Metadata-Version: 2.4
Name: ai-act-conformity
Version: 0.1.0
Summary: Scaffold EU AI Act Annex IV technical-documentation + FRIA templates with verbatim-cited regulatory text and a SHA-256-chained manifest.
Author-email: plusUltra Labs <plusultra.dev@proton.me>
License: MIT
Project-URL: Homepage, https://github.com/plusultra-tools/ai-act-conformity-pack
Project-URL: Repository, https://github.com/plusultra-tools/ai-act-conformity-pack
Project-URL: Issues, https://github.com/plusultra-tools/ai-act-conformity-pack/issues
Project-URL: Changelog, https://github.com/plusultra-tools/ai-act-conformity-pack/blob/main/CHANGELOG.md
Keywords: ai-act,eu-regulation,compliance,conformity-assessment,annex-iv,fria,regulation-2024-1689
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Legal Industry
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: pydantic>=2.0
Requires-Dist: pyyaml>=6.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Requires-Dist: pytest-cov>=4.0; extra == "dev"
Dynamic: license-file

# ai-act-conformity-pack

> Emit EU AI Act Annex IV technical-documentation + FRIA evidence-pack scaffolds with verbatim-cited regulatory text and a hash-chained manifest. OSS Python CLI + GitHub Action.

[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
[![Python](https://img.shields.io/badge/python-3.10%20%7C%203.11%20%7C%203.12-blue)](pyproject.toml)
[![Status](https://img.shields.io/badge/status-pre--release-orange)]()

---

## Why this exists

Annex IV of [Regulation (EU) 2024/1689](https://eur-lex.europa.eu/eli/reg/2024/1689/oj) (the AI Act) lists nine sections of technical documentation that every provider of a high-risk AI system must compile before placing the system on the market. The text is dense, normative, and unforgiving:

- Section 1 alone has eight sub-points (a-h), some conditional on hardware vs. API delivery.
- Section 2 has eight sub-points covering data lineage, validation procedures, cybersecurity, and pre-determined change controls.
- Section 9 requires a post-market monitoring plan tied to Article 72.

Teams scaffold these documents by hand, copy-pasting Annex IV text from PDFs, and inevitably drift from the canonical wording. The [Digital Omnibus political agreement of 7 May 2026](https://digital-strategy.ec.europa.eu/) deferred high-risk deadlines (Annex III high-risk to **2027-12-02**; Annex I product-integrated to **2028-08-02**), but it did **not** simplify Annex IV. The structure is still nine sections. The wording is still verbatim-binding.

This project ships:

1. A scaffolder that emits a 9-file evidence-pack skeleton per Annex IV.
2. A FRIA (Fundamental Rights Impact Assessment) template per Article 27.
3. A hash-chained manifest mapping each section to the exact Article/Annex paragraph it derives from, so an auditor can re-verify the chain end-to-end.
4. A GitHub Action wrapper that runs scaffold + completeness validation on every commit.

The verbatim regulatory text bundled in `src/ai_act_conformity/data/annex_iv.yaml` is sourced from [artificialintelligenceact.eu](https://artificialintelligenceact.eu/annex/4/) and cross-checked against the EUR-Lex consolidated text at [eli/reg/2024/1689](https://eur-lex.europa.eu/eli/reg/2024/1689/oj).

---

## What it does

### Install

```bash
pip install ai-act-conformity
```

### Scaffold an Annex IV evidence-pack

```bash
aiact-conformity scaffold \
  --system-name "ClinicalTriageAI v2.1" \
  --risk-tier high-risk-annex-iii \
  --output evidence-pack/
```

Emits:

```
evidence-pack/
├── 1_general_description.md
├── 2_detailed_description.md
├── 3_data_and_data_governance.md
├── 4_logging_and_traceability.md
├── 5_risk_management.md
├── 6_changes_and_versions.md
├── 7_lifecycle_design.md
├── 8_human_oversight.md
└── 9_conformity_assessment.md
```

Each file ships with:
- The verbatim Annex IV text for that section (quoted, with source URL).
- A "What you must provide" checklist derived from the sub-points (a, b, c...).
- An empty "Evidence" block for the team to fill in.

### Emit a FRIA template

```bash
aiact-conformity fria-template --output fria.md
```

Generates the Article 27 Fundamental Rights Impact Assessment template with the six required content elements (paragraph 1, points a-f).

### Build a hash-chained manifest

```bash
aiact-conformity manifest --regime ai-act --output manifest.json
```

Produces a JSON manifest mapping each Annex IV section to:
- The specific Article + Annex paragraph it derives from.
- A SHA-256 of the verbatim regulatory text (so drift from the source is immediately visible).
- A rolling SHA-256 chain across all sections (tamper-evident).

Same hash-chain pattern as our [dcm-anon](https://github.com/plusultra-tools/dicom-anon-api) DICOM anonymizer and [cra-sbom-evidence](https://github.com/plusultra-tools/sbom-evidence-action) CRA SBOM evidence emitter.
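As an added illustration of the manifest pattern described above (this is example code, not the project's own implementation, and the JSON field names, the genesis value and the canonical-JSON link encoding are assumptions rather than the tool's real manifest schema): each section's regulatory text gets its own SHA-256, every entry is linked to the previous one through a rolling hash, and a verifier reports *drift* (the text in the pack no longer matches its digest), *tampering* (a manifest entry was edited without recomputing the chain) and *reordering* separately, so an auditor can tell the three apart.

```python
"""Hash-chained manifest for an evidence pack: per-section SHA-256 of the
regulatory text plus a rolling chain link, and a verifier that reports
drift (text changed), tampering (manifest edited) and reordering.

Added illustration; the real project's manifest schema may differ."""
import hashlib
import json

GENESIS = "0" * 64  # fixed starting link for the chain (assumption)

# Constructed sample sections. The "text" fields are placeholders, NOT the
# verbatim Annex IV wording; the real tool loads that from annex_iv.yaml.
SAMPLE_SECTIONS = [
    {"id": "1_general_description", "source": "Annex IV, paragraph 1",
     "text": "[placeholder for Annex IV paragraph 1 text]"},
    {"id": "2_detailed_description", "source": "Annex IV, paragraph 2",
     "text": "[placeholder for Annex IV paragraph 2 text]"},
    {"id": "9_conformity_assessment", "source": "Annex IV, paragraph 9; Article 72",
     "text": "[placeholder for Annex IV paragraph 9 text]"},
]


def text_digest(text: str) -> str:
    """SHA-256 of the regulatory text, normalised to UTF-8 with a single trailing
    newline so that editor-added leading/trailing whitespace is not reported as drift."""
    return hashlib.sha256((text.strip() + "\n").encode("utf-8")).hexdigest()


def chain_link(prev: str, section_id: str, source: str, text_sha256: str) -> str:
    """Rolling link: hash of the previous link and this entry's fields, encoded as a
    canonical JSON array so that field boundaries are unambiguous."""
    payload = json.dumps([prev, section_id, source, text_sha256], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_manifest(sections, regime="ai-act"):
    """Map each section to its source paragraph, its text digest and its chain link."""
    prev = GENESIS
    entries = []
    for s in sections:
        td = text_digest(s["text"])
        link = chain_link(prev, s["id"], s["source"], td)
        entries.append({"section": s["id"], "source": s["source"],
                        "text_sha256": td, "chain_sha256": link})
        prev = link
    return {"regime": regime, "chain_head": prev, "sections": entries}


def verify_manifest(manifest, sections):
    """Return a list of human-readable problems; an empty list means the pack
    matches the manifest and the chain is intact."""
    problems = []
    entries = manifest["sections"]
    if len(entries) != len(sections):
        problems.append(f"count: manifest has {len(entries)} sections, pack has {len(sections)}")
    prev = GENESIS
    for entry, s in zip(entries, sections):
        if entry["section"] != s["id"]:
            problems.append(f"order: expected {entry['section']}, found {s['id']}")
        elif text_digest(s["text"]) != entry["text_sha256"]:
            # The pack's text no longer matches what was hashed: source drift.
            problems.append(f"drift: {s['id']} text differs from the digest in the manifest")
        # Recompute the link from the manifest's own fields: an edited entry breaks it.
        expected = chain_link(prev, entry["section"], entry["source"], entry["text_sha256"])
        if expected != entry["chain_sha256"]:
            problems.append(f"chain: link for {entry['section']} does not match its fields")
        prev = entry["chain_sha256"]
    if prev != manifest["chain_head"]:
        problems.append("chain: head does not match the last link")
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_SECTIONS)
    print(json.dumps(m, indent=2))
    print("problems:", verify_manifest(m, SAMPLE_SECTIONS))
```

The chain only makes edits *evident* if someone cannot silently recompute every link: record `chain_head` somewhere the manifest author cannot rewrite unnoticed (a signed release tag, the release notes) and compare it at audit time.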

### GitHub Action

```yaml
# .github/workflows/ai-act.yml
name: AI Act evidence pack
on: [push, pull_request]
jobs:
  evidence:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: plusultra-tools/ai-act-conformity-action@v1
        with:
          system-name: ${{ github.event.repository.name }}
          risk-tier: high-risk-annex-iii
          output-dir: evidence-pack/
```

CI fails if any of the nine Annex IV section files is missing or empty beyond the scaffolded headers.

---

## What it does NOT do

- **It is not legal advice.** A conformity assessment under Article 43 still requires a notified body for Annex III systems. This tool emits the *documentation skeleton* — your legal/regulatory team owns the content.
- **It does not auto-classify risk tier.** Whether your system is "high-risk under Annex III", "Annex I product-integrated", "limited-risk", or "minimal-risk" is a judgement call the operator makes. The tool takes `--risk-tier` as input; it does not infer it.
- **It does not run the conformity assessment.** Annex IV Section 8 requires the EU declaration of conformity referred to in Article 47. Drafting and signing that declaration is the provider's responsibility.
- **It is not a substitute for the harmonised standards work.** Section 7 lists harmonised standards applied; CEN-CENELEC JTC 21 is still publishing them. The tool reminds you to list them; it does not pick them for you.

---

## Pricing

- **OSS (this repo, MIT):** the CLI + GitHub Action are free, forever.
- **Hosted SaaS (planned, Stripe €49-99/mo):** retained audit logs across releases, multi-product workspace, continuous Annex-IV-section completion monitoring, drift alerts when EUR-Lex publishes amendments. Waitlist on the Carrd landing page.

Why the split? Most teams need the scaffolder once per system. Teams shipping multiple high-risk systems, or operating in regulated sectors (medical devices, automotive, banking), need the continuous monitoring layer.

---

## Honest about timeline

The AI Act prohibitions (Article 5) entered into force on **2025-02-02**. GPAI obligations (Chapter V) entered into force on **2025-08-02**. The Digital Omnibus political agreement of 7 May 2026 deferred:

- Annex III high-risk obligations: **2027-12-02** (was 2026-08-02).
- Annex I product-integrated high-risk obligations: **2028-08-02** (was 2027-08-02).
- Article 50 transparency obligations: **2026-12-02** (post-Omnibus).

Urgency is therefore *moderate but real*: any high-risk AI system entering the EU market in 2027 or 2028 needs Annex IV documentation in place. Teams that start in late 2027 will be in the same scramble that hit GDPR-2018 latecomers.

The Commission's [Article 50 transparency guidelines](https://digital-strategy.ec.europa.eu/) were published 2026-05-08, with consultation open until 2026-06-03. Article 50 deliverables (transparency disclosures for AI-generated content) are out of scope for this tool's v0.1, which focuses on Annex IV + FRIA.

---

## Citing

If you use this tool in a conformity assessment package, please cite:

```
@software{plusultra_ai_act_conformity_2026,
  author       = {plusUltra Labs},
  title        = {ai-act-conformity-pack: Annex IV evidence-pack scaffolder for Regulation (EU) 2024/1689},
  year         = {2026},
  publisher    = {Zenodo},
  doi          = {10.5281/zenodo.<DOI-pending>}
}
```

DOI will be minted on the v0.1.0 release.

---

## License

MIT — see [LICENSE](LICENSE).

---

## Related projects

- [dcm-anon](https://github.com/plusultra-tools/dicom-anon-api) — DICOM anonymizer with verbatim DICOM PS3.15 Annex E + UNE-EN ISO 25237 citations and SHA-chain audit. Same evidence-pack pattern.
- [cra-sbom-evidence](https://github.com/plusultra-tools/sbom-evidence-action) — Cyber Resilience Act SBOM evidence emitter with CycloneDX + verbatim Regulation (EU) 2024/2847 Annex I citations.

---

## Contributing

Issues and PRs welcome. Security reports: see [SECURITY.md](SECURITY.md).
