This is the practical on-ramp to GuideCheck. It explains what an
assistant-guide.txt artifact is, what the conformance ladder means in
operational terms, and how to publish a conforming guide one level at a time.
For the exact normative requirements, spec.md is authoritative; this guide
points into it.
GuideCheck is a trust boundary protocol for agent instruction surfaces. It helps ensure the instructions humans approve are the same instructions agents execute.
Adopt GuideCheck if you publish instructions an AI assistant will act on:
- AI-assisted install, setup, or local-development guides
- migration and upgrade runbooks
- remediation and incident playbooks
- support and operations runbooks
- agent skill installation guidance
It is relevant to maintainers who ship those guides, to security and platform engineers who review them, and to verifier authors building tooling.
GuideCheck also composes with agent protocols whose setup and operating
guidance crosses the same trust boundary. These are integrations of the core
profile, not additional audiences or separate profiles: an MCP server's
installation and tool-review guidance, or an A2A companion note for delegated
tasks and remote-agent operating boundaries, is published as an ordinary
assistant-guide.txt and verified the same way. The non-normative notes in
docs/mcp-integration.md, docs/a2a-integration.md, and
docs/acs-integration.md map those surfaces onto the profile.
An AI-assisted guide reaches an assistant through HTML, rendered Markdown, PDFs, docs sites, copied terminal output, and screenshots. Each of those surfaces can carry text a model ingests but a human never sees. A tool-using assistant then runs those instructions with the operator's authority: it executes commands, edits files, installs packages, and calls APIs.
That is a review-integrity problem. The human may approve one instruction surface while the assistant executes another. In operational terms, the failure can look like credential exposure, a destructive command, a malicious dependency install, disabled safeguards, broader MCP tool access, or a remote agent returning instructions that were never reviewed as executable guidance.
GuideCheck removes the presentation layer. It defines one artifact, a
plain-text file named assistant-guide.txt, small enough and strict enough
that the text a human reviews is the text the assistant runs. See spec.md
section 3, and design-rationale.md for the reasoning.
The ladder is additive and honest. Each level states what it has checked and what it has not. A higher level adds structure and provenance; it never adds a safety claim.
| Level | What it establishes | What you publish |
|---|---|---|
| 0 | Instructions are only available through surfaces that can hide or transform text | nothing yet |
| 1 | A plain-text guide exists, is reachable, and carries the compact verification instruction | a .txt guide |
| 2 | Strict ASCII byte profile, size limits, no disallowed constructs | the same guide, within the byte profile |
| 3 | A full assistant safety contract: required sections, action blocks, explicit approval gates | a structured guide |
| 4 | Verifiable provenance: a sidecar manifest plus a cross-channel hash on an independent control plane | guide, manifest, one anchor |
| 5 | A conformant assistant runtime mechanically enforces the execution contract | guide plus runtime |
- Level 1 to 2 is the right first commitment for most publishers. It is plain-text work and removes the presentation-layer attack surface immediately.
- Level 3 is the recommended target for any guide that drives real operational actions. It is the first level with mechanical approval gates.
- Level 4 suits high-consequence guides where the publisher can host a manifest and publish a hash on an independent channel.
- Level 5 is a joint guide-plus-runtime claim. A guide author reaches Level 4; Level 5 is asserted by a conformant runtime, not by a file.
A guide is not obliged to reach Level 3 in one step. Publishing at Level 1 or 2 first is a valid and useful state.
For teams seeking the highest guide-file score, the target is Level 4 of 4.
If verifier output also says level5_ready: true, the guide is prepared for a
Level 5 runtime check. The checker should not present this as Level 4 of 5
or as a missing point.
- Write the task instructions as a plain
.txtfile namedassistant-guide.txt. - State the task scope and the canonical project or repository URL.
- Add the compact verification instruction before any action instructions.
Canonical wording is in
spec.mdsection 10.2. - Make it reachable from a canonical surface: serve it at
/.well-known/assistant-guide.txt, place it at the repository root, or both. When both are served, keep them byte-identical (spec.mdsection 6).
- Restrict the file to the byte profile: ASCII printable bytes plus LF, no
tabs, no carriage returns, no control or invisible characters (
spec.mdsection 8). - Stay within the limits: 8192 bytes, 120 bytes per line, 400 lines.
- Remove disallowed constructs: HTML, CSS, JavaScript, images, remote
embeds, data URLs, escape sequences, encoded command blobs (
spec.mdsection 9). - Serve it with
Content-Type: text/plain; charset=utf-8andX-Content-Type-Options: nosniff(spec.mdsection 20).
