meridian-mcp 0.3.1

Meridian — Local-first AI compliance scanner. DPDPA 2023 · RBI FREE-AI · SEBI AI/ML · EU AI Act. Works with any LLM provider.

Meridian

Local-first AI compliance scanner via Model Context Protocol.
Scan your codebase for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act — directly inside Cursor, Claude Desktop, or Windsurf.

---

What it does

Meridian exposes six MCP tools that any AI coding assistant can call:

Tool	Description
scan_repository	Scan a local repo for compliance violations — returns a Markdown report with line numbers, regulatory citations, and fixes
evaluate_policy	Check a privacy policy, DPA, or model card for compliance gaps
explain_violation	Get a plain-English explanation of any regulatory clause with exact penalties
show_models	List all supported LLM providers and configuration instructions
cache_status	Show or clear the local SQLite scan cache
check_health	Verify server config, detected API keys, and licence status

How scanning works

Your code → AST slicer → Stage 1 (Evaluator LLM) → candidate violations
                       → Stage 2 (Critic LLM)    → confirmed violations
                       → SHA-256 SQLite cache     → zero cost on re-scan

• Stage 1 finds candidate violations across all file × framework pairs concurrently
• Stage 2 runs a second LLM to disprove HIGH/CRITICAL findings, eliminating false positives
• Cache skips re-evaluation of unchanged files — only new or modified code is sent to the API

Supported frameworks

Framework	Tier	Key penalties
dpdpa — DPDPA 2023 + Rules 2025	Free	₹250 Cr security failure · ₹200 Cr breach notification · ₹200 Cr children's data
rbi — RBI FREE-AI Aug 2025	Pro	7 Sutras — fairness, explainability, security, accountability
eu — EU AI Act Art. 9	Pro	€30M / 6% global turnover for high-risk system failures
sebi — SEBI AI/ML Guidelines Jun 2025	Pro	SEBI §5.1–§5.5 pillars

---

Supported LLM providers

Meridian uses litellm — you bring your own API key, Meridian never touches your credentials.

Provider	Key env var	Example models
Anthropic	ANTHROPIC_API_KEY	claude-opus-4-8, claude-haiku-4-5
OpenAI	OPENAI_API_KEY	gpt-5.4-pro, gpt-5.4-nano
Gemini	GEMINI_API_KEY	gemini/gemini-3.5-flash
Groq	GROQ_API_KEY	groq/meta-llama/llama-4-maverick-17b-128e-instruct
OpenRouter	OPENROUTER_API_KEY	openrouter/anthropic/claude-opus-4-8
AWS Bedrock	AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_REGION_NAME	bedrock/anthropic.claude-opus-4-8-20260501-v1:0
Ollama (local)	(none)	ollama/llama4:scout, ollama/mistral

You can mix providers — e.g. Anthropic for Stage 1 and Groq for Stage 2 (cheapest critic):

MERIDIAN_EVALUATOR_MODEL=claude-opus-4-8
MERIDIAN_CRITIC_MODEL=groq/llama-3.1-8b-instant

---

Installation

Requirements: Python 3.11+

# Clone and create virtual environment
git clone https://github.com/KNambiarDJsc/Meridian.git
cd Meridian
python -m venv .venv
.venv\Scripts\activate        # Windows
# source .venv/bin/activate   # macOS / Linux

# Install (runtime only)
pip install -e .

# Install with dev/test tools
pip install -e ".[dev]"

# Install with a specific provider SDK
pip install -e ".[anthropic]"   # Claude
pip install -e ".[openai]"      # GPT
pip install -e ".[groq]"        # Groq / Llama
pip install -e ".[bedrock]"     # AWS Bedrock
pip install -e ".[all-providers]"  # everything

---

MCP server setup

Cursor (~/.cursor/mcp.json)

{
  "mcpServers": {
    "meridian-compliance": {
      "command": "python",
      "args": ["-m", "meridian.server"],
      "cwd": "/absolute/path/to/Meridian",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-...",
        "MERIDIAN_EVALUATOR_MODEL": "claude-opus-4-8",
        "MERIDIAN_CRITIC_MODEL": "claude-haiku-4-5"
      }
    }
  }
}

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "meridian-compliance": {
      "command": "python",
      "args": ["-m", "meridian.server"],
      "cwd": "/absolute/path/to/Meridian",
      "env": {
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

OpenAI / Groq / other providers

"env": {
  "OPENAI_API_KEY": "sk-...",
  "MERIDIAN_EVALUATOR_MODEL": "gpt-5.4-pro",
  "MERIDIAN_CRITIC_MODEL": "gpt-5.4-nano"
}

