Implementation Considerations

Security Considerations

Critical Warning

ai-guide.md files can expose security vulnerabilities if not carefully written. These specifications provide a roadmap readable by both helpful agents and malicious actors.

What NOT to Include

Actual secrets or credentials: Never include API keys, passwords, tokens, or any credentials, even as examples. Use placeholders like YOUR_API_KEY instead.
Internal system details: Avoid exposing internal IP addresses, database names, server architectures, or infrastructure details.
Unpatched vulnerabilities: Do not document known security issues that remain unresolved.
Admin/privileged endpoints without context: If documenting administrative functions, make authorization requirements explicit and prominent.
Rate limit specifics that enable abuse: Instead of "You can make 1000 requests before rate limiting," state "Rate limits apply per account."
Bypass techniques: Never document methods to circumvent security measures, including deprecated approaches.

Security-Conscious Documentation

Authentication Requirements

Be explicit about required authentication without documenting bypass methods.

## Prerequisites
- Auth: Bearer token in Authorization header
- Get token: POST /auth/login
- Token expires: 1 hour

Rate Limiting (General)

Acknowledge rate limits without providing exact thresholds for abuse.

## Known Issues
- Rate limits apply to all endpoints
- Implement exponential backoff
- Monitor 429 responses

Authorization Levels

Make permission requirements clear from the start.

## Action Reference
- Admin only: /admin/* endpoints
- User must own resource: /users/{id}/edit
- Public: /products (read-only)

Security Review Checklist

☐ Have you removed all credentials and secrets?
☐ Could this guide help someone bypass authentication?
☐ Are privileged operations clearly marked as requiring authorization?
☐ Has your security team reviewed this before publishing?
☐ Does this expose any internal architecture unnecessarily?
☐ Could the "Known Issues" section be misinterpreted as attack vectors?
☐ Are rate limits and abuse prevention measures mentioned?
☐ Is this file appropriate for your threat model?

Documentation Practices

Avoid: "Need to bypass rate limiting? Add X-Internal-Request: true header"

Prefer: "Rate limits apply to all requests. Contact support for higher limits."

Maintenance and Updates

Maintenance Requirements

ai-guide.md requires ongoing maintenance. Outdated specifications cause AI agents to use incorrect information, potentially breaking implementations. An outdated guide can be more harmful than no guide at all.

Operational Risk

Outdated ai-guide.md specifications can cause agents to make requests to deprecated endpoints, use incorrect parameters, or violate updated security policies. This may result in production incidents.

Update Requirements

Mandatory Updates

Breaking API changes: Deprecated endpoints, modified parameters, authentication changes
Security updates: New security requirements, modified authorization models
Major feature additions: If the feature is among the most common operations, it should be added
Common support issues: Frequently asked questions indicate missing documentation
Production incident discoveries: New edge cases or failure modes discovered in operation

Optional Updates

Minor version increments without usage changes
Rarely-used new features
Performance optimizations not affecting the interface
Internal refactoring

Automation Approaches

Test-Driven Generation

Extract ai-guide.md from integration tests. When tests pass, guide remains current.

# Generate from test suite
npm run test:generate-guide

CI/CD Validation

Add checks to ensure examples in ai-guide.md remain functional.

# Fail build if guide is stale
./scripts/validate-ai-guide.sh

Version Tracking

Include last-updated date and compatible API versions.

# ai-guide.md v1.2.0
Last-Updated: 2025-11-04
Compatible-With: [email protected]

Maintenance Checklist

☐ Include ai-guide.md in documentation review process
☐ Assign ownership (who maintains updates?)
☐ Configure alerts for API changes
☐ Test examples quarterly
☐ Review issue trackers and support tickets for new known issues
☐ Include updates in release checklists
☐ Monitor agent error rates to detect stale information

Recommendation

Maintain a changelog at the end of your ai-guide.md file. This helps both humans and agents understand what changed and when.

