plainstamp 0.7.6 → 0.7.8

package/CHANGELOG.md

@@ -16,6 +16,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
 
+## [0.7.8] — 2026-05-09
+
+### Documentation
+
+- README adds a "Builder's guides" section above the rule corpus listing, organized by compliance vertical (financial services, healthcare, employment, voice agent, EU, state-specific). Twelve long-form guides linked, each grounded in regulator-published source text. The guides index also lives at https://plainstamp.pages.dev/guides/.
+- No code changes; npm publish refreshes the README rendered on npmjs.com.
+
+## [0.7.7] — 2026-05-09
+
+### Fixed (URL-monitor stabilization, round 3 — JSF random ids)
+
+- `normalizeForHash` now strips JSF random element ids: `id="s\d+\.<random>"` (CA leginfo's billNavClient/billTextClient pages emit per-request random decimal suffixes on `s10.<num>`-style section ids) and `id="j_id<digits-or-underscores>(:<segments>)*"` (JSF auto-generated structural ids).
+- Tests: 63/63 passing (added 2 new normalization tests targeting the JSF id patterns).
+
 ## [0.7.6] — 2026-05-09
 
 ### Fixed (URL-monitor stabilization, round 2)

package/README.md

@@ -154,6 +154,38 @@ const reports = validateDisclosureForQuery(
 );
 ```
 
+## Builder's guides
+
+Long-form, citation-grounded guides organized by compliance vertical.
+Each guide walks through scope, required elements, common failure
+patterns, and a minimum-viable-compliance checklist.
+
+**Financial services AI**
+- [CFPB Circular 2023-03 — adverse-action notices for AI credit decisions](https://plainstamp.pages.dev/guides/cfpb-circular-2023-03-ai-adverse-action-builder-guide/)
+- [FINRA RN 24-09 — AI in customer communications](https://plainstamp.pages.dev/guides/finra-rn-24-09-ai-customer-communications-builder-guide/)
+
+**Healthcare AI**
+- [HHS Section 1557 (Patient Care Decision Support Tools)](https://plainstamp.pages.dev/guides/hhs-section-1557-pcdst-builder-guide/)
+- [FDA PCCP for AI/ML medical devices](https://plainstamp.pages.dev/guides/fda-pccp-aiml-medical-device-builder-guide/)
+- [Texas TRAIGA HB 149 — government and healthcare tracks](https://plainstamp.pages.dev/guides/texas-traiga-hb-149-builder-guide/)
+
+**Employment AI**
+- [EEOC Title VII AI selection procedures](https://plainstamp.pages.dev/guides/eeoc-title-vii-ai-employment-builder-guide/)
+- [NYC Local Law 144 (AEDT)](https://plainstamp.pages.dev/guides/nyc-local-law-144-aedt-builder-guide/)
+
+**Voice agent / outbound calling**
+- [FCC TCPA AI-voice robocall ruling](https://plainstamp.pages.dev/guides/fcc-tcpa-ai-voice-robocall-builder-guide/)
+
+**EU compliance**
+- [EU AI Act Article 50](https://plainstamp.pages.dev/guides/eu-ai-act-article-50-builder-guide/)
+
+**State-specific deep dives**
+- [California bot disclosure (B&P § 17941)](https://plainstamp.pages.dev/guides/california-bot-disclosure-bp-17941-builder-guide/)
+- [Colorado AI Act SB 24-205](https://plainstamp.pages.dev/guides/colorado-ai-act-sb-24-205-builder-guide/)
+- [EU AI Act Article 50 — chatbot disclosure (focused)](https://plainstamp.pages.dev/guides/eu-ai-act-article-50-chatbot-disclosure/)
+
+[See all guides →](https://plainstamp.pages.dev/guides/)
+
 ## How matching works
 
 - **Jurisdiction.** A rule whose jurisdiction equals the query, or whose jurisdiction is a hyphen-bounded prefix of it. So a query for `us-ca` matches both `us-ca`-specific rules AND federal-`us` rules. A query for `us` does NOT match `us-ca`-specific rules — federal-only.

