Download the PHP package padosoft/laravel-ai-act-compliance without Composer

On this page you can find all versions of the php package padosoft/laravel-ai-act-compliance. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-ai-act-compliance

laravel-ai-act-compliance

The first Laravel-native toolkit for EU AI Act + GDPR compliance.
Plug it into any Laravel AI app. Audit-ready out of the box.

Official documentation

Latest Version on Packagist Total Downloads CI

Why · Features · Killer modules · Quick start · AI Act mapping · Architecture · Host contracts · Extend · Testing · Vibe-coding pack


🚀 AI vibe-coding pack included

Every padosoft/* package ships with a .claude/ directory containing:

Just composer require padosoft/laravel-ai-act-compliance and the pack is auto-discovered when you open the project in Claude Code. No setup required. If you don't use Claude Code, the pack is invisible — it never affects runtime behaviour.


📖 Table of contents


🎯 Why this exists

The EU AI Act enters full force in 2026–2027. Python has Lakera Guard, Fairlearn, Aequitas. Laravel has nothing.

If you ship a Laravel app that uses an LLM, you need:

You can build all of this yourself in 2-3 months, or you can composer require padosoft/laravel-ai-act-compliance and ship next week.

Who's this for

You This package
Building a Laravel SaaS that uses GPT / Claude / Gemini ✅ Yes
Adding a chat agent to an enterprise Laravel app ✅ Yes
Operating in the EU, EEA, UK, Switzerland ✅ Yes
Selling to enterprise customers asking for SOC 2 / ISO 27001 / ISO 42001 ✅ Yes
Already shipped a Laravel AI feature without a compliance plan ✅ Yes — install yesterday
Pure backoffice CRUD with no AI ❌ Not your problem (yet)

Comparable products

Product Stack Open source Scope
Lakera Guard Python No (SaaS) Guardrails + PII
Fairlearn Python Yes Fairness metrics only
Aequitas Python Yes Bias audit only
AWS Audit Manager AWS-only No Generic compliance, not AI-specific
padosoft/laravel-ai-act-compliance Laravel/PHP MIT Full AI Act + GDPR stack

✨ Features at a glance

Module What it does Article
Disclosure @aiDisclosure Blade directive + ai-act.disclosure middleware injects an "I'm AI" banner per AI Act Art. 50 AI Act Art. 50
Risk Register CRUD on AI use cases tagged with risk category (unacceptable / high / limited / low) + Annex III mapping AI Act Art. 6 + Annex III
DSAR Queue + service + ExportUserDataJob / DeleteUserDataJob + 30-day SLA tracking + breach escalation GDPR Art. 15 / 16 / 17
BiasMonitoring CohortParityMetric contract + BiasMonitorService + BiasSnapshot storage + drift detection AI Act Art. 10 + Art. 15
HumanReviewTracker Decision approval queue with state machine (pending / approved / rejected / escalated) AI Act Art. 14
Incident Ticket model + state transitions + severity routing + escalation tree (CISO / DPO / CEO / Legal) AI Act Art. 73
Consent Polymorphic ConsentRecord + ai-act.consent middleware + revocation timeline GDPR Art. 7
Cybersecurity Per-user rate limit, session anomaly detection, 2FA helper AI Act Art. 15
ComplianceAttestation Auditor-ready PDF generator (Article 30 records of processing) AI Act Art. 11 + GDPR Art. 30
BiasMonitoring v1.2 Pluggable CohortParityMetric registry: DemographicParityMetric (default), EqualizedOddsMetric, CalibrationMetricmetric_name + metric_version + article_evidence_json persisted per snapshot AI Act Art. 10 + Art. 15
Alerting v1.3 Real-time cohort-drift cascade: alert_routes (Crypt-encrypted webhooks) → Slack → Discord → always-CC email; throttle + circuit breaker + severity-escalation bypass AI Act Art. 9
RegulatoryFeed v1.4 EU AI Act amendment auto-flagger: RSS 2.0 + Atom 1.0 (XXE-safe), ImpactedClauseDetector config-driven regex map, RegulatoryFeedPoller + ai-act:regulatory-poll Artisan command, per-tenant idempotency AI Act Art. 9 / 50
MultiTenancy v1.5 First-class tenants registry (slug-unique, tier + status enums, config_overrides_json), request-scoped TenantContext, TenantConfigResolver, ai-act.tenant-context middleware (404 / 423 / 410 / pass-through), CrossTenantOverviewService (no-N+1 GROUP BY tenant_id) AI Act Art. 9 + GDPR Art. 30

Every module is config-gated (default safe) + migration-published + tested.


