# ChangeSpec.com - Full Site Bundle

Generated: 2026-05-12T10:23:49Z
Source: https://changespec.com
License: CC-BY-4.0 unless otherwise marked. Underlying specification is Apache-2.0 at https://changespec.org.
Status: Commercial implementation of ChangeSpec 1.0 draft.

This document is a single-file ingestion of the entire changespec.com commercial index, including the product overview, FAQ, per-vendor summaries of tracked changes, pricing, and links to machine-readable JSON endpoints.

For canonical HTML versions, see https://changespec.com/.
For the specification itself, see https://changespec.org/.

Table of contents:

1. What ChangeSpec is
2. Who uses it and how
3. Frequently asked questions
4. Tracked vendors (with recent events)
5. Examples by category
6. Pricing
7. API and machine-readable endpoints
8. Privacy, security, and agent policy

===============================================================================

# 1. What ChangeSpec is

ChangeSpec is an open standard plus a hosted index for communicating software changes between producers (vendors, library maintainers, service operators) and consumers (developers, AI coding agents, compliance teams).

The standard (Apache-2.0, at https://changespec.org) defines:

- A JSON event format describing one software change
- A category taxonomy: api_breaking, api_deprecation, security, pricing, tos, data_handling, informational, cosmetic
- A severity taxonomy: critical, high, medium, low, informational
- A vendor identifier namespace (bare slugs or `{ecosystem}:{package}`)
- Source attribution: publisher_verified, crawled, community
- Optional publisher signatures (Ed25519)
- Transport bindings over HTTPS webhook, MCP, RSS/Atom, and a polling API

The hosted index (commercial, at https://changespec.com) crawls vendor changelogs, advisories, and policy pages, emits ChangeSpec events, publishes them over the transports above, grades vendors on their communication quality, and offers paid tiers for enterprise compliance use cases.

# 2. Who uses it and how

- **Developers** subscribe to per-vendor RSS feeds or the global changes feed to catch breaking API changes before they ship to production.
- **AI coding agents** (Claude Code, Cursor, Windsurf, Cline, Zed, Continue) connect via the MCP binding and surface ChangeSpec events during code review, dependency upgrades, and planning.
- **Compliance teams** (DORA, OSFI B-10, OCC third-party risk) use the publisher-verified stream as a continuous-monitoring signal for vendor material changes with audit trails.
- **Vendors** publish their own changes to ChangeSpec-compatible endpoints, either by adding ChangeSpec output to their existing changelog or by registering their source with the hosted index.

Integration modes:

- MCP: `https://changespec.com/.well-known/mcp` points to the server
- RSS: `https://changespec.com/changes.rss` and per-vendor feeds
- JSON: `https://changespec.com/data/` static endpoints
- CLI and SDKs: see https://changespec.com/implementations/

===============================================================================

# 3. Frequently asked questions

Plain-English answers. If your question is not here, open an issue at github.com/changespec/spec/issues or email hello@changespec.com.

## What is ChangeSpec?

ChangeSpec is an open JSON event format and taxonomy for communicating software changes. A ChangeSpec event describes one change - a breaking API change, a deprecation, a security advisory, a pricing change, a TOS update - in a machine-readable way that developers, AI agents, and compliance teams can all consume. The specification is Apache 2.0, hosted at changespec.org. The commercial aggregator that crawls vendor changelogs and emits ChangeSpec events is at changespec.com.

## How do I install ChangeSpec?

ChangeSpec is a format, not an app. To consume it: subscribe to the RSS feed at changespec.com/changes.rss, add the ChangeSpec MCP server to your AI coding tool (discovery pointer at /.well-known/mcp), use the JSON endpoints under /data/, or use the reference libraries in Go, TypeScript, and Python linked from the implementations page.

