{
  "report": "Guardia AI self-scan — EU AI Act compliance report",
  "subject": "Guardia AI (this product), scanned by its own repository scanner",
  "scanned_at": "2026-07-05T00:42:40Z",
  "scanner": "Guardia AI repository scanner — the same detection engine shipped in our GitHub Action and GitLab CI/CD component",
  "scope": "Full Guardia AI monorepo: backend (FastAPI), frontend (Next.js), GitHub Action, GitLab component",
  "risk_level": "limited",
  "risk_explanation": "AI usage detected; none of it biometric, safety-critical, or in an Annex III high-risk area. The transparency tier (Article 50) applies because Guardia includes an AI chat assistant that interacts with users — our obligation is to disclose that it is AI, which we do.",
  "classification": {
    "engine": "Guardia AI rule-based risk classifier",
    "risk_level": "limited",
    "confidence": 72,
    "summary": "Guardia AI is classified as LIMITED RISK. Transparency obligations apply (Article 50). 0 gap(s) found.",
    "annex_iii_category": null,
    "compliance_gaps_found": 0
  },
  "ai_detected": [
    {
      "detection": "openai (npm SDK)",
      "category": "LLM API",
      "files": [
        "frontend/package.json",
        "frontend/app/api/ai/chat/route.ts",
        "frontend/app/api/ai/generate/route.ts"
      ],
      "what_it_actually_is": "The OpenAI-compatible SDK pointed at Groq (api.groq.com). Powers two assistive features: the compliance chat assistant (Llama 3.1 8B) and documentation drafting (Llama 3.3 70B). Both produce advisory text that a human reviews and edits; neither makes decisions.",
      "eu_ai_act_note": "Deployer of a general-purpose model via API. Article 50 transparency applies to the chat assistant: it is clearly labelled as AI."
    },
    {
      "detection": "scikit-learn",
      "category": "ML Framework",
      "files": ["backend/requirements.txt"],
      "what_it_actually_is": "Used together with fairlearn to COMPUTE statistical fairness metrics (demographic parity, equalized odds) on model outputs customers upload for bias reports. No model is trained or deployed; it is measurement, not inference.",
      "eu_ai_act_note": "Not an AI system making outputs about persons; it is the measurement tooling for our bias reports."
    },
    {
      "detection": "GROQ_API_KEY (configuration)",
      "category": "Credential env key",
      "files": ["frontend/.env.local.example", "frontend/netlify.toml"],
      "what_it_actually_is": "The deployment credential for the Groq-hosted LLM features above.",
      "eu_ai_act_note": "Consistent with the declared LLM usage — no undeclared AI providers configured."
    }
  ],
  "not_ai": [
    {
      "component": "Repository scanner (core product)",
      "why": "Deterministic pattern matching against published signature lists (AI libraries, model names, endpoints, credential keys). No ML model involved; identical output on identical input."
    },
    {
      "component": "Risk classification engine",
      "why": "Rule-based mapping to EU AI Act articles (Article 5, Annex III) with cited sources. No ML model involved."
    },
    {
      "component": "FRIA, Annex IV, ISO 42001 modules",
      "why": "Structured templates and rule-based applicability checks. LLM assistance is optional, labelled, and editable."
    }
  ],
  "remediation_log": [
    {
      "date": "2026-07-05",
      "finding": "Stale OPENAI_API_KEY references in render.yaml, netlify.toml, .env.local.example and the /status health check, left over from before our switch to Groq-hosted models.",
      "found_by": "This self-scan (config-detection layer)",
      "action": "Removed the stale references and fixed the health check to test the credential actually in use (GROQ_API_KEY). Fixed the same day."
    }
  ],
  "methodology_notes": [
    "The scan was run with the same detection module we ship to customers (github-action/detection.py, kept identical in gitlab-component/).",
    "The scanner's own signature databases (lists of AI library names inside repo_scanner.py and detection.py) are string constants, not dependencies; the detection engine distinguishes signature definitions from real imports and manifests since our June false-positive fixes.",
    "Anyone with repository access can reproduce this report by running the scanner against the repo root."
  ],
  "disclaimer": "This is a self-assessment generated with Guardia AI's own tooling and reviewed by a human. It is documentation of our good-faith analysis, not legal advice and not a certification."
}