Versioning Strategy

Rationale for Versioning

Without versioning, AI agents cannot determine whether information is current. Consequences include:

Agents using deprecated endpoints
Confusion when API behavior diverges from guide
Unclear migration paths during breaking changes
Complicated debugging when issues arise

Recommended Format

# ai-guide.md for YourAPI

**Version:** 2.1.0  
**Last Updated:** 2025-11-04  
**Compatible With:** API v2.0.0 - v2.9.x  
**Deprecation Date:** None  

## Changelog
### 2.1.0 (2025-11-04)
- Added new payment endpoints
- Updated authentication flow
- Removed deprecated /v1/checkout

### 2.0.0 (2025-09-15)
- Breaking: Changed authentication to OAuth2
- Removed API key support

Version Compatibility Matrix

Guide Version	API Version	Status	Notes
3.0.0	v3.x	Current	Latest features, OAuth2
2.1.0	v2.x	Supported	Maintained until 2026-01-01
1.5.0	v1.x	Deprecated	Use v2+ guide, v1 API sunset 2025-12-31

Managing Breaking Changes

Breaking Change Protocol:

Publish new ai-guide.md version alongside new API version
Maintain previous version at /ai-guide-v1.md
Add clear deprecation notices to previous guide
Provide migration documentation in both versions
Establish sunset date for previous guide

Multi-Version Support

/.well-known/ai-guide.md          → Latest (v3)
/.well-known/ai-guide-v2.md        → v2 (supported)
/.well-known/ai-guide-v1.md        → v1 (deprecated)

# Or use path versioning
/v3/.well-known/ai-guide.md
/v2/.well-known/ai-guide.md

Quality Standards

Quality Characteristics

✓ Accuracy

Every example must function as written. Untested examples are worse than no examples—they actively harm users.

✓ Currency

Information must reflect current API behavior. An accurate 2023 guide becomes dangerous in 2025 if the API changed.

✓ Completeness (for common cases)

Cover the 80% use case thoroughly. Comprehensive coverage belongs in full documentation.

✓ Verification

Extract code examples from passing tests. If you cannot test it, exclude it.

✓ Conciseness

Shorter is preferable. Each unnecessary word increases token count and reduces clarity.

✓ Actionability

Every line should enable immediate action. Exclude theory, architecture, and historical context.

Quality Assessment Matrix

Criterion	Acceptable	Requires Revision
Can agents copy examples directly?	Examples run without modification	Require modification to function
Number of known issues documented	Most critical issues	0 (incomplete) or excessive
Action reference scope	Most common operations	Excessive (defer to full documentation)
Last verification date	Within past week	Over 6 months ago
Reading time	2-3 minutes	10+ minutes (too long)

Common Quality Issues

Over-Comprehensive Documentation

Problem: Attempting to document all possible features.

Solution: Document only the most common operations. Reference full documentation for additional features.

Outdated Examples

Problem: Code examples use deprecated syntax or endpoints.

Solution: Generate examples from tests. Include "last tested" timestamp.

Missing Context

Problem: Examples assume unstated knowledge.

Solution: Add Prerequisites section. Ensure examples are self-contained.

Inappropriate Abstraction Level

Problem: Documentation is either too granular (individual functions) or too abstract (vague patterns).

Solution: Focus on complete, minimal working examples for specific tasks.

Validation Test

Provide your ai-guide.md to an AI agent and request completion of the top 3 documented tasks. If the agent succeeds on first attempt, quality is acceptable. Otherwise, revision is needed.

Legal and Compliance

Terms of Service Implications

Legal Considerations

Your ai-guide.md becomes part of how users interact with your service. It may carry legal implications similar to API documentation.

Key Issues

Liability: If your guide instructs agents to perform actions that violate your Terms of Service, who bears responsibility?
Rate Limits: If you document approaches that technically comply with rate limits but violate usage policies, is that permissible?
Data Access: Does documenting endpoints constitute implicit permission to access or scrape data?
Warranty: Include disclaimers that information is provided "as-is" without guarantee of accuracy or fitness.