💎 Killer modules

These three are what make the package WOW:

1. DSAR queue that handles the regulatory ugliness for you

You implement two contracts:

The package handles everything else:

2. Cohort-parity bias monitoring

BiasMonitorService then snapshots the metric on a schedule, alerts on drift > 0.05, and feeds the result to the admin SPA Bias Monitor screen — no chart code to write.

3. Incident manager with state-machine + escalation routing

State transitions are immutable, audit-trailed, and validated. Escalation routing (CISO → DPO → CEO) fires automatically based on severity × configured policy.

4. Real-time alerting cascade (v1.3)

What you get for free:

5. Regulatory-feed auto-flagger (v1.4)

What lands on the DPO desk:

6. DPO multi-org tenant management (v1.5)

Operationally:


⚡ Quick start (jr-proof, 5 minutes)

Even if you've never installed a Laravel package before, you'll be running by the end of this section.

0. Prerequisites

You need:

If any of these are missing, install them first. We'll wait. ☕

1. Install the package

That's it for installation. The Laravel auto-discovery wires the service provider for you.

2. Publish the migrations + config

You should see new files appear under database/migrations/ (8 new migrations) and config/ai-act-compliance.php.

3. Run the migrations

Verify the tables landed:

If you see => 0 (not an error), you're golden.

4. Implement the two host contracts

Create app/Compliance/MyAppUserDataExporter.php:

Create app/Compliance/MyAppUserDataDeleter.php:

5. Bind the contracts in your service provider

Open app/Providers/AppServiceProvider.php and add to register():

6. Add the disclosure middleware (if you have an AI chat surface)

In bootstrap/app.php (Laravel 11+) or app/Http/Kernel.php (Laravel 10):

Then on any route group that renders an AI response:

7. Smoke-test it

If the DSAR row landed, you're compliant-ready.

8. (Optional) Install the admin SPA companion

Then visit /admin/ai-act-compliance — the full 8-screen React SPA (Overview / DSAR / Consent / Risks / Incidents / Bias / DPO / Settings) renders behind your Laravel auth.

See padosoft/laravel-ai-act-compliance-admin for screenshots and a complete tour.


⚙️ Configuration

Every knob lives in config/ai-act-compliance.php. The defaults are intentionally safe-by-default; nothing fires unless you explicitly enable it.


📜 AI Act + GDPR mapping

Every module maps explicitly to an article. This is the audit-trail your DPO + auditor will love.

Article Title Module
AI Act Art. 5 Prohibited AI practices RiskRegister (category=unacceptable)
AI Act Art. 6 High-risk AI systems RiskRegister (category=high)
AI Act Art. 10 Data and data governance BiasMonitoring
AI Act Art. 11 Technical documentation ComplianceAttestation
AI Act Art. 12 Logging (host responsibility — package provides audit hooks)
AI Act Art. 14 Human oversight HumanReviewTracker
AI Act Art. 15 Accuracy + robustness BiasMonitoring + Cybersecurity
AI Act Art. 50 Disclosure of AI-generated content Disclosure middleware + Blade directive
AI Act Art. 73 Serious incident notification Incident
AI Act Annex III High-risk use cases RiskRegister categorisation
GDPR Art. 7 Conditions for consent Consent
GDPR Art. 15 Right of access DSAR (type=export)
GDPR Art. 16 Right to rectification DSAR (type=rectify)
GDPR Art. 17 Right to erasure DSAR (type=delete)
GDPR Art. 30 Records of processing ComplianceAttestation
GDPR Art. 32 Security of processing Cybersecurity
GDPR Art. 33 Breach notification Incident (severity=critical)
ISO 42001 §6.2 AI risk management RiskRegister + BiasMonitoring
ISO 27001 / SOC 2 Information security Cybersecurity + Incident

🏗️ Architecture

The package never owns your domain data. It owns the compliance ledger (DSAR queue, risk register, incident tickets, consent records, bias snapshots, attestations) and the audit trail. Your domain models stay untouched — you just implement the two UserDataExporter / UserDataDeleter contracts to tell the package how to walk your tables.


