A few more technical details for those interested:
Why Rust/WASM? I needed the audit to be lightning-fast and portable across different CI environments without requiring the user to install complex dependencies. WASM allowed me to package the entire Tree-sitter logic into a single, sandboxed binary that runs locally.
Deterministic Logic: We map specific code patterns and metadata (model provenance, data usage) against the Article 11 requirements of the EU AI Act. If the manifest doesn't change, the hash doesn't change—making it a reliable build artifact.
The Edge Layer: While the audit is local, we use Cloudflare D1 for the immutable ledger to sign the integrity reports, ensuring they are tamper-proof.
I'm here to answer any questions about the WASM implementation or how we're translating the EU AI Act into deterministic code!
I’m building Sentinel, an independent engineering project focused on the technical requirements of the EU AI Act.
Most compliance tools today are LLM-wrappers. The problem is that LLMs are non-deterministic—using an LLM to audit another LLM for legal compliance creates a circular dependency that doesn't hold up under technical scrutiny.
Sentinel follows a 90/10 Radical Efficiency rule: 90% of the audit is handled by a deterministic engine (Regex, Tree-sitter, and WebAssembly) that runs at $0 computational cost. We use AI only for the remaining 10% of high-level reasoning.
The Baseline Audit:
I recently ran a baseline audit on 265 major AI repositories (including vLLM, Dify, and Microsoft OSS components). Most scored 100/100 on our Risk Scale because they lack an automated "Technical File" (Article 11) or verifiable audit trails.
Technical Stack:
Privacy-First: The core binary is compiled in WASM. It executes locally in your GitHub Actions runner. Your source code never leaves your infrastructure.
Edge-Native: We use Cloudflare D1 for the immutable ledger and Workers for the signed integrity reports.
Artifact-Based: It turns Article 11 compliance into a standard build artifact (a signed JSON/Markdown file).
I’m moving away from the "SaaS subscription" model towards a "Sovereign Asset" approach—the logic is compiled, the execution is local, and compliance is a deterministic outcome of the build process.
I’d love to hear your thoughts on using WASM for local regulatory auditing.
I’ve been working on a way to automate the heavy lifting of the EU AI Act for engineering teams. Most "AI Governance" tools are just high-level dashboards, so I built Sentinel-AI-Compliance.
It’s a GitHub Action powered by a WASM-compiled binary. It follows a 90/10 rule: 90% of the audit is solved deterministically (Regex/Tree-sitter) for $0 cost, and AI is only used as a "higher instance" for the remaining 10%.
To test it, I ran Sentinel against 265 high-profile AI repositories (including vLLM, Dify, and Microsoft projects). The results: Over 90% hit a 100/100 Risk Score, primarily due to missing Art. 10 (Data Governance) and Art. 14 (Human Oversight) manifests.
Why WASM?
Privacy-First: The binary runs entirely within your CI/CD pipeline. Your code never leaves your infrastructure.*
Speed: Scans manifest files in milliseconds.*
Deterministic: No LLM hallucinations in the compliance trail.*
This is an independent engineering project focusing on making compliance a "git push" away rather than a legal nightmare.
I’d love to hear your thoughts on the deterministic vs. AI approach to compliance!
Why Rust/WASM? I needed the audit to be lightning-fast and portable across different CI environments without requiring the user to install complex dependencies. WASM allowed me to package the entire Tree-sitter logic into a single, sandboxed binary that runs locally.
Deterministic Logic: We map specific code patterns and metadata (model provenance, data usage) against the Article 11 requirements of the EU AI Act. If the manifest doesn't change, the hash doesn't change—making it a reliable build artifact.
The Edge Layer: While the audit is local, we use Cloudflare D1 for the immutable ledger to sign the integrity reports, ensuring they are tamper-proof.
I'm here to answer any questions about the WASM implementation or how we're translating the EU AI Act into deterministic code!