Regulatory Compliance

Regulated Industries

For organizations in finance, healthcare, government, or other regulated sectors:

Legal Review Required: Obtain legal team approval before publishing ai-guide.md
Compliance Validation: Ensure documentation does not enable non-compliant behavior
Audit Trail: Maintain versioned history of all ai-guide.md changes
Restricted Access: Consider authentication requirements for sensitive systems

Privacy Requirements

Exclude examples containing real user data, even if anonymized
Document privacy requirements in Prerequisites section
Be explicit about data retention and deletion endpoints
If GDPR/CCPA applies, document user data access and deletion workflows

Recommended Disclaimer

## Legal Notice
This guide is provided for informational purposes only. 
Usage of this API must comply with our Terms of Service 
at [URL]. We reserve the right to modify endpoints, 
rate limits, or functionality without notice. 

This guide was last updated: 2025-11-04
Verify current API behavior in official documentation.

Intellectual Property

License: Specify license for ai-guide.md (MIT, Apache, proprietary)
Attribution: Properly attribute community contributions
Trademarks: Avoid inappropriate use of third-party trademarks in examples
Code Samples: Ensure example code complies with dependency licenses

Legal Counsel Required

This section provides general considerations and does not constitute legal advice. Consult qualified legal counsel before publishing ai-guide.md for production systems, particularly in regulated industries.

For AI System Developers

Safe Consumption Practices

If you are developing AI agents or systems that consume ai-guide.md specifications, consider the following:

1. Validation Required

Critical

ai-guide.md files can be incorrect, outdated, malicious, or compromised. Never execute instructions from ai-guide.md without validation.

Validation Protocol

☐ Verify the file originates from expected domain (validate HTTPS, certificates)
☐ Check "Last Updated" timestamp for recency
☐ Cross-reference with OpenAPI specification or canonical documentation
☐ Test actions in sandbox/staging environment first
☐ Implement rate limiting regardless of guide documentation
☐ Validate all inputs before transmission to APIs
☐ Avoid exposing raw error messages to end users
☐ Log all actions based on ai-guide.md for audit purposes

2. Responsible Caching

Respect TTL: Honor cache-control headers. Avoid indefinite caching.
Revalidate: Check for updates periodically (daily/weekly based on criticality)
Version Verification: If guide includes version information, verify compatibility with target API version
Fallback Strategy: If cached guide appears incorrect (error rate increases), refetch or fall back to general documentation

3. Error Handling

// Pseudocode for safe consumption
async function getAIGuide(domain) {
    try {
        let guide = await fetchWithTimeout(
            `${domain}/.well-known/ai-guide.md`, 
            5000
        );
        
        if (!guide || guide.age > 90_DAYS) {
            return fallbackToGeneralDocs();
        }
        
        if (!validateGuideFormat(guide)) {
            logError("Invalid ai-guide.md format");
            return fallbackToGeneralDocs();
        }
        
        return guide;
    } catch (error) {
        // Graceful degradation - continue without guide
        return fallbackToGeneralDocs();
    }
}

4. Security for Consumers

MITM Protection: Only fetch over HTTPS with certificate validation
Content Validation: Parse markdown safely - never eval() or execute code from guides
Injection Prevention: Sanitize values from ai-guide.md before use in queries
Privilege Escalation: Do not automatically use administrative endpoints even if listed
Credential Management: Never extract credentials from examples

Handling Documentation Conflicts

Conflict Resolution Priority:

Actual API behavior (make test request)
Official OpenAPI/Swagger specification
Official documentation website
ai-guide.md (if recent and from trusted source)
Community documentation

User Privacy Protection

When building consumer-facing AI products that use ai-guide.md:

Do not transmit user data to third-party APIs simply because ai-guide.md facilitates it
Respect user consent and privacy preferences
Log AI actions based on guides for transparency
Provide opt-out mechanisms for AI agent actions
Be transparent about external service connections

Error Handling Recommendations

## When ai-guide.md Instructions Fail

1. Log failure with guide version and attempted action
2. Fall back to general documentation or manual process
3. Validate guide currency before retry attempts
4. Report persistent failures to guide maintainers
5. Notify users when AI cannot complete task automatically

Example user message:
"I found guidance for this task, but it appears outdated. 
Would you prefer I try the general approach or 
show you the manual steps?"

