Your AI assistant just followed instructions you never saw.

GuideCheck ensures the instructions humans approve are the same instructions agents execute.

By Sam Rogers, PAICE.work PBC Published Updated v0.4.0 CC BY 4.0

AI setup guides reach assistants through HTML, rendered Markdown, PDFs, and copied terminal output. Those surfaces can hide text from a human while feeding it to a model. GuideCheck is the open standard that turns that trust boundary into one plain-text document: small enough, strict enough, and verifiable enough to review before delegated authority acts.

Human reviews Rendered setup docs, Markdown, PDFs, terminal output, or screenshots.
Agent receives Raw source, hidden comments, invisible bytes, and buried directives.
Divergence appears The reviewed surface and executable instruction surface are not the same.
Authority executes Tools run commands, edit files, install packages, and call APIs.
GuideCheck forces one A bounded, plain-text, hashable artifact with explicit action blocks.
The assistant-guide.txt artifact shown in full as plain text: a filename header, three [action] blocks reading Identify user intent, Formulate plan, and Generate response, and an End of file marker, beside a six-rung conformance ladder numbered 0 to 5.
Read the Specification Verify a guide

Humans approve one surface. Agents may execute another.

A presentation layer sits between a guide's author and the assistant that acts on it. HTML, rendered Markdown, PDFs, documentation sites, copied issue comments, terminal output, screenshots — each can transform, append to, or conceal content on its way to the model. The human reviews the rendered output. The model ingests the raw source. Nothing guarantees those are the same document.

Invisible to the eye

Hidden HTML comments, offscreen CSS, zero-height elements, white-on-white text, script-inserted content. Rendered to nothing for the human; delivered as plain instructions to the model.

Invisible in the bytes

Bidi controls, zero-width characters, and homoglyphs that read one way to a person and another to a tokenizer. Terminal escape sequences that rewrite what a copied command appears to say.

Buried in plain sight

A directive deep in a long guide the reviewer skimmed, or an instruction block below the fold no human scrolled to. Technically visible. Genuinely reviewed, no.

Why this is not cosmetic

A tool-using assistant has real blast radius. It runs shell commands, edits files, installs packages, and calls APIs with the operator's credentials. A hidden instruction is not a rendering quirk — it is an unreviewed command executed under delegated authority. The concrete outcomes are a credential exposed, a destructive command run, a malicious dependency installed, or safeguards disabled while the human believed they had read and approved the entire guide.

How GuideCheck repairs the trust boundary

GuideCheck removes the presentation layer from agent instructions. The profile describes one artifact — a plain-text file named assistant-guide.txt, served at /.well-known/assistant-guide.txt — carrying assistant-facing install, implementation, remediation, migration, and operational instructions for a single bounded task. Three properties preserve review integrity: the instructions humans approve are the same instructions agents execute.

Bounded, so you can read all of it

A strict ASCII byte profile and an 8 KiB size cap. No hidden bytes, no homoglyphs, no offscreen text — and short enough to read in full in one sitting, not skim.

Structured, so nothing is buried

Instructions live in explicit [action] blocks with declared classes, approval gates, and command restrictions. The assistant executes blocks, never loose prose — there is no below the fold.

Verifiable, so it cannot be swapped

A sidecar manifest and cross-channel hash publication let a guide's identity be confirmed without trusting any single hosted service.

Conformance is not safety

Conformance to this profile, at any level, does not mean a guide is safe to follow, that the publisher is trustworthy, or that an assistant may skip the security practices a competent operator would already apply. A verifier confirms form. The human confirms meaning. The standard is one layer in a defense stack — it does not replace sandboxing, least privilege, or human approval.

Six conformance levels

The conformance ladder is additive and honest. Each level states exactly what it has checked and what it has not. Higher levels add structure and provenance — never a safety claim.

LevelWhat it establishes
0Instructions are only available through surfaces that can hide or transform text.
1A plain-text guide exists, is reachable, and carries the compact verification instruction.
2Strict ASCII byte profile, size limits, and no disallowed constructs.
3Assistant safety contract, all required sections, and explicit approval gates.
4Verifiable provenance: a sidecar manifest and a cross-channel hash on an independent control plane.
5A guide plus a conformant assistant runtime that mechanically enforces the execution contract.

Level 4 adds verifiable provenance but not a safety claim. Level 5 is explicitly a guide-plus-runtime claim, not a guide-only claim, because runtime behavior cannot be asserted by a file.

Adopt the profile

Publishing a conformant guide is plain-text work. Write the artifact, serve it at the well-known path, and check it against the verifier conformance profile. No registry, no account, no central oracle. The adoption guide gives a level-by-level path and a guide-author checklist.

For agent ecosystems, the same pattern applies at protocol boundaries. MCP server authors can use GuideCheck for install, tool, resource, and approval review; A2A implementers can use it for delegated-task guidance and returned artifacts that would otherwise become executable instructions. These are integration patterns, not conformance dependencies.

assistant-guide.txt

[assistant-guide-metadata]
identifier: assistant-guide
profile: human-verifiable-assistant-guide
profile-version: 0.4.0
guide-version: 0.4.0
applies-to: example-project 1.x
canonical-url: https://example.com/.well-known/assistant-guide.txt
source-path: /.well-known/assistant-guide.txt
last-reviewed: 2026-05-22
status: active
recommended-verifier: https://guidecheck.org/verify
[/assistant-guide-metadata]

Strict ASCII, 8 KiB maximum, plain text only — no HTML, no Markdown, no hidden bytes.

Serve and verify

# Serve the artifact at the well-known path
GET /.well-known/assistant-guide.txt

# Run a conformant verifier against the URL.
# Output reports: guide SHA-256, achieved
# level, and any blocking findings.

# A conformance claim is valid only when
# backed by verifier output, guide hash,
# achieved level, and findings.

Anyone may build a conformant verifier. The fixture suite keeps independent implementations in agreement.

Verify a guide

GuideCheck publishes a primary verifier for usability — never as the only authoritative verifier and never as a root of trust. It reports what it checked and what it did not. Guide files score up to Level 4 of 4; Level 5 is a separate runtime enforcement claim. Optional agent and expected-level fields help identify compatibility gaps without storing full submitted URLs, prompts, model responses, IP addresses, or stable visitor identifiers as product telemetry.

verifier: human-verifiable-assistant-guide-verifier 0.4.0 guide-sha256: a1b2c3 ... reviewed before use achieved-level: 4 level5-ready: true findings: 0 blocking, 1 advisory note: conformance is not safety — read the guide
Open the verifier → View on GitHub MCP patterns A2A patterns