compliance-agent 0.1.0__tar.gz
- compliance_agent-0.1.0/.gitignore +42 -0
- compliance_agent-0.1.0/LICENSE +21 -0
- compliance_agent-0.1.0/PKG-INFO +541 -0
- compliance_agent-0.1.0/README.md +504 -0
- compliance_agent-0.1.0/examples/sample-chatbot/README.md +28 -0
- compliance_agent-0.1.0/pyproject.toml +64 -0
- compliance_agent-0.1.0/rules/annex3.yaml +106 -0
- compliance_agent-0.1.0/src/compliance_agent/__init__.py +34 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/__init__.py +5 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/__init__.py +53 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art10.py +41 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art11.py +41 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art12.py +41 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art13.py +59 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art14.py +43 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art15.py +68 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art26.py +66 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art28.py +61 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art50.py +41 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art6.py +47 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art7.py +45 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/art9.py +37 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/articles/base.py +237 -0
- compliance_agent-0.1.0/src/compliance_agent/analyzer/gaps.py +41 -0
- compliance_agent-0.1.0/src/compliance_agent/classifier/__init__.py +5 -0
- compliance_agent-0.1.0/src/compliance_agent/classifier/annex3.py +34 -0
- compliance_agent-0.1.0/src/compliance_agent/classifier/risk.py +109 -0
- compliance_agent-0.1.0/src/compliance_agent/cli.py +367 -0
- compliance_agent-0.1.0/src/compliance_agent/models/__init__.py +5 -0
- compliance_agent-0.1.0/src/compliance_agent/models/findings.py +111 -0
- compliance_agent-0.1.0/src/compliance_agent/models/recommendations.py +17 -0
- compliance_agent-0.1.0/src/compliance_agent/recommender/__init__.py +5 -0
- compliance_agent-0.1.0/src/compliance_agent/recommender/engine.py +122 -0
- compliance_agent-0.1.0/src/compliance_agent/recommender/rules.py +139 -0
- compliance_agent-0.1.0/src/compliance_agent/reporter/__init__.py +10 -0
- compliance_agent-0.1.0/src/compliance_agent/reporter/json_report.py +30 -0
- compliance_agent-0.1.0/src/compliance_agent/reporter/markdown.py +187 -0
- compliance_agent-0.1.0/src/compliance_agent/reporter/pdf_report.py +323 -0
- compliance_agent-0.1.0/src/compliance_agent/reporter/templates/report.html +263 -0
- compliance_agent-0.1.0/src/compliance_agent/reporter/terminal.py +305 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/__init__.py +5 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/__init__.py +22 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/agents.py +180 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/base.py +92 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/frameworks/__init__.py +24 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/frameworks/autogen.py +71 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/frameworks/base.py +81 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/frameworks/crewai.py +61 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/frameworks/langchain.py +80 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/frameworks/langgraph.py +51 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/patterns.py +196 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/detectors/providers.py +156 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/engine.py +199 -0
- compliance_agent-0.1.0/src/compliance_agent/scanner/parser.py +41 -0
- compliance_agent-0.1.0/templates/README.md +34 -0
- compliance_agent-0.1.0/templates/art10/data_governance.py +84 -0
- compliance_agent-0.1.0/templates/art11/technical_documentation.py +114 -0
- compliance_agent-0.1.0/templates/art12/event_logging.py +137 -0
- compliance_agent-0.1.0/templates/art14/human_oversight.py +132 -0
- compliance_agent-0.1.0/templates/art50/content_marking.py +85 -0
- compliance_agent-0.1.0/templates/art50/deepfake_disclosure.py +92 -0
- compliance_agent-0.1.0/templates/art50/transparency_notice.py +95 -0
- compliance_agent-0.1.0/templates/art9/risk_management.py +133 -0
- compliance_agent-0.1.0/templates/common/ai_disclosure_banner.html +49 -0
- compliance_agent-0.1.0/templates/common/ai_disclosure_middleware.py +67 -0
- compliance_agent-0.1.0/templates/common/compliance_config.yaml +33 -0
- compliance_agent-0.1.0/tests/__init__.py +0 -0
- compliance_agent-0.1.0/tests/conftest.py +90 -0
- compliance_agent-0.1.0/tests/test_articles.py +191 -0
- compliance_agent-0.1.0/tests/test_classifier.py +148 -0
- compliance_agent-0.1.0/tests/test_cli.py +110 -0
- compliance_agent-0.1.0/tests/test_detectors.py +137 -0
- compliance_agent-0.1.0/tests/test_framework_detectors.py +174 -0
- compliance_agent-0.1.0/tests/test_package.py +20 -0
- compliance_agent-0.1.0/tests/test_parser.py +29 -0
- compliance_agent-0.1.0/tests/test_pdf_reporter.py +170 -0
- compliance_agent-0.1.0/tests/test_recommender.py +149 -0
- compliance_agent-0.1.0/tests/test_scanner.py +159 -0
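--- a/compliance_agent-0.1.0/.gitignore
+++ b/compliance_agent-0.1.0/.gitignore
@@ -0,0 +1,42 @@
+# Python-generated files
+__pycache__/
+*.py[oc]
+build/
+dist/
+wheels/
+*.egg-info
+
+# Virtual environments
+.venv
+venv/
+env/
+
+# Environment / secrets
+.env
+.env.*
+
+# Tooling caches
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+coverage.xml
+
+# Editor
+.idea/
+.vscode/
+.DS_Store
+
+# Generated compliance reports
+compliance-report-*.pdf
+compliance-report-*.md
+
+# Runtime artifacts from templates/demos
+ai_logs*/
+oversight_audit.jsonl
+risk_register.json
+dataset_cards*/
+
+# Unrelated sibling checkout (ECC plugin repo)
+ECC/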
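Review bot: The `.env.*` pattern in the "Environment / secrets" group also matches sample files such as `.env.example`, so a template of required variables could only be committed with `git add -f`. If the project wants to track one, follow the pattern with `!.env.example`; otherwise a short comment such as `# env templates are intentionally not tracked` would make the intent explicit. Whether such a file exists is not visible in this diff.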
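--- a/compliance_agent-0.1.0/LICENSE
+++ b/compliance_agent-0.1.0/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 latreon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.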
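--- a/compliance_agent-0.1.0/PKG-INFO
+++ b/compliance_agent-0.1.0/PKG-INFO
@@ -0,0 +1,541 @@
+Metadata-Version: 2.4
+Name: compliance-agent
+Version: 0.1.0
+Summary: EU AI Act compliance scanner for AI projects
+Author-email: latreon <ferdakerim@gmail.com>
+License: MIT License
+
+Copyright (c) 2026 latreon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+License-File: LICENSE
+Keywords: ai,cli,compliance,eu-ai-act,scanner
+Requires-Python: >=3.12
+Requires-Dist: pathspec>=1.1.1
+Requires-Dist: pydantic>=2.13.4
+Requires-Dist: pyyaml>=6.0.3
+Requires-Dist: rich>=15.0.0
+Requires-Dist: typer>=0.26.8
+Requires-Dist: weasyprint>=69.0
+Description-Content-Type: text/markdown
+
+# ComplianceAgent
+
+**Check if your AI project follows EU rules.**
+
+[](https://github.com/latreon/compliance-agent/actions)
+[](https://www.python.org/downloads/)
+[](LICENSE)
+
+The EU has new rules for AI. If you're building with OpenAI, Anthropic, LangChain,
+or any AI framework, you need to check whether you comply. This tool does it for
+you — one command, about 5 seconds.
+
+[30-Second Start](#30-second-start) · [What It Does](#what-it-does-simple-version) · [How It Works](#how-it-works) · [Examples](#real-examples) · [All Commands](#command-reference) · [FAQ](#common-questions)
+
+---
+
+## 30-Second Start
+
+```bash
+# Install
+pip install compliance-agent
+
+# Check your project
+compliance-agent scan .
+
+# That's it — read what it found.
+```
+
+## What It Does (Simple Version)
+
+1. **Scans your code** — finds where you use AI (OpenAI, LangChain, etc.).
+2. **Checks the rules** — compares your code against EU AI Act requirements.
+3. **Tells you what's missing** — shows exactly what you need to fix.
+4. **Gives you the code** — provides copy-paste fixes for each problem.
+
+## What You'll See
+
+When you run `compliance-agent scan .`, you get something like:
+
+```text
+YOUR PROJECT STATUS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Risk Level: LIMITED (some rules apply)
+AI Found: OpenAI chatbot, LangChain agent
+Issues: 3 things to fix
+
+WHAT TO FIX
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+1. Add a "You're talking to AI" notice to your chat
+→ Copy this file: templates/art50/transparency_notice.py
+
+2. Log all AI conversations (EU requires record-keeping)
+→ Copy this file: templates/art12/event_logging.py
+
+3. Add error handling for AI failures
+→ Add try/except blocks around AI calls
+
+NEXT STEPS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Get the fix files: compliance-agent recommend . --output ./fixes
+```
+
+## Do I Need This?
+
+**Yes, if you:**
+
+- Use OpenAI, Anthropic, Google, or any AI API
+- Build chatbots or AI assistants
+- Use LangChain, CrewAI, AutoGen, or LangGraph
+- Deploy AI in the EU or serve EU users
+- Want to avoid fines (up to €35M)
+
+**No, if you:**
+
+- Don't use AI in your project
+- Only use AI for personal projects (not a business)
+- Don't operate in, or serve users in, the EU
+
+## Installation
+
+### For most users
+
+```bash
+pip install compliance-agent
+```
+
+That's it. Skip to the [30-Second Start](#30-second-start).
+
+**If `pip install` fails**, try:
+
+```bash
+python -m pip install compliance-agent
+```
+
+**If you get "Permission denied":**
+
+```bash
+pip install --user compliance-agent
+```
+
+**If you use a virtual environment**, activate it first:
+
+```bash
+source venv/bin/activate # Linux / macOS
+venv\Scripts\activate # Windows
+pip install compliance-agent
+```
+
+**If you use `uv`:**
+
+```bash
+uv pip install compliance-agent
+```
+
+**Install the latest unreleased version from GitHub:**
+
+```bash
+pip install git+https://github.com/latreon/compliance-agent.git
+```
+
+**Verify it worked:**
+
+```bash
+compliance-agent version
+# ComplianceAgent v0.1.0
+```
+
+Trouble installing or running? See the [Troubleshooting guide](docs/TROUBLESHOOTING.md).
+
+## How It Works
+
+### Step 1: Scan your code
+
+The scanner reads your project files and looks for AI-related patterns:
+
+- `import openai` — you're using OpenAI
+- `from langchain` — you're using LangChain
+- `AgentExecutor()` — you're running an AI agent
+- `client.chat.completions.create()` — you're calling an AI API
+
+It uses **AST parsing** (not just text search) to avoid false positives. A comment
+that mentions "OpenAI" won't trigger a finding — only real code does.
+
+### Step 2: Classify risk
+
+Based on what it finds, the tool assigns a risk level:
+
+| Risk Level | What It Means | Rules That Apply |
+|------------|---------------|------------------|
+| **MINIMAL** | Basic AI usage, no user interaction | Almost none |
+| **LIMITED** | AI interacts with users | Transparency rules (Art. 50) |
+| **HIGH** | AI makes important decisions | Full compliance required |
+| **UNACCEPTABLE** | Banned AI practices (Art. 5) | Cannot be deployed |
+
+### Step 3: Check compliance
+
+The tool checks 12 specific articles of the EU AI Act:
+
+| Article | What It Checks | When It Matters |
+|---------|----------------|-----------------|
+| Art. 50 | "You're talking to AI" notice | Any user-facing AI |
+| Art. 12 | Logging AI conversations | All AI systems |
+| Art. 14 | Human oversight for decisions | High-risk / agentic AI |
+| Art. 15 | Error handling and robustness | All AI systems |
+| ... | [see the full list](#compliance-coverage) | ... |
+
+### Step 4: Recommend fixes
+
+For each issue found, the tool:
+
+1. Explains what's wrong
+2. Shows which rule requires the fix
+3. Provides a code template you can copy
+4. Tells you exactly where to put it
+
+```text
+ISSUE: No "You're talking to AI" notice
+RULE: EU AI Act Article 50(1)
+FIX: Copy templates/art50/transparency_notice.py into your project
+WHERE: Add it before your chat endpoint
+```
+
+## Real Examples
+
+### Example 1: Simple chatbot (Limited risk)
+
+A basic chatbot using OpenAI:
+
+```python
+# chatbot.py
+import openai
+
+client = openai.OpenAI()
+
+def chat(user_input):
+return client.chat.completions.create(
+model="gpt-4",
+messages=[{"role": "user", "content": user_input}],
+).choices[0].message.content
+```
+
+Scan result:
+
+```text
+RISK: LIMITED (Article 50 applies)
+ISSUES: 2
+1. No "You're talking to AI" notice
+2. No logging of conversations
+FIX: Add a transparency notice + logging.
+```
+
+### Example 2: LangChain agent (Higher risk)
+
+An agent that can search the web and send emails:
+
+```python
+# agent.py
+from langchain.agents import AgentExecutor
+from langchain.tools import Tool
+
+tools = [
+Tool(name="search", func=search_web, description="Search the web"),
+Tool(name="email", func=send_email, description="Send an email"),
+]
+
+executor = AgentExecutor(agent=agent, tools=tools)
+```
+
+Scan result:
+
+```text
+RISK: HIGH (agent with tool access)
+FRAMEWORKS: LangChain (agent, tools)
+ISSUES: 5
+1. No human oversight before tool use
+2. No logging of tool calls
+3. No error handling for API failures
+4. No "You're talking to AI" notice
+5. No data governance documentation
+FIX: Add human-in-the-loop, logging, error handling, transparency.
+```
+
+### Example 3: CrewAI multi-agent (High risk)
+
+A crew of agents researching and writing:
+
+```python
+# crew.py
+from crewai import Agent, Task, Crew
+
+researcher = Agent(role="Researcher", tools=[search])
+writer = Agent(role="Writer", tools=[write])
+
+crew = Crew(
+agents=[researcher, writer],
+tasks=[Task(description="Research", agent=researcher),
+Task(description="Write", agent=writer)],
+)
+crew.kickoff()
+```
+
+Scan result:
+
+```text
+RISK: HIGH (multiple autonomous agents)
+FRAMEWORKS: CrewAI (agent, crew, task)
+ISSUES: 4
+1. No oversight before crew execution
+2. No logging of agent actions
+3. No documentation of agent roles
+4. No incident reporting procedure
+FIX: Add an approval workflow, logging, documentation, incident plan.
+```
+
+## Command Reference
+
+```bash
+# Scan a folder ('.' = current folder)
+compliance-agent scan .
+
+# Output types
+compliance-agent scan . --format markdown # for reading (default)
+compliance-agent scan . --format json # for computers / CI
+compliance-agent scan . --format pdf # for sharing
+
+# Only show serious issues
+compliance-agent scan . --severity high
+
+# Skip folders
+compliance-agent scan . --exclude "tests/*" --exclude "docs/*"
+
+# Show how to fix each problem
+compliance-agent scan . --fix
+
+# Copy fix templates into your project
+compliance-agent recommend . --output ./fixes
+
+# Make a shareable report file
+compliance-agent report . --output audit-2026.pdf
+
+# For CI/CD: plain output, fail the build on serious issues
+compliance-agent scan . --ci --fail-on high
+```
+
+Run `compliance-agent scan --help` to see every option explained.
+
+**Exit codes:** `0` success · `1` `--fail-on` threshold met · `2` usage error.
+`.gitignore` is honored automatically, and vendored directories are always skipped.
+
+JSON output is a versioned envelope — safe to parse in CI:
+
+```json
+{
+"schema_version": "1.0",
+"tool_version": "0.1.0",
+"scan_result": { "files_scanned": 2, "risk_tier": "limited", "findings": ["..."] }
+}
+```
+
+## What It Detects
+
+**AI providers**
+
+- OpenAI (GPT-4, GPT-4o, o1)
+- Anthropic (Claude)
+- Google (Gemini)
+- Mistral
+- Local models (Ollama, vLLM, transformers, llama.cpp, torch)
+
+**Agent patterns**
+
+- MCP servers and tool definitions
+- Tool calls and function calling
+- Multi-agent orchestration (CrewAI, AutoGen, LangGraph)
+- Prompt templates and system prompts
+
+### Framework-aware detection
+
+Beyond generic provider detection, dedicated detectors understand what each
+framework construct means for compliance (only in files that actually import the
+framework — AST-verified):
+
+| Framework | Detection | Compliance Mapping |
+|-----------|-----------|--------------------|
+| LangChain | Agents, tools, memory, chains | Art. 14 (oversight), Art. 9 (risk), Art. 12 (logging), Art. 50 (transparency) |
+| CrewAI | Crews, agents, tasks, processes | Art. 14 (oversight), Art. 12 (logging), Art. 11 (docs) |
+| AutoGen | Agents, group chat, function/code execution | Art. 50 (transparency), Art. 12 (logging), Art. 9 (risk) |
+| LangGraph | State graphs, conditional edges, tool nodes, checkpoints | Art. 12 (logging), Art. 11 (docs), Art. 14 (oversight) |
+
+## Compliance Coverage
+
+ComplianceAgent checks the following EU AI Act articles and reports a per-article
+status (Met / Partial / Missing / Not applicable):
+
+| Article | Title | When Applicable |
+|---------|-------|-----------------|
+| 6 | High-risk definition | High-risk tier |
+| 7 | Conformity assessment | High-risk tier |
+| 9 | Risk management | High-risk tier |
+| 10 | Data governance | Data processing or high-risk tier |
+| 11 | Technical documentation | Any AI usage |
+| 12 | Record-keeping | Any AI usage |
+| 13 | Transparency to deployers | User-facing systems |
+| 14 | Human oversight | Agentic patterns or high-risk tier |
+| 15 | Accuracy, robustness, cybersecurity | Any AI usage |
+| 26 | Provider obligations | High-risk tier |
+| 28 | Distributor obligations | Deployment artifacts present |
+| 50 | User transparency | User-facing AI |
+
+## Fix Templates
+
+ComplianceAgent doesn't just find problems — it ships solutions. Every gap maps to
+a real, copy-pasteable template ([index](templates/README.md)):
+
+| Article | Template | Purpose |
+|---------|----------|---------|
+| 50 | `transparency_notice.py` | AI interaction disclosure (decorator + ASGI middleware) |
+| 50 | `content_marking.py` | Machine-readable AI content marking |
+| 50 | `deepfake_disclosure.py` | Synthetic media labeling |
+| 12 | `event_logging.py` | AI event logging with retention + cleanup |
+| 14 | `human_oversight.py` | Human-in-the-loop checkpoints with audit trail |
+| 9 | `risk_management.py` | Risk register and review cycle |
+| 10 | `data_governance.py` | Dataset provenance cards |
+| 11 | `technical_documentation.py` | Annex IV technical documentation generator |
+
+Each template is fully working Python (compile-checked in CI), well-commented, and
+framework-agnostic (FastAPI, Flask, Streamlit).
+
+## PDF Reports
+
+Generate an audit-ready PDF for compliance teams, legal, or auditors:
+
+```bash
+compliance-agent scan . --format pdf
+# Report saved to: compliance-report-myproject.pdf
+
+# Or the dedicated report command (PDF or Markdown, custom path)
+compliance-agent report . --output audit-2026.pdf
+```
+
+The PDF includes a cover page, an executive summary with a risk-tier badge and
+metrics, a risk assessment with deadlines, a color-coded findings table, compliance
+gaps with remediation steps, fix recommendations with code snippets, and an EU AI
+Act reference appendix.
+
+> PDF generation uses [WeasyPrint](https://weasyprint.org/), which needs the pango
+> native libraries: `brew install pango` (macOS — run with
+> `DYLD_FALLBACK_LIBRARY_PATH=/opt/homebrew/lib` if needed) or
+> `apt install libpango-1.0-0 libpangoft2-1.0-0` (Debian/Ubuntu). Markdown and JSON
+> formats work without it.
+
+## CI/CD Integration
+
+**GitHub Actions**
+
+```yaml
+- name: EU AI Act Compliance Check
+run: |
+pip install compliance-agent
+compliance-agent scan . --ci --fail-on high
+```
+
+**Pre-commit hook**
+
+```yaml
+# .pre-commit-config.yaml
+repos:
+- repo: https://github.com/latreon/compliance-agent
+rev: v0.1.0
+hooks:
+- id: compliance-agent-scan
+args: [--fail-on, high]
+```
+
+## Common Questions
+
+**Is this legal advice?**
+No. It's a technical tool that checks your code. Consult a lawyer for legal advice.
+
+**Will this slow down my CI/CD?**
+No. It takes about 5 seconds on most projects.
+
+**What if I'm not in the EU?**
+If you serve EU users, you still need to comply. The EU AI Act applies to anyone
+providing AI to EU residents.
+
+**What if I find issues?**
+The tool gives you exact code fixes. Copy the templates into your project and
+re-run the scan.
+
+**Can I use this in production?**
+Yes. Add it to your CI/CD pipeline to catch issues automatically.
+
+## Troubleshooting
+
+Common problems and fixes are in the [Troubleshooting guide](docs/TROUBLESHOOTING.md).
+Quick hits:
+
+- **`command not found: compliance-agent`** → run `python -m compliance_agent scan .`
+- **PDF generation fails** → `brew install pango` (macOS), or just use
+`--format markdown` / `--format json`
+- **Too many findings** → `--exclude "tests/*"` or `--severity high`
+
+## Development
+
+```bash
+git clone https://github.com/latreon/compliance-agent.git
+cd compliance-agent
+uv sync
+uv run pytest # tests with coverage
+uv run compliance-agent scan . # dogfood: scan this repo
+```
+
+## Contributing
+
+Contributions welcome! See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+Priority areas:
+
+- New detector patterns (LlamaIndex, Haystack)
+- Additional templates for other articles
+- Integration with more AI frameworks
+- Documentation improvements
+
+## Roadmap
+
+- [ ] PyPI release + GitHub Action on the Marketplace
+- [ ] Project config file (`compliance.yaml`) for declared posture and scan defaults
+- [ ] SARIF output for GitHub code scanning integration
+- [ ] JS/TS project scanning
+
+## Resources
+
+- [EU AI Act (Regulation (EU) 2024/1689) — full text](https://eur-lex.europa.eu/eli/reg/2024/1689/oj)
+- [EU AI Act explorer](https://artificialintelligenceact.eu/)
+
+## License
+
+MIT License — see [LICENSE](LICENSE).
+
+## Disclaimer
+
+This tool provides technical analysis, not legal advice. Consult qualified legal
+counsel for EU AI Act compliance decisions.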