Metadata-Version: 2.4
Name: meridian-mcp
Version: 0.3.3
Summary: Meridian — Local-first AI compliance scanner. DPDPA 2023 · RBI FREE-AI · SEBI AI/ML · EU AI Act. Works with any LLM provider.
Project-URL: Homepage, https://meridiancompliance.framer.website
Project-URL: Repository, https://github.com/KNambiarDJsc/Meridian
Project-URL: Issues, https://github.com/KNambiarDJsc/Meridian/issues
License: Apache-2.0
License-File: LICENSE
Requires-Python: >=3.11
Requires-Dist: fastmcp<3.0,>=2.0
Requires-Dist: litellm>=1.40
Requires-Dist: pydantic>=2.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: tenacity>=8.0
Provides-Extra: all-providers
Requires-Dist: anthropic>=0.40; extra == 'all-providers'
Requires-Dist: boto3>=1.34; extra == 'all-providers'
Requires-Dist: groq>=0.9; extra == 'all-providers'
Requires-Dist: openai>=1.40; extra == 'all-providers'
Provides-Extra: anthropic
Requires-Dist: anthropic>=0.40; extra == 'anthropic'
Provides-Extra: bedrock
Requires-Dist: boto3>=1.34; extra == 'bedrock'
Provides-Extra: dev
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Provides-Extra: groq
Requires-Dist: groq>=0.9; extra == 'groq'
Provides-Extra: openai
Requires-Dist: openai>=1.40; extra == 'openai'
Description-Content-Type: text/markdown

<p align="center">
  <img src=".github/brand/logo-full.svg" alt="Meridian — AI Compliance Intelligence" width="720">
</p>

# Meridian
**Local-first AI compliance scanner via Model Context Protocol.**  
Scan your codebase for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act — directly inside Cursor, Claude Desktop, or Windsurf.

[![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-0F2A4A.svg)](https://www.python.org/downloads/)
[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-0F2A4A.svg)](LICENSE)
[![EU AI Act](https://img.shields.io/badge/EU%20AI%20Act-Article%209-F4A024.svg)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689)
[![DPDPA 2023](https://img.shields.io/badge/India-DPDPA%202023-F4A024.svg)](https://www.meity.gov.in/dpdpa)
[![Zero telemetry](https://img.shields.io/badge/telemetry-zero-0B7A4B.svg)](#privacy)

---

## What it does

Meridian exposes six MCP tools that any AI coding assistant can call:

| Tool | Description |
|---|---|
| `scan_repository` | Scan a local repo for compliance violations — returns a Markdown report with line numbers, regulatory citations, and fixes |
| `evaluate_policy` | Check a privacy policy, DPA, or model card for compliance gaps |
| `explain_violation` | Get a plain-English explanation of any regulatory clause with exact penalties |
| `show_models` | List all supported LLM providers and configuration instructions |
| `cache_status` | Show or clear the local SQLite scan cache |
| `check_health` | Verify server config, detected API keys, and licence status |

### How scanning works

```
Your code → AST slicer → Stage 1 (Evaluator LLM) → candidate violations
                       → Stage 2 (Critic LLM)    → confirmed violations
                       → SHA-256 SQLite cache     → zero cost on re-scan
```

- **Stage 1** finds candidate violations across all file × framework pairs concurrently
- **Stage 2** runs a second LLM to disprove HIGH/CRITICAL findings, eliminating false positives
- **Cache** skips re-evaluation of unchanged files — only new or modified code is sent to the API
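
The cache step above, as an added example that is not Meridian's own `cache.py`: a minimal SQLite cache keyed by the SHA-256 of the file bytes, so an unchanged file is answered from disk and only new or modified code reaches the `scan` callable (the place that would spend LLM tokens). Folding the framework and model name into the key is an assumption of this example, so that switching rulesets or models never returns a stale result.

```python
import hashlib
import json
import sqlite3
from typing import Any, Callable


def cache_key(source: bytes, framework: str, model: str) -> str:
    """SHA-256 over the file bytes plus the framework and model (assumed key
    layout): a byte-identical file is a hit regardless of its path, while any
    edit, a different ruleset or a different model is a miss."""
    h = hashlib.sha256(source)
    h.update(b"\x00" + framework.encode() + b"\x00" + model.encode())
    return h.hexdigest()


class ScanCache:
    def __init__(self, path: str = ":memory:") -> None:
        # Meridian keeps its cache at ~/.meridian/cache.db; ":memory:" keeps
        # this example self-contained and offline.
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS scans (key TEXT PRIMARY KEY, result TEXT NOT NULL)"
        )
        self.hits = self.misses = 0

    def get_or_scan(self, source: bytes, framework: str, model: str,
                    scan: Callable[[bytes], list[dict[str, Any]]]) -> list[dict[str, Any]]:
        key = cache_key(source, framework, model)
        row = self.conn.execute("SELECT result FROM scans WHERE key = ?", (key,)).fetchone()
        if row is not None:
            self.hits += 1
            return json.loads(row[0])
        self.misses += 1
        result = scan(source)  # the only path that would call the evaluator LLM
        self.conn.execute("INSERT OR REPLACE INTO scans VALUES (?, ?)",
                          (key, json.dumps(result)))
        self.conn.commit()
        return result
```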

### Supported frameworks

| Framework | Tier | Key penalties |
|---|---|---|
| `dpdpa` — DPDPA 2023 + Rules 2025 | **Free** | ₹250 Cr security failure · ₹200 Cr breach notification · ₹200 Cr children's data |
| `rbi` — RBI FREE-AI Aug 2025 | Pro | 7 Sutras — fairness, explainability, security, accountability |
| `eu` — EU AI Act Art. 9 | Pro | €30M / 6% global turnover for high-risk system failures |
| `sebi` — SEBI AI/ML Guidelines Jun 2025 | Pro | SEBI §5.1–§5.5 pillars |

---

## Supported LLM providers

Meridian uses [litellm](https://github.com/BerriAI/litellm) — **you bring your own API key, Meridian never touches your credentials.**

| Provider | Key env var | Example models |
|---|---|---|
| Anthropic | `ANTHROPIC_API_KEY` | `claude-opus-4-8`, `claude-haiku-4-5` |
| OpenAI | `OPENAI_API_KEY` | `gpt-5.4-pro`, `gpt-5.4-nano` |
| Gemini | `GEMINI_API_KEY` | `gemini/gemini-3.5-flash` |
| Groq | `GROQ_API_KEY` | `groq/meta-llama/llama-4-maverick-17b-128e-instruct` |
| OpenRouter | `OPENROUTER_API_KEY` | `openrouter/anthropic/claude-opus-4-8` |
| AWS Bedrock | `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` + `AWS_REGION_NAME` | `bedrock/anthropic.claude-opus-4-8-20260501-v1:0` |
| Ollama (local) | *(none)* | `ollama/llama4:scout`, `ollama/mistral` |

You can mix providers — e.g. Anthropic for Stage 1 and Groq for Stage 2 (cheapest critic):

```
MERIDIAN_EVALUATOR_MODEL=claude-opus-4-8
MERIDIAN_CRITIC_MODEL=groq/llama-3.1-8b-instant
```

## Installation & Setup

Meridian can be run as a local CLI compliance scanner, or connected directly to an MCP-capable client like **Cursor**, **Claude Desktop**, or **Windsurf**.

### Option A: The quick way (no install, using `uvx`)
If you have `uv` installed, you don't even need to pre-install Meridian! You can run it instantly or register it as an MCP server using `uvx`. The entry goes under `mcpServers` in your client's MCP config:
```json
{
  "mcpServers": {
    "meridian-compliance": {
      "command": "uvx",
      "args": ["meridian-mcp"],
      "env": {
        "GROQ_API_KEY": "gsk_...",
        "MERIDIAN_EVALUATOR_MODEL": "groq/llama3-8b-8192",
        "MERIDIAN_CRITIC_MODEL": "groq/llama3-8b-8192"
      }
    }
  }
}
```

### Option B: Installing via `pip` (PyPI)
Install the package and its executables globally or into your active Python environment:
```bash
pip install meridian-mcp
```
This installs two executables on your system path:
1. `meridian-mcp`: The MCP Server command.
2. `meridian-ci`: The CI/CD command-line scanner.

---

## MCP Server Setup

Connect Meridian to your AI editor so your assistant can scan your repository and answer compliance questions.

### 1. Cursor (`~/.cursor/mcp.json` or GUI settings)
Add a new MCP server in **Cursor Settings -> Features -> MCP**:
- **Name**: `meridian-compliance`
- **Type**: `command`
- **Command**: `meridian-mcp` (use the absolute path to your Python env's `meridian-mcp` executable if it's not globally on your PATH)
- **Environment Variables**:
  - `GROQ_API_KEY`: `your-key-here` (or `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, etc.)

Or paste the following configuration directly into your `mcp.json` file:
```json
{
  "mcpServers": {
    "meridian-compliance": {
      "command": "meridian-mcp",
      "env": {
        "GROQ_API_KEY": "YOUR_GROQ_API_KEY"
      }
    }
  }
}
```

### 2. Claude Desktop (`%APPDATA%\Claude\claude_desktop_config.json`)
Add the following to your configuration:
```json
{
  "mcpServers": {
    "meridian-compliance": {
      "command": "meridian-mcp",
      "env": {
        "GROQ_API_KEY": "YOUR_GROQ_API_KEY"
      }
    }
  }
}
```

---

## Local CLI Usage (`meridian-ci`)

Once installed via pip, you can scan any local project directory for compliance violations against the selected frameworks:

```bash
# 1. Set your LLM API Key (using Groq, Anthropic, or OpenAI)
export GROQ_API_KEY="gsk_..."

# 2. Run the scanner
meridian-ci --dir . --frameworks dpdpa
```

### CI/CD Pipeline Gate
Block PR merges on critical compliance violations by integrating `meridian-ci` as a step in your pipeline:

```yaml
# .github/workflows/compliance.yml
- name: Run Meridian compliance gate
  run: meridian-ci --dir . --frameworks dpdpa --fail-on critical
  env:
    GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
```

**Options:**
- `--dir`: Directory to scan (defaults to `.`)
- `--frameworks`: Frameworks to scan (`dpdpa`, `rbi`, `eu`, `sebi`)
- `--fail-on`: Block PRs/builds on violations at or above this severity (`low`, `medium`, `high`, `critical`)
- `--output`: Output format (`text`, `markdown`, `json`)
- `--max-files`: Maximum number of files to process

---

## Environment Variables

Configure these optional variables to adjust model defaults:

| Variable | Default | Description |
|---|---|---|
| `MERIDIAN_EVALUATOR_MODEL` | `claude-opus-4-8` | Stage 1 model — finds candidate violations |
| `MERIDIAN_CRITIC_MODEL` | `claude-haiku-4-5` | Stage 2 model — filters out false positives |
| `MERIDIAN_MAX_CONCURRENT` | `5` | Max concurrent LLM requests |
| `MERIDIAN_LICENSE_KEY` | *(none)* | Pro license key — unlocks RBI, EU, and SEBI rulesets |

---

## Quick start (inside your AI assistant)

Once the MCP server is connected:

```
check_health()                                 # verify setup and detected keys
show_models()                                  # see all providers and config options
scan_repository(path=".", frameworks="dpdpa")  # scan current repo
evaluate_policy(policy_text="...")             # check a privacy policy
explain_violation(statutory_clause="DPDPA §6(1)")  # plain-English explanation
cache_status()                                 # view cache stats
cache_status(clear=True)                       # wipe cache
```

---

## Project structure

```
src/meridian/
├── server.py      # MCP server — 6 tools exposed via FastMCP
├── scanner.py     # Async orchestrator — file × framework concurrency
├── evaluator.py   # Dual-stage litellm evaluator with cache and retry
├── config.py      # Multi-provider LLM config (load_config, validate_config)
├── ast_parser.py  # Language-aware code slicer (Python, JS/TS, SQL, YAML)
├── prompts.py     # Regulatory prompts for all four frameworks
├── models.py      # Pydantic models — Violation, FileScanResult, ScanReport
├── cache.py       # SQLite SHA-256 scan cache (~/.meridian/cache.db)
├── security.py    # Secret redactor — strips API keys/JWTs before LLM calls
├── licensing.py   # Licence gate — free (DPDPA) vs Pro (RBI, EU, SEBI)
└── cli.py         # meridian-ci — CI/CD gate binary
```

---

## Contributing & Running Tests

If you want to contribute to Meridian or run the test suite locally:

```bash
# 1. Clone the repository
git clone https://github.com/KNambiarDJsc/Meridian.git
cd Meridian

# 2. Create and activate a virtual environment
python -m venv .venv
.venv\Scripts\activate        # Windows
source .venv/bin/activate     # macOS / Linux

# 3. Install in editable mode with development dependencies
pip install -e ".[dev]"

# 4. Run the test suite
pytest tests/ -v
```

All 47 tests covering AST parsing, cache, prompts, and CLI logic pass locally without making any external API calls.

---

## Privacy

- **Zero telemetry.** Meridian sends no usage data anywhere.
- **Keys never leave your machine.** API keys are read from your environment and passed directly to the provider SDK — Meridian has no server, no proxy, no logging of credentials.
- **Code stays local until you call a tool.** The secret redactor (`security.py`) strips API keys, JWTs, and high-entropy strings from code slices before they are sent to any LLM.
- **Cache is local.** Scan results are stored in `~/.meridian/cache.db` on your machine only.
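
The redaction step described above, as an added example that is not Meridian's `security.py`: provider-prefix patterns and a JWT shape are masked first, then any remaining long token is masked if its Shannon entropy looks like key material. The patterns, the 24-character minimum and the 4.3-bit threshold are assumptions of this example, not the project's tuned values.

```python
import math
import re
from collections import Counter

# Constructed patterns (hypothetical, not Meridian's rule set): provider key
# prefixes that appear in this README plus the three-segment shape of a JWT.
KEY_PATTERNS = [
    re.compile(r"\bgsk_[A-Za-z0-9_-]{8,}"),                 # Groq
    re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{8,}"),         # OpenAI / Anthropic
    re.compile(r"\bAKIA[A-Z0-9]{16}\b"),                     # AWS access key id
    re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}"),     # JWT (base64url x3)
]
# Any run of 24+ token characters is a candidate for the entropy check.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")
PLACEHOLDER = "<REDACTED>"


def shannon_entropy(s: str) -> float:
    """Bits per character: ~5.0 for a random 32-char alphanumeric token,
    ~3.8 for a long snake_case identifier, 4.0 at most for pure hex."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(code: str, entropy_threshold: float = 4.3) -> tuple[str, int]:
    """Return (redacted_code, replacements). Over-redacting is the safe
    direction: a masked identifier costs a little scan accuracy, a key
    forwarded to a third-party LLM costs a credential."""
    count = 0

    def mask(_m: re.Match) -> str:
        nonlocal count
        count += 1
        return PLACEHOLDER

    for pat in KEY_PATTERNS:
        code = pat.sub(mask, code)

    def mask_if_random(m: re.Match) -> str:
        tok = m.group(0)
        return mask(m) if shannon_entropy(tok) >= entropy_threshold else tok

    return TOKEN_RE.sub(mask_if_random, code), count
```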

---

## Pricing / licence

| Tier | Frameworks | How to get |
|---|---|---|
| **Free** (Apache 2.0) | DPDPA 2023 | Use immediately, no key needed |
| **Pro** | DPDPA + RBI FREE-AI + EU AI Act + SEBI AI/ML | Set `MERIDIAN_LICENSE_KEY` — [meridian.so/pro](https://meridian.so/pro) |

---

## License

Apache 2.0 — see [LICENSE](LICENSE).

---
<!-- mcp-name: io.github.KNambiarDJsc/meridian-mcp -->