Local models (Ollama, no API key needed)

"env": {
  "MERIDIAN_EVALUATOR_MODEL": "ollama/llama4:scout",
  "MERIDIAN_CRITIC_MODEL": "ollama/mistral"
}

AWS Bedrock (air-gapped / India data residency)

"env": {
  "AWS_ACCESS_KEY_ID": "AKIA...",
  "AWS_SECRET_ACCESS_KEY": "...",
  "AWS_REGION_NAME": "ap-south-1",
  "MERIDIAN_EVALUATOR_MODEL": "bedrock/anthropic.claude-opus-4-8-20260501-v1:0",
  "MERIDIAN_CRITIC_MODEL": "bedrock/anthropic.claude-haiku-4-5-20251001-v1:0"
}

---

Environment variables

Variable	Default	Description
MERIDIAN_EVALUATOR_MODEL	claude-opus-4-8	Stage 1 model — finds violations
MERIDIAN_CRITIC_MODEL	claude-haiku-4-5	Stage 2 model — disproves false positives
MERIDIAN_MAX_CONCURRENT	5	Max concurrent LLM requests (semaphore cap)
MERIDIAN_LICENSE_KEY	(none)	Pro licence key — unlocks RBI, EU, SEBI frameworks

---

CI/CD gate (meridian-ci)

Block PR merges on CRITICAL violations with a single step:

# .github/workflows/compliance.yml
- name: Meridian Compliance Gate
  run: meridian-ci --dir . --frameworks dpdpa --fail-on critical
  env:
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
    MERIDIAN_EVALUATOR_MODEL: claude-opus-4-8
    MERIDIAN_CRITIC_MODEL: claude-haiku-4-5

Exit codes:

Code	Meaning
0	All checks passed
1	Violations at or above --fail-on threshold found
2	Configuration error (missing API key, bad env var)

Options:

meridian-ci --dir .
            --frameworks dpdpa,rbi
            --fail-on critical|high|medium|low
            --max-files 80
            --output text|markdown|json

---

Quick start (inside your AI assistant)

Once the MCP server is connected:

check_health()                                 # verify setup and detected keys
show_models()                                  # see all providers and config options
scan_repository(path=".", frameworks="dpdpa")  # scan current repo
evaluate_policy(policy_text="...")             # check a privacy policy
explain_violation(statutory_clause="DPDPA §6(1)")  # plain-English explanation
cache_status()                                 # view cache stats
cache_status(clear=True)                       # wipe cache

---

Project structure

src/meridian/
├── server.py      # MCP server — 6 tools exposed via FastMCP
├── scanner.py     # Async orchestrator — file × framework concurrency
├── evaluator.py   # Dual-stage litellm evaluator with cache and retry
├── config.py      # Multi-provider LLM config (load_config, validate_config)
├── ast_parser.py  # Language-aware code slicer (Python, JS/TS, SQL, YAML)
├── prompts.py     # Regulatory prompts for all four frameworks
├── models.py      # Pydantic models — Violation, FileScanResult, ScanReport
├── cache.py       # SQLite SHA-256 scan cache (~/.meridian/cache.db)
├── security.py    # Secret redactor — strips API keys/JWTs before LLM calls
├── licensing.py   # Licence gate — free (DPDPA) vs Pro (RBI, EU, SEBI)
└── cli.py         # meridian-ci — CI/CD gate binary

---

Running tests

pip install -e ".[dev]"
pytest tests/ -v

47 tests covering models, AST parsing, security redaction, cache, licensing, prompts, scanner, and config — all pass without any API calls.

---

Privacy

• Zero telemetry. Meridian sends no usage data anywhere.
• Keys never leave your machine. API keys are read from your environment and passed directly to the provider SDK — Meridian has no server, no proxy, no logging of credentials.
• Code stays local until you call a tool. The secret redactor (security.py) strips API keys, JWTs, and high-entropy strings from code slices before they are sent to any LLM.
• Cache is local. Scan results are stored in ~/.meridian/cache.db on your machine only.

---

Pricing / licence

Tier	Frameworks	How to get
Free (Apache 2.0)	DPDPA 2023	Use immediately, no key needed
Pro	DPDPA + RBI FREE-AI + EU AI Act + SEBI AI/ML	Set MERIDIAN_LICENSE_KEY — meridian.so/pro

---

License

Apache 2.0 — see LICENSE.