If this tool helps your compliance work, a ⭐ on GitHub helps others discover it.
EU AI Act compliance toolkit for developers. Scan your codebase, get a deadline-aware action plan, and generate an auditor-ready evidence package — certifiable with ArkForge Trust Layer.
August 2, 2026 enforcement deadline — 117 days remaining.
Need audit-grade proof? Certify every scan with ArkForge Trust Layer — tamper-proof, timestamped compliance evidence. 500 free proofs/month.
| Feature | Description |
|---|---|
generate_compliance_roadmap |
Week-by-week action plan to reach compliance before your deadline |
generate_annex4_package |
Auditor-ready ZIP with all 8 Annex IV sections populated from your code |
certify_compliance_report |
Cryptographic proof via Trust Layer (EU AI Act Art. 12) |
| Content scoring | check_compliance now scores document content (0-100), not just existence |
| Article mapping | Every finding mapped to specific EU AI Act article |
git clone https://github.com/ark-forge/mcp-eu-ai-act.git
cd mcp-eu-ai-act
pip install mcp
python3 server.pyRuns on Python 3.10+.
git clone https://github.com/ark-forge/mcp-eu-ai-act.git
cd mcp-eu-ai-act
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
python3 server.pypip install pytest
pytest tests/ -vAdd to claude_desktop_config.json:
{
"mcpServers": {
"eu-ai-act": {
"command": "python3",
"args": ["/path/to/mcp-eu-ai-act/server.py"]
}
}
}claude mcp add eu-ai-act python3 /path/to/mcp-eu-ai-act/server.pyAdd to .cursor/mcp.json:
{
"mcpServers": {
"eu-ai-act": {
"command": "python3",
"args": ["/path/to/mcp-eu-ai-act/server.py"]
}
}
}pip install uvicorn
python3 server.py --http
# Listening on 0.0.0.0:8089Detects AI framework usage in source code and config/manifest files. Supports 16 frameworks across Python, JS, TS, Go, Java, and Rust.
Key parameters: project_path (string, required)
Example output:
{
"files_scanned": 42,
"ai_files": [
{"file": "src/chat.py", "frameworks": ["openai"]},
{"file": "requirements.txt", "frameworks": ["openai"], "source": "config"}
],
"detected_models": {"openai": ["src/chat.py", "requirements.txt"]}
}Scores document content quality (0-100) and maps each finding to a specific EU AI Act article. Score ≥40 = pass. Fully backward compatible with v1.
Key parameters: project_path (string, required), risk_category (string, default: limited)
Example output (v2):
{
"risk_category": "high",
"compliance_score": "4/6",
"compliance_percentage": 66.7,
"content_scores": {
"RISK_MANAGEMENT.md": 82,
"TRANSPARENCY.md": 45,
"DATA_GOVERNANCE.md": 12
},
"article_map": {
"art_9": {"status": "pass", "score": 82},
"art_10": {"status": "fail", "score": 12},
"art_13": {"status": "pass", "score": 45}
}
}Deadline-aware, week-by-week action plan to reach EU AI Act compliance before August 2, 2026. Sequences quick wins first using a criticality × 1/effort algorithm.
Key parameters: project_path (string, required), risk_category (string), target_date (string, ISO format, default: 2026-08-02)
Example output:
{
"weeks_remaining": 16,
"phases": [
{
"week": 1,
"action": "Add TRANSPARENCY.md with user disclosure statement",
"article": "Art. 13",
"effort_days": 1,
"priority": "critical"
},
{
"week": 2,
"action": "Draft risk management procedure covering Art. 9 requirements",
"article": "Art. 9",
"effort_days": 3,
"priority": "high"
}
],
"estimated_completion_week": 8
}Runs scan + compliance check, returns a combined report with two-level output: executive summary for DPO/legal and technical breakdown for developers. Article-by-article citations included.
Key parameters: project_path (string, required), risk_category (string, default: limited)
Example output:
{
"executive_summary": {
"compliance_percentage": 67,
"deadline": "2026-08-02",
"days_remaining": 117,
"gap_count": 3,
"verdict": "Action required — 3 gaps must be addressed before deadline"
},
"technical_breakdown": {
"art_9": {"status": "fail", "missing": ["hazard identification section", "residual risk log"]},
"art_13": {"status": "pass", "score": 78}
},
"recommendations": [
{"article": "Art. 9", "action": "Add hazard identification section to RISK_MANAGEMENT.md", "effort": "2 days"}
]
}Classifies your AI system into an EU AI Act risk category from a plain-text description. Matches against Art. 5 (prohibited), Annex III (high-risk), Art. 52 (limited), and minimal.