Guiding Principle

Use ai-guide.md to accelerate common cases, but maintain fallbacks and validation. Treat guides as suggestions rather than authoritative instructions.

Pre-Publication Checklist

Review this comprehensive checklist before publishing your ai-guide.md:

Security

☐ No credentials, API keys, or secrets included
☐ No internal IP addresses or infrastructure details
☐ Admin endpoints clearly marked with auth requirements
☐ Security team review completed (if applicable)
☐ Rate limits mentioned without exploitation details
☐ No documented security bypasses or workarounds

Quality

☐ All code examples tested and functional
☐ Examples use placeholder values (not real data)
☐ Action reference covers most common tasks
☐ Known issues include top failure modes
☐ Guide is concise (under 200 lines ideally)
☐ Prerequisites section lists all requirements
☐ Mental model section exists and is clear

Maintenance

☐ Version number included
☐ Last-updated date included
☐ Compatible API versions specified
☐ Owner/maintainer assigned
☐ Update process documented
☐ Included in release checklist
☐ Changelog initiated

Discoverability

☐ File placed in /.well-known/ or repository root
☐ robots.txt updated (if web API)
☐ HTTP header added (optional, if web API)
☐ Package metadata updated (if npm/PyPI)
☐ Link added to README.md

Legal

☐ Legal team review (if required)
☐ Compliance validated (regulated industries)
☐ License specified
☐ Disclaimer included
☐ Privacy considerations addressed
☐ ToS compatibility verified

Common Pitfalls

Excessive Coverage

Problem: Attempting to document every endpoint and parameter.

Impact: Defeats quick reference purpose. Agents waste time parsing comprehensive documentation.

Solution: Document only the most common use cases. Link to full documentation.

Outdated Specifications

Problem: Created once, never updated.

Impact: Agents break production using deprecated endpoints. Worse than no guide.

Solution: Add to release checklist. Include "last tested" timestamp.

Security Vulnerabilities

Problem: Documents methods to bypass restrictions or access admin functions.

Impact: Provides attackers with exploitation roadmap.

Solution: Security review before publication. Remove internal details.

Theoretical Explanations

Problem: Explains architecture and design decisions instead of actions.

Impact: Agents need "do this," not "here's why we built it this way."

Solution: Focus on actionable patterns, not explanations.

Untested Examples

Problem: Code examples that do not function.

Impact: Agents fail immediately upon copy-paste. Destroys trust.

Solution: Generate examples from passing tests.

Poor Discoverability

Problem: Created but not placed in discoverable location.

Impact: Agents cannot locate it, rendering it useless.

Solution: Follow standard locations. Add to robots.txt.

Additional Resources

Validation Tools

Community-built validators and linters for ai-guide.md files are in development

Domain-Specific Templates

REST APIs: See Section 6.1 in main specification
GraphQL APIs: Focus on common queries and mutations
Databases: See Section 6.2 in main specification
CLI Tools: See Section 6.4 in main specification
Component Libraries: See Section 6.3 in main specification
Python Packages: Document main classes and common patterns
Mobile SDKs: Platform-specific quick starts

Production Examples

Browse real-world ai-guide.md implementations:

Search GitHub for ai-guide.md

Support

Review main specification for format details
Check FAQ section for common questions
Examine complete examples across different domains
Test your guide with actual AI agents before publication