📐 Host contracts

Two contracts only. Both live under Padosoft\AiActCompliance\DSAR\Contracts.

A third optional contract — Padosoft\AiActCompliance\BiasMonitoring\Contracts\CohortParityMetric — lets you plug arbitrary bias metrics into the monitor.


📚 Modules in detail

Disclosure

Risk Register

DSAR

Bias Monitoring

Alerting (v1.3)

RegulatoryFeed (v1.4)

MultiTenancy (v1.5)

Human Review Tracker

Incident

Consent

Cybersecurity

Compliance Attestation


🌐 HTTP API surface

Every endpoint sits behind your host's auth middleware (Sanctum / Passport / session) and is gated by the configured policy. Routes are auto-registered if ai-act-compliance.routes.enabled is true.

Verb Path Controller Gate
GET /api/ai-act-compliance/overview ComplianceOverviewController@index viewCompliance
GET /api/ai-act-compliance/dsar DsarController@index manageDsar
POST /api/ai-act-compliance/dsar DsarController@store manageDsar
POST /api/ai-act-compliance/dsar/{id}/approve DsarController@approve manageDsar
POST /api/ai-act-compliance/dsar/{id}/reject DsarController@reject manageDsar
GET /api/ai-act-compliance/risks RiskRegisterController@index manageRisks
POST /api/ai-act-compliance/risks RiskRegisterController@store manageRisks
GET /api/ai-act-compliance/incidents IncidentController@index manageIncidents
POST /api/ai-act-compliance/incidents IncidentController@store manageIncidents
POST /api/ai-act-compliance/incidents/{id}/transition IncidentController@transition manageIncidents
GET /api/ai-act-compliance/consent ConsentController@index manageConsent
POST /api/ai-act-compliance/consent/grant ConsentController@grant (subject self-service)
POST /api/ai-act-compliance/consent/revoke ConsentController@revoke (subject self-service)
GET /api/ai-act-compliance/bias BiasController@index manageBias
GET /api/ai-act-compliance/human-reviews HumanReviewController@index manageHumanReviews
POST /api/ai-act-compliance/attestation/generate ComplianceAttestationController@generate manageAttestation
GET /api/ai-act-compliance/settings SettingsController@index viewSettings
GET /api/ai-act-compliance/alerts/dispatches (v1.3) AlertDispatchController@index manageAlerts
POST /api/ai-act-compliance/alerts/dispatches/{id}/retry (v1.3) AlertDispatchController@retry manageAlerts
GET /api/ai-act-compliance/regulatory-amendments (v1.4) RegulatoryAmendmentController@index manageRegulatory
PATCH /api/ai-act-compliance/regulatory-amendments/{id} (v1.4) RegulatoryAmendmentController@update manageRegulatory
POST /api/ai-act-compliance/regulatory-amendments/poll (v1.4) RegulatoryAmendmentController@poll manageRegulatory
GET /api/ai-act-compliance/tenants (v1.5) TenantController@index manageTenants
POST /api/ai-act-compliance/tenants (v1.5) TenantController@store manageTenants
GET /api/ai-act-compliance/tenants/{slug} (v1.5) TenantController@show manageTenants
PATCH /api/ai-act-compliance/tenants/{slug} (v1.5) TenantController@update manageTenants

The admin SPA companion consumes this surface verbatim — your custom UI does too.