Key parameters: system_description (string, required)
Example output:
{
"suggested_category": "high",
"confidence": "high",
"matched_criteria": ["Annex III, Category 4 — AI in employment decisions"],
"obligations_summary": "Technical documentation, risk management, human oversight, data governance, transparency"
}Returns starter markdown templates for each required compliance document. Save them in docs/ and fill in the bracketed sections.
Key parameters: risk_category (string, default: high)
For high risk: Risk Management (Art. 9), Technical Documentation (Art. 11), Data Governance (Art. 10), Human Oversight (Art. 14), Robustness (Art. 15), Transparency (Art. 13).
Generates an auditor-ready ZIP with all 8 Annex IV sections populated from your actual project files. Optionally certifies with Trust Layer for cryptographic proof.
Key parameters: project_path (string, required), sign_with_trust_layer (bool, default: false), trust_layer_key (string, optional)
Example output:
{
"package_path": "/tmp/annex4_myproject_20260407.zip",
"sha256": "a3f8c2d1...",
"sections_populated": 8,
"sections_missing_data": ["section_6_accuracy_metrics"],
"proof_id": "prf_01j9z8x7w6v5u4t3s2r1",
"verification_url": "https://trust.arkforge.tech/verify/prf_01j9z8x7w6v5u4t3s2r1"
}Certifies any compliance report with ArkForge Trust Layer. Returns a tamper-proof proof_id and public verification URL for your auditor (EU AI Act Art. 12 audit trail).
Key parameters: report_data (string, JSON-serialized report), trust_layer_key (string, required)
Example output:
{
"proof_id": "prf_01j9z8x7w6v5u4t3s2r1",
"timestamp": "2026-04-07T14:32:00Z",
"sha256": "a3f8c2d1e4b5...",
"verification_url": "https://trust.arkforge.tech/verify/prf_01j9z8x7w6v5u4t3s2r1",
"article": "EU AI Act Art. 12"
}Scans for personal data processing patterns: PII fields, tracking pixels, geolocation, file uploads, cookie patterns. Maps to GDPR Art. 22/35 requirements.
Key parameters: project_path (string, required)
Runs GDPR + EU AI Act scans simultaneously and identifies dual-compliance hotspots — files where both regulations apply at once.
Key parameters: project_path (string, required), risk_category (string, default: limited)
Example output:
{
"hotspots": [
{
"file": "src/hiring_model.py",
"eu_ai_act_risk": "high",
"gdpr_risk": "high",
"overlap_patterns": ["AI+PII", "AI+automated_decision"],
"combined_articles": ["EU AI Act Art. 14", "GDPR Art. 22"],
"priority": "critical"
}
],
"key_insight": "2 files require simultaneous GDPR + EU AI Act remediation"
}The only MCP that generates cryptographically certified compliance evidence.
# Step 1: Generate Annex IV package and certify it
generate_annex4_package(
project_path="/path/to/project",
sign_with_trust_layer=True,
trust_layer_key="your_trust_layer_key"
)
# → Returns proof_id + public verification URL for your auditor
# Step 2: Or certify any compliance report directly
certify_compliance_report(
report_data='{"compliance_percentage": 87, "risk_category": "high"}',
trust_layer_key="your_trust_layer_key"
)Free Trust Layer account: 500 certified proofs/month → arkforge.tech
| Plan | Price | Includes |
|---|---|---|
| Free | €0 | 5 scans/day · scan_project + suggest_risk_category |
| Pro | €29/month | Unlimited scans · all 10 tools · compliance roadmap · Annex IV package |
| Certified | €99/month | Everything in Pro + Trust Layer certification on every report |
A separate HTTP API (paywall_api.py) provides rate-limited REST endpoints for CI/CD and external clients.
python3 paywall_api.py
# Listening on 0.0.0.0:8091| Method | Path | Auth | Description |
|---|---|---|---|
GET |
/api/v1/status |
None | Service status + your rate limit |
GET |
/api/usage |
None | Current free-tier usage for your IP |
POST |
/api/v1/scan |
Free/Pro | Scan a project for AI frameworks |
POST |
/api/v1/check-compliance |
Free/Pro | Check EU AI Act compliance |
POST |
/api/v1/generate-report |
Free/Pro | Full compliance report |
POST |
/api/v1/scan-repo |
Free (rate-limited) | Scan a GitHub repo by URL |
POST |
/api/checkout |
None | Stripe checkout session |
POST |
/api/webhook |
Stripe sig | Stripe webhook handler |
Free tier: 5 scans/day per IP, no sign-up required.
