Meridian — Local-first AI compliance scanner. DPDPA 2023 · RBI FREE-AI · SEBI AI/ML · EU AI Act. Works with any LLM provider.
Project description
Meridian
Local-first AI compliance scanner via Model Context Protocol.
Scan your codebase for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act — directly inside Cursor, Claude Desktop, or Windsurf.
What it does
Meridian exposes six MCP tools that any AI coding assistant can call:
| Tool | Description |
|---|---|
scan_repository |
Scan a local repo for compliance violations — returns a Markdown report with line numbers, regulatory citations, and fixes |
evaluate_policy |
Check a privacy policy, DPA, or model card for compliance gaps |
explain_violation |
Get a plain-English explanation of any regulatory clause with exact penalties |
show_models |
List all supported LLM providers and configuration instructions |
cache_status |
Show or clear the local SQLite scan cache |
check_health |
Verify server config, detected API keys, and licence status |
How scanning works
Your code → AST slicer → Stage 1 (Evaluator LLM) → candidate violations
→ Stage 2 (Critic LLM) → confirmed violations
→ SHA-256 SQLite cache → zero cost on re-scan
- Stage 1 finds candidate violations across all file × framework pairs concurrently
- Stage 2 runs a second LLM to disprove HIGH/CRITICAL findings, eliminating false positives
- Cache skips re-evaluation of unchanged files — only new or modified code is sent to the API
Supported frameworks
| Framework | Tier | Key penalties |
|---|---|---|
dpdpa — DPDPA 2023 + Rules 2025 |
Free | ₹250 Cr security failure · ₹200 Cr breach notification · ₹200 Cr children's data |
rbi — RBI FREE-AI Aug 2025 |
Pro | 7 Sutras — fairness, explainability, security, accountability |
eu — EU AI Act Art. 9 |
Pro | €30M / 6% global turnover for high-risk system failures |
sebi — SEBI AI/ML Guidelines Jun 2025 |
Pro | SEBI §5.1–§5.5 pillars |
Supported LLM providers
Meridian uses litellm — you bring your own API key, Meridian never touches your credentials.
| Provider | Key env var | Example models |
|---|---|---|
| Anthropic | ANTHROPIC_API_KEY |
claude-opus-4-8, claude-haiku-4-5 |
| OpenAI | OPENAI_API_KEY |
gpt-5.4-pro, gpt-5.4-nano |
| Gemini | GEMINI_API_KEY |
gemini/gemini-3.5-flash |
| Groq | GROQ_API_KEY |
groq/meta-llama/llama-4-maverick-17b-128e-instruct |
| OpenRouter | OPENROUTER_API_KEY |
openrouter/anthropic/claude-opus-4-8 |
| AWS Bedrock | AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_REGION_NAME |
bedrock/anthropic.claude-opus-4-8-20260501-v1:0 |
| Ollama (local) | (none) | ollama/llama4:scout, ollama/mistral |
You can mix providers — e.g. Anthropic for Stage 1 and Groq for Stage 2 (cheapest critic):
MERIDIAN_EVALUATOR_MODEL=claude-opus-4-8
MERIDIAN_CRITIC_MODEL=groq/llama-3.1-8b-instant
Installation & Setup
Meridian can be run as a local CLI compliance scanner, or connected directly to an MCP-capable client like Cursor, Claude Desktop, or Windsurf.
Option A: The quick way (no install, using uvx)
If you have uv installed, you don't even need to pre-install Meridian! You can run it instantly or register it as an MCP server using uvx:
"meridian-compliance": {
"command": "uvx",
"args": ["meridian-mcp"],
"env": {
"GROQ_API_KEY": "gsk_...",
"MERIDIAN_EVALUATOR_MODEL": "groq/llama3-8b-8192",
"MERIDIAN_CRITIC_MODEL": "groq/llama3-8b-8192"
}
}
Option B: Installing via pip (PyPI)
Install the packages and binaries globally or to your active python environment:
pip install meridian-mcp
This installs two executables on your system path:
meridian-mcp: The MCP Server command.meridian-ci: The CI/CD CLI command-line scanner.
MCP Server Setup
Connect Meridian to your AI editor so your assistant can scan your repository and answer compliance questions.
1. Cursor (~/.cursor/mcp.json or GUI settings)
Add a new MCP server in Cursor Settings -> Features -> MCP:
- Name:
meridian-compliance - Type:
command - Command:
meridian-mcp(use the absolute path to your Python env'smeridian-mcpexecutable if it's not globally on your PATH) - Environment Variables:
GROQ_API_KEY:your-key-here(orANTHROPIC_API_KEY,OPENAI_API_KEY, etc.)
Or paste the following configuration directly into your mcp.json file:
{
"mcpServers": {
"meridian-compliance": {
"command": "meridian-mcp",
"env": {
"GROQ_API_KEY": "YOUR_GROQ_API_KEY"
}
}
}
}
2. Claude Desktop (%APPDATA%\Claude\claude_desktop_config.json)
Add the following to your configuration:
{
"mcpServers": {
"meridian-compliance": {
"command": "meridian-mcp",
"env": {
"GROQ_API_KEY": "YOUR_GROQ_API_KEY"
}
}
}
}
Local CLI Usage (meridian-ci)
Once installed via pip, you can scan any local project directory for compliance rules:
# 1. Set your LLM API Key (using Groq, Anthropic, or OpenAI)
export GROQ_API_KEY="gsk_..."