## How does ChangeSpec work with Claude Code or Cursor?

ChangeSpec has a normative MCP transport binding. Any MCP-capable agent - Claude Code, Cursor, Windsurf, Cline, Zed, Continue - can connect to the ChangeSpec MCP server and call tools like `get_recent_changes`, `check_project_deps`, `search_changes`, and `get_vendor_grade`. The agent receives structured event data and can reason about severity, action required, and migration steps without any per-agent adapter.

## Is my data private when I use ChangeSpec?

Reading public vendor data on changespec.com does not require an account. The MCP server's `check_project_deps` tool parses your lockfile in the local server process - the file contents are not sent to changespec.com. Dependency names are sent to the index to match against events.

## How do I bypass ChangeSpec if I need to?

Every consumer interface has a direct fallback to the underlying source. RSS items link to the vendor's original page. JSON events include `source_url` on every event. The MCP binding returns raw ChangeSpec events you can inspect. There is no lock-in - ChangeSpec is additive to whatever you already do.

## Which vendors does ChangeSpec support?

The canonical list is at /data/vendors.json. Initial coverage includes major developer platforms - Anthropic, Vercel, GitHub, Cloudflare, Twilio, Stripe, Supabase, MongoDB, Auth0, and others. Vendor coverage grows continuously based on user demand and voluntary publisher opt-in.

## Can vendors publish ChangeSpec events themselves?

Yes. Any vendor can publish ChangeSpec events directly by adding ChangeSpec output to their existing changelog infrastructure. Publisher-verified events use Ed25519 signatures to cryptographically attest authorship. Events signed by the vendor flow through the hosted index with `source_type=publisher_verified` and are prioritized in consumer-facing displays over crawled events.

## What is a retraction event and how does it differ from a security advisory?

The key difference from a security advisory: a retraction carries tooling action signals - `do_not_install: true`, `last_known_good_version`, and `provenance_invalidated`. The `provenance_invalidated` field is the critical addition. Build provenance tools like SLSA and Sigstore answer "was this built in CI?" A compromised pipeline can produce packages with valid attestations. `provenance_invalidated: true` tells downstream tooling that even valid-looking attestations on the affected versions should not be trusted - the signing key was in the wrong hands.

## Who maintains ChangeSpec?

The specification is drafted by Roboticforce Inc. (Steve Leggett, founder) and is open for community contribution on GitHub at changespec/spec. The commercial implementation at changespec.com is operated by Roboticforce. The governance structure, contribution process, and working groups are documented at changespec.org/governance.

## Who is it for?

Three audiences: developers who build on external vendors and want a structured changelog feed; AI coding agents that need to know about vendor changes their training data does not cover; and compliance teams that must monitor third-party changes continuously under DORA, OSFI B-10, OCC guidance, and similar.

## How do I install it?

You do not install ChangeSpec itself - it is a format. To consume it:

- Subscribe to RSS feeds at https://changespec.com/changes.rss
- Add the MCP server to your AI coding tool (see /.well-known/mcp)
- Use the JSON endpoints under /data/
- Use the reference libraries (Go, TypeScript, Python) at https://changespec.org/implementations/

## Is it free?

The specification is Apache-2.0 and free forever. The hosted index at changespec.com is free for individual developers and small teams. Paid tiers cover enterprise features: publisher-verified streams with signatures, custom vendor crawling, audit-log exports, SLAs, and compliance reporting.

## Does it replace Dependabot / Renovate?

No. Dependabot and Renovate upgrade your dependencies. ChangeSpec tells you what changed in your dependencies, and in services that are not even in your lockfile (your CDN, your payments provider, your LLM API, your SaaS vendors). They are complementary. ChangeSpec events can inform Dependabot PR bodies.

## How does it work with Claude Code / Cursor?

ChangeSpec has a normative MCP transport binding. Any MCP-capable agent can connect to the ChangeSpec MCP server, call `get_recent_changes`, `check_project_deps`, `search_changes`, and get structured event data back. The agent then reasons about severity and action using the tools defined in the MCP binding spec.

