Scope your EU AI Act Article 26 deployer obligations and the Annex IV documents to demand from your provider — in about 60 seconds, from your terminal.
```bash
# Works today, straight from GitHub:
npx github:TAIKER656/audit-in-a-box-cli
# Short form — landing on npm shortly:
npx audit-in-a-box
```
Free, runs locally, stores nothing, no telemetry. A scoping aid — not legal advice.
Most mid-market SaaS teams sign with an AI provider without knowing which parts of Article 26 apply to them, or which Annex IV documents they should have asked for before signing. This tool walks you through a short set of questions and prints:
- Article 26 cluster — the 6 universal paragraphs every high-risk deployer carries, plus the conditional paragraphs your answers trigger.
- Annex IV demand letter — the technical-documentation sections to request from your provider, split into baseline / pre-deployment evidence / provider-internal.
- An estimated scope tier to gauge how broad your obligations are.
Every output is anchored to Regulation (EU) 2024/1689.
Examples use the short `audit-in-a-box` form. Until it lands on npm, substitute `github:TAIKER656/audit-in-a-box-cli` (e.g. `npx github:TAIKER656/audit-in-a-box-cli --json`).
```bash
# Interactive
npx audit-in-a-box
# Non-interactive (scriptable / CI)
npx audit-in-a-box --role deployer --area employment \
  --input-data --workplace --affects-persons --gdpr
# JSON for downstream tooling
npx audit-in-a-box --role deployer --area employment --json
# Save a Markdown report
npx audit-in-a-box --role deployer --area employment --report scope.md
```
Run `npx audit-in-a-box --help` for the full flag list.
| Colour | Meaning |
|---|---|
| Green | Always applies / always demand |
| Amber | Triggered by your context / pre-deployment evidence |
| Grey | Provider internal-only — do not insist on full disclosure |
- This is a scoping aid, not legal advice, and not a substitute for a full audit.
- The question flow simplifies real edge cases (GPAI deployment, provider-and-deployer in one entity, sector-specific rules).
- Article 26 also cross-references Article 14 (human oversight) and Article 9 (risk management) — a complete audit checks all three.
- Verify against the primary text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
Need the full picture? Audit-in-a-Box™ — https://eucomplyhub.com
The deployer-side framing behind this tool was shaped by two builders whose public work informed the question design. This is acknowledgment of influence — not an endorsement by them.
- Stone Shi / CLARIXO — pre-drift inheritance and Valid-State Continuity. The four questions (which state transition was accepted; was it pre-authorised; was it flagged or silently inherited; was there an override window before inheritance became lineage) shaped the conditional-trigger design.
- CONTROLTOWER OS / Gerard Foy — progression admissibility framing around evidence, authority, ownership, context, consequence awareness, and refusal/escalation logic before AI-supported work moves toward operational consequence.
Runs entirely on your machine. No inputs are stored or transmitted. There is no telemetry.
MIT — see LICENSE.