package/dist/watcher/sources/url-monitor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"url-monitor.d.ts","sourceRoot":"","sources":["../../../src/watcher/sources/url-monitor.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,aAAa,CAAC;AAGnD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,iEAAiE;IACjE,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB,GAAG,MAAM,CAkCT;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsCrD;AAED;;;;;;;;GAQG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,CAAC,EAAE;IAC9C,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB,GAAG,MAAM,CAUT;AAED,mIAAmI;AACnI,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhD"}
+{"version":3,"file":"url-monitor.d.ts","sourceRoot":"","sources":["../../../src/watcher/sources/url-monitor.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,aAAa,CAAC;AAGnD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,iEAAiE;IACjE,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB,GAAG,MAAM,CAkCT;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CA+CrD;AAED;;;;;;;;GAQG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,CAAC,EAAE;IAC9C,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CACxB,GAAG,MAAM,CAUT;AAED,mIAAmI;AACnI,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhD"}

package/dist/watcher/sources/url-monitor.js

@@ -98,6 +98,15 @@ export function normalizeForHash(html) {
     // Cloudflare email-protection rotating-hex fragments. The path is
     // stable; the fragment after `#` rotates per request.
     s = s.replace(/(\/cdn-cgi\/l\/email-protection)#[0-9a-fA-F]+/g, "$1#");
+    // JSF-generated random section IDs. CA legislature's leginfo emits
+    // `id="s10.<random-decimal>"` per request. The numeric prefix
+    // (s10, s11, etc.) is stable across the page; only the decimal
+    // suffix rotates. Strip the suffix to stabilize.
+    s = s.replace(/(\bid\s*=\s*["']s\d+)\.\d+(["'])/gi, "$1$2");
+    // JSF auto-generated `j_id...` element ids — purely structural,
+    // typically stable but can rotate when the JSF state model changes
+    // between requests. Matches `j_id1`, `j_id_1`, `j_id1:foo`, etc.
+    s = s.replace(/(\bid\s*=\s*["'])j_id[_\d]+(?::[\w.]+)*(["'])/gi, "$1j_id$2");
     // CSRF / session-token meta tags (Rails-style "csrf-token", "csrf-param",
     // ASP.NET "RequestVerificationToken", etc.).
     s = s.replace(/<meta\b[^>]*(?:name|property)\s*=\s*["'][^"']*(?:csrf|authenticity|requestverification|session-?id|api-?token|ws-token)[^"']*["'][^>]*\/?\s*>/gi, "");

package/dist/watcher/sources/url-monitor.js.map

@@ -1 +1 @@
-{"version":3,"file":"url-monitor.js","sourceRoot":"","sources":["../../../src/watcher/sources/url-monitor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAMhC;IACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,KAAK,CAAC;IACtC,MAAM,KAAK,GAAG,GAAW,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAElE,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,CAAC,KAAK;YACT,MAAM,QAAQ,GAAc,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;oBACvD,IAAI,CAAC,GAAG,CAAC,EAAE;wBAAE,SAAS;oBACtB,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;oBAC7B,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;oBACzC,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;oBACrC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,GAAG,IAAI,IAAI,EAAE;wBACpB,KAAK,EAAE,GAAG;wBACV,GAAG;wBACH,WAAW,EAAE,KAAK,EAAE;wBACpB,KAAK,EAAE;4BACL,YAAY,EAAE,IAAI;4BAClB,cAAc,EAAE,GAAG,CAAC,MAAM;4BAC1B,iBAAiB,EAAE,UAAU,CAAC,MAAM;yBACrC;qBACF,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,6EAA6E;gBAC/E,CAAC;YACH,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,IAAI,CAAC,GAAG,IAAI,CAAC;IACb,8DAA8D;IAC9D,kDAAkD;IAClD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC,CAAC;IACzD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IACtC,mEAAmE;IACnE,qEAAqE;IACrE,mCAAmC;IACnC,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,4IAA4I,EAC5I,EAAE,CACH,CAAC;IACF,iEAAiE;IACjE,sDAAsD;IACtD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,qCAAqC,EAAE,SAAS,CAAC,CAAC;IAChE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,qCAAqC,EAAE,OAAO,CAAC,CAAC;IAC9D,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,6EAA6E,EAAE,SAAS,CAAC,CAAC;IACxG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,6EAA6E,EAAE,OAAO,CAAC,CAAC;IACtG,kEAAkE;IAClE,sDAAsD;IACtD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,gDAAgD,EAAE,KAAK,CAAC,CAAC;IACvE,0EAA0E;IAC1E,6CAA6C;IAC7C,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,iJAAiJ,EACjJ,EAAE,CACH,CAAC;IACF,+BAA+B;IAC/B,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,oJAAoJ,EACpJ,EAAE,CACH,CAAC;IACF,kEAAkE;IAClE,2CAA2C;IAC3C,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAClC,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAExC;IACC,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACzE,OAAO,gBAAgB,CAAC;QACtB,EAAE,EAAE,qBAAqB;QACzB,WAAW,EACT,8LAA8L;QAChM,IAAI;QACJ,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClE,CAAC,CAAC;AACL,CAAC;AAED,mIAAmI;AACnI,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACtE,CAAC"}
