its health programs and activities that
+   employ input variables or factors that measure race, color, national
+   origin, sex, age, or disability.
+2. **Mitigate the risk of discrimination** resulting from each such tool's
+   use.
+
+Both obligations are framed as "reasonable efforts" — OCR has stated in
+commentary that what is reasonable scales with the entity's size, resources,
+and the tool's risk profile. But documentation of those efforts is essential.
+
+Penalties: loss of federal financial assistance, OCR-imposed corrective
+action plans, potential private right-of-action discrimination claims,
+and reputational fallout. OCR has historically taken Section 1557 seriously
+in enforcement.
+
+## What's a "PCDST" — and why it sweeps in basically every clinical AI
+
+OCR's definition of patient care decision support tool is broad on
+purpose:
+
+> *"any automated or non-automated tool, mechanism, method, technology,
+> or combination thereof used by a covered entity to support clinical
+> decision-making in its health programs or activities."*
+
+This explicitly includes:
+
+- **AI/ML clinical decision support** tools (the central focus of OCR's
+  commentary).
+- **Rule-based scoring algorithms** (e.g., MEWS, NEWS, qSOFA, CHA₂DS₂-VASc).
+- **Tools that consume race, sex, age, etc. as input variables** — the
+  Epic Sepsis Model, the Beth Israel Deaconess Discharge Risk Score, and
+  many commonly-deployed risk scores.
+- **Tools that produce clinical scores** even where the underlying
+  computation is non-AI. Statistical models count.
+- **Triage and routing tools** that affect access to clinical resources.
+
+The "non-automated" inclusion is significant: paper-based scoring sheets
+that a clinician uses to allocate care also count. The rule is not
+specific to digital tools.
+
+Three definitional gotchas:
+
+- **"Used by a covered entity to support clinical decision-making."** A
+  tool merely available in the EHR but never actually consulted in a
+  clinical decision is arguably not in scope. A tool that's part of any
+  routine workflow — even informally — is in scope.
+- **"Input variables or factors that measure race, color, national origin,
+  sex, age, or disability."** This is broader than just having a literal
+  "race" field. Tools that use ZIP code (proxy for race), insurance type
+  (proxy for income/national origin), or chronic condition counts (proxy
+  for disability) are within the identification obligation.
+- **OCR's "reasonable efforts" standard scales but doesn't disappear.**
+  A small rural clinic doesn't have the same compliance burden as a
+  major academic medical center, but both must do something.
+
+## Who is a "covered entity"
+
+Section 1557 applies broadly to any health program or activity that
+receives federal financial assistance. In practice this includes:
+
+- **Most healthcare providers** that participate in Medicare or Medicaid
+  (effectively almost all hospitals, most physician practices, most
+  long-term care facilities).
+- **Federally-qualified health centers** and their clinical operations.
+- **Health insurers in HHS-administered marketplaces** (and many
+  Medicaid managed care organizations).
+- **HHS-administered programs** themselves (Indian Health Service, etc.).
+- **Any program receiving federal grants** with health-related components.
+
+Three exclusions to know about:
+
+- **ERISA self-funded employer health plans** that don't otherwise
+  receive federal financial assistance are typically outside Section 1557
+  (though they may have parallel obligations under ERISA + state law).
+- **Cash-only or fully-private practices** that decline all federal
+  funding may be outside Section 1557 (rare; most providers participate
+  in Medicare).
+- **Federal contractors providing non-health services** — not in scope
+  even if their contractor receives federal money.
+
+## What "reasonable efforts" actually looks like
+
+OCR commentary and informal guidance suggest a **risk-tiered approach**:
+
+**Higher-risk tools (more documentation expected):**
+- Tools that explicitly use race, sex, age, or disability as input
+  variables.
+- Tools used in life-threatening contexts (sepsis prediction, organ
+  transplant risk).
+- Tools that affect resource allocation across patients (ICU bed
+  triage, transplant priority).
+
+**Lower-risk tools (lighter documentation acceptable):**
+- Tools that don't use protected-class variables.
+- Tools that surface information without producing a ranking or score.
+- Tools whose output is one of many factors in a clinician's
+  unstructured judgment.
+
+Concrete documentation to maintain for each PCDST:
+
+1. **Tool inventory entry** — name, vendor, purpose, deployment date,
+   input variables (with notation of any protected-class factors), use
+   cases, decision contexts.
+2. **Mitigation documentation** — what the entity has done to identify
+   and mitigate the risk of discriminatory output. Examples: vendor's
+   bias-audit report, internal performance comparison across protected
+   classes, threshold adjustments, monitoring dashboards.
+3. **Designation** — the Civil Rights Coordinator (a Section 1557 §
+   92.7 requirement) is responsible for PCDST nondiscrimination.
+4. **Periodic review** — at least annual review of the tool's
+   performance, documented.
+
+## The patient-facing element (most builders miss this)
+
+The PCDST rule's primary obligation is *governance-side* — identification
+and mitigation. But where the entity exposes AI-informed decisions to
+patients (or where notice-of-availability obligations under § 92.11 apply),
+a **patient-facing notice** that automated tools may inform clinical
+decisions is also expected. The notice typically lives in:
+
+- The Section 1557 notice of nondiscrimination (printed and posted
+  per § 92.10).
+- Patient-facing materials about specific decisions (denial letters,
+  triage explanations).