## Is my data private?

The hosted index at changespec.com does not require an account to read public vendor data. If you use the MCP server's `check_project_deps` tool, your lockfile content is parsed locally by the MCP server process - it is not sent to changespec.com. Dependency names are sent to the index to match against events. See https://changespec.com/privacy for the full policy.

## How do I bypass it if needed?

Every consumer interface has a direct fallback. RSS points to the underlying source URL. JSON endpoints include `source_url` on every event. The MCP binding returns raw ChangeSpec events that you can inspect. There is no lock-in.

## What vendors are supported?

The index grows continuously. The canonical list is at https://changespec.com/data/vendors.json. Initial coverage includes the major developer platforms (Anthropic, Vercel, GitHub, Cloudflare, Twilio, Stripe, Supabase, MongoDB, Auth0, etc.) and expands based on user demand.

## How is it different from RSS / CloudEvents?

RSS is a channel format. CloudEvents is a generic event envelope. ChangeSpec is a domain-specific schema for one narrow thing: software changes. ChangeSpec sits on top of CloudEvents - the envelope format is compatible - and is distributed over RSS as one of several transport bindings.
ChangeSpec adds the taxonomy, severity levels, migration guidance, and signing model that neither RSS nor CloudEvents provides.

===============================================================================

# 4. Tracked vendors (with recent events)

The canonical machine-readable index is at https://changespec.com/data/vendors.json. Below is a plain-text summary of each vendor and their most recent changes.

## Anthropic

slug: anthropic
url: https://www.anthropic.com
description: AI safety company and maker of the Claude family of models. Publishes the Messages API and Workbench.
canonical: https://changespec.com/v/anthropic
json: https://changespec.com/data/vendors/anthropic.json
rss: https://changespec.com/v/anthropic.rss

Recent changes:

- [medium] 2026-04-01T10:00:00Z api_deprecation: claude-2 model deprecated, sunset 2027-01-01
  summary: The claude-2 and claude-2.1 model identifiers are deprecated and will stop accepting requests on 2027-01-01. Applications should migrate to claude-3-5-sonnet-20241022 or later. After the sunset date, requests to deprecated model identifiers will return a 404 error.
  migration: Replace 'claude-2' or 'claude-2.1' with 'claude-3-5-sonnet-20241022' in your model parameter.
  source: https://docs.anthropic.com/deprecations
  effective: 2026-04-01
  sunset: 2027-01-01

- [low] 2026-03-28T16:00:00Z informational: MCP server registry public beta launched
  summary: Anthropic opened the Model Context Protocol server registry to public submissions. Third-party developers may now submit MCP server packages for review and inclusion. Registry submissions are reviewed within 5 business days.
  source: https://docs.anthropic.com/mcp/registry
  effective: 2026-03-28

- [high] 2026-04-08T09:00:00Z api_breaking: Rate limits on claude-3-opus-20240229 reduced 40% for tier-1 accounts
  summary: Effective 2026-04-15, Tier 1 accounts will see a 40% reduction in requests-per-minute limits for claude-3-opus-20240229. This does not affect Tier 2 or higher accounts. The change is intended to encourage migration to claude-3-5-sonnet-20241022 which has 2x higher rate limits.
  migration: Migrate to claude-3-5-sonnet-20241022 to maintain current throughput. Alternatively, upgrade to Tier 2 to retain existing limits on opus.
  source: https://docs.anthropic.com/en/api/rate-limits
  effective: 2026-04-15

- [informational] 2026-03-20T14:00:00Z informational: Batch API now supports up to 100k requests per batch
  summary: The Anthropic Batch API limit increased from 10,000 to 100,000 requests per batch. Existing integrations require no changes. Billing and processing time scale proportionally.
  source: https://docs.anthropic.com/en/api/creating-message-batches
  effective: 2026-03-20

