Skip to content

v0.1.0

Choose a tag to compare

@OpenComplaiCTO OpenComplaiCTO released this 17 Jul 08:11

Opencomplai Community Edition v0.1.0

Initial public release — deterministic, rule-based EU AI Act risk classification and compliance tooling, shipped as code rather than spreadsheets and “it depends.”

Version v0.1.0
Tag v0.1.0
Commit d2e783c
Date 2026-06-28
License AGPL-3.0 (Enterprise Edition commercial license available at opencomplai.com)
Scale 394 files · +46,448 lines · single initial public commit (0 parents)

This tree is the first public drop of the Community Edition. There was no meaningful prior public history; the entire product surface lands in one commit. Packages are pre-release — install from source (PyPI publish for v0.1.0 was intended to follow once CI was stable on this tree).


Highlights

  • Deterministic risk engine — rule-based classification against Act text. No ML, no LLMs, nothing probabilistic.
  • Developer CLI with contractual exit codes — CI can branch on exit status without parsing JSON.
  • Canonical CI artifactopencomplai check writes compliance-artifact.json (ScanStatusArtifact).
  • Hosted multi-tenant path — gateway, risk engine, evidence vault, doc generator, egress proxy.
  • Air-gap ready stack — Docker Compose + fail-closed egress allowlist.
  • Browser EU AI Act Checker — no account; offline via opencomplai checker --local.
  • Release signing — Ed25519 keypair in ~/.opencomplai/; --sign on opencomplai check.
  • Supply-chain tooling — SBOM generation (scripts/verify-sbom.sh); AI-package CI gate.

What's included

packages/core — classification engine

Deterministic, rule-based risk classification. Input: SystemManifest. Output: RiskResult (classification, applicable obligations, reasoning chain).

Four checks against Act text:

  1. Unacceptable risk (Art. 5)UnacceptableRiskRule
  2. Annex III high-risk categoriesAnnexIIIClassifierRule
  3. Profiling detectionProfilingDetectionRule
  4. Substantial modificationSubstantialModificationRule

Also in core: compliance checker engine, dossier, eval engine (bias / leakage / safety evaluators), repo scanner / detectors, signing, state machine, verification, telemetry, purge.

packages/cli — developer workflow

Command Purpose
opencomplai init Create a system manifest
opencomplai check Run assessment; write compliance-artifact.json
opencomplai checker EU AI Act checker (incl. --local)
opencomplai verify-output Verify assessment output
opencomplai docs generate Generate documentation
opencomplai sync metadata Sync metadata
opencomplai risk classify Risk classification
opencomplai validate-manifest Validate manifest
opencomplai dashboard Dashboard

packages/sdk-python — pip-installable surface

Exports: ScanStatusArtifact, SystemManifest, RiskResult, AssessmentInput, ModelMetadata.

services/ — hosted multi-tenant path

Service Stack Role
gateway-api TypeScript + Fastify, OpenAPI-first Auth, validation, routing
risk-engine FastAPI Wraps packages/core
evidence-vault Append-only Merkle-linked LedgerEvents + content-addressed artifact store; /v1/evidence/verify-chain
doc-generator Annex IV-style dossiers from stored evidence
egress-proxy Outbound allowlist (EGRESS_ALLOWED_DESTINATIONS); fail-closed by default

gateway-api routes include:

  • /v1/sync/metadata
  • /v1/docs/generate
  • /v1/verify/claims
  • /v1/evidence/events
  • /v1/risk/classify
  • /v1/manifests/validate

Infra

  • infra/compose — Docker Compose: five services + PostgreSQL, Redis, Prometheus, Grafana. Copy .env.example.env, add API key, docker compose up.
  • infra/migrations — Alembic schema for the vault.
  • infra/docker — Dockerfiles per service.

Docs

Published via MkDocs at docs.opencomplai.com:

  • EU AI Act Checker — browser wizard (scope, Annex III, GPAI thresholds, provider/deployer obligations). No account. Offline: opencomplai checker --local.
  • CLI, SDK, deployment (including air-gap), architecture, concepts, contributing, troubleshooting.

Samples & community

  • Sample system: examples/sample-system
  • CONTRIBUTING.md, CLA.md, SECURITY.md, CODE_OF_CONDUCT.md
  • Issue templates, PR template, Dependabot

Contractual guarantees

CLI exit codes (stable for CI)

Code Meaning
0 PASS
1 CONTROL_FAIL
2 VALIDATION_FAIL
3 POLICY_BLOCK
4 TRAP_DETECTED (unacceptable-risk prohibition)

CI pipelines may branch on these exit codes without parsing JSON.

Canonical artifact

opencomplai check writes compliance-artifact.json (ScanStatusArtifact) as the canonical CI gate output.


Security & design principles

  • Permanently rule-based — the classification engine is intentionally and permanently deterministic. No ML / LLM classification path.
  • AI inventory gate — CI blocks unapproved LLM/ML dependencies unless signed off in docs/security/ai-inventory.md.
  • Egress fail-closedegress-proxy allowlists outbound destinations (EGRESS_ALLOWED_DESTINATIONS); default deny (air-gap ready).
  • Evidence integrity — append-only Merkle-linked ledger events; chain verification via /v1/evidence/verify-chain.
  • Release signing — Ed25519 keypair under ~/.opencomplai/; optional --sign on opencomplai check.
  • SBOMscripts/verify-sbom.sh.
  • Active CI
    • ci-python.yml — ruff lint; tests for every Python package/service; live CLI self-test; DLP invariant verification; pip-audit; AI-package gate.
    • docs-build.yml — MkDocs + checker widget.

Getting started

git clone https://github.com/Opencomplai/opencomplai
cd opencomplai
pip install -e packages/core -e packages/cli -e packages/sdk-python
# or: uv sync

opencomplai init --system-id my-model --intended-purpose "customer support chatbot"
opencomplai check

Compose stack: copy infra/compose/.env.example.env, add an API key, then docker compose up.

Full documentation: docs.opencomplai.com


Known limitations / pre-release notes

  • Not on PyPI yet for this release. Install from source as shown above. PyPI publish for v0.1.0 was intended once CI was stable on this tree.
  • Packages are marked pre-release per CHANGELOG.
  • This is the initial public drop as a single commit; treat APIs and artifact schemas as v0.1.0 baseline, not a long-lived prior public contract.

Breaking changes / migration

N/A — initial release. No prior public version to migrate from. Consumers adopting v0.1.0 are establishing a first baseline.


Editions

Edition Scope
Community Edition This repository — AGPL-3.0
Enterprise Edition Hosted premium dashboard, SSO, additional rule engines, commercial support — opencomplai.com

License & contributing


Links

Resource URL
Release commit d2e783c
Repository https://github.com/Opencomplai/opencomplai
Documentation https://docs.opencomplai.com
Website https://opencomplai.com

Commit title: Initial public release — Opencomplai v0.1.0