+{"version":3,"file":"url-monitor.js","sourceRoot":"","sources":["../../../src/watcher/sources/url-monitor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAEzD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAMhC;IACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,KAAK,CAAC;IACtC,MAAM,KAAK,GAAG,GAAW,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAElE,OAAO;QACL,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,KAAK,CAAC,KAAK;YACT,MAAM,QAAQ,GAAc,EAAE,CAAC;YAC/B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;oBACvD,IAAI,CAAC,GAAG,CAAC,EAAE;wBAAE,SAAS;oBACtB,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;oBAC7B,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;oBACzC,MAAM,IAAI,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;oBACrC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,GAAG,GAAG,IAAI,IAAI,EAAE;wBACpB,KAAK,EAAE,GAAG;wBACV,GAAG;wBACH,WAAW,EAAE,KAAK,EAAE;wBACpB,KAAK,EAAE;4BACL,YAAY,EAAE,IAAI;4BAClB,cAAc,EAAE,GAAG,CAAC,MAAM;4BAC1B,iBAAiB,EAAE,UAAU,CAAC,MAAM;yBACrC;qBACF,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,6EAA6E;gBAC/E,CAAC;YACH,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,IAAI,CAAC,GAAG,IAAI,CAAC;IACb,8DAA8D;IAC9D,kDAAkD;IAClD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC,CAAC;IACzD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IACtC,mEAAmE;IACnE,qEAAqE;IACrE,mCAAmC;IACnC,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,4IAA4I,EAC5I,EAAE,CACH,CAAC;IACF,iEAAiE;IACjE,sDAAsD;IACtD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,qCAAqC,EAAE,SAAS,CAAC,CAAC;IAChE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,qCAAqC,EAAE,OAAO,CAAC,CAAC;IAC9D,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,6EAA6E,EAAE,SAAS,CAAC,CAAC;IACxG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,6EAA6E,EAAE,OAAO,CAAC,CAAC;IACtG,kEAAkE;IAClE,sDAAsD;IACtD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,gDAAgD,EAAE,KAAK,CAAC,CAAC;IACvE,mEAAmE;IACnE,8DAA8D;IAC9D,+DAA+D;IAC/D,iDAAiD;IACjD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,oCAAoC,EAAE,MAAM,CAAC,CAAC;IAC5D,gEAAgE;IAChE,mEAAmE;IACnE,iEAAiE;IACjE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,iDAAiD,EAAE,UAAU,CAAC,CAAC;IAC7E,0EAA0E;IAC1E,6CAA6C;IAC7C,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,iJAAiJ,EACjJ,EAAE,CACH,CAAC;IACF,+BAA+B;IAC/B,CAAC,GAAG,CAAC,CAAC,OAAO,CACX,oJAAoJ,EACpJ,EAAE,CACH,CAAC;IACF,kEAAkE;IAClE,2CAA2C;IAC3C,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAClC,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAExC;IACC,MAAM,KAAK,GAAG,gBAAgB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACzE,OAAO,gBAAgB,CAAC;QACtB,EAAE,EAAE,qBAAqB;QACzB,WAAW,EACT,8LAA8L;QAChM,IAAI;QACJ,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClE,CAAC,CAAC;AACL,CAAC;AAED,mIAAmI;AACnI,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACtE,CAAC"}

package/docs/guides/eu-ai-act-article-50-builder-guide.md

@@ -0,0 +1,354 @@
+# EU AI Act Article 50: a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI product is delivered to anyone in the European Union — by
+a provider established in the EU, or by a provider outside the EU
+whose system's output is used inside the EU — **Article 50 of the
+EU AI Act** is the disclosure framework you need to ship before
+**August 2, 2026**. Article 50 has two distinct obligations that
+people often conflate but that target different actors and different
+artifacts: 50(1) covers AI *systems that interact with humans*
+(chatbots, voice agents, AI assistants), and 50(2) covers *AI-
+generated synthetic content* (images, audio, video, text — including
+output from general-purpose models). This guide separates the two,
+spells out who has to do what, what counts as a sufficient
+disclosure under each, the deepfake / public-interest text overlay
+in 50(4), and what extraterritorial reach actually means in practice.