- [medium] 2026-04-10T12:00:00Z data_handling: Data processing agreement updated - EU subprocessors list revised
  summary: Anthropic updated its Data Processing Agreement on 2026-04-10. The EU subprocessors list adds one new provider (infrastructure provider in Frankfurt region) and removes a deprecated analytics vendor. Organizations with strict DPA requirements should review the updated list and obtain sign-off from their data protection officer if required.
  source: https://www.anthropic.com/legal/privacy
  effective: 2026-04-10

- [medium] 2026-03-15T10:00:00Z api_deprecation: Legacy tool_use format deprecated in favor of tools parameter
  summary: The experimental tool_use response format from the claude-3 preview period is deprecated. All applications must migrate to the stable tools parameter format. The legacy format will be rejected by the API starting 2026-06-01. The tools format has been stable since claude-3 GA.
  migration: Replace experimental tool_use blocks with the stable tools parameter format. See migration guide for field-by-field mapping.
  source: https://docs.anthropic.com/en/api/tool-use
  effective: 2026-03-15
  sunset: 2026-06-01

## Cloudflare

slug: cloudflare
url: https://www.cloudflare.com
description: Cloud connectivity and security platform. CDN, Workers serverless runtime, R2 storage, Zero Trust access.
canonical: https://changespec.com/v/cloudflare
json: https://changespec.com/data/vendors/cloudflare.json
rss: https://changespec.com/v/cloudflare.rss

Recent changes:

- [high] 2026-04-08T10:00:00Z api_breaking: Workers runtime V8 version bump - setTimeout now enforces 30s max
  summary: Cloudflare Workers updated the underlying V8 runtime. As part of this update, setTimeout and setInterval now enforce a maximum delay of 30,000ms. Previously, delays longer than 30s were silently clamped but not documented. Workers relying on delays longer than 30s must be refactored to use Durable Object alarms, which support arbitrary future scheduling.
  migration: Replace setTimeout calls with delays over 30 seconds with Durable Object alarms. Alarms support arbitrary future scheduling and survive Worker restarts.
  source: https://developers.cloudflare.com/workers/runtime-apis/timers/
  effective: 2026-04-14

- [medium] 2026-03-28T16:00:00Z pricing: R2 storage egress pricing introduced for high-volume tiers
  summary: Cloudflare R2 introduced egress pricing for accounts transferring more than 10TB per month. Data transferred below the 10TB threshold remains free. Above the threshold, egress is billed at $0.015 per GB. This change affects the billing model of R2 for large-scale storage users. Egress to Cloudflare's own network (Workers, Pages) is always free regardless of volume.
  source: https://developers.cloudflare.com/r2/pricing/
  effective: 2026-05-01

- [medium] 2026-03-12T09:00:00Z api_deprecation: Workers Sites deprecated in favor of Cloudflare Pages
  summary: Workers Sites, the original static site deployment mechanism for Workers, is deprecated. New projects should use Cloudflare Pages, which offers equivalent functionality with improved DX and automatic preview deployments. Workers Sites will continue to work for existing deployments until 2027-06-01. The wrangler site CLI commands are deprecated but functional.
  migration: Migrate Workers Sites projects to Cloudflare Pages. The migration guide covers wrangler.toml conversion and build configuration differences.
  source: https://developers.cloudflare.com/pages/migrations/migrating-from-workers-sites/
  effective: 2026-03-12
  sunset: 2027-06-01

- [critical] 2026-04-03T14:00:00Z security: Zero Trust WARP client update required - CVE-2026-2141
  summary: A privilege escalation vulnerability (CVE-2026-2141) was identified in the Cloudflare WARP client for Windows versions below 2024.12.0. An attacker with local code execution can escalate to SYSTEM privileges. The vulnerability is in the WARP service IPC handler. Update all Windows WARP installations to 2024.12.0 or later immediately. macOS and Linux clients are not affected.
  migration: Deploy WARP 2024.12.0 to all Windows endpoints via MDM. MDM deployment guide linked in source URL. Verify version via warp-cli --version.
  source: https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/
  effective: 2026-04-03

