Introduction

Attestly provides a suite of open-source packages to help you build a robust AI compliance layer directly into your application.

@attestly/cli

The CLI is not just an initializer; it is a full local developer suite.

• The Scaffolder (init): Generates a strictly typed ai-manifest.json by walking developers through an interactive terminal interview about their EU AI Act risk categories and system domains.
• The Static Scanner (scan): Parses the local codebase to find unversioned AI models and unprotected API routes before the code is ever executed.
• Attestly Studio (studio): Spins up a local Vite-based dashboard on port 5050 that subscribes to Server-Sent Events, providing a real-time visual feed of compliance blocks and PII scrubbing, with a direct handoff to the Attestly SaaS.

Installation

npx @attestly/cli init

@attestly/compliance-core

This is the zero-dependency enforcement engine that protects the route boundary without tanking Lighthouse metrics.

• Zero-Latency PII Scrubbing: A highly optimized regex pipeline that strips standard PII (Emails, SSNs, CCs, API Keys) from payloads in milliseconds, protecting Time-to-First-Byte (TTFB).
• EU AI Act Kill Switch (Rule A): Automatically intercepts and returns a 400 Bad Request if a payload attempts to execute a prohibited practice (e.g., social scoring, emotion recognition).
• Law Enforcement Auto-Escalation (Rule B): Detects if the system domain falls under Annex III and forcefully upgrades the risk tier to ensure compliance.
• Conditional Traceability (Rule C): Strictly enforces that all High-Risk systems include proper logging metadata (like sessionId and purpose) before allowing the AI client to fire.
• Strict Model Locking: Rejects generic model strings (like gpt-4) and enforces strict versioning (gpt-4-0613) to guarantee auditability.

Installation

npm install @attestly/compliance-core

The "One-Shot" AI Setup Prompt

We know you're already building with AI. Instead of manually configuring routes, just copy and paste this prompt directly into Cursor, GitHub Copilot, or ChatGPT to have it auto-configure your entire repository:

Please configure my codebase for EU AI Act Compliance using Attestly:

1. Run npm install @attestly/compliance-core and npm install -D @attestly/cli
2. I know npx @attestly/cli init is interactive, so please bypass it and directly create an ai-manifest.json at the root with my allowed AI models and set the euRiskCategory based on my system domain.
3. Directly create a global Next.js middleware.ts (or update my existing one) and inject the withAttestlyCompliance wrapper from @attestly/compliance-core.
4. Run npx @attestly/cli scan to verify my API routes are 100% compliant.

Global Middleware (Recommended)

Instead of wrapping every single API route, the absolute easiest way to secure your application is to drop the wrapper into your Next.js middleware.ts.

import { withAttestlyCompliance } from '@attestly/compliance-core';
import manifest from './ai-manifest.json';
import { NextResponse } from 'next/server';

export default withAttestlyCompliance(async (req) => {
  return NextResponse.next();
}, manifest);

export const config = {
  matcher: '/api/:path*',
};

The Attestly CLI scanner will automatically detect this global middleware and instantly mark all your downstream AI routes as protected!

Per-Route Usage (Alternative)

If you prefer fine-grained control, you can wrap individual routes:

import { openai } from '@ai-sdk/openai';
import { streamText } from 'ai';
import { withAttestlyStream } from '@attestly/compliance-core';
import manifest from '../../../ai-manifest.json';

export const POST = withAttestlyStream(async (req) => {
  const { messages } = await req.json();
  
  // PII is scrubbed before streamText is ever called
  const result = await streamText({
    model: openai('gpt-4o'),
    messages,
  });
  
  return result.toDataStreamResponse();
}, manifest);