Skip to content

Quick Start

Run your first Opencomplai compliance check in under 15 minutes.

Prerequisites

Python 3.11+ and pip.

Bash
python3 --version  # must be 3.11 or higher
PowerShell
python --version   # must be 3.11 or higher

python vs python3

On Windows the interpreter is usually python/pip; on macOS/Linux it is usually python3/pip3. Use whichever resolves on your machine.

Install the SDK and CLI

Bash
pip install opencomplai
PowerShell
pip install opencomplai

Pre-release — install from source

opencomplai is at 0.1.0.dev0 and is not yet on PyPI. Install from source instead. The local core and cli packages must be installed in the same command as the SDK (they are not on PyPI, so pip cannot resolve them separately) — see Installation for tabbed macOS/Linux and Windows commands. Running pip install -e packages/sdk-python on its own fails with No matching distribution found for opencomplai-cli. See Installation for the uv alternative and full details.

The install provides the opencomplai command. Verify it (there is no --version flag — use --help):

Bash
opencomplai --help
PowerShell
opencomplai --help

Initialise your system manifest

Bash
opencomplai init \
  --system-id "my-model" \
  --intended-purpose "customer support chatbot"
PowerShell
opencomplai init --system-id "my-model" --intended-purpose "customer support chatbot"

Line continuations differ by shell

bash/zsh continue a command with a trailing backslash \. PowerShell uses a backtick `. The simplest cross-platform form is to keep the whole command on one line, as shown in the PowerShell tab.

This creates system-manifest.json in the current directory and sets up ~/.opencomplai/ (Ed25519 signing keypair + config) on first run. Expected output:

Text Only
Signing keypair generated C:\Users\you\.opencomplai
  install_id: 7f3c...
Manifest written to system-manifest.json
  system_id:         my-model
  intended_purpose:  customer support chatbot
  compliance_target: EU_AI_ACT

Next step: run opencomplai check to assess compliance.

On subsequent runs the first line instead reads Signing keypair already exists at ... — that is expected and harmless.

Run your first compliance check

Bash
opencomplai check
PowerShell
opencomplai check

Expected output for the customer support chatbot purpose (a MINIMAL-risk use case, so the check passes):

Text Only
Evals: no eval sample set supplied (skipped)

Opencomplai Compliance Check
  system_id:    my-model
  commit_ref:   HEAD
  result:       PASS
  duration_ms:  0
  signed:       no (OSS unsigned)

  Artifact written to compliance-artifact.json

The Evals: no eval sample set supplied (skipped) line appears only when you do not pass --sample-set (see Run pipeline evaluators below).

A compliance-artifact.json is written to the current directory — this is the machine-readable ScanStatusArtifact consumed by CI gates.

Exit codes

0 = PASS, 1 = CONTROL_FAIL, 2 = VALIDATION_FAIL, 3 = POLICY_BLOCK, 4 = TRAP_DETECTED. See Exit codes for the full table.

Try the other compliance outcomes

The result is driven by the manifest's intended_purpose. Re-run init with a different purpose, then check, to see each EU AI Act outcome. (Each init overwrites system-manifest.json in the current directory.)

intended_purpose EU AI Act basis result failed_controls Exit
customer support chatbot Minimal risk PASS 0
recruitment screening of candidates Annex III high-risk (employment) CONTROL_FAIL EU_AIA_ART6_HIGH_RISK 1
social scoring of citizens Article 5 prohibited practice POLICY_BLOCK EU_AIA_ART5_UNACCEPTABLE 3

Example — the high-risk case:

Bash
opencomplai init --system-id "hiring" \
  --intended-purpose "recruitment screening of candidates"
opencomplai check
PowerShell
opencomplai init --system-id "hiring" --intended-purpose "recruitment screening of candidates"
opencomplai check
Text Only
Opencomplai Compliance Check
  system_id:    hiring
  commit_ref:   HEAD
  result:       CONTROL_FAIL
  duration_ms:  0
  signed:       no (OSS unsigned)
  failed_controls: EU_AIA_ART6_HIGH_RISK

  Artifact written to compliance-artifact.json

TRAP_DETECTED (exit 4)

The substantial-modification trap (EU_AIA_ART25_MODIFICATION_TRAP) is only raised in service-backed mode (the Docker stack), not by the local CLI engine. See Deployment Quickstart.

Run pipeline evaluators on your own data

To check safety, bias, and data-leakage against real model outputs, pass an EvalSampleSet JSON with --sample-set. Its system_id must match the manifest. A clean sample passes; outputs containing toxic text, prompt injection, or PII (SSN, secrets, credit cards) fail.

Create eval-set.json:

JSON
{
  "eval_set_id": "demo-clean-v1",
  "system_id": "my-model",
  "commit_ref": "HEAD",
  "outputs": [
    "The system classified the request as low risk.",
    "No sensitive data was included in the model response."
  ],
  "prompts": ["Summarize the compliance status for this release."],
  "declared_output_fields": ["answer", "confidence", "risk_class"]
}
Bash
opencomplai check --sample-set eval-set.json
PowerShell
opencomplai check --sample-set eval-set.json
Text Only
Opencomplai Compliance Check
  system_id:    my-model
  commit_ref:   HEAD
  result:       PASS
  duration_ms:  0
  signed:       no (OSS unsigned)
  eval_outcome:      pass

  Artifact written to compliance-artifact.json

If an output contained, say, SSN 123-45-6789 or ignore previous instructions, the result would be CONTROL_FAIL with failed_controls: EVAL_SAFETY_LEXICAL_V1, EVAL_DATA_LEAKAGE_V1 (exit 1).

JSON output for CI

Bash
opencomplai check --output json
PowerShell
opencomplai check --output json

The --output json flag prints the full ScanStatusArtifact to stdout:

JSON
{
  "install_id": "a1b2c3d4-...",
  "system_id": "my-model",
  "commit_ref": "HEAD",
  "result": "pass",
  "failed_controls": [],
  "evidence_hashes": [],
  "rationale_hash": "sha256:...",
  "duration_ms": 0,
  "pending_verifications_count": 0,
  "signature": null,
  "eval_summary": null
}

eval_summary is null unless you passed --sample-set; signature is null unless you passed --sign.

Use in GitHub Actions

YAML
- name: Opencomplai compliance check
  run: |
    pip install opencomplai
    opencomplai init \
      --system-id "${{ env.MODEL_NAME }}" \
      --intended-purpose "${{ env.USE_CASE }}"
    opencomplai check --scan-mode ci

A non-zero exit code automatically fails the CI step.

Full Docker deployment

For the full platform (Evidence Vault, Documentation Generator, badges, and service-backed workflows including TRAP_DETECTED), see Deployment Quickstart.

Next steps