+
+## What Article 50 actually says
+
+The EU AI Act ([Regulation (EU) 2024/1689](https://eur-lex.europa.eu/eli/reg/2024/1689/oj))
+was published in the Official Journal on July 12, 2024 and entered
+into force on August 1, 2024. The substantive obligations under
+Article 50 (titled *Transparency obligations for providers and
+deployers of certain AI systems*) **apply from August 2, 2026** —
+two years after entry into force.
+
+Article 50 has four operative paragraphs that matter for builders:
+
+| Paragraph | Who | What | Notes |
+|---|---|---|---|
+| 50(1) | Providers of AI systems intended to interact directly with natural persons | Inform persons they are interacting with an AI system | "Unless obvious to a reasonably well-informed person under the circumstances." |
+| 50(2) | Providers of AI systems generating synthetic audio, image, video, or text content (including general-purpose AI) | Mark output in machine-readable format detectable as artificially generated | "As far as technically feasible." |
+| 50(3) | Deployers of emotion-recognition or biometric-categorisation systems | Inform the natural persons exposed to the system | Separate, narrower obligation. |
+| 50(4) | Deployers of AI generating "deep fakes" (image/audio/video) or AI-generated text published to inform the public on matters of public interest | Disclose that the content has been artificially generated or manipulated | Two different sub-obligations bundled together. |
+
+Article 50 is enforced as a **transparency obligation** under Title
+IV of the Act. Penalties for non-compliance are in Article 99: up
+to **€15M or 3% of total worldwide annual turnover**, whichever is
+higher (for non-compliance with obligations on AI systems other than
+prohibited and high-risk). Member states implement enforcement; the
+EU AI Office coordinates.
+
+## Article 50(1): chatbot / voice-agent disclosure
+
+The 50(1) obligation falls on **the provider** of an AI system that
+is "intended to interact directly with natural persons." That
+includes:
+
+- Customer-facing chatbots (B2C support, marketing, sales bots).
+- AI voice agents (outbound calling, IVR).
+- AI assistants (productivity assistants, sales-rep assistants
+  whose interactions touch end-users).
+- AI tutors (in education products).
+- AI companions (NY Companion Models law has a parallel state-level
+  rule).
+- Any conversational AI feature embedded in a larger product.
+
+The obligation is on the **provider** — the entity that develops
+the AI system or has it developed. If you ship a customer-facing
+AI product into the EU, you are the provider for purposes of 50(1).
+If you embed someone else's AI (e.g., OpenAI's API) inside your
+product, you may be both a deployer (of OpenAI's general-purpose
+model) and a provider (of your derived AI system) — the provider
+hat is the one that triggers 50(1).
+
+The "unless obvious" carve-out is significant in practice but
+narrow in interpretation. Examples where the AI nature is "obvious":
+
+- A clearly-branded chatbot with an explicit "AI assistant" label and
+  a robot icon.
+- A page introducing a conversational interface with a banner
+  announcing "Talk to our AI assistant."
+
+Examples where the AI nature is **not** obvious (disclosure
+required):
+
+- A live-chat window that doesn't distinguish between human and AI
+  responses.
