EU AI Act Compliance Scanner

How it works (v0.1 · M18)

Application workflow

End-to-end pipeline from project submission to compliance report. Each stage runs in-process inside the same Next.js node container; progress is streamed to the browser over Server-Sent Events.

1. Ingest

A user submits the project to scan.

Git URL

simple-git clones the public repository at depth 1 into a per-scan workspace under data/scans/<id>/src.

ZIP upload

A multipart upload is extracted with unzipper. A zip-slip guard rejects any entry whose resolved path would escape the scan root.
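The zip-slip guard described above, as an added TypeScript example that is not the scanner's own code; the function names, the scan-root path and the sample entry names are assumptions constructed for illustration:

```typescript
import * as path from "node:path";

// Added illustration of a zip-slip guard; names and paths are assumptions,
// not the scanner's own implementation.

// Returns the resolved on-disk path for an archive entry, or null when the
// entry must be rejected: empty name, NUL byte, absolute path, drive letter,
// UNC prefix, or a '..' climb that would leave scanRoot.
export function resolveZipEntry(scanRoot: string, entryName: string): string | null {
  if (entryName.length === 0 || entryName.includes("\0")) return null;
  // Archive entries may carry backslashes; normalise them first so that
  // "..\\..\\x" is treated like "../../x" rather than as a literal filename.
  const name = entryName.replace(/\\/g, "/");
  // Absolute POSIX paths, Windows drive letters and UNC prefixes are never
  // legitimate members of an uploaded project archive.
  if (name.startsWith("/") || /^[a-zA-Z]:/.test(name)) return null;
  const root = path.resolve(scanRoot);
  const target = path.resolve(root, name);
  // Containment check: target must be root itself or strictly below it.
  // The trailing separator stops "/x/src-evil" from matching root "/x/src".
  if (target !== root && !target.startsWith(root + path.sep)) return null;
  return target;
}

export interface EntryTriage { accepted: string[]; rejected: string[]; }

// Partition archive entry names into those safe to extract and those rejected.
export function triageEntries(scanRoot: string, names: string[]): EntryTriage {
  const out: EntryTriage = { accepted: [], rejected: [] };
  for (const n of names) {
    (resolveZipEntry(scanRoot, n) === null ? out.rejected : out.accepted).push(n);
  }
  return out;
}

// Constructed sample of entry names as they might appear in an uploaded archive.
export const SAMPLE_ENTRIES = [
  "README.md", "src/model/train.py", "docs/../SECURITY.md",
  "../../../etc/cron.d/job", "/etc/passwd", "..\\..\\evil.txt",
  "C:\\Windows\\win.ini", "bad\0name.txt",
];

const triage = triageEntries("/data/scans/scan-0001/src", SAMPLE_ENTRIES);
console.log(`accepted ${triage.accepted.length}, rejected ${triage.rejected.length}`);
```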

2. Index

One pass over the workspace builds a structured project context.

File tree

Capped at 2,000 files; node_modules, .git and build outputs are ignored. Detects the primary languages.

Key files

README, SECURITY.md, model cards, datasheets, CI configs, manifests (package.json, pyproject.toml, Cargo.toml).

AST excerpts

Per-article keyword grep. For TS/JS the TypeScript compiler returns the enclosing function/class. For Python an indent-aware walk returns the def/class block.

3. Fan-out — 10 article agents in parallel

Each agent runs through Vercel AI SDK with a Zod-typed Verdict schema. Provider-pluggable: Anthropic, OpenAI, or any OpenAI-compatible endpoint. Per-agent timeout (90s default) + 2 retries with exponential backoff.

- art6: Risk classification (Art 6 + Annex III)
- art9: Risk management system (Art 9)
- art10: Data and data governance (Art 10)
- art11: Technical documentation (Art 11 + Annex IV)
- art12: Record-keeping / logging (Art 12)
- art13: Transparency (Art 13)
- art14: Human oversight (Art 14)
- art15: Accuracy, robustness, cybersecurity (Art 15)
- art50: GPAI & user-facing transparency (Art 50)
- art72: Post-market monitoring (Art 72)

Orchestrator agent

Receives all 10 verdicts and emits a calibrated overall score (Art 9, 10, 11, 15 weighted higher) plus an executive summary highlighting top risks and strengths.

4. Stream

Verdicts surface in the UI the moment each agent finishes — no batch wait.

SSE events

A singleton EventEmitter dispatches status / verdict / complete / error to a /api/scan/:id/stream Server-Sent Events handler.

UI hydration

EventSource client replaces skeleton placeholders with real Cards as each verdict arrives. Progress bars and findings update live.

5. Persist

Authoritative state lives in SQLite; the cloned source plus a JSON snapshot are kept on disk.

SQLite (better-sqlite3)

Tables: scans (one row per submission) and verdicts (nine rows per scan). Indexed on scan_id.

data/scans/<id>/report.json

Full report mirrored alongside the cloned source for offline inspection and reproducibility.

6. Report

The user reviews the verdict — a tick/cross summary with drill-downs and an optional PDF export.

Dashboard

KPI strip, per-article aggregate heatmap, recent-scans table on /.

Per-scan report

9-card grid with status, score bar, summary, file:line findings + recommendations.

PDF export

Server-side pdfkit produces a paginated A4 report at /api/scan/:id/pdf.