- [low] 2026-03-20T12:00:00Z data_handling: Workers Logs retention period changed from 7 days to 72 hours on free tier
  summary: Workers Logs retention on the free tier has been reduced from 7 days to 72 hours. Paid tier retention is unchanged at 7 days. The Workers Analytics API is unaffected. Teams on free tier who rely on the logs UI for debugging have a narrower window to review errors.
  source: https://developers.cloudflare.com/workers/observability/logs/workers-logs/
  effective: 2026-03-20

## GitHub

slug: github
url: https://github.com
description: Software development platform. Git hosting, Actions CI/CD, Packages, Copilot, and enterprise security tools.
canonical: https://changespec.com/v/github
json: https://changespec.com/data/vendors/github.json
rss: https://changespec.com/v/github.rss

Recent changes:

- [low] 2026-03-15T18:00:00Z tos: Terms of Service updated - automated account restrictions clarified
  summary: GitHub updated Section 2.4 of its Terms of Service to clarify restrictions on automated account creation and bulk repository scraping. The changes codify existing enforcement policy and do not restrict activity that was previously permitted. Organizations running CI/CD systems, dependency scanners, or similar automation using PATs are not affected.
  source: https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
  effective: 2026-03-15

- [high] 2026-04-01T12:00:00Z api_breaking: Actions runner token scope reduced - secrets no longer inherited by default
  summary: GitHub Actions workflow runs now require explicit secrets inheritance declarations. Child reusable workflows no longer automatically inherit the calling workflow's secrets. This is a security hardening change. Workflows using reusable actions with secrets must add 'secrets: inherit' or pass individual secrets explicitly.
  migration: Add 'secrets: inherit' to reusable workflow calls, or pass individual secrets explicitly using the 'secrets:' map. Audit all workflows calling external reusable workflows.
  source: https://docs.github.com/en/actions/using-workflows/reusing-workflows
  effective: 2026-04-01

- [medium] 2026-04-05T16:00:00Z pricing: GitHub Copilot for Business price increase - $19 to $21/user/month
  summary: GitHub Copilot for Business pricing increases from $19 to $21 per user per month, effective June 1, 2026. Annual subscriptions locked in before May 1 retain current pricing for the remainder of the contract term. Per-seat pricing changes will appear in the May billing cycle for monthly subscribers.
  source: https://github.com/pricing
  effective: 2026-06-01

- [low] 2026-03-20T09:00:00Z api_deprecation: GitHub REST API v3 pagination Link header format deprecated
  summary: GitHub is deprecating the Link header pagination format in REST API responses in favor of the newer X-GitHub-Next-Page-URL header. The Link header will continue to work until 2027-01-01. New API clients should use the dedicated pagination headers. GitHub Apps with GitHub's Octokit client libraries are unaffected as they will be updated automatically.
  source: https://docs.github.com/en/rest/using-the-rest-api/using-pagination-in-the-rest-api
  effective: 2026-03-20
  sunset: 2027-01-01

- [high] 2026-04-10T14:00:00Z security: GitHub Advanced Security - secret scanning now covers 200+ additional token types
  summary: GitHub expanded its secret scanning detection to cover 200+ additional third-party token formats from vendors including Databricks, MongoDB Atlas, and Pinecone. Organizations with GitHub Advanced Security enabled will see increased alerts if these token types are present in any repository, including private ones. No configuration changes required; scanning activates automatically.
  source: https://docs.github.com/en/code-security/secret-scanning/introduction/supported-secret-scanning-patterns
  effective: 2026-04-10

## Twilio

slug: twilio
url: https://www.twilio.com
description: Cloud communications platform. Voice, SMS, email, and video APIs. Segment customer data platform.
canonical: https://changespec.com/v/twilio
json: https://changespec.com/data/vendors/twilio.json
rss: https://changespec.com/v/twilio.rss