Pro tier: Unlimited scans, X-API-Key header. 29 EUR/month via arkforge.tech/en/mcp-eu-ai-act.html.
curl -X POST https://arkforge.tech/mcp/api/v1/scan \
-H "Content-Type: application/json" \
-d '{"project_path": "/path/to/your/project"}'For the REST API (Stripe payments, email notifications), create a settings.env:
STRIPE_LIVE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
TRUST_LAYER_INTERNAL_SECRET=<random-64-char-hex>
SMTP_HOST=ssl0.ovh.net
IMAP_USER=contact@example.com
IMAP_PASSWORD=...Set SETTINGS_ENV_PATH to the file location (defaults to /opt/claude-ceo/config/settings.env).
| Framework | Detection covers |
|---|---|
| OpenAI | GPT-3.5, GPT-4, GPT-4o, o1, o3, embeddings |
| Anthropic | Claude (Opus, Sonnet, Haiku) |
| Google Gemini | Gemini Pro, Ultra, 1.5, 2, 3, Flash |
| Vertex AI | Google Cloud AI Platform |
| Mistral | Mistral Large/Medium/Small, Mixtral, Codestral, Magistral |
| Cohere | Command-R, Command-R+, embeddings |
| HuggingFace | Transformers, Diffusers, Accelerate, SmolAgents |
| TensorFlow | Keras, .h5 model files |
| PyTorch | .pt/.pth model files, nn.Module |
| LangChain | Core, Community, OpenAI, Anthropic integrations |
| AWS Bedrock | Bedrock Runtime, Agent Runtime |
| Azure OpenAI | Azure AI OpenAI Service |
| Ollama | Local model inference |
| LlamaIndex | VectorStoreIndex, SimpleDirectoryReader |
| Replicate | Cloud model inference |
| Groq | Fast inference API |
Detection works on both source code imports and dependency declarations in config files.
| Category | Examples | Key obligations |
|---|---|---|
| Unacceptable | Social scoring, mass biometric surveillance | Prohibited |
| High | Recruitment, credit scoring, law enforcement | Documentation, risk management, human oversight |
| Limited | Chatbots, content generation | Transparency, user disclosure, content marking |
| Minimal | Spam filters, video games | None |
- Static analysis only — detects imports and patterns, not runtime behavior
- Cannot determine risk category automatically from code alone (use
suggest_risk_categorywith a description) check_compliancescores content quality — documents with boilerplate/placeholder text will score low- File scanning limited to 5,000 files and 1 MB per file
- Certain system paths are blocked from scanning for security
This scanner is the first service sold autonomously through the ArkForge Trust Layer — a certifying proxy that turns API calls into verifiable, paid, tamper-proof transactions.
Agent Client → Trust Layer → EU AI Act Scanner
pays certifies delivers
| Component | Description | Repo |
|---|---|---|
| Trust Layer | Certifying proxy — billing, proof chain, verification | ark-forge/trust-layer |
| MCP EU AI Act | Compliance toolkit (this repo) | ark-forge/mcp-eu-ai-act |
| Proof Spec | Open specification + test vectors for the proof format | ark-forge/proof-spec |
| Agent Client | Autonomous buyer — proof-of-concept of a non-human customer | ark-forge/arkforge-agent-client |
- Questions / integration help → GitHub Discussions Q&A
- Bug reports → Open an issue
- Feature requests → Open an issue or join the discussion
- Share your experience → Tell us what compliance gaps you found
- v3: GPAI obligations module (Art. 51-55, Code of Practice July 2025)
- v3: GitHub Action for CI/CD compliance gates
- v3: Runtime agentic compliance enforcement (Art. 14)
Found this useful? A ⭐ on GitHub helps other compliance teams discover the toolkit. Takes 2 seconds and helps a lot.
MIT