Meridian
Local-first AI compliance scanner via Model Context Protocol, scanning codebases for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act.
README
<p align="center"> <img src=".github/brand/logo-full.svg" alt="Meridian — AI Compliance Intelligence" width="720"> </p>
Meridian
Local-first AI compliance scanner via Model Context Protocol.
Scan your codebase for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act — directly inside Cursor, Claude Desktop, Windsurf, or Antigravity.
What it does
Meridian exposes six MCP tools that any AI coding assistant can call:
| Tool | Description |
|---|---|
scan_repository |
Scan a local repo for compliance violations — returns a Markdown report with line numbers, regulatory citations, and fixes |
evaluate_policy |
Check a privacy policy, DPA, or model card for compliance gaps |
explain_violation |
Get a plain-English explanation of any regulatory clause with exact penalties |
show_models |
List all supported LLM providers and configuration instructions |
cache_status |
Show or clear the local SQLite scan cache |
check_health |
Verify server config, detected API keys, and licence status |
How scanning works
Your code → AST slicer → Stage 1 (Evaluator LLM) → candidate violations
→ Stage 2 (Critic LLM) → confirmed violations
→ SHA-256 SQLite cache → zero cost on re-scan
- Stage 1 finds candidate violations across all file × framework pairs concurrently
- Stage 2 runs a second LLM to disprove HIGH/CRITICAL findings, eliminating false positives
- Cache skips re-evaluation of unchanged files — only new or modified code is sent to the API
Supported frameworks
| Framework | Tier | Key penalties |
|---|---|---|
dpdpa — DPDPA 2023 + Rules 2025 |
Free | ₹250 Cr security failure · ₹200 Cr breach notification · ₹200 Cr children's data |
rbi — RBI FREE-AI Aug 2025 |
Pro | 7 Sutras — fairness, explainability, security, accountability |
eu — EU AI Act Art. 9 |
Pro | €30M / 6% global turnover for high-risk system failures |
sebi — SEBI AI/ML Guidelines Jun 2025 |
Pro | SEBI §5.1–§5.5 pillars |
Supported LLM providers
Meridian uses litellm — you bring your own API key, Meridian never touches your credentials.
| Provider | Key env var | Example models |
|---|---|---|
| Anthropic | ANTHROPIC_API_KEY |
claude-opus-4-8, claude-haiku-4-5 |
| OpenAI | OPENAI_API_KEY |
gpt-5.4-pro, gpt-5.4-nano |
| Gemini | GEMINI_API_KEY |
gemini/gemini-3.5-flash |
| Groq | GROQ_API_KEY |
groq/meta-llama/llama-4-maverick-17b-128e-instruct |
| OpenRouter | OPENROUTER_API_KEY |
openrouter/anthropic/claude-opus-4-8 |
| AWS Bedrock | AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_REGION_NAME |
bedrock/anthropic.claude-opus-4-8-20260501-v1:0 |
| Ollama (local) | (none) | ollama/llama4:scout, ollama/mistral |
You can mix providers — e.g. Anthropic for Stage 1 and Groq for Stage 2 (cheapest critic):
MERIDIAN_EVALUATOR_MODEL=claude-opus-4-8
MERIDIAN_CRITIC_MODEL=groq/llama-3.1-8b-instant
Installation & Setup
Meridian can be run as a local CLI compliance scanner, or connected directly to an MCP-capable client like Cursor, Claude Desktop, Windsurf, or Antigravity.
Option A: The quick way (no install, using uvx)
If you have uv installed, you don't even need to pre-install Meridian! You can run it instantly or register it as an MCP server using uvx:
"meridian-compliance": {
"command": "uvx",
"args": ["meridian-mcp"],
"env": {
"GROQ_API_KEY": "gsk_...",
"MERIDIAN_EVALUATOR_MODEL": "groq/llama3-8b-8192",
"MERIDIAN_CRITIC_MODEL": "groq/llama3-8b-8192"
}
}
Option B: Installing via pip (PyPI)
Install the packages and binaries globally or to your active python environment:
pip install meridian-mcp
This installs two executables on your system path:
meridian-mcp: The MCP Server command.meridian-ci: The CI/CD CLI command-line scanner.