Recent changes:

- [high] 2026-04-02T14:00:00Z api_breaking: Programmable Voice TwiML redirect limit reduced to 10 hops
  summary: Starting 2026-05-01, Twilio enforces a maximum of 10 consecutive TwiML redirects per call. Previously, the limit was 25. Calls that exceed 10 redirects will receive a 482 Too Many Hops error and be terminated. Applications with deep IVR trees or recursive TwiML patterns must be refactored.
  migration: Audit TwiML redirect chains in your call flow. Replace recursive redirect patterns with server-side logic that consolidates steps.
  source: https://www.twilio.com/docs/voice/twiml/redirect
  effective: 2026-05-01

- [high] 2026-04-08T10:00:00Z pricing: SMS A2P 10DLC surcharge increases 15% effective June 2026
  summary: The A2P 10DLC carrier surcharge for US domestic SMS will increase by approximately 15% on 2026-06-01 due to carrier network fee adjustments. This applies to all SMS sent via long code numbers registered on the A2P 10DLC system. Short code and toll-free number pricing is unchanged.
  source: https://www.twilio.com/en-us/pricing/sms
  effective: 2026-06-01

- [medium] 2026-03-25T16:00:00Z data_handling: Message content retention default reduced from 13 months to 7 days
  summary: Twilio changed the default message content retention period from 13 months to 7 days for new accounts. Existing accounts retain their current settings until 2026-07-01, after which they will also migrate to the 7-day default unless explicitly extended in the console. This change does not affect message metadata (SID, status, timestamps), which are retained for 13 months.
  migration: If your compliance requirements need longer content retention, configure the retention period explicitly in the Twilio console or via the API before 2026-07-01.
  source: https://www.twilio.com/en-us/legal/data-retention-policy
  effective: 2026-07-01

- [medium] 2026-03-10T09:00:00Z api_deprecation: TaskRouter legacy API (v1) end of life 2027-01-01
  summary: Twilio TaskRouter REST API version 1 is deprecated and will reach end of life on 2027-01-01. Applications must migrate to TaskRouter v2. The v2 API offers a unified task model, improved worker attributes schema, and support for multi-channel routing. Migration documentation is available at the source URL.
  migration: Review the TaskRouter v1 to v2 migration guide. The Task object schema changed; filter attributes and routing expressions may require updates.
  source: https://www.twilio.com/docs/taskrouter/api
  effective: 2026-03-10
  sunset: 2027-01-01

## Vercel

slug: vercel
url: https://vercel.com
description: Frontend cloud platform. Builds, deploys, and hosts web applications. Maintains Next.js.
canonical: https://changespec.com/v/vercel
json: https://changespec.com/data/vendors/vercel.json
rss: https://changespec.com/v/vercel.rss

Recent changes:

- [medium] 2026-04-05T12:00:00Z api_deprecation: Vercel CLI v28 deprecated; v32 required by 2026-07-01
  summary: Vercel CLI versions below 32 are deprecated and will stop authenticating to the Vercel platform on 2026-07-01. Teams using version-pinned CLI in CI/CD must update before the deadline. v32 requires Node.js 18 or later.
  migration: Run 'npm install -g vercel@latest' in your CI image. Verify Node.js is 18+. No config file changes required.
  source: https://vercel.com/changelog/cli-v32
  effective: 2026-04-05
  sunset: 2026-07-01

- [high] 2026-03-22T09:00:00Z api_breaking: Environment variable names with double underscores no longer supported
  summary: Vercel platform build environment no longer injects environment variables with double underscores (__) in the name. These were undocumented aliases created during the legacy build pipeline migration. If your project references any such variables in build scripts or framework configuration, they must be renamed before the effective date.
  migration: Search your codebase and next.config.js for any variable names containing double underscores and rename them in the Vercel dashboard.
  source: https://vercel.com/docs/environment-variables
  effective: 2026-04-30

