GuideCheck is a security-relevant standards project. Changes to the Human-Verifiable Assistant Guide profile are reviewed with that in mind.
- spec.md and verifier-conformance.md are normative. Changes to either are profile changes.
- finding-ids.md is normative for the finding-id registry. Contract validation requires every finding id emitted by the verifier and hosted API to be documented there, so adding, renaming, or removing an id is a profile change.
- design-rationale.md and threat-register.md are explanatory. They must stay consistent with the normative documents.
- schemas/ is normative for the field sets it describes.
- examples/ and fixtures/ must remain consistent with the current profile version.
- archive/ is historical and is not edited.
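The registry rule above is the kind of thing a contributor wants to check locally before opening a profile change. The script below is an added illustration of such a contract check, not GuideCheck's own validation code: it assumes a registry that lists one id per markdown heading, an id pattern of the form `GC-NNN`, and verifier output as JSON with a `findings` list. The ids, the registry text and the verifier output are constructed for the example.

```python
"""Registry consistency check: every finding id a verifier emits must be
documented in the finding-id registry. Added illustration, not GuideCheck's
own contract validation; the registry layout, the id pattern and the
verifier output shape are assumptions chosen for this example."""
import json
import re

# Assumed registry layout: one markdown heading per id, e.g. "## GC-001".
# The ids and descriptions below are constructed, not real GuideCheck ids.
REGISTRY_MD = """# Finding ids

## GC-001
Guide declares a byte profile it does not satisfy.

## GC-002
Action block shape does not match the schema.

## GC-003
Deprecated id retained for one MINOR cycle.
"""

# Assumed verifier output shape: JSON with a list of findings carrying an "id".
# GC-009 is deliberately absent from the registry to exercise the failure path.
VERIFIER_OUTPUT = json.dumps({
    "findings": [
        {"id": "GC-001", "severity": "error"},
        {"id": "GC-002", "severity": "warning"},
        {"id": "GC-009", "severity": "error"},
    ]
})

# Assumed id pattern; anchored to a heading line so prose mentions of an id
# elsewhere in the registry do not count as documentation.
ID_PATTERN = re.compile(r"^##\s+(GC-\d{3})\s*$", re.MULTILINE)


def registry_ids(markdown: str) -> set[str]:
    """Return the set of ids declared as headings in the registry."""
    return set(ID_PATTERN.findall(markdown))


def emitted_ids(output_json: str) -> set[str]:
    """Return the set of ids present in a verifier output document."""
    return {f["id"] for f in json.loads(output_json).get("findings", [])}


def check_contract(markdown: str, output_json: str) -> dict[str, list[str]]:
    """Undocumented ids fail the contract. Orphaned ids (documented but never
    emitted) are reported as well, since a registry entry with no emitter is
    usually a stale id that should be removed in a profile change."""
    documented = registry_ids(markdown)
    emitted = emitted_ids(output_json)
    return {
        "undocumented": sorted(emitted - documented),
        "orphaned": sorted(documented - emitted),
    }


if __name__ == "__main__":
    result = check_contract(REGISTRY_MD, VERIFIER_OUTPUT)
    print(json.dumps(result, indent=2))
    # Fail the build only on undocumented ids; orphans are advisory here.
    raise SystemExit(1 if result["undocumented"] else 0)
```

Run against the constructed inputs the script exits non-zero because GC-009 is emitted but undocumented, and it lists GC-003 as an orphan. In a real check the two inputs would be the repository's finding-ids.md and the output of the verifier over the fixture suite.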
Profile versions follow Semantic Versioning as defined in spec.md section 11.
- MAJOR: a change that removes a field, tightens a constraint, or invalidates previously conforming guides or verifiers
- MINOR: an additive optional field, a relaxed constraint, or a new compatible check or fixture
- PATCH: an editorial fix with no conformance effect
Every normative change updates CHANGELOG.md in the same commit.
- Open an issue describing the problem, not just the proposed wording. Security standards fail most often from unstated assumptions.
- State the threat model impact. If the change weakens a defense, say so and justify it.
- For normative changes, identify every section, schema, example, and fixture affected. Spec and verifier-conformance must not drift apart.
- If the change affects the conformance ladder, the verifier output schema, or the action block shape, expect a longer review.
- Run `make eval` before submitting changes that affect fixtures, finding ids, verifier behavior, examples, or guide profile rules.
Normative changes are reviewed by a maintainer with security ownership. A
change that adds, removes, or reclassifies an attack mitigation is reviewed
against threat-register.md and spec.md section 27.
A change to verifier behavior is incomplete without fixture coverage. The
fixture suite under fixtures/ is the conformance target for verifier
implementations. Add or update fixtures in the same change that alters a
verifier requirement.
Fixture-suite releases will be signed and versioned once
verifier-conformance.md reaches a stable conformance target, so verifier
authors can pin a trusted corpus. See roadmap.md.
The local eval runner in scripts/eval_guidecheck.py checks static fixtures
and generated edge cases. It is a regression harness for this repository, not
a substitute for the normative text or static fixture suite. Generated eval
cases that become conformance requirements should be promoted into static
fixture directories.
Documentation follows the repository markdown conventions: plain headings, no
emphasis inside headings, triple-backtick code fences, no em dashes, bare
https domains. Guide examples and fixtures must satisfy the byte profile
they claim to demonstrate.
Do not open a public issue for a vulnerability in the profile, a verifier, or a published guide. See SECURITY.md.
Contributions to specification text and documentation are accepted under CC-BY-4.0. Contributions to code and schemas are accepted under MIT. By contributing you agree your contribution is licensed under the applicable license.