MCP Server Setup
Connect Meridian to your AI editor so your assistant can scan your repository and answer compliance questions.
1. Cursor (~/.cursor/mcp.json or GUI settings)
Add a new MCP server in Cursor Settings -> Features -> MCP:
- Name:
meridian-compliance - Type:
command - Command:
meridian-mcp(use the absolute path to your Python env'smeridian-mcpexecutable if it's not globally on your PATH) - Environment Variables:
GROQ_API_KEY:your-key-here(orANTHROPIC_API_KEY,OPENAI_API_KEY, etc.)
Or paste the following configuration directly into your mcp.json file:
{
"mcpServers": {
"meridian-compliance": {
"command": "meridian-mcp",
"env": {
"GROQ_API_KEY": "YOUR_GROQ_API_KEY"
}
}
}
}
2. Claude Desktop (%APPDATA%\Claude\claude_desktop_config.json)
Add the following to your configuration:
{
"mcpServers": {
"meridian-compliance": {
"command": "meridian-mcp",
"env": {
"GROQ_API_KEY": "YOUR_GROQ_API_KEY"
}
}
}
}
3. Antigravity (~/.antigravity/mcp.json or GUI settings)
Add a new MCP server in Antigravity Settings -> Features -> MCP:
- Name:
meridian-compliance - Type:
command - Command:
meridian-mcp(use the absolute path to your Python env'smeridian-mcpexecutable if it's not globally on your PATH) - Environment Variables:
GROQ_API_KEY:your-key-here(orANTHROPIC_API_KEY,OPENAI_API_KEY, etc.)
Or paste the following configuration directly into your mcp.json file:
{
"mcpServers": {
"meridian-compliance": {
"command": "meridian-mcp",
"env": {
"GROQ_API_KEY": "YOUR_GROQ_API_KEY"
}
}
}
}
Meridian Architecture
Below is a diagram illustrating the architecture of Meridian and its integration with various AI coding assistants:
flowchart TD
subgraph Clients["AI Coding Assistants (MCP Clients)"]
direction LR
A1[Meridian CI/CD]
A2[Cursor]
A3[Windsurf]
A4[Claude Desktop]
A5[Antigravity]
end
subgraph Server["Meridian (MCP Server)"]
B1[FastMCP Server]
B2[Async Orchestrator]
B3[AST Parser]
B4[Security Redactor]
subgraph Scanning["Scanning Logic"]
C1[Stage 1: Evaluator LLM]
C2[Stage 2: Critic LLM]
end
B5[(SQLite Cache)]
B6[Licensing Gate]
end
subgraph External["External Services"]
direction LR
D1[Anthropic/OpenAI/Groq/Gemini]
D2[Regulatory Databases]
end
A1 -- Local CLI --> B2
A2 -- MCP Protocol --> B1
A3 -- MCP Protocol --> B1
A4 -- MCP Protocol --> B1
A5 -- MCP Protocol --> B1
B1 --> B2
B2 --> B3
B2 <--> B5
B3 --> B4
B4 --> C1
C1 --> C2
C1 -- LiteLLM --> D1
C2 -- LiteLLM --> D1
C2 --> B6
B6 -. Pro License .-> D2
Local CLI Usage (meridian-ci)
Once installed via pip, you can scan any local project directory for compliance rules:
# 1. Set your LLM API Key (using Groq, Anthropic, or OpenAI)
export GROQ_API_KEY="gsk_..."
