Metadata-Version: 2.4
Name: meridian-mcp
Version: 0.3.0
Summary: Meridian — Local-first AI compliance scanner. DPDPA 2023 · RBI FREE-AI · SEBI AI/ML · EU AI Act. Works with any LLM provider.
Project-URL: Homepage, https://meridiancompliance.framer.website
Project-URL: Repository, https://github.com/KNambiarDJsc/Meridian
Project-URL: Issues, https://github.com/KNambiarDJsc/Meridian/issues
License: Apache-2.0
License-File: LICENSE
Requires-Python: >=3.11
Requires-Dist: fastmcp>=2.0
Requires-Dist: litellm>=1.40
Requires-Dist: pydantic>=2.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: tenacity>=8.0
Provides-Extra: all-providers
Requires-Dist: anthropic>=0.40; extra == 'all-providers'
Requires-Dist: boto3>=1.34; extra == 'all-providers'
Requires-Dist: groq>=0.9; extra == 'all-providers'
Requires-Dist: openai>=1.40; extra == 'all-providers'
Provides-Extra: anthropic
Requires-Dist: anthropic>=0.40; extra == 'anthropic'
Provides-Extra: bedrock
Requires-Dist: boto3>=1.34; extra == 'bedrock'
Provides-Extra: dev
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Provides-Extra: groq
Requires-Dist: groq>=0.9; extra == 'groq'
Provides-Extra: openai
Requires-Dist: openai>=1.40; extra == 'openai'
Description-Content-Type: text/markdown

<p align="center">
  <img src=".github/brand/logo-full.svg" alt="Meridian — AI Compliance Intelligence" width="720">
</p>

# Meridian

**Local-first AI compliance scanner via Model Context Protocol.**  
Scan your codebase for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act — directly inside Cursor, Claude Desktop, or Windsurf.

[![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-0F2A4A.svg)](https://www.python.org/downloads/)
[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-0F2A4A.svg)](LICENSE)
[![EU AI Act](https://img.shields.io/badge/EU%20AI%20Act-Article%209-F4A024.svg)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689)
[![DPDPA 2023](https://img.shields.io/badge/India-DPDPA%202023-F4A024.svg)](https://www.meity.gov.in/dpdpa)
[![Zero telemetry](https://img.shields.io/badge/telemetry-zero-0B7A4B.svg)](#privacy)

---

## What it does

Meridian exposes six MCP tools that any AI coding assistant can call:

| Tool | Description |
|---|---|
| `scan_repository` | Scan a local repo for compliance violations — returns a Markdown report with line numbers, regulatory citations, and fixes |
| `evaluate_policy` | Check a privacy policy, DPA, or model card for compliance gaps |
| `explain_violation` | Get a plain-English explanation of any regulatory clause with exact penalties |
| `show_models` | List all supported LLM providers and configuration instructions |
| `cache_status` | Show or clear the local SQLite scan cache |
| `check_health` | Verify server config, detected API keys, and licence status |

### How scanning works

```
Your code → AST slicer → Stage 1 (Evaluator LLM) → candidate violations
                       → Stage 2 (Critic LLM)    → confirmed violations
                       → SHA-256 SQLite cache     → zero cost on re-scan
```

- **Stage 1** finds candidate violations across all file × framework pairs concurrently
- **Stage 2** runs a second LLM to disprove HIGH/CRITICAL findings, eliminating false positives
- **Cache** skips re-evaluation of unchanged files — only new or modified code is sent to the API
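To make the cache step concrete, here is an added illustration that is not Meridian's own `cache.py`: a content-addressed SQLite cache whose key is a SHA-256 over the framework name and the code slice, so an unchanged file is answered from the cache and only new or modified slices reach the evaluator. `ScanCache`, `fake_evaluator` and the sample slice are hypothetical names constructed for this example.

```python
import hashlib
import json
import sqlite3
from typing import Callable

# Illustrative cache (not Meridian's cache.py). The key is SHA-256 over the
# framework and the slice content, so a moved-but-unchanged file still hits
# and a one-byte edit misses; only misses reach the evaluator LLM.
class ScanCache:
    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS scans (key TEXT PRIMARY KEY, result TEXT NOT NULL)")
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key_for(code: str, framework: str) -> str:
        h = hashlib.sha256()
        h.update(framework.encode())
        h.update(b"\x00")  # separator so framework and code cannot blend into one another
        h.update(code.encode())
        return h.hexdigest()

    def scan(self, code: str, framework: str,
             evaluate: Callable[[str, str], list[dict]]) -> list[dict]:
        key = self.key_for(code, framework)
        row = self.db.execute("SELECT result FROM scans WHERE key = ?", (key,)).fetchone()
        if row is not None:
            self.hits += 1
            return json.loads(row[0])
        self.misses += 1
        result = evaluate(code, framework)  # the expensive Stage 1 call
        self.db.execute("INSERT INTO scans VALUES (?, ?)", (key, json.dumps(result)))
        self.db.commit()
        return result

def demo() -> tuple[int, int, int]:
    """Scan one slice twice and an edited copy once; return (hits, misses, LLM calls)."""
    calls: list[str] = []

    def fake_evaluator(code: str, framework: str) -> list[dict]:
        calls.append(code)  # stands in for the Stage 1 LLM request
        return [{"framework": framework, "severity": "HIGH"}] if "aadhaar" in code else []

    cache = ScanCache()
    slice_a = "user.aadhaar = request.form['aadhaar']\n"  # constructed sample slice
    cache.scan(slice_a, "dpdpa", fake_evaluator)
    cache.scan(slice_a, "dpdpa", fake_evaluator)  # unchanged content: served from cache
    cache.scan(slice_a + "# touched\n", "dpdpa", fake_evaluator)  # edited: cache miss
    return cache.hits, cache.misses, len(calls)
```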

### Supported frameworks

| Framework | Tier | Key penalties |
|---|---|---|
| `dpdpa` — DPDPA 2023 + Rules 2025 | **Free** | ₹250 Cr security failure · ₹200 Cr breach notification · ₹200 Cr children's data |
| `rbi` — RBI FREE-AI Aug 2025 | Pro | 7 Sutras — fairness, explainability, security, accountability |
| `eu` — EU AI Act Art. 9 | Pro | €30M / 6% global turnover for high-risk system failures |
| `sebi` — SEBI AI/ML Guidelines Jun 2025 | Pro | SEBI §5.1–§5.5 pillars |

---

## Supported LLM providers

Meridian uses [litellm](https://github.com/BerriAI/litellm). **You bring your own API key: it is read from your environment and handed straight to the provider SDK, and Meridian never stores or forwards it.**

| Provider | Key env var | Example models |
|---|---|---|
| Anthropic | `ANTHROPIC_API_KEY` | `claude-opus-4-8`, `claude-haiku-4-5` |
| OpenAI | `OPENAI_API_KEY` | `gpt-5.4-pro`, `gpt-5.4-nano` |
| Gemini | `GEMINI_API_KEY` | `gemini/gemini-3.5-flash` |
| Groq | `GROQ_API_KEY` | `groq/meta-llama/llama-4-maverick-17b-128e-instruct` |
| OpenRouter | `OPENROUTER_API_KEY` | `openrouter/anthropic/claude-opus-4-8` |
| AWS Bedrock | `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` + `AWS_REGION_NAME` | `bedrock/anthropic.claude-opus-4-8-20260501-v1:0` |
| Ollama (local) | *(none)* | `ollama/llama4:scout`, `ollama/mistral` |

You can mix providers — e.g. Anthropic for Stage 1 and Groq for Stage 2 (cheapest critic):

```
MERIDIAN_EVALUATOR_MODEL=claude-opus-4-8
MERIDIAN_CRITIC_MODEL=groq/llama-3.1-8b-instant
```

---

## Installation

**Requirements:** Python 3.11+

```bash
# Clone and create virtual environment
git clone https://github.com/KNambiarDJsc/Meridian.git
cd Meridian
python -m venv .venv
.venv\Scripts\activate        # Windows
# source .venv/bin/activate   # macOS / Linux

# Install (runtime only)
pip install -e .

# Install with dev/test tools
pip install -e ".[dev]"

# Install with a specific provider SDK
pip install -e ".[anthropic]"   # Claude
pip install -e ".[openai]"      # GPT
pip install -e ".[groq]"        # Groq / Llama
pip install -e ".[bedrock]"     # AWS Bedrock
pip install -e ".[all-providers]"  # everything
```

---

## MCP server setup

### Cursor (`~/.cursor/mcp.json`)

```json
{
  "mcpServers": {
    "meridian-compliance": {
      "command": "python",
      "args": ["-m", "meridian.server"],
      "cwd": "/absolute/path/to/Meridian",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "MERIDIAN_EVALUATOR_MODEL": "claude-opus-4-8",
        "MERIDIAN_CRITIC_MODEL": "claude-haiku-4-5"
      }
    }
  }
}
```

### Claude Desktop (`claude_desktop_config.json`)

```json
{
  "mcpServers": {
    "meridian-compliance": {
      "command": "python",
      "args": ["-m", "meridian.server"],
      "cwd": "/absolute/path/to/Meridian",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}
```

### OpenAI / Groq / other providers

```json
"env": {
  "OPENAI_API_KEY": "sk-...",
  "MERIDIAN_EVALUATOR_MODEL": "gpt-5.4-pro",
  "MERIDIAN_CRITIC_MODEL": "gpt-5.4-nano"
}
```

### Local models (Ollama, no API key needed)

```json
"env": {
  "MERIDIAN_EVALUATOR_MODEL": "ollama/llama4:scout",
  "MERIDIAN_CRITIC_MODEL": "ollama/mistral"
}
```

### AWS Bedrock (air-gapped / India data residency)

```json
"env": {
  "AWS_ACCESS_KEY_ID": "AKIA...",
  "AWS_SECRET_ACCESS_KEY": "...",
  "AWS_REGION_NAME": "ap-south-1",
  "MERIDIAN_EVALUATOR_MODEL": "bedrock/anthropic.claude-opus-4-8-20260501-v1:0",
  "MERIDIAN_CRITIC_MODEL": "bedrock/anthropic.claude-haiku-4-5-20251001-v1:0"
}
```

---

## Environment variables

| Variable | Default | Description |
|---|---|---|
| `MERIDIAN_EVALUATOR_MODEL` | `claude-opus-4-8` | Stage 1 model — finds violations |
| `MERIDIAN_CRITIC_MODEL` | `claude-haiku-4-5` | Stage 2 model — disproves false positives |
| `MERIDIAN_MAX_CONCURRENT` | `5` | Max concurrent LLM requests (semaphore cap) |
| `MERIDIAN_LICENSE_KEY` | *(none)* | Pro licence key — unlocks RBI, EU, SEBI frameworks |

---

## CI/CD gate (`meridian-ci`)

Block PR merges on CRITICAL violations with a single step:

```yaml
# .github/workflows/compliance.yml
- name: Meridian Compliance Gate
  run: meridian-ci --dir . --frameworks dpdpa --fail-on critical
  env:
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    MERIDIAN_EVALUATOR_MODEL: claude-opus-4-8
    MERIDIAN_CRITIC_MODEL: claude-haiku-4-5
```

**Exit codes:**

| Code | Meaning |
|---|---|
| `0` | All checks passed |
| `1` | Violations at or above `--fail-on` threshold found |
| `2` | Configuration error (missing API key, bad env var) |

**Options:**

```
meridian-ci --dir .
            --frameworks dpdpa,rbi
            --fail-on critical|high|medium|low
            --max-files 80
            --output text|markdown|json
```

---

## Quick start (inside your AI assistant)

Once the MCP server is connected:

```
check_health()                                 # verify setup and detected keys
show_models()                                  # see all providers and config options
scan_repository(path=".", frameworks="dpdpa")  # scan current repo
evaluate_policy(policy_text="...")             # check a privacy policy
explain_violation(statutory_clause="DPDPA §6(1)")  # plain-English explanation
cache_status()                                 # view cache stats
cache_status(clear=True)                       # wipe cache
```

---

## Project structure

```
src/meridian/
├── server.py      # MCP server — 6 tools exposed via FastMCP
├── scanner.py     # Async orchestrator — file × framework concurrency
├── evaluator.py   # Dual-stage litellm evaluator with cache and retry
├── config.py      # Multi-provider LLM config (load_config, validate_config)
├── ast_parser.py  # Language-aware code slicer (Python, JS/TS, SQL, YAML)
├── prompts.py     # Regulatory prompts for all four frameworks
├── models.py      # Pydantic models — Violation, FileScanResult, ScanReport
├── cache.py       # SQLite SHA-256 scan cache (~/.meridian/cache.db)
├── security.py    # Secret redactor — strips API keys/JWTs before LLM calls
├── licensing.py   # Licence gate — free (DPDPA) vs Pro (RBI, EU, SEBI)
└── cli.py         # meridian-ci — CI/CD gate binary
```

---

## Running tests

```bash
pip install -e ".[dev]"
pytest tests/ -v
```

47 tests covering models, AST parsing, security redaction, cache, licensing, prompts, scanner, and config — all pass without any API calls.

---

## Privacy

- **Zero telemetry.** Meridian sends no usage data anywhere.
- **Keys never leave your machine.** API keys are read from your environment and passed directly to the provider SDK — Meridian has no server, no proxy, no logging of credentials.
- **Code stays local until you call a tool.** The secret redactor (`security.py`) strips API keys, JWTs, and high-entropy strings from code slices before they are sent to any LLM.
- **Cache is local.** Scan results are stored in `~/.meridian/cache.db` on your machine only.
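To show what the redaction step looks like in practice, here is an added example that is not Meridian's `security.py`: a redactor that replaces known credential shapes by prefix (Anthropic and OpenAI `sk-` keys, AWS access key IDs, JWTs) and falls back to a Shannon-entropy threshold for any other long token that looks random. The patterns, the threshold and the sample slice are all constructed for this illustration.

```python
import math
import re

# Illustrative redactor (not Meridian's security.py): known credential shapes
# are matched by prefix, and any other long token is caught by a Shannon-entropy
# threshold. Placeholders keep the slice syntactically intact for the LLM.
KNOWN_PATTERNS = [
    ("ANTHROPIC_KEY", re.compile(r"sk-ant-[A-Za-z0-9_-]{8,}")),
    ("OPENAI_KEY", re.compile(r"sk-[A-Za-z0-9_-]{16,}")),
    ("AWS_ACCESS_KEY", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("JWT", re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # candidate run for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits per char; identifiers and words sit well below this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(
        (s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s)
    )

def redact(code: str) -> tuple[str, int]:
    """Return (code with secrets replaced by placeholders, number of replacements)."""
    total = 0
    for label, pattern in KNOWN_PATTERNS:
        code, n = pattern.subn(f"<REDACTED_{label}>", code)
        total += n

    def _entropy_sub(m: re.Match) -> str:
        nonlocal total
        tok = m.group(0)
        # Leave our own placeholders and anything that reads like a name untouched.
        if "REDACTED" in tok or shannon_entropy(tok) < ENTROPY_THRESHOLD:
            return tok
        total += 1
        return "<REDACTED_HIGH_ENTROPY>"

    return TOKEN_RE.sub(_entropy_sub, code), total

# Constructed sample slice; none of these values are real credentials.
SAMPLE = (
    'ANTHROPIC_API_KEY = "sk-ant-api03-EXAMPLEKEYEXAMPLEKEY"\n'
    'token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"\n'
    'aws = "AKIAIOSFODNN7EXAMPLE"\n'
    'secret = "Zq8vN2xL0pR7tK4wB9yH3mJ6sD1fG5aC"\n'
    'greeting = "hello_world_this_is_a_plain_identifier"\n'
)
```

Running `redact(SAMPLE)` replaces the four credential-like values and leaves the low-entropy identifier in place, which is the behaviour a scanner needs so the LLM still sees readable code.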

---

## Pricing / licence

| Tier | Frameworks | How to get |
|---|---|---|
| **Free** (Apache 2.0) | DPDPA 2023 | Use immediately, no key needed |
| **Pro** | DPDPA + RBI FREE-AI + EU AI Act + SEBI AI/ML | Set `MERIDIAN_LICENSE_KEY` — [meridian.so/pro](https://meridian.so/pro) |

---

## License

Apache 2.0 — see [LICENSE](LICENSE).