- [medium] 2026-04-01T00:00:00Z pricing: Fluid compute pricing model replaces serverless function pricing
  summary: Vercel replaced per-invocation serverless function pricing with a fluid compute model billed on actual CPU and memory usage per millisecond. Applications with short, frequent invocations will typically see lower costs. Long-running or memory-intensive functions may see higher costs. No code changes required; billing model takes effect on the next billing cycle.
  source: https://vercel.com/blog/fluid-compute
  effective: 2026-04-01

- [low] 2026-03-18T16:00:00Z informational: Next.js 15.2 released with React 19 RC support
  summary: Next.js 15.2 adds stable support for React 19 RC, the new DevTools integration, and improved error messages for missing environment variables. This is a minor release; no breaking changes. Existing Next.js 15.x applications can upgrade with 'npm install next@15.2.0'.
  source: https://nextjs.org/blog/next-15-2
  effective: 2026-03-18

- [low] 2026-03-30T10:00:00Z data_handling: Build log retention reduced from 90 to 30 days
  summary: Vercel reduced build log retention from 90 days to 30 days effective 2026-04-15. Raw build logs older than 30 days will be deleted automatically. Deployment metadata and status history are not affected. Teams requiring longer log retention should configure log drains to an external provider.
  migration: Configure a log drain to Datadog, Logtail, or an S3-compatible store before 2026-04-15 if you need logs beyond 30 days.
  source: https://vercel.com/docs/observability/log-drains
  effective: 2026-04-15

===============================================================================

# 5. Examples by category

One canonical ChangeSpec event per category. Canonical URL: https://changespec.com/examples/

===============================================================================

# 6. Pricing

Current tiers (subject to change - canonical at https://changespec.com#pricing):

- Developer: free. Public JSON/RSS, MCP server for personal use, community severity triage.
- Team: paid. Private org-level feeds, Slack notifications, webhook delivery with retries, vendor digest summaries.
- Enterprise: paid. Publisher-verified stream with Ed25519 signature verification, custom vendor crawling, audit-log exports, DORA/OSFI reports, SSO, dedicated SLA.

The specification itself is free forever under Apache-2.0.

===============================================================================

# 7. API and machine-readable endpoints

All endpoints are static JSON or RSS, cacheable, no auth.

- `/llms.txt` - this site, in the llms.txt format
- `/llms-full.txt` - this document
- `/.well-known/changespec` - deployment capability descriptor (JSON)
- `/.well-known/mcp` - MCP server discovery
- `/.well-known/ai-plugin.json` - OpenAI-style plugin manifest
- `/.well-known/agents.txt` - agent policy (analog of robots.txt for agents)
- `/.well-known/security.txt` - security contact
- `/data/vendors.json` - list of all vendors
- `/data/vendors/{slug}.json` - per-vendor detail + events
- `/data/changes.json` - global newest-first feed
- `/changes.rss` - RSS 2.0 global feed
- `/v/{slug}.rss` - per-vendor RSS 2.0 feed
- `/examples/` - worked examples index (HTML)
- `/examples/{name}.json` - individual examples (JSON)
- `/api/v1/openapi.json` - OpenAPI 3.1 description
- `/self/changes.json` - our own changelog, in ChangeSpec format
- `/self/changes.rss` - our own changelog, RSS

HTTP response headers exposed on every HTML page:

- Link: ; rel="llms"
- Link: ; rel="changespec-discovery"
- X-ChangeSpec-Version: 0.1-draft

===============================================================================

# 8. Privacy, security, and agent policy

- We welcome AI crawlers. See /robots.txt - no agent is blocked.
- Security disclosure: /.well-known/security.txt
- Agent policy: /.well-known/agents.txt
- We publish our own changes in ChangeSpec format at /self/changes.json as dogfooding. If this site changes, you can subscribe like any other vendor.

End of bundle.