# 2. Run the scanner
meridian-ci --dir . --frameworks dpdpa
CI/CD Pipeline Gate
Block PR merges on critical compliance violations by integrating meridian-ci as a step in your pipeline:
# .github/workflows/compliance.yml
- name: Run Meridian compliance gate
run: meridian-ci --dir . --frameworks dpdpa --fail-on critical
env:
GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
Options:
--dir: Directory to scan (defaults to.)--frameworks: Frameworks to scan (dpdpa,rbi,eu,sebi)--fail-on: Block PRs/builds on violations at or above this severity (low,medium,high,critical)--output: Output format (text,markdown,json)--max-files: Maximum number of files to process
Environment Variables
Configure these optional variables to adjust model defaults:
| Variable | Default | Description |
|---|---|---|
MERIDIAN_EVALUATOR_MODEL |
claude-opus-4-8 |
Stage 1 model — finds candidate violations |
MERIDIAN_CRITIC_MODEL |
claude-haiku-4-5 |
Stage 2 model — filters out false positives |
MERIDIAN_MAX_CONCURRENT |
5 |
Max concurrent LLM requests |
MERIDIAN_LICENSE_KEY |
(none) | Pro license key — unlocks RBI, EU, and SEBI rulesets |
Quick start (inside your AI assistant)
Once the MCP server is connected:
check_health() # verify setup and detected keys
show_models() # see all providers and config options
scan_repository(path=".", frameworks="dpdpa") # scan current repo
evaluate_policy(policy_text="...") # check a privacy policy
explain_violation(statutory_clause="DPDPA §6(1)") # plain-English explanation
cache_status() # view cache stats
cache_status(clear=True) # wipe cache
Project structure
src/meridian/
├── server.py # MCP server — 6 tools exposed via FastMCP
├── scanner.py # Async orchestrator — file × framework concurrency
├── evaluator.py # Dual-stage litellm evaluator with cache and retry
├── config.py # Multi-provider LLM config (load_config, validate_config)
├── ast_parser.py # Language-aware code slicer (Python, JS/TS, SQL, YAML)
├── prompts.py # Regulatory prompts for all four frameworks
├── models.py # Pydantic models — Violation, FileScanResult, ScanReport
├── cache.py # SQLite SHA-256 scan cache (~/.meridian/cache.db)
├── security.py # Secret redactor — strips API keys/JWTs before LLM calls
├── licensing.py # Licence gate — free (DPDPA) vs Pro (RBI, EU, SEBI)
└── cli.py # meridian-ci — CI/CD gate binary
Contributing & Running Tests
If you want to contribute to Meridian or run the test suite locally:
# 1. Clone the repository
git clone https://github.com/KNambiarDJsc/Meridian.git
cd Meridian
# 2. Create and activate a virtual environment
python -m venv .venv
.venv\Scripts\activate # Windows
source .venv/bin/activate # macOS / Linux
# 3. Install in editable mode with development dependencies
pip install -e ".[dev]"
# 4. Run the test suite
pytest tests/ -v
All 47 tests covering AST parsing, cache, prompts, and CLI logic pass locally without making any external API calls.
Privacy
- Zero telemetry. Meridian sends no usage data anywhere.
- Keys never leave your machine. API keys are read from your environment and passed directly to the provider SDK — Meridian has no server, no proxy, no logging of credentials.
- Code stays local until you call a tool. The secret redactor (
security.py) strips API keys, JWTs, and high-entropy strings from code slices before they are sent to any LLM. - Cache is local. Scan results are stored in
~/.meridian/cache.dbon your machine only.
Pricing / licence
| Tier | Frameworks | How to get |
|---|---|---|
| Free (Apache 2.0) | DPDPA 2023 | Use immediately, no key needed |
| Pro | DPDPA + RBI FREE-AI + EU AI Act + SEBI AI/ML | Set MERIDIAN_LICENSE_KEY — meridian.so/pro |
License
Apache 2.0 — see LICENSE.
<!-- mcp-name: io.github.KNambiarDJsc/meridian-mcp -->
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。