Meridian

Local-first AI compliance scanner via Model Context Protocol, scanning codebases for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act.


Local-first AI compliance scanner via Model Context Protocol.
Scan your codebase for violations of DPDPA 2023, RBI FREE-AI, SEBI AI/ML, and the EU AI Act — directly inside Cursor, Claude Desktop, Windsurf, or Antigravity.

Python 3.11+ · License: Apache 2.0 · EU AI Act · DPDPA 2023 · Zero telemetry


What it does

Meridian exposes six MCP tools that any AI coding assistant can call:

| Tool | Description |
| --- | --- |
| scan_repository | Scan a local repo for compliance violations — returns a Markdown report with line numbers, regulatory citations, and fixes |
| evaluate_policy | Check a privacy policy, DPA, or model card for compliance gaps |
| explain_violation | Get a plain-English explanation of any regulatory clause with exact penalties |
| show_models | List all supported LLM providers and configuration instructions |
| cache_status | Show or clear the local SQLite scan cache |
| check_health | Verify server config, detected API keys, and licence status |

How scanning works

Your code → AST slicer → Stage 1 (Evaluator LLM) → candidate violations
                       → Stage 2 (Critic LLM)    → confirmed violations
                       → SHA-256 SQLite cache     → zero cost on re-scan
  • Stage 1 finds candidate violations across all file × framework pairs concurrently
  • Stage 2 runs a second LLM to disprove HIGH/CRITICAL findings, eliminating false positives
  • Cache skips re-evaluation of unchanged files — only new or modified code is sent to the API
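
A sketch of the content-hash cache described above, added here as an illustration and not taken from Meridian's cache.py. The table schema, the RULESET_VERSION value and the evaluate callback that stands in for both LLM stages are assumptions.

```python
import hashlib
import sqlite3

RULESET_VERSION = "example-1"  # hypothetical: bump when prompts or rules change


def open_cache(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the cache; ':memory:' keeps this example self-contained."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS scan_cache ("
        "key TEXT PRIMARY KEY, result TEXT NOT NULL)"
    )
    return db


def cache_key(content: bytes, framework: str, ruleset_version: str) -> str:
    """SHA-256 over framework, ruleset version and file bytes.

    Each part is length-prefixed so different splits of the same bytes
    cannot collide on one key.
    """
    digest = hashlib.sha256()
    for part in (framework.encode(), ruleset_version.encode(), content):
        digest.update(len(part).to_bytes(8, "big"))
        digest.update(part)
    return digest.hexdigest()


def scan_with_cache(db, files, framework, evaluate):
    """Scan {name: bytes}; return (results, llm_calls).

    evaluate(name, content, framework) -> str stands in for the two LLM
    stages and runs only on a cache miss.
    """
    results, llm_calls = {}, 0
    for name, content in files.items():
        key = cache_key(content, framework, RULESET_VERSION)
        row = db.execute(
            "SELECT result FROM scan_cache WHERE key = ?", (key,)
        ).fetchone()
        if row is None:
            result = evaluate(name, content, framework)
            llm_calls += 1
            db.execute("INSERT INTO scan_cache VALUES (?, ?)", (key, result))
        else:
            result = row[0]
        results[name] = result
    db.commit()
    return results, llm_calls
```

Keying on content rather than path or modification time means a renamed or touched file is still a hit, while any byte change is a miss. Including the framework and a ruleset version in the key keeps a result produced under one rule set from being served for another.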

Supported frameworks

| Framework | Tier | Key penalties |
| --- | --- | --- |
| dpdpa — DPDPA 2023 + Rules 2025 | Free | ₹250 Cr security failure · ₹200 Cr breach notification · ₹200 Cr children's data |
| rbi — RBI FREE-AI Aug 2025 | Pro | 7 Sutras — fairness, explainability, security, accountability |
| eu — EU AI Act Art. 9 | Pro | €30M / 6% global turnover for high-risk system failures |
| sebi — SEBI AI/ML Guidelines Jun 2025 | Pro | SEBI §5.1–§5.5 pillars |

Supported LLM providers

Meridian uses litellm. You bring your own API key; Meridian never touches your credentials.

| Provider | Key env var | Example models |
| --- | --- | --- |
| Anthropic | ANTHROPIC_API_KEY | claude-opus-4-8, claude-haiku-4-5 |
| OpenAI | OPENAI_API_KEY | gpt-5.4-pro, gpt-5.4-nano |
| Gemini | GEMINI_API_KEY | gemini/gemini-3.5-flash |
| Groq | GROQ_API_KEY | groq/meta-llama/llama-4-maverick-17b-128e-instruct |
| OpenRouter | OPENROUTER_API_KEY | openrouter/anthropic/claude-opus-4-8 |
| AWS Bedrock | AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_REGION_NAME | bedrock/anthropic.claude-opus-4-8-20260501-v1:0 |
| Ollama (local) | (none) | ollama/llama4:scout, ollama/mistral |

You can mix providers — e.g. Anthropic for Stage 1 and Groq for Stage 2 (cheapest critic):

MERIDIAN_EVALUATOR_MODEL=claude-opus-4-8
MERIDIAN_CRITIC_MODEL=groq/llama-3.1-8b-instant

Installation & Setup

Meridian can be run as a local CLI compliance scanner, or connected directly to an MCP-capable client like Cursor, Claude Desktop, Windsurf, or Antigravity.

Option A: The quick way (no install, using uvx)

If you have uv installed, you don't even need to pre-install Meridian! You can run it instantly or register it as an MCP server using uvx:

{
  "mcpServers": {
    "meridian-compliance": {
      "command": "uvx",
      "args": ["meridian-mcp"],
      "env": {
        "GROQ_API_KEY": "gsk_...",
        "MERIDIAN_EVALUATOR_MODEL": "groq/llama3-8b-8192",
        "MERIDIAN_CRITIC_MODEL": "groq/llama3-8b-8192"
      }
    }
  }
}

Option B: Installing via pip (PyPI)

Install the package and its binaries globally or into your active Python environment:

pip install meridian-mcp

This installs two executables on your system path:

  1. meridian-mcp: The MCP Server command.
  2. meridian-ci: The CI/CD command-line scanner.

MCP Server Setup

Connect Meridian to your AI editor so your assistant can scan your repository and answer compliance questions.

1. Cursor (~/.cursor/mcp.json or GUI settings)

Add a new MCP server in Cursor Settings -> Features -> MCP:

  • Name: meridian-compliance
  • Type: command
  • Command: meridian-mcp (use the absolute path to your Python env's meridian-mcp executable if it's not globally on your PATH)
  • Environment Variables:
    • GROQ_API_KEY: your-key-here (or ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.)

Or paste the following configuration directly into your mcp.json file:

{
  "mcpServers": {
    "meridian-compliance": {
      "command": "meridian-mcp",
      "env": {
        "GROQ_API_KEY": "YOUR_GROQ_API_KEY"
      }
    }
  }
}

2. Claude Desktop (%APPDATA%\Claude\claude_desktop_config.json)

Add the following to your configuration:

{
  "mcpServers": {
    "meridian-compliance": {
      "command": "meridian-mcp",
      "env": {
        "GROQ_API_KEY": "YOUR_GROQ_API_KEY"
      }
    }
  }
}

3. Antigravity (~/.antigravity/mcp.json or GUI settings)

Add a new MCP server in Antigravity Settings -> Features -> MCP:

  • Name: meridian-compliance
  • Type: command
  • Command: meridian-mcp (use the absolute path to your Python env's meridian-mcp executable if it's not globally on your PATH)
  • Environment Variables:
    • GROQ_API_KEY: your-key-here (or ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.)

Or paste the following configuration directly into your mcp.json file:

{
  "mcpServers": {
    "meridian-compliance": {
      "command": "meridian-mcp",
      "env": {
        "GROQ_API_KEY": "YOUR_GROQ_API_KEY"
      }
    }
  }
}

Meridian Architecture

Below is a diagram illustrating the architecture of Meridian and its integration with various AI coding assistants:

flowchart TD
    subgraph Clients["AI Coding Assistants (MCP Clients)"]
        direction LR
        A1[Meridian CI/CD]
        A2[Cursor]
        A3[Windsurf]
        A4[Claude Desktop]
        A5[Antigravity]
    end

    subgraph Server["Meridian (MCP Server)"]
        B1[FastMCP Server]
        B2[Async Orchestrator]
        B3[AST Parser]
        B4[Security Redactor]
        
        subgraph Scanning["Scanning Logic"]
            C1[Stage 1: Evaluator LLM]
            C2[Stage 2: Critic LLM]
        end
        
        B5[(SQLite Cache)]
        B6[Licensing Gate]
    end

    subgraph External["External Services"]
        direction LR
        D1[Anthropic/OpenAI/Groq/Gemini]
        D2[Regulatory Databases]
    end

    A1 -- Local CLI --> B2
    A2 -- MCP Protocol --> B1
    A3 -- MCP Protocol --> B1
    A4 -- MCP Protocol --> B1
    A5 -- MCP Protocol --> B1

    B1 --> B2
    B2 --> B3
    B2 <--> B5
    B3 --> B4
    B4 --> C1
    
    C1 --> C2
    C1 -- LiteLLM --> D1
    
    C2 -- LiteLLM --> D1
    C2 --> B6
    
    B6 -. Pro License .-> D2

Local CLI Usage (meridian-ci)

Once installed via pip, you can scan any local project directory for compliance violations:

# 1. Set your LLM API Key (using Groq, Anthropic, or OpenAI)
export GROQ_API_KEY="gsk_..."

# 2. Run the scanner
meridian-ci --dir . --frameworks dpdpa

CI/CD Pipeline Gate

Block PR merges on critical compliance violations by integrating meridian-ci as a step in your pipeline:

# .github/workflows/compliance.yml
- name: Run Meridian compliance gate
  run: meridian-ci --dir . --frameworks dpdpa --fail-on critical
  env:
    GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}

Options:

  • --dir: Directory to scan (defaults to .)
  • --frameworks: Frameworks to scan (dpdpa, rbi, eu, sebi)
  • --fail-on: Block PRs/builds on violations at or above this severity (low, medium, high, critical)
  • --output: Output format (text, markdown, json)
  • --max-files: Maximum number of files to process

Environment Variables

Configure these optional variables to adjust model defaults:

| Variable | Default | Description |
| --- | --- | --- |
| MERIDIAN_EVALUATOR_MODEL | claude-opus-4-8 | Stage 1 model — finds candidate violations |
| MERIDIAN_CRITIC_MODEL | claude-haiku-4-5 | Stage 2 model — filters out false positives |
| MERIDIAN_MAX_CONCURRENT | 5 | Max concurrent LLM requests |
| MERIDIAN_LICENSE_KEY | (none) | Pro license key — unlocks RBI, EU, and SEBI rulesets |

Quick start (inside your AI assistant)

Once the MCP server is connected:

check_health()                                 # verify setup and detected keys
show_models()                                  # see all providers and config options
scan_repository(path=".", frameworks="dpdpa")  # scan current repo
evaluate_policy(policy_text="...")             # check a privacy policy
explain_violation(statutory_clause="DPDPA §6(1)")  # plain-English explanation
cache_status()                                 # view cache stats
cache_status(clear=True)                       # wipe cache

Project structure

src/meridian/
├── server.py      # MCP server — 6 tools exposed via FastMCP
├── scanner.py     # Async orchestrator — file × framework concurrency
├── evaluator.py   # Dual-stage litellm evaluator with cache and retry
├── config.py      # Multi-provider LLM config (load_config, validate_config)
├── ast_parser.py  # Language-aware code slicer (Python, JS/TS, SQL, YAML)
├── prompts.py     # Regulatory prompts for all four frameworks
├── models.py      # Pydantic models — Violation, FileScanResult, ScanReport
├── cache.py       # SQLite SHA-256 scan cache (~/.meridian/cache.db)
├── security.py    # Secret redactor — strips API keys/JWTs before LLM calls
├── licensing.py   # Licence gate — free (DPDPA) vs Pro (RBI, EU, SEBI)
└── cli.py         # meridian-ci — CI/CD gate binary

Contributing & Running Tests

If you want to contribute to Meridian or run the test suite locally:

# 1. Clone the repository
git clone https://github.com/KNambiarDJsc/Meridian.git
cd Meridian

# 2. Create and activate a virtual environment
python -m venv .venv
.venv\Scripts\activate        # Windows
source .venv/bin/activate     # macOS / Linux

# 3. Install in editable mode with development dependencies
pip install -e ".[dev]"

# 4. Run the test suite
pytest tests/ -v

All 47 tests covering AST parsing, cache, prompts, and CLI logic pass locally without making any external API calls.


Privacy

  • Zero telemetry. Meridian sends no usage data anywhere.
  • Keys never leave your machine. API keys are read from your environment and passed directly to the provider SDK — Meridian has no server, no proxy, no logging of credentials.
  • Code stays local until you call a tool. The secret redactor (security.py) strips API keys, JWTs, and high-entropy strings from code slices before they are sent to any LLM.
  • Cache is local. Scan results are stored in ~/.meridian/cache.db on your machine only.
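
One way such a redactor can work, added here as an example and not Meridian's security.py: known token formats are matched first, then quoted literals are scored by Shannon entropy. The patterns, the 4.0 bits-per-character threshold and the sample slice are assumptions.

```python
import math
import re
from collections import Counter

# Illustrative patterns and threshold (assumptions, not Meridian's rule set).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:gsk_|sk-|AKIA)[A-Za-z0-9_-]{16,}")
LITERAL_RE = re.compile(r"""(["'])([A-Za-z0-9+/=_-]{20,})\1""")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def redact(code: str) -> tuple[str, list[str]]:
    """Return (redacted_code, kinds_found). Known formats first, entropy last."""
    found: list[str] = []

    def replace_with(kind: str):
        def _sub(match: re.Match) -> str:
            found.append(kind)
            return f"<REDACTED:{kind}>"
        return _sub

    def _entropy_sub(match: re.Match) -> str:
        quote, body = match.group(1), match.group(2)
        # Long identifiers repeat characters and score low; random secrets do not.
        if shannon_entropy(body) < ENTROPY_THRESHOLD:
            return match.group(0)
        found.append("high_entropy")
        return f"{quote}<REDACTED:high_entropy>{quote}"

    code = JWT_RE.sub(replace_with("jwt"), code)
    code = KEY_RE.sub(replace_with("api_key"), code)
    code = LITERAL_RE.sub(_entropy_sub, code)
    return code, found


# Constructed sample slice; none of these values are real credentials.
SAMPLE = '''
GROQ_API_KEY = "gsk_EXAMPLEexample0123456789abcd"
token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWRlbW8"
db_password = "q8ZrT1vXk2LmN7pWc4YbHd9s"
table_name = "customer_consent_records_v2"
'''
```

Hex-encoded secrets top out at 4.0 bits per character, so a single threshold tuned for base64-style strings under-detects them; a redactor relying on entropy needs a separate, lower threshold for hex literals.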

Pricing / licence

| Tier | Frameworks | How to get |
| --- | --- | --- |
| Free (Apache 2.0) | DPDPA 2023 | Use immediately, no key needed |
| Pro | DPDPA + RBI FREE-AI + EU AI Act + SEBI AI/ML | Set MERIDIAN_LICENSE_KEY (meridian.so/pro) |

License

Apache 2.0 — see LICENSE.