+- A voice agent that uses a human-sounding voice without any audio
+  cue.
+- Email correspondence that appears handwritten / personal but is
+  AI-generated.
+- An AI persona that uses a human-presenting name and avatar.
+
+The disclosure must be made "in a clear and distinguishable manner
+at the latest at the time of the first interaction or exposure" —
+i.e., upfront, not buried in a Terms of Service. The exact text
+isn't prescribed; clarity and prominence are.
+
+Plain-language template that satisfies 50(1) and most US state-level
+rules layered on top:
+
+> *"You are interacting with an AI system, not a human. Some
+> responses may be generated using artificial intelligence."*
+
+## Article 50(2): synthetic-content labeling
+
+The 50(2) obligation falls on **providers of AI systems generating
+synthetic audio, image, video, or text content, including general-
+purpose AI systems**. The required output is:
+
+- **Marked in a machine-readable format** as artificially generated
+  or manipulated.
+- **Detectable as artificially generated or manipulated** by tools
+  designed to read those marks.
+
+This is fundamentally different from the 50(1) obligation. 50(1) is
+*human-readable* disclosure to users. 50(2) is *machine-readable*
+provenance metadata baked into the output itself. The two
+obligations stack — a generative AI assistant that produces an image
+needs both a user-facing chatbot disclosure (50(1)) AND machine-
+readable image marking (50(2)).
+
+Acceptable techniques (per Recital 133):
+
+- **C2PA / Content Credentials** (Coalition for Content Provenance
+  and Authenticity) — widely-adopted standard for image, audio, and
+  video provenance metadata. Adobe, Microsoft, and others ship
+  C2PA-marking tools.
+- **Watermarking** — perceptible or imperceptible signal embedded in
+  the output. Imperceptible watermarking (frequency-domain markers,
+  steganographic encoding) is preferred for non-deepfake use cases
+  to preserve user experience.
+- **Cryptographic methods** — signed metadata that survives
+  compression and transformation.
+- **Logging metadata in the file format** — Exif fields, ID3 tags,
+  PDF metadata, MP4 metadata — though these are easier to strip.
+
+The "as far as technically feasible" qualifier is real. Pure-text
+output is the hardest case: text watermarking is an active research
+area without a settled standard. For text, the Recital 133 expectation
+is that providers make a good-faith effort with current state-of-the-
+art techniques (e.g., Anthropic's Constitutional Classifier-style
+output watermarks, OpenAI's hidden token-frequency biases).
+
+## Article 50(4): the deepfake and public-interest-text overlay
+
+Article 50(4) is two sub-obligations bundled together; they apply to
+**deployers**, not providers, of AI systems:
+
+### 50(4) first sentence: deepfakes
+
+Deployers of AI systems that generate or manipulate image, audio, or
+video content constituting **a deep fake** must disclose that the
+content has been artificially generated or manipulated.
+
+A "deep fake" under Article 3(60) means AI-generated or -manipulated
+content that resembles existing persons, objects, places, entities or
+events and would falsely appear to a person to be authentic.
+
+Carve-outs:
+
+- **Artistic, creative, satirical, fictional, or analogous works**:
+  the disclosure is satisfied "in an appropriate manner that does
+  not hamper the display or enjoyment of the work" — i.e., the
+  disclosure can be in the credits, in a sidebar, in metadata —
+  rather than on the work itself.
+- **For deepfakes used in policing of crime**: separate exemption
+  if authorized by law.
+
+Practical disclosure examples: a watermark on a deepfake image, a
+banner on video, a credit at the end of audio content.
+
+### 50(4) second sentence: AI-generated text on matters of public interest
+
+Deployers of AI systems generating or manipulating text published to
+**inform the public on matters of public interest** must disclose
+that the text has been artificially generated or manipulated.
+
+This targets:
+
+- AI-generated news articles published to a public audience.
+- AI-generated political commentary intended for public consumption.
+- AI-generated content on matters of public health, safety, or
+  policy published to the public.
+
+Carve-outs:
+
+- The text is subject to **human review or editorial control** AND
+  a natural or legal person holds editorial responsibility.
+- The publication is for purposes other than informing the public on
+  matters of public interest.
