Attestly

Shift-Left AI Compliance

Catch EU AI Act violations and scrub PII at the route boundary with zero latency. Open-source, self-hostable, and built for developers.

AI-First Integration

The One-Shot Copilot Prompt

We know you're already building with AI. Instead of reading docs, just copy and paste this prompt directly into Cursor, GitHub Copilot, or ChatGPT to have it auto-configure your entire repository for EU AI Act compliance.

Prompt for your AI Assistant
Please configure my codebase for EU AI Act Compliance using Attestly:
1. Run `npm install @attestly/compliance-core` and `npm install -D @attestly/cli`
2. I know `npx @attestly/cli init` is interactive, so please bypass it and directly create an `ai-manifest.json` at the root with my allowed AI models and set the euRiskCategory based on my system domain.
3. Directly create a global Next.js `middleware.ts` (or update my existing one) and inject the `withAttestlyCompliance` wrapper from `@attestly/compliance-core`.
4. Run `npx @attestly/cli scan` to verify my API routes are 100% compliant.

@attestly/cli

A full local developer suite

The CLI is not just an initializer; it is a full local developer suite.

The Scaffolder (init)

Generates a strictly typed `ai-manifest.json` by walking developers through an interactive terminal interview about their EU AI Act risk categories and system domains.

The Static Scanner (scan)

Parses the local codebase to find unversioned AI models and unprotected API routes before the code is ever executed.

Attestly Studio (studio)

Spins up a local Vite-based dashboard on port 5050 that subscribes to Server-Sent Events, providing a real-time visual feed of compliance blocks and PII scrubbing, with a direct handoff to the Attestly SaaS.

@attestly/compliance-core

The zero-dependency enforcement engine

This is the zero-dependency enforcement engine that protects the route boundary without tanking Lighthouse metrics.

Zero-Latency PII Scrubbing

A highly optimized regex pipeline that strips standard PII (emails, SSNs, credit card numbers, API keys) from payloads in milliseconds, protecting Time-to-First-Byte (TTFB).

EU AI Act Kill Switch (Rule A)

Automatically intercepts and returns a 400 Bad Request if a payload attempts to execute a prohibited practice (e.g., social scoring, emotion recognition).

Law Enforcement Auto-Escalation (Rule B)

Detects if the system domain falls under Annex III and forcefully upgrades the risk tier to ensure compliance.

Conditional Traceability (Rule C)

Strictly enforces that all High-Risk systems include proper logging metadata (like sessionId and purpose) before allowing the AI client to fire.

Strict Model Locking

Rejects generic model strings (like gpt-4) and enforces strict versioning (gpt-4-0613) to guarantee auditability.
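An added illustration, not Attestly's own code, of the two mechanisms described above (the regex PII pipeline from the scrubbing section and the model pin from this one): each rule redacts in place and counts hits, the card rule runs a Luhn check so digit runs that merely look like card numbers are left alone, and the model check rejects an alias like `gpt-4` while accepting a dated snapshot. The rule labels, the patterns, and the pinned-suffix policy are assumptions.

```typescript
// Added illustration, not Attestly's code: a small regex PII pipeline and a
// model-pin check of the kind the page describes. Labels and patterns are assumptions.
type PiiRule = { label: string; pattern: RegExp; accept?: (match: string) => boolean };

// Luhn checksum, so digit runs that merely look like card numbers are not scrubbed.
export function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double && (d *= 2) > 9) d -= 9;
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

const PII_RULES: PiiRule[] = [
  { label: 'EMAIL', pattern: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { label: 'SSN', pattern: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: 'CC', pattern: /\b(?:\d[ -]?){13,19}\b/g, accept: (m) => luhnValid(m.replace(/[ -]/g, '')) },
  { label: 'API_KEY', pattern: /\bsk-[A-Za-z0-9]{20,}\b/g }, // assumed secret-key shape
];

// Runs every rule over the text; returns the redacted text plus a per-label hit count
// (the count, never the value, is what a compliance feed would need to display).
export function scrubPii(text: string): { text: string; hits: Record<string, number> } {
  const hits: Record<string, number> = {};
  let out = text;
  for (const rule of PII_RULES) {
    out = out.replace(rule.pattern, (m) => {
      if (rule.accept && !rule.accept(m)) return m; // rejected candidate stays untouched
      hits[rule.label] = (hits[rule.label] ?? 0) + 1;
      return `[${rule.label}_REDACTED]`;
    });
  }
  return { text: out, hits };
}

// Scrubs the content of each chat message before it would reach the model.
export function scrubMessages<T extends { content: string }>(messages: T[]): T[] {
  return messages.map((m) => ({ ...m, content: scrubPii(m.content).text }));
}

// Strict model locking: an alias like "gpt-4" is rejected; a dated snapshot such as
// "gpt-4-0613" or "gpt-4o-2024-08-06" passes. The suffix rule is an assumed policy.
const PINNED_MODEL = /^[a-z0-9.-]+-\d{4}(-\d{2}-\d{2})?$/;
export function isPinnedModel(model: string): boolean {
  return PINNED_MODEL.test(model);
}
```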

Shift-Left AI Compliance

Zero-latency AI compliance firewall.

Catch EU AI Act violations and scrub PII at the route boundary before it hits OpenAI. Zero dependencies. Zero latency.

```bash
~ npm install @attestly/compliance-core @attestly/cli
added 2 packages, and audited 3 packages in 2s
```

```bash
~ npx @attestly/cli init
✓ Generated ai-manifest.json
Ready! Wrap your routes with withAttestlyStream.
```

The Zero-Latency PII Scrubber

Stop leaking user data to LLMs. Attestly intercepts and scrubs PII in under 5ms using native web APIs.

route.ts

```ts
import { openai } from '@ai-sdk/openai';
import { streamText } from 'ai';
import { withAttestlyStream } from '@attestly/compliance-core';

export const POST = withAttestlyStream(async (req) => {
  const { messages } = await req.json();
  // PII is scrubbed before streamText is ever called
  const result = await streamText({
    model: openai('gpt-4o'),
    messages,
  });
  return result.toDataStreamResponse();
});
```

Codebase to Compliance. Automatically.

Once your app is built, run the Attestly CLI scanner. It statically analyzes your codebase, reads your ai-manifest.json, maps your imports, and generates legally binding Trust Centers, DPAs, and Privacy Policies.

```bash
~ npx @attestly/cli scan --publish
Scanning AST for SDK usages...
Found @ai-sdk/openai in src/app/api/chat/route.ts
Verified ai-manifest.json (PII Scrubbing: Active)
Generating legal documents...
Published Trust Center: trust.yourdomain.com
Updated DPA with OpenAI, L.L.C.
```

Get Started

Ready to start building? Read the documentation to learn more about the packages and how they work.