🔌 Extension points

You want to… Wire this
Plug in a custom bias metric Implement CohortParityMetric (+ optional NamedCohortMetric), register via MetricRegistry::register($name, $class)
Customise DSAR ZIP packaging Override the ai-act-compliance.dsar.exporter binding in your service provider
Add a new locale Publish locales: php artisan vendor:publish --tag=ai-act-compliance-locales
Use Browsershot instead of DomPDF Set ai-act-compliance.attestation.pdf_renderer = 'browsershot'
Route incidents to PagerDuty / Opsgenie Implement EscalationDriverInterface, register via the config map
Hook into the state-machine transitions Listen to Padosoft\AiActCompliance\Support\ComplianceEvents
Add a new alert channel (Teams, PagerDuty, …) Implement AlertChannel, add to ai-act-compliance.alerting.channels config map
Override the clause-detection regex map Set ai-act-compliance.regulatory_feed.impacted_clause_patterns in your config (host wins)
Plug in a new regulatory-feed driver (NIS2 / GDPR DPB / sector-specific) Implement RegulatoryFeedDriver, add to ai-act-compliance.regulatory_feed.drivers
Override any package config per tenant Persist {"<dotted.key>": value} into tenants.config_overrides_json; read via TenantConfigResolver::resolve()

🧪 Testing

Live testsuite (opt-in)

The package ships a tests/Live/ directory that exercises real regulatory reference systems (SPID handshake fixtures, EU AI Act API). It is disabled by default — CI runs Unit + Feature only.

Enable explicitly when you need it:

CI matrix

GitHub Actions tests against PHP 8.3 / 8.4 / 8.5 × Laravel 11 / 12 / 13.


🎨 Companion package: admin SPA

padosoft/laravel-ai-act-compliance-admin is the React 19 + TypeScript admin SPA. It cross-mounts into any Laravel app under /admin/ai-act-compliance and consumes the HTTP API surface above. 8 screens:

Screen What it does
Overview KPI tiles + activity feed + DSAR depth chart + Article 30 attestation card
DSAR Filterable table + bulk actions + drawer with timeline + data scope
Consent Per-feature grid + per-user matrix
Risks Category summary tiles + filter sidebar + card grid + detail drawer
Incidents 4-lane kanban + drawer with timeline + mitigations + escalation tree
Bias Cohort parity SVG chart + drift multi-line chart + flagged samples
DPO Data flow diagram + retention table + deletion log + attestation modal
Settings Feature flags + env vars (with show/hide secrets) + webhook destinations

Then visit /admin/ai-act-compliance in your browser. Done.


🗺️ Roadmap


📋 Changelog

See CHANGELOG.md for the full release history.

Recent highlights:


🤝 Contributing

PRs welcome. Before opening one:

  1. Run composer test locally and confirm it's green
  2. Add a test for your change
  3. Follow the existing code style (Laravel Pint default)
  4. Update CHANGELOG.md under ## [Unreleased]

For major changes (new module, new contract, breaking API), open an issue first so we can discuss the design.


🔒 Security

If you discover a security vulnerability, please email [email protected] instead of opening a public issue. We'll acknowledge within 48 hours.

This package follows responsible disclosure. We publish security advisories at GitHub Security Advisories once the fix has shipped.


🙏 Credits


📄 License

The MIT License (MIT). See LICENSE.md for details.


Made with 🇮🇹 by Padosoft · Powering AskMyDocs


All versions of laravel-ai-act-compliance with dependencies

PHP Build Version
Package Version
Requires php Version ^8.2
ext-libxml Version *
ext-simplexml Version *
illuminate/support Version ^11.0|^12.0|^13.0
illuminate/database Version ^11.0|^12.0|^13.0
illuminate/http Version ^11.0|^12.0|^13.0
illuminate/routing Version ^11.0|^12.0|^13.0
illuminate/console Version ^11.0|^12.0|^13.0
illuminate/events Version ^11.0|^12.0|^13.0
illuminate/mail Version ^11.0|^12.0|^13.0
illuminate/queue Version ^11.0|^12.0|^13.0
illuminate/contracts Version ^11.0|^12.0|^13.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package padosoft/laravel-ai-act-compliance contains the following files

Loading the files please wait ...