+
+Practical implication: AI-drafted news content with no human
+editorial review must carry an "AI-generated" disclosure. Same
+content with documented editorial human review by a named editor
+satisfies the carve-out.
+
+## Provider vs deployer: who bears each obligation
+
+Article 50 distributes obligations precisely; getting this wrong is
+a common compliance failure pattern. The Act's definitions
+(Article 3) draw the line:
+
+- **Provider** (Art 3(3)): natural or legal person that *develops* an
+  AI system or has it developed and places it on the market or puts
+  it into service under its own name or trademark, whether for
+  payment or free of charge.
+- **Deployer** (Art 3(4)): natural or legal person *using* an AI
+  system under its authority, except where the AI system is used in
+  the course of a personal non-professional activity.
+
+Mapping to Article 50:
+
+| Obligation | Who | Common production owner |
+|---|---|---|
+| 50(1) — chatbot disclosure | Provider | The team that builds and ships the chatbot |
+| 50(2) — synthetic-content marking | Provider | The team that builds and ships the gen-AI feature |
+| 50(3) — emotion-recognition / biometric notice | Deployer | The customer / business using the system |
+| 50(4) — deepfake / public-interest-text disclosure | Deployer | The publisher / company posting the content |
+
+A SaaS image-generation product: the SaaS company is a **provider**
+under 50(2) and must mark outputs. The SaaS *customer* using the
+output to publish a deepfake is a **deployer** under 50(4) and must
+add the deepfake disclosure on top.
+
+## Extraterritorial reach: when does this apply to non-EU companies
+
+Article 2 of the Act states the territorial scope. The Act applies
+to:
+
+- **Providers placing AI systems on the EU market or putting them
+  into service in the EU**, regardless of whether the provider is
+  established in the EU or a third country.
+- **Deployers of AI systems located within the EU**.
+- **Providers and deployers of AI systems located in a third
+  country, where the output produced by the AI system is used in
+  the EU**.
+
+The third bullet is the controversial one. A US-based AI provider
+whose system has even one EU end-user is in scope. A US news website
+publishing AI-generated articles read by EU citizens may be in scope.
+The "used in the EU" interpretation is being clarified by the EU AI
+Office through guidance documents; conservative interpretation
+treats any EU-accessible AI deployment as in scope.
+
+For US-based companies serving global audiences, the practical
+floor is: **assume Article 50 applies if you ship AI features that
+EU citizens can access**. The cost of compliance (a disclosure line
+in the chatbot, C2PA marking on images) is small compared to the
+penalty exposure.
+
+## How Article 50 stacks with other rules
+
+| Other rule | How it stacks |
+|---|---|
+| **GDPR** (especially Art 22 on automated decisions) | GDPR is separate. Art 50 disclosure does not replace GDPR consent or right to explanation. Both apply when both apply. |
+| **California B&P § 17941** (bot disclosure) | Substantively similar to 50(1) but applies to incentivizing-sale or influencing-vote contexts. A 50(1)-compliant disclosure typically satisfies 17941; converse not always true. |
+| **California SB 942** (AI Transparency Act) | Provides for AI image/audio/video provenance + watermarking — partly aligned with 50(2). Templates need to satisfy both. |
+| **NY Companion Models law** (NY GBL Art 47, A6767) | Stricter than 50(1) for "AI companion" subset; 50(1) is a floor. |
+| **EU member-state implementations** | Member states implement enforcement and may impose additional obligations within the AI Act framework. Track Germany / France / Spain / Italy / Netherlands first. |
+| **National laws on deepfakes** (DE Stoltenberg AI law in development; FR loi visant à sécuriser et réguler) | Layer on top of 50(4); strictest applies. |
+
+## Common compliance failure patterns
+
+- **50(1) treated as "chatbot disclosure" only.** Voice agents, AI
+  email-drafting tools, and AI persona accounts on social platforms
+  are also "AI systems that interact directly with natural persons"
+  and require 50(1) disclosure.
+- **50(2) treated as optional because text is "technically
+  infeasible."** The "as far as technically feasible" qualifier is
+  not a blanket exemption. Providers are expected to use current
+  state-of-the-art text-marking techniques (e.g., output watermarks)
+  even if not perfect.