+
+Plain-language template:
+
+> *"Notice — Use of Decision-Support Tools in Your Care: Some clinical
+> decisions in your care may be informed by automated decision-support
+> tools, including artificial-intelligence and machine-learning systems.
+> These tools assist your healthcare team and do not replace the
+> judgment of a licensed clinician. You have the right to discuss any
+> care decision with your provider. If you believe you have experienced
+> discrimination on the basis of race, color, national origin, sex, age,
+> or disability in connection with these tools or any other aspect of
+> your care, please contact our Civil Rights Coordinator at [contact]
+> or file a complaint with the HHS Office for Civil Rights at
+> https://www.hhs.gov/ocr/."*
+
+## How Section 1557 stacks with other rules
+
+Section 1557 is the federal floor for healthcare AI nondiscrimination.
+Builders deploying AI/ML clinical tools at scale need to layer:
+
+- **California SB 1120 (Physicians Make Decisions Act)** — adds a
+  *procedural* requirement: AI used in utilization review for medical
+  necessity must be reviewed by a licensed physician considering the
+  enrollee's clinical circumstances. Effective January 1, 2025.
+  California-specific.
+- **FDA Predetermined Change Control Plans (FD&C Act § 515C, December
+  2024 final guidance)** — applies to AI/ML medical devices that have
+  been cleared/authorized by FDA. Adds device-labeling AI/ML disclosure
+  obligations.
+- **HIPAA Privacy Rule (45 CFR Part 164)** — separate privacy regime.
+  Section 1557 doesn't change HIPAA; both apply.
+- **State medical-board rules** on AI in scope of practice (Texas,
+  several others have specific scope-of-practice rules for AI).
+- **EU AI Act + GDPR Art. 22** — for any care delivered to EU residents,
+  including telehealth.
+- **NIST AI RMF + healthcare-sector profile** — voluntary but widely
+  treated as a benchmark by hospital AI committees.
+
+## Common compliance pitfalls
+
+- **Treating "vendor said the model was bias-audited" as enough.** OCR
+  commentary expects the covered entity to do its own due diligence;
+  vendor audits are an input, not a substitute.
+- **Forgetting non-AI tools.** The rule covers any decision-support
+  tool, not just AI. Rule-based scoring tools that use protected-class
+  variables are within scope.
+- **Documenting only the highest-risk tools.** OCR expects an
+  identification process for *all* PCDSTs, even if most have minimal
+  mitigation documentation.
+- **No designated Civil Rights Coordinator with PCDST awareness.** The
+  Coordinator role under § 92.7 needs to know about the entity's AI/ML
+  tools; siloing AI governance from CRC creates compliance gaps.
+- **Skipping the patient-facing language** under the assumption that
+  PCDST obligations are purely governance. Where AI informs decisions
+  exposed to patients, notice is expected.
+- **Annual review never happens.** Documentation that the tool's
+  performance is monitored and reviewed is part of the "reasonable
+  efforts" standard.
+
+## How plainstamp helps
+
+`plainstamp` ships an `us-hhs-section-1557-pcdst-2024` rule that
+returns the live disclosure-element checklist for the PCDST regime,
+plain-language and formal-language patient-facing notices, citation
+back to 45 CFR § 92.210 + the Federal Register source URL, and a
+`last_verified` date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us \
+                      --channel ai-generated-content \
+                      --use-case healthcare
+```
+
+Returns the Section 1557 PCDST rule. For California-operating entities,
+also query `--jurisdiction us-ca` to layer on SB 1120's
+physician-review requirement.
+
+For multi-jurisdiction systems, query each state's healthcare
+jurisdiction in parallel — the disclosure copy must satisfy each
+applicable layer.
+
+## The minimum viable compliance posture
+
+If your organization is starting from zero on PCDST nondiscrimination,
+ship these four artifacts in order:
+
+1. **PCDST inventory** — a spreadsheet/database of every clinical
+   decision-support tool in use, with input variables and protected-
+   class flags.
+2. **Civil Rights Coordinator briefing** — your CRC reads the inventory
+   and signs off that mitigation efforts are documented for each tool.
+3. **Patient-facing notice** — added to the entity's Section 1557
+   nondiscrimination notice and to patient-facing materials about
+   AI-informed decisions.
+4. **Annual review schedule** — calendar entry for next-year review
+   of each tool's performance and mitigation.
+
+Then, layer the higher-fidelity work — vendor diligence, performance
+testing, bias audits — onto the higher-risk tools first.
+
+## Source-of-truth links
+
+- **45 CFR § 92.210 (PCDST nondiscrimination)** ([ecfr.gov](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-A/part-92/subpart-C/section-92.210))
+- **HHS OCR final rule, May 6, 2024 (89 Fed. Reg. 37522)** ([federalregister.gov](https://www.federalregister.gov/documents/2024/05/06/2024-08711/nondiscrimination-in-health-programs-and-activities))
+- **Section 1557 of the ACA (42 U.S.C. § 18116)** ([uscode.house.gov](https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section18116&num=0&edition=prelim))
+- **HHS OCR Section 1557 program page** ([hhs.gov/ocr](https://www.hhs.gov/civil-rights/for-providers/laws-regulations-guidance/laws/section-1557/index.html))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp`](https://plainstamp.pages.dev/)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",