# 2. Run the scanner
meridian-ci --dir . --frameworks dpdpa
CI/CD Pipeline Gate
Block PR merges on critical compliance violations by integrating meridian-ci as a step in your pipeline:
# .github/workflows/compliance.yml
- name: Run Meridian compliance gate
run: meridian-ci --dir . --frameworks dpdpa --fail-on critical
env:
GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
Options:
--dir: Directory to scan (defaults to.)--frameworks: Frameworks to scan (dpdpa,rbi,eu,sebi)--fail-on: Block PRs/builds on violations at or above this severity (low,medium,high,critical)--output: Output format (text,markdown,json)--max-files: Maximum number of files to process
Environment Variables
Configure these optional variables to adjust model defaults:
| Variable | Default | Description |
|---|---|---|
MERIDIAN_EVALUATOR_MODEL |
claude-opus-4-8 |
Stage 1 model — finds candidate violations |
MERIDIAN_CRITIC_MODEL |
claude-haiku-4-5 |
Stage 2 model — filters out false positives |
MERIDIAN_MAX_CONCURRENT |
5 |
Max concurrent LLM requests |
MERIDIAN_LICENSE_KEY |
(none) | Pro license key — unlocks RBI, EU, and SEBI rulesets |
Quick start (inside your AI assistant)
Once the MCP server is connected:
check_health() # verify setup and detected keys
show_models() # see all providers and config options
scan_repository(path=".", frameworks="dpdpa") # scan current repo
evaluate_policy(policy_text="...") # check a privacy policy
explain_violation(statutory_clause="DPDPA §6(1)") # plain-English explanation
cache_status() # view cache stats
cache_status(clear=True) # wipe cache
Project structure
src/meridian/
├── server.py # MCP server — 6 tools exposed via FastMCP
├── scanner.py # Async orchestrator — file × framework concurrency
├── evaluator.py # Dual-stage litellm evaluator with cache and retry
├── config.py # Multi-provider LLM config (load_config, validate_config)
├── ast_parser.py # Language-aware code slicer (Python, JS/TS, SQL, YAML)
├── prompts.py # Regulatory prompts for all four frameworks
├── models.py # Pydantic models — Violation, FileScanResult, ScanReport
├── cache.py # SQLite SHA-256 scan cache (~/.meridian/cache.db)
├── security.py # Secret redactor — strips API keys/JWTs before LLM calls
├── licensing.py # Licence gate — free (DPDPA) vs Pro (RBI, EU, SEBI)
└── cli.py # meridian-ci — CI/CD gate binary
Contributing & Running Tests
If you want to contribute to Meridian or run the test suite locally:
# 1. Clone the repository
git clone https://github.com/KNambiarDJsc/Meridian.git
cd Meridian
# 2. Create and activate a virtual environment
python -m venv .venv
.venv\Scripts\activate # Windows
source .venv/bin/activate # macOS / Linux
# 3. Install in editable mode with development dependencies
pip install -e ".[dev]"
# 4. Run the test suite
pytest tests/ -v
All 47 tests covering AST parsing, cache, prompts, and CLI logic pass locally without making any external API calls.
Privacy
- Zero telemetry. Meridian sends no usage data anywhere.
- Keys never leave your machine. API keys are read from your environment and passed directly to the provider SDK — Meridian has no server, no proxy, no logging of credentials.
- Code stays local until you call a tool. The secret redactor (
security.py) strips API keys, JWTs, and high-entropy strings from code slices before they are sent to any LLM. - Cache is local. Scan results are stored in
~/.meridian/cache.dbon your machine only.
Pricing / licence
| Tier | Frameworks | How to get |
|---|---|---|
| Free (Apache 2.0) | DPDPA 2023 | Use immediately, no key needed |
| Pro | DPDPA + RBI FREE-AI + EU AI Act + SEBI AI/ML | Set MERIDIAN_LICENSE_KEY — meridian.so/pro |
License
Apache 2.0 — see LICENSE.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file meridian_mcp-0.3.3.tar.gz.
File metadata
- Download URL: meridian_mcp-0.3.3.tar.gz
- Upload date:
- Size: 42.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d76761a10ae7c1af09387e2d5aa885e30f0a95e27f05a29edc36d7d31beb65f6
|
|
| MD5 |
2d5162513acb9030d5532f6cfd62b1c3
|
|
| BLAKE2b-256 |
69b332588bba881d8248ab10a49c7f9b198265693f9e74d9bb62255f74f27a35
|
File details
Details for the file meridian_mcp-0.3.3-py3-none-any.whl.
File metadata
- Download URL: meridian_mcp-0.3.3-py3-none-any.whl
- Upload date:
- Size: 41.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
665335c32024f628229f445f283248ad847344204344eed6866dd85cf88799f4
|
|
| MD5 |
d283ba287b5782844ed4cc9ddd94c0d5
|
|
| BLAKE2b-256 |
e74bef7a513617cdce330a01c49c9b0055ead0bf7299024c85fa71f8de9bc75d
|