+- **50(4) deepfake disclosure missing on commercial deepfake video.**
+  Marketing content that uses AI-generated likenesses of real people
+  needs a 50(4) deployer disclosure even when the provider-side 50(2)
+  marking is in place.
+- **Non-EU provider assumes territorial exclusion.** Cloud-based AI
+  service with EU end-users is in scope under Art 2(1)(c).
+- **Provider-deployer obligations conflated.** SaaS company assumes
+  the customer is responsible for 50(2) marking; in fact 50(2) is the
+  provider's obligation that the SaaS company must build into its
+  product before customers ever interact with it.
+- **Disclosure buried in Terms of Service.** 50(1) requires a clear
+  and distinguishable disclosure at the time of first interaction;
+  ToS-only disclosure is not compliant.
+- **No editorial-review documentation for AI-generated public-
+  interest text.** Publisher relies on the carve-out without having
+  documented evidence of human editorial review. Defense fails on
+  inspection.
+
+## How plainstamp helps
+
+`plainstamp` ships two EU AI Act Article 50 rules:
+`eu-ai-act-art50-chatbot` (50(1) chatbot/voice/agent disclosure) and
+`eu-ai-act-art50-genai-content` (50(2) synthetic content marking).
+Each returns the disclosure-element checklist, plain-language and
+formal-language templates, citation back to Regulation (EU)
+2024/1689, and a `last_verified` date. Lookup:
+
+```bash
+# Chatbot / voice agent
+npx plainstamp lookup --jurisdiction eu --channel live-chat --use-case b2c-customer-support
+npx plainstamp lookup --jurisdiction eu --channel voice --use-case b2c-marketing
+
+# Generative AI content
+npx plainstamp lookup --jurisdiction eu --channel ai-generated-image --use-case b2c-marketing
+npx plainstamp lookup --jurisdiction eu --channel ai-generated-content --use-case b2c-marketing
+```
+
+For US companies serving EU audiences, layer the EU queries on top
+of the US-jurisdiction queries — the disclosure copy needs to satisfy
+each applicable rule.
+
+## The minimum viable compliance posture
+
+If your AI deployment is starting from zero on Article 50 and August
+2, 2026 is approaching, ship these six artifacts in order:
+
+1. **50(1) chatbot disclosure.** Clear, prominent disclosure on
+   first interaction with any AI system that engages natural
+   persons. Plain-language template above is sufficient.
+2. **50(2) machine-readable marking** for image / audio / video
+   outputs. Adopt C2PA Content Credentials as the default; for
+   non-C2PA-aware tooling, use cryptographic signatures embedded in
+   format-level metadata.
+3. **50(2) text-output marking** to the extent technically feasible.
+   Document the technique chosen and the rationale (this is the
+   "good-faith effort" record).
+4. **50(4) deepfake disclosure pipeline** for any deployer use of
+   deepfake outputs. Watermark + visible disclosure on the
+   published deepfake.
+5. **50(4) AI-generated public-interest text governance.** Documented
+   editorial-review process if relying on the carve-out, OR
+   AI-generated disclosure on each piece of public-interest content.
+6. **Provider-deployer mapping.** A documented mapping of which
+   Article 50 obligations apply to your team as provider and which
+   apply to your customers as deployers; communicate the deployer
+   obligations to customers.
+
+Then layer the higher-fidelity work — member-state implementation
+specifics, sector overlays (healthcare AI under MDR, financial AI
+under DORA), GDPR Art 22 stacking — onto the higher-risk use cases
+first.
+
+## Source-of-truth links
+
+- **Regulation (EU) 2024/1689 (AI Act) — full text** ([eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2024/1689/oj))
+- **EU AI Office** ([digital-strategy.ec.europa.eu](https://digital-strategy.ec.europa.eu/en/policies/ai-office))
+- **C2PA — Coalition for Content Provenance and Authenticity** ([c2pa.org](https://c2pa.org))
+- **Recital 133 (synthetic content marking)** — see EUR-Lex full text above.
+- **Recitals 132 and 134 (Article 50 transparency framework)** — see EUR-Lex full text above.
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp`](https://plainstamp.pages.dev/)