v0.1.0
Opencomplai Community Edition v0.1.0
Initial public release — deterministic, rule-based EU AI Act risk classification and compliance tooling, shipped as code rather than spreadsheets and “it depends.”
| Version | v0.1.0 |
| Tag | v0.1.0 |
| Commit | d2e783c |
| Date | 2026-06-28 |
| License | AGPL-3.0 (Enterprise Edition commercial license available at opencomplai.com) |
| Scale | 394 files · +46,448 lines · single initial public commit (0 parents) |
This tree is the first public drop of the Community Edition. There was no meaningful prior public history; the entire product surface lands in one commit. Packages are pre-release — install from source (PyPI publish for v0.1.0 was intended to follow once CI was stable on this tree).
Highlights
- Deterministic risk engine — rule-based classification against Act text. No ML, no LLMs, nothing probabilistic.
- Developer CLI with contractual exit codes — CI can branch on exit status without parsing JSON.
- Canonical CI artifact —
opencomplai checkwritescompliance-artifact.json(ScanStatusArtifact). - Hosted multi-tenant path — gateway, risk engine, evidence vault, doc generator, egress proxy.
- Air-gap ready stack — Docker Compose + fail-closed egress allowlist.
- Browser EU AI Act Checker — no account; offline via
opencomplai checker --local. - Release signing — Ed25519 keypair in
~/.opencomplai/;--signonopencomplai check. - Supply-chain tooling — SBOM generation (
scripts/verify-sbom.sh); AI-package CI gate.
What's included
packages/core — classification engine
Deterministic, rule-based risk classification. Input: SystemManifest. Output: RiskResult (classification, applicable obligations, reasoning chain).
Four checks against Act text:
- Unacceptable risk (Art. 5) —
UnacceptableRiskRule - Annex III high-risk categories —
AnnexIIIClassifierRule - Profiling detection —
ProfilingDetectionRule - Substantial modification —
SubstantialModificationRule
Also in core: compliance checker engine, dossier, eval engine (bias / leakage / safety evaluators), repo scanner / detectors, signing, state machine, verification, telemetry, purge.
packages/cli — developer workflow
| Command | Purpose |
|---|---|
opencomplai init |
Create a system manifest |
opencomplai check |
Run assessment; write compliance-artifact.json |
opencomplai checker |
EU AI Act checker (incl. --local) |
opencomplai verify-output |
Verify assessment output |
opencomplai docs generate |
Generate documentation |
opencomplai sync metadata |
Sync metadata |
opencomplai risk classify |
Risk classification |
opencomplai validate-manifest |
Validate manifest |
opencomplai dashboard |
Dashboard |
packages/sdk-python — pip-installable surface
Exports: ScanStatusArtifact, SystemManifest, RiskResult, AssessmentInput, ModelMetadata.
services/ — hosted multi-tenant path
| Service | Stack | Role |
|---|---|---|
| gateway-api | TypeScript + Fastify, OpenAPI-first | Auth, validation, routing |
| risk-engine | FastAPI | Wraps packages/core |
| evidence-vault | — | Append-only Merkle-linked LedgerEvents + content-addressed artifact store; /v1/evidence/verify-chain |
| doc-generator | — | Annex IV-style dossiers from stored evidence |
| egress-proxy | — | Outbound allowlist (EGRESS_ALLOWED_DESTINATIONS); fail-closed by default |
gateway-api routes include:
/v1/sync/metadata/v1/docs/generate/v1/verify/claims/v1/evidence/events/v1/risk/classify/v1/manifests/validate
Infra
infra/compose— Docker Compose: five services + PostgreSQL, Redis, Prometheus, Grafana. Copy.env.example→.env, add API key,docker compose up.infra/migrations— Alembic schema for the vault.infra/docker— Dockerfiles per service.
Docs
Published via MkDocs at docs.opencomplai.com:
- EU AI Act Checker — browser wizard (scope, Annex III, GPAI thresholds, provider/deployer obligations). No account. Offline:
opencomplai checker --local. - CLI, SDK, deployment (including air-gap), architecture, concepts, contributing, troubleshooting.
Samples & community
- Sample system:
examples/sample-system CONTRIBUTING.md,CLA.md,SECURITY.md,CODE_OF_CONDUCT.md- Issue templates, PR template, Dependabot
Contractual guarantees
CLI exit codes (stable for CI)
| Code | Meaning |
|---|---|
0 |
PASS |
1 |
CONTROL_FAIL |
2 |
VALIDATION_FAIL |
3 |
POLICY_BLOCK |
4 |
TRAP_DETECTED (unacceptable-risk prohibition) |
CI pipelines may branch on these exit codes without parsing JSON.
Canonical artifact
opencomplai check writes compliance-artifact.json (ScanStatusArtifact) as the canonical CI gate output.
Security & design principles
- Permanently rule-based — the classification engine is intentionally and permanently deterministic. No ML / LLM classification path.
- AI inventory gate — CI blocks unapproved LLM/ML dependencies unless signed off in
docs/security/ai-inventory.md. - Egress fail-closed —
egress-proxyallowlists outbound destinations (EGRESS_ALLOWED_DESTINATIONS); default deny (air-gap ready). - Evidence integrity — append-only Merkle-linked ledger events; chain verification via
/v1/evidence/verify-chain. - Release signing — Ed25519 keypair under
~/.opencomplai/; optional--signonopencomplai check. - SBOM —
scripts/verify-sbom.sh. - Active CI
ci-python.yml— ruff lint; tests for every Python package/service; live CLI self-test; DLP invariant verification;pip-audit; AI-package gate.docs-build.yml— MkDocs + checker widget.
Getting started
git clone https://github.com/Opencomplai/opencomplai
cd opencomplai
pip install -e packages/core -e packages/cli -e packages/sdk-python
# or: uv sync
opencomplai init --system-id my-model --intended-purpose "customer support chatbot"
opencomplai checkCompose stack: copy infra/compose/.env.example → .env, add an API key, then docker compose up.
Full documentation: docs.opencomplai.com
Known limitations / pre-release notes
- Not on PyPI yet for this release. Install from source as shown above. PyPI publish for v0.1.0 was intended once CI was stable on this tree.
- Packages are marked pre-release per CHANGELOG.
- This is the initial public drop as a single commit; treat APIs and artifact schemas as v0.1.0 baseline, not a long-lived prior public contract.
Breaking changes / migration
N/A — initial release. No prior public version to migrate from. Consumers adopting v0.1.0 are establishing a first baseline.
Editions
| Edition | Scope |
|---|---|
| Community Edition | This repository — AGPL-3.0 |
| Enterprise Edition | Hosted premium dashboard, SSO, additional rule engines, commercial support — opencomplai.com |
License & contributing
- License: AGPL-3.0
- Contributing: see
CONTRIBUTING.mdandCLA.md - Security: see
SECURITY.md - Code of conduct: see
CODE_OF_CONDUCT.md
Links
| Resource | URL |
|---|---|
| Release commit | d2e783c |
| Repository | https://github.com/Opencomplai/opencomplai |
| Documentation | https://docs.opencomplai.com |
| Website | https://opencomplai.com |
Commit title: Initial public release — Opencomplai v0.1.0