
padosoft/laravel-ai-act-compliance
==================================

AI Act compliance bundle for Laravel AI applications

v1.5.1 · MIT · PHP ^8.2 · CI passing · Since May 14

[Source](https://github.com/padosoft/laravel-ai-act-compliance) · [Packagist](https://packagist.org/packages/padosoft/laravel-ai-act-compliance)

laravel-ai-act-compliance
=========================


 **The first Laravel-native toolkit for EU AI Act + GDPR compliance.**
 Plug it into any Laravel AI app. Audit-ready out of the box.


 [Why](#-why-this-exists) · [Features](#-features-at-a-glance) · [Killer modules](#-killer-modules) · [Quick start](#-quick-start-jr-proof-5-minutes) · [AI Act mapping](#-ai-act--gdpr-mapping) · [Architecture](#-architecture) · [Host contracts](#-host-contracts) · [Extend](#-extension-points) · [Testing](#-testing) · [Vibe-coding pack](#-ai-vibe-coding-pack-included)

---

🚀 AI vibe-coding pack included
------------------------------


Every `padosoft/*` package ships with a `.claude/` directory containing:

- **Skills** (`.claude/skills/`) — pre-loaded by Claude Code when trigger conditions match. The compliance package skills know how to wire DSAR contracts, register cohort metrics, gate consent middleware, and persist incident state transitions.
- **Agents** (`.claude/agents/`) — `compliance-reviewer` checks DSAR delete cascades + bias drift thresholds + state-machine transition coverage before you push.
- **Rules** (`.claude/rules/`) — codified review rules distilled from real Copilot findings (escape DSAR LIKE input, never log DSAR subject email at INFO, always audit-trail consent revocations).

Just `composer require padosoft/laravel-ai-act-compliance` and the pack is auto-discovered when you open the project in Claude Code. **No setup required.** If you don't use Claude Code, the pack is invisible — it never affects runtime behaviour.

---

📖 Table of contents
-------------------


- [Why this exists](#-why-this-exists)
- [Features at a glance](#-features-at-a-glance)
- [Killer modules](#-killer-modules)
- [Quick start (jr-proof, 5 minutes)](#-quick-start-jr-proof-5-minutes)
- [Configuration](#-configuration)
- [AI Act + GDPR mapping](#-ai-act--gdpr-mapping)
- [Architecture](#-architecture)
- [Host contracts](#-host-contracts)
- [Modules in detail](#-modules-in-detail)
- [HTTP API surface](#-http-api-surface)
- [Extension points](#-extension-points)
- [Testing](#-testing)
- [Companion package: admin SPA](#-companion-package-admin-spa)
- [Roadmap](#-roadmap)
- [Changelog](#-changelog)
- [Contributing](#-contributing)
- [Security](#-security)
- [Credits](#-credits)
- [License](#-license)

---

🎯 Why this exists
-----------------


> The EU AI Act enters full force in 2026–2027. Python has Lakera Guard, Fairlearn, Aequitas. **Laravel has nothing.**

If you ship a Laravel app that uses an LLM, you need:

- **Disclosure** to end users (AI Act Art. 50)
- A **risk register** that maps each use case to AI Act categories (Art. 6 + Annex III)
- **DSAR** (Data Subject Access Requests) per GDPR Art. 15 / 16 / 17 with 30-day SLA tracking
- **Bias monitoring** with cohort parity + drift (Art. 10 + Art. 15)
- **Human review tracking** with a state machine (Art. 14)
- **Incident management** with escalation routing (Art. 73)
- **Consent** ledger with revocation timeline (GDPR Art. 7)
- **Cybersecurity** middleware (rate limit, session anomaly, 2FA helper)
- **Compliance attestation** PDF generator for auditors (Art. 11 + Art. 30)

You can build all of this yourself in 2-3 months, or you can `composer require padosoft/laravel-ai-act-compliance` and ship next week.

### Who's this for


| You | This package |
|---|---|
| Building a Laravel SaaS that uses GPT / Claude / Gemini | ✅ Yes |
| Adding a chat agent to an enterprise Laravel app | ✅ Yes |
| Operating in the EU, EEA, UK, Switzerland | ✅ Yes |
| Selling to enterprise customers asking for SOC 2 / ISO 27001 / ISO 42001 | ✅ Yes |
| Already shipped a Laravel AI feature without a compliance plan | ✅ Yes, install yesterday |
| Pure backoffice CRUD with no AI | ❌ Not your problem (yet) |

### Comparable products


| Product | Stack | Open source | Scope |
|---|---|---|---|
| Lakera Guard | Python | No (SaaS) | Guardrails + PII |
| Fairlearn | Python | Yes | Fairness metrics only |
| Aequitas | Python | Yes | Bias audit only |
| AWS Audit Manager | AWS-only | No | Generic compliance, not AI-specific |
| **`padosoft/laravel-ai-act-compliance`** | **Laravel/PHP** | **MIT** | **Full AI Act + GDPR stack** |

---

✨ Features at a glance
----------------------


| Module | What it does | Article |
|---|---|---|
| **Disclosure** | `@aiDisclosure` Blade directive + `ai-act.disclosure` middleware injects an "I'm AI" banner per AI Act Art. 50 | AI Act Art. 50 |
| **Risk Register** | CRUD on AI use cases tagged with risk category (`unacceptable` / `high` / `limited` / `low`) + Annex III mapping | AI Act Art. 6 + Annex III |
| **DSAR** | Queue + service + `ExportUserDataJob` / `DeleteUserDataJob` + 30-day SLA tracking + breach escalation | GDPR Art. 15 / 16 / 17 |
| **BiasMonitoring** | `CohortParityMetric` contract + `BiasMonitorService` + `BiasSnapshot` storage + drift detection | AI Act Art. 10 + Art. 15 |
| **HumanReviewTracker** | Decision approval queue with state machine (pending / approved / rejected / escalated) | AI Act Art. 14 |
| **Incident** | Ticket model + state transitions + severity routing + escalation tree (CISO / DPO / CEO / Legal) | AI Act Art. 73 |
| **Consent** | Polymorphic `ConsentRecord` + `ai-act.consent` middleware + revocation timeline | GDPR Art. 7 |
| **Cybersecurity** | Per-user rate limit, session anomaly detection, 2FA helper | AI Act Art. 15 |
| **ComplianceAttestation** | Auditor-ready PDF generator (Article 30 records of processing) | AI Act Art. 11 + GDPR Art. 30 |
| **BiasMonitoring v1.2** | Pluggable `CohortParityMetric` registry: `DemographicParityMetric` (default), `EqualizedOddsMetric`, `CalibrationMetric`; `metric_name` + `metric_version` + `article_evidence_json` persisted per snapshot | AI Act Art. 10 + Art. 15 |
| **Alerting v1.3** | Real-time cohort-drift cascade: `alert_routes` (Crypt-encrypted webhooks) → Slack → Discord → always-CC email; throttle + circuit breaker + severity-escalation bypass | AI Act Art. 9 |
| **RegulatoryFeed v1.4** | EU AI Act amendment auto-flagger: RSS 2.0 + Atom 1.0 (XXE-safe), `ImpactedClauseDetector` config-driven regex map, `RegulatoryFeedPoller` + `ai-act:regulatory-poll` Artisan command, per-tenant idempotency | AI Act Art. 9 / 50 |
| **MultiTenancy v1.5** | First-class `tenants` registry (slug-unique, tier + status enums, `config_overrides_json`), request-scoped `TenantContext`, `TenantConfigResolver`, `ai-act.tenant-context` middleware (404 / 423 / 410 / pass-through), `CrossTenantOverviewService` (no-N+1 `GROUP BY tenant_id`) | AI Act Art. 9 + GDPR Art. 30 |

Every module is **config-gated** (default safe) + **migration-published** + **tested**.

---

💎 Killer modules
----------------


These modules are what make the package stand out:

### 1. DSAR queue that handles the regulatory ugliness for you


You implement two contracts:

```
class MyAppExporter implements \Padosoft\AiActCompliance\DSAR\Contracts\UserDataExporter
{
    public function export(\App\Models\User $user): array {
        return [
            'profile' => $user->only(['id', 'name', 'email']),
            'orders' => $user->orders()->get()->toArray(),
            'chats' => $user->chats()->withTrashed()->get()->toArray(),
        ];
    }
}

class MyAppDeleter implements \Padosoft\AiActCompliance\DSAR\Contracts\UserDataDeleter
{
    public function delete(\App\Models\User $user, array $scope): void {
        $user->orders()->delete();
        $user->chats()->forceDelete();
        $user->delete();
    }
}
```

The package handles **everything else**:

- Identity verification (SPID / OAuth / email link)
- 30-day SLA tracking + automatic warning at SLA - 5 days + breach escalation
- ZIP packaging + signed download URL
- Audit trail (immutable `dsar_audit` rows)
- Notification cascade (email + Slack webhook)
- Article reference annotations on every DSAR

### 2. Cohort-parity bias monitoring


```
use Padosoft\AiActCompliance\BiasMonitoring\Contracts\CohortParityMetric;

class RefusalRateMetric implements CohortParityMetric
{
    public function compute(array $context = []): array {
        // Your domain logic: count refusals per cohort in $context['window_days'].
        // For illustration the counts and baseline are assumed to arrive in
        // $context; in a real app you would query them from your own tables.
        $refusals  = (int) ($context['refusals'] ?? 0);
        $total     = max(1, (int) ($context['total'] ?? 1));      // guard against division by zero
        $baseline  = (float) ($context['baseline'] ?? 1.0);       // score of the reference cohort
        $threshold = (float) ($context['threshold'] ?? 0.05);     // disparity tolerated before flagging

        $score = 1 - ($refusals / $total);   // share of requests NOT refused
        $delta = $baseline - $score;         // how far this cohort trails the baseline

        return [
            'cohort'  => $context['cohort'],
            'score'   => $score,
            'delta'   => $delta,
            'flagged' => $delta > $threshold,
        ];
    }
}

// In your AppServiceProvider::boot():
app('ai-act.bias')->register('refusal_rate', RefusalRateMetric::class);
```

`BiasMonitorService` then snapshots the metric on a schedule, alerts on drift > 0.05, and feeds the result to the admin SPA Bias Monitor screen, with **no chart code to write**.

### 3. Incident manager with state-machine + escalation routing


```
$ticket = app('ai-act.incidents')->open([
    'title' => 'Hallucination on legal queries (IT cohort)',
    'severity' => IncidentSeverity::High,
    'affected_users' => $userIds,
    'articles' => ['AI Act Art. 14', 'AI Act Art. 15'],
]);

app('ai-act.incidents')->transition($ticket, IncidentStatus::Triage);
app('ai-act.incidents')->transition($ticket, IncidentStatus::Mitigating, [
    'mitigation' => 'Deployed v2.4.2 with extended IBAN regex.',
]);
```

State transitions are **immutable, audit-trailed, and validated**. Escalation routing (CISO → DPO → CEO) fires automatically based on `severity` × configured policy.

### 4. Real-time alerting cascade (v1.3)


```
// Default OFF. Enable + seed an alert_routes row + you're done.
config(['ai-act-compliance.alerting.enabled' => true]);

AlertRoute::query()->create([
    'tenant_id' => 'acme',
    'channel' => 'slack',
    'webhook_url' => 'https://hooks.slack.com/services/...',  // auto-encrypted at rest
    'enabled' => true,
]);

// Whenever BiasMonitorService::capture() ingests a drift snapshot
// above the configured threshold, the queued listener fans out:
//   Slack → Discord → ALWAYS email (audit trail)
```

What you get for free:

- **Cascade-level throttle pre-check** — a previously-delivered Slack alert for `(tenant, cohort)` ends the cascade so it never silently slides through to Discord.
- **Severity-escalation bypass** — a `low` inside the cooldown window never suppresses a subsequent `critical`. Art. 9 requires it.
- **Per-channel circuit breaker** that trips after N consecutive failures and self-resets on natural cooldown elapse.
- **Email cascade is exempt from the throttle** because it's the auditable backup trail — every drift event is recorded.
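The four rules above interact, and the interactions are where the bugs hide (a throttled `low` must not hide a later `critical`; a tripped Slack breaker must not stop the email record). The following is an added example, not the package's listener, that encodes those rules as one self-contained decision function so you can reason about them before wiring real webhooks. Every name (`AlertCascade`, `Severity`, the `$senders` callables, the cooldown and threshold values) is hypothetical, and the reading that a delivered Slack *or* Discord alert starts the cooldown is mine, not the project's.

```php
<?php
declare(strict_types=1);

// Added example (not the package's code). Rules modelled:
//  1. cascade-level throttle keyed on (tenant, cohort)
//  2. severity escalation bypasses the throttle
//  3. per-channel circuit breaker that self-resets after the cooldown
//  4. email is exempt from the throttle (audit trail)

enum Severity: int { case Low = 1; case Medium = 2; case High = 3; case Critical = 4; }

final class AlertCascade
{
    /** @var array<string, array{sev:int, at:int}> last chat delivery per "tenant|cohort" */
    private array $lastDelivered = [];
    /** @var array<string,int> consecutive failures per channel */
    private array $failures = [];
    /** @var array<string,int> unix time until which a tripped channel is skipped */
    private array $openUntil = [];

    /** @param array<string, callable(string):bool> $senders channel => sender, true on success */
    public function __construct(
        private array $senders,
        private int $cooldownSeconds = 3600,
        private int $breakerThreshold = 3,
    ) {}

    /** @return list<string> channels that delivered this alert */
    public function dispatch(string $tenant, string $cohort, Severity $sev, string $msg, int $now): array
    {
        $key  = $tenant . '|' . $cohort;
        $prev = $this->lastDelivered[$key] ?? null;

        // Throttle pre-check: a chat alert for the same (tenant, cohort) inside the
        // cooldown ends the whole chat cascade (Slack AND Discord are skipped)...
        $inCooldown = $prev !== null && ($now - $prev['at']) < $this->cooldownSeconds;
        // ...unless severity went UP, which always bypasses the cooldown.
        $escalated  = $prev !== null && $sev->value > $prev['sev'];

        $delivered = [];
        if (!$inCooldown || $escalated) {
            foreach (['slack', 'discord'] as $channel) {
                if ($this->send($channel, $msg, $now)) {
                    $delivered[] = $channel;
                    $this->lastDelivered[$key] = ['sev' => $sev->value, 'at' => $now];
                }
            }
        }

        // Email is the audit trail: exempt from the throttle, always attempted.
        if ($this->send('email', $msg, $now)) {
            $delivered[] = 'email';
        }
        return $delivered;
    }

    /** Per-channel circuit breaker wrapped around the real sender. */
    private function send(string $channel, string $msg, int $now): bool
    {
        if (($this->openUntil[$channel] ?? 0) > $now) {
            return false;                        // breaker open: skip without calling out
        }
        unset($this->openUntil[$channel]);       // cooldown elapsed: breaker self-resets
        $sender = $this->senders[$channel] ?? null;
        $ok = $sender !== null && $sender($msg) === true;
        if ($ok) {
            $this->failures[$channel] = 0;
            return true;
        }
        $this->failures[$channel] = ($this->failures[$channel] ?? 0) + 1;
        if ($this->failures[$channel] >= $this->breakerThreshold) {
            $this->openUntil[$channel] = $now + $this->cooldownSeconds;   // trip the breaker
            $this->failures[$channel] = 0;
        }
        return false;
    }
}

// Constructed demo (hypothetical senders): Slack is down, Discord and email are healthy.
$cascade = new AlertCascade([
    'slack'   => fn (string $m): bool => false,
    'discord' => fn (string $m): bool => true,
    'email'   => fn (string $m): bool => true,
]);
$t0 = 1_700_000_000;
var_export($cascade->dispatch('acme', 'it', Severity::Low,      'drift 0.07', $t0));
var_export($cascade->dispatch('acme', 'it', Severity::Low,      'drift 0.08', $t0 + 60));   // inside cooldown, same severity
var_export($cascade->dispatch('acme', 'it', Severity::Critical, 'drift 0.30', $t0 + 120));  // escalation bypass
```

In the constructed run the second dispatch is throttled down to the email channel only, while the third, a `critical` following a `low` inside the same cooldown, reaches Discord again. Note that the breaker is keyed per channel and the throttle per (tenant, cohort); conflating the two is the usual way one tenant's noisy cohort ends up silencing another.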

### 5. Regulatory-feed auto-flagger (v1.4)


```
# Schedule it daily — defaults OFF; opt in via AI_ACT_REGULATORY_FEED_ENABLED=true.
php artisan ai-act:regulatory-poll
```

What lands on the DPO desk:

- Every new EU AI Act amendment ingested as a `regulatory_amendments` row with the impacted article clauses pre-detected (`AI Act Art. 5` → critical, `Art. 10 / 14 / 15 / 27` → high, etc.).
- Case-insensitive regex map accepts plural `Articles 5 and 9` / `Arts. 9-15`.
- XXE-safe parser (`LIBXML_NONET` blocks network access; we deliberately do NOT pass `LIBXML_NOENT`).
- Per-tenant composite UNIQUE `(tenant_id, source_driver, external_id)` — concurrent polls converge cleanly, no duplicate rows.
- `RegulatoryAmendmentDetected` event with `SerializesModels` so downstream listeners persist a model id, not the full payload.
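Two of the bullets above are worth seeing as code: the XXE-safe parse (no DTD, `LIBXML_NONET`, no `LIBXML_NOENT`) and the clause regex that must cope with `Articles 5 and 9` as well as `Arts. 9-15`. The block below is an added example, not the package's `RegulatoryFeedPoller` or `ImpactedClauseDetector`; the class names `SafeFeedReader` and `ImpactedClauseMap`, the severity map and both sample feeds are constructed for this illustration. It goes one step beyond the text by rejecting any `DOCTYPE` up front, so entity declarations never reach libxml at all.

```php
<?php
declare(strict_types=1);

// Added example, not the package's code. Hypothetical class names throughout.

final class SafeFeedReader
{
    /** @return list<array{title:string,link:string,summary:string}> */
    public static function items(string $xml): array
    {
        // Defence in depth: a feed never needs a DTD, so refuse any DOCTYPE.
        // With no DTD there are no entity declarations (internal or external) to abuse.
        if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
            throw new RuntimeException('Feed rejected: DOCTYPE/DTD not allowed');
        }

        $dom  = new DOMDocument();
        $prev = libxml_use_internal_errors(true);
        // LIBXML_NONET: nothing is fetched over the network while parsing.
        // LIBXML_NOENT is deliberately NOT passed, so entity references stay unexpanded.
        $ok = $dom->loadXML($xml, LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        if ($ok !== true) {
            throw new RuntimeException('Feed rejected: malformed XML');
        }

        $xp = new DOMXPath($dom);
        $xp->registerNamespace('a', 'http://www.w3.org/2005/Atom');
        $items = [];
        foreach ($xp->query('/rss/channel/item') as $node) {       // RSS 2.0
            $items[] = [
                'title'   => self::str($xp, 'title', $node),
                'link'    => self::str($xp, 'link', $node),
                'summary' => self::str($xp, 'description', $node),
            ];
        }
        foreach ($xp->query('/a:feed/a:entry') as $node) {         // Atom 1.0
            $items[] = [
                'title'   => self::str($xp, 'a:title', $node),
                'link'    => self::str($xp, 'a:link/@href', $node),
                'summary' => self::str($xp, 'a:summary', $node),
            ];
        }
        return $items;
    }

    private static function str(DOMXPath $xp, string $path, DOMNode $ctx): string
    {
        return trim((string) $xp->evaluate("string($path)", $ctx));
    }
}

final class ImpactedClauseMap
{
    // Assumed severity map for the demo; the package keeps its own map in config.
    private const SEVERITY = [5 => 'critical', 10 => 'high', 14 => 'high', 15 => 'high', 27 => 'high'];

    /** @return array<int,string> article number => severity, sorted by article */
    public static function detect(string $text): array
    {
        // One capture per mention: "Art. 5", "Article 5", "Articles 5 and 9",
        // "Arts. 9-15", "Arts 9 to 15"; case-insensitive, dot optional.
        $mention = '/\bart(?:icle)?s?\.?\s+(\d+(?:\s*(?:,|and|&|to|-|–)\s*\d+)*)/iu';
        $numbers = [];
        preg_match_all($mention, $text, $m);
        foreach ($m[1] as $group) {
            foreach (preg_split('/\s*(?:,|and|&)\s*/i', $group) as $part) {   // enumerations
                if (preg_match('/^(\d+)\s*(?:to|-|–)\s*(\d+)$/u', $part, $r) === 1) {   // ranges
                    foreach (range((int) $r[1], (int) $r[2]) as $n) { $numbers[$n] = true; }
                } else {
                    $numbers[(int) $part] = true;
                }
            }
        }
        ksort($numbers);
        $out = [];
        foreach (array_keys($numbers) as $n) {
            $out[$n] = self::SEVERITY[$n] ?? 'info';
        }
        return $out;
    }
}

// Constructed inputs (not real EU feeds). The first has the classic XXE shape
// and is rejected before libxml ever sees the DTD.
$hostile = '<?xml version="1.0"?><!DOCTYPE rss [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
         . '<rss version="2.0"><channel><item><title>&xxe;</title></item></channel></rss>';
try {
    SafeFeedReader::items($hostile);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

$benign = '<rss version="2.0"><channel><item>'
        . '<title>Corrigendum to Articles 5 and 9; see also Arts. 14-15</title>'
        . '<link>https://example.invalid/amendments/1</link>'
        . '<description>Editorial change.</description></item></channel></rss>';
foreach (SafeFeedReader::items($benign) as $item) {
    var_export(ImpactedClauseMap::detect($item['title'] . ' ' . $item['summary']));
}
```

The `DOCTYPE` check is cheap and removes the whole class of DTD tricks (external entities, entity expansion bombs, external parameter entities) regardless of which libxml flags a future refactor passes; the flag choice remains the second line of defence. When a detector like this feeds severity routing, treat an unmapped article as `info` rather than dropping it, so a new amendment that cites an article outside the map still lands on the DPO desk.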

### 6. DPO multi-org tenant management (v1.5)


```
Tenant::query()->create([
    'slug' => 'acme',                           // unique 50-char id
    'name' => 'Acme Inc.',
    'subscription_tier' => 'enterprise',
    'dpo_email' => 'dpo@acme.example',
    'config_overrides_json' => [
        // Per-tenant override of ANY ai-act-compliance.* key
        'bias.disparity_threshold' => 0.02,
    ],
]);

// Mount the middleware on whatever route group you serve to operators:
Route::middleware('ai-act.tenant-context')->group(function () {
    Route::get('/api/admin/ai-act-compliance/...', ...);
});

// Every package service reads the active tenant via:
$current = app(TenantContext::class)->current();
$threshold = app(TenantConfigResolver::class)->resolve('bias.disparity_threshold', 0.05);
```

Operationally:

- Request-scoped binding via `$this->app->scoped(TenantContext::class)` — Octane-safe.
- `X-Tenant-Id` header (or `?tenant=` query) resolves the slug; unknown → 404, suspended → 423 Locked, archived → 410 Gone.
- `CrossTenantOverviewService` aggregates platform-wide KPIs in one `GROUP BY tenant_id` query per table — no N+1 as tenant count grows.

---

⚡ Quick start (jr-proof, 5 minutes)
-----------------------------------


> Even if you've never installed a Laravel package before, you'll be running by the end of this section.

### 0. Prerequisites


You need:

- **PHP 8.2+** — run `php -v` and confirm
- **Laravel 11, 12 or 13** in your project — `php artisan --version`
- **A database** — MySQL / PostgreSQL / SQLite all work
- **Composer** — `composer --version`

If any of these are missing, install them first. We'll wait. ☕

### 1. Install the package


```
composer require padosoft/laravel-ai-act-compliance
```

That's it for installation. The Laravel auto-discovery wires the service provider for you.

### 2. Publish the migrations + config


```
php artisan vendor:publish --tag=ai-act-compliance-migrations
php artisan vendor:publish --tag=ai-act-compliance-config
```

You should see new files appear under `database/migrations/` (8 new migrations) and `config/ai-act-compliance.php`.

### 3. Run the migrations


```
php artisan migrate
```

Verify the tables landed:

```
php artisan tinker
>>> \Padosoft\AiActCompliance\DSAR\Models\DsarRequest::query()->count();
=> 0
>>> exit
```

If you see `=> 0` (not an error), you're golden.

### 4. Implement the two host contracts


Create `app/Compliance/MyAppUserDataExporter.php`:

```