- Add the metadata block with all required fields (
spec.mdsection 11). - Add the required sections, each restated in the guide's own prose: title,
scope, invocation prompt, safety rules, threat model, untrusted content
handling, authority statement, and disclaimer (
spec.mdsection 10.1). - Express every substantive action as a structured
[action]block withid,class,approval, andcommand(spec.mdsection 12). - Set
approval: requiredon everyprivileged,destructive,persistence-changing,data-accessing, orcode-executingaction. - Add stop-and-ask conditions and an acceptance checklist (
spec.mdsections 13 and 22).
- Publish a sidecar manifest at a stable URL with
guide-sha256,guide-bytes, andimmutable-release-url; name it in themanifest-urlmetadata field (spec.mdsection 11). - Cross-publish the same
guide-sha256on at least one independent control plane: a DNS TXT record, package registry metadata, a public repository file, a signedsecurity.txt, or a public append-only transparency log. - Confirm a verifier reports both the manifest match and one agreeing independent anchor.
Package registry examples:
- npm
package.json:
"assistantGuide": {
"url": "https://example.com/.well-known/assistant-guide.txt",
"sha256": "<64-hex>"
}
- PyPI
pyproject.toml:
[project.urls]
Assistant-Guide = "https://example.com/.well-known/assistant-guide.txt"
Carry the hash in the sidecar manifest referenced by the guide metadata.
- Cargo
Cargo.toml:
[package.metadata.assistant-guide]
url = "https://example.com/.well-known/assistant-guide.txt"
sha256 = "<64-hex>"
- Generic registry metadata:
assistantGuide.url = "https://example.com/.well-known/assistant-guide.txt"
assistantGuide.sha256 = "<64-hex>"
When package registry metadata is the chosen independent anchor, include a
registry-url in the guide metadata that points to a specific package record,
not a registry homepage or search result.
For JSON registry records, put the hash inside assistant-guide-specific
metadata, such as assistantGuide.sha256; unrelated sha256 fields elsewhere
in the package record do not count as GuideCheck anchors.
Level 5 is not a guide-only claim. A guide author prepares for it by reaching
Level 4 and following the Level 5 preparation list in spec.md section 18.
The Level 5 claim itself belongs to a conformant assistant runtime that
mechanically enforces the execution contract defined in spec.md section 18.
Use this before publishing. It tracks the normative requirements; spec.md
is authoritative on each.
Level 1
- file is plain
.txt, namedassistant-guide.txt - task scope stated
- canonical project or repository URL present
- compact verification instruction appears before any action instructions
- reachable from a canonical surface; both copies byte-identical if both are served
Level 2
- byte profile satisfied: ASCII printable plus LF, no tabs, carriage returns, control, or invisible characters
- within 8192 bytes, 120 bytes per line, 400 lines
- no disallowed constructs
- served as
text/plain; charset=utf-8withnosniff
Level 3
- metadata block present with all required fields
- all required sections present and restated in the guide's own prose
- every substantive action is an
[action]block -
approval: requiredon every privileged, destructive, persistence-changing, data-accessing, and code-executing action -
commandfields satisfy the section 12 restrictions - every
code-executingaction that invokes an in-repo script or entry point inlines its commands or pins the bytes withexec-sha256(0.7.0; spec section 12) -
networkedactions declare a narrowegress - stop-and-ask conditions and acceptance checklist present
- no safety overclaiming
Level 4
- sidecar manifest published and named in
manifest-url -
guide-sha256cross-published on at least one independent channel - a verifier confirms the manifest match and one agreeing anchor
Level 5 readiness
- every action declares
runner - every networked action uses
approval: required - shell actions use
runner: shell, require approval, and include a narrownotesrationale - applicable
cwd,env, andegressfields are narrow and explicit - verifier output reports
level5_ready: true
Conformance to this profile, at any level, does not mean a guide is safe to
follow, that the publisher is trustworthy, or that an assistant may skip the
security practices a competent operator already applies. A verifier confirms
form. The human confirms meaning. Read the full guide before authorizing an
assistant, and read operator-guide.md for the defense-in-depth practices
that go with adoption.
spec.md: the normative Human-Verifiable Assistant Guide profileverifier-conformance.md: the normative profile for verifier toolsoperator-guide.md: non-normative operator practicesexamples/: sample conforming guides- Verify a guide at https://guidecheck.org/verify