Quick Start¶
Run your first Opencomplai compliance check in under 15 minutes.
Prerequisites¶
Python 3.11+ and pip.
python vs python3
On Windows the interpreter is usually python/pip; on macOS/Linux it is usually python3/pip3. Use whichever resolves on your machine.
Install the SDK and CLI¶
Pre-release — install from source
opencomplai is at 0.1.0.dev0 and is not yet on PyPI. Install from source instead. The local core and cli packages must be installed in the same command as the SDK (they are not on PyPI, so pip cannot resolve them separately) — see Installation for tabbed macOS/Linux and Windows commands. Running pip install -e packages/sdk-python on its own fails with No matching distribution found for opencomplai-cli. See Installation for the uv alternative and full details.
The install provides the opencomplai command. Verify it (there is no --version flag — use --help):
Initialise your system manifest¶
Line continuations differ by shell
bash/zsh continue a command with a trailing backslash \. PowerShell uses a backtick `. The simplest cross-platform form is to keep the whole command on one line, as shown in the PowerShell tab.
This creates system-manifest.json in the current directory and sets up ~/.opencomplai/ (Ed25519 signing keypair + config) on first run. Expected output:
Signing keypair generated C:\Users\you\.opencomplai
install_id: 7f3c...
Manifest written to system-manifest.json
system_id: my-model
intended_purpose: customer support chatbot
compliance_target: EU_AI_ACT
Next step: run opencomplai check to assess compliance.
On subsequent runs the first line instead reads Signing keypair already exists at ... — that is expected and harmless.
Run your first compliance check¶
Expected output for the customer support chatbot purpose (a MINIMAL-risk use case, so the check passes):
Evals: no eval sample set supplied (skipped)
Opencomplai Compliance Check
system_id: my-model
commit_ref: HEAD
result: PASS
duration_ms: 0
signed: no (OSS unsigned)
Artifact written to compliance-artifact.json
The Evals: no eval sample set supplied (skipped) line appears only when you do not pass --sample-set (see Run pipeline evaluators below).
A compliance-artifact.json is written to the current directory — this is the machine-readable ScanStatusArtifact consumed by CI gates.
Exit codes
0 = PASS, 1 = CONTROL_FAIL, 2 = VALIDATION_FAIL, 3 = POLICY_BLOCK, 4 = TRAP_DETECTED. See Exit codes for the full table.
Try the other compliance outcomes¶
The result is driven by the manifest's intended_purpose. Re-run init with a different purpose, then check, to see each EU AI Act outcome. (Each init overwrites system-manifest.json in the current directory.)
intended_purpose | EU AI Act basis | result | failed_controls | Exit |
|---|---|---|---|---|
customer support chatbot | Minimal risk | PASS | — | 0 |
recruitment screening of candidates | Annex III high-risk (employment) | CONTROL_FAIL | EU_AIA_ART6_HIGH_RISK | 1 |
social scoring of citizens | Article 5 prohibited practice | POLICY_BLOCK | EU_AIA_ART5_UNACCEPTABLE | 3 |
Example — the high-risk case:
Opencomplai Compliance Check
system_id: hiring
commit_ref: HEAD
result: CONTROL_FAIL
duration_ms: 0
signed: no (OSS unsigned)
failed_controls: EU_AIA_ART6_HIGH_RISK
Artifact written to compliance-artifact.json
TRAP_DETECTED (exit 4)
The substantial-modification trap (EU_AIA_ART25_MODIFICATION_TRAP) is only raised in service-backed mode (the Docker stack), not by the local CLI engine. See Deployment Quickstart.
Run pipeline evaluators on your own data¶
To check safety, bias, and data-leakage against real model outputs, pass an EvalSampleSet JSON with --sample-set. Its system_id must match the manifest. A clean sample passes; outputs containing toxic text, prompt injection, or PII (SSN, secrets, credit cards) fail.
Create eval-set.json:
{
"eval_set_id": "demo-clean-v1",
"system_id": "my-model",
"commit_ref": "HEAD",
"outputs": [
"The system classified the request as low risk.",
"No sensitive data was included in the model response."
],
"prompts": ["Summarize the compliance status for this release."],
"declared_output_fields": ["answer", "confidence", "risk_class"]
}
Opencomplai Compliance Check
system_id: my-model
commit_ref: HEAD
result: PASS
duration_ms: 0
signed: no (OSS unsigned)
eval_outcome: pass
Artifact written to compliance-artifact.json
If an output contained, say, SSN 123-45-6789 or ignore previous instructions, the result would be CONTROL_FAIL with failed_controls: EVAL_SAFETY_LEXICAL_V1, EVAL_DATA_LEAKAGE_V1 (exit 1).
JSON output for CI¶
The --output json flag prints the full ScanStatusArtifact to stdout:
{
"install_id": "a1b2c3d4-...",
"system_id": "my-model",
"commit_ref": "HEAD",
"result": "pass",
"failed_controls": [],
"evidence_hashes": [],
"rationale_hash": "sha256:...",
"duration_ms": 0,
"pending_verifications_count": 0,
"signature": null,
"eval_summary": null
}
eval_summary is null unless you passed --sample-set; signature is null unless you passed --sign.
Use in GitHub Actions¶
- name: Opencomplai compliance check
run: |
pip install opencomplai
opencomplai init \
--system-id "${{ env.MODEL_NAME }}" \
--intended-purpose "${{ env.USE_CASE }}"
opencomplai check --scan-mode ci
A non-zero exit code automatically fails the CI step.
Full Docker deployment¶
For the full platform (Evidence Vault, Documentation Generator, badges, and service-backed workflows including TRAP_DETECTED), see Deployment Quickstart.
Next steps¶
- CLI reference: check · init · exit codes
- Deployment guide: Deployment Quickstart
- Extending rules: Adding Rules
- Not sure which EU AI Act obligations apply? EU AI Act Checker
- Cross-check your manifest's declared purpose against code signals: Detect AI in your code