MCP Scorecard

ServersPublishersPlatformsBlogAPI
Mission StatementGitHub
← All posts
Spotlight  March 1, 2026

Tamper-Proof Audit Trails for the EU AI Act — Five Months Out

An MCP server builds HMAC-SHA256 hash-chained audit logs for AI systems operating under European regulations. The EU AI Act's high-risk obligations take effect August 2, 2026. The clock is ticking.
MCP Scorecard Research
io.github.jellewas

The EU AI Act (Regulation 2024/1689) mandates that high-risk AI systems maintain "automatic recording of events (logs)" — Article 12. High-risk obligations take effect August 2, 2026. That is five months from today.

io.github.jellewas/eu-audit-mcp is built specifically for this deadline.

The Architecture

The server creates tamper-evident audit trails using HMAC-SHA256 hash chains. Each log entry's hash includes the previous entry's hash — if anyone modifies a historical record, the chain breaks and the tampering is detectable. This isn't a policy promise; it's a cryptographic guarantee. Ten MCP tools cover event logging, inference tracking, data access documentation, session tracing, compliance verification, erasure handling, and hash chain validation.

PII and GDPR

The server integrates Microsoft Presidio for automatic PII detection with European pattern recognition — catching EU-format phone numbers, national IDs, and addresses that US-trained detectors miss. GDPR Article 17 erasure requests are handled while maintaining audit integrity: the PII is removed but the hash chain records that an erasure occurred and why, preserving the audit trail's completeness.

Regulatory Checklist

A built-in compliance verification tool validates against EU AI Act Articles 12 and 19 (logging and record-keeping for high-risk systems) and GDPR Article 30 (records of processing activities). It produces a structured checklist showing which obligations are met and which have gaps.

What to Know

Built by jellewas. Apache-2.0 license. Python. Runs entirely on local SQLite — no cloud dependencies, no external services, all data stays on your infrastructure. Zero stars — this is brand new and extremely niche. But compliance tooling has never been about popularity. It is about deadlines, and this one is five months away.

Companies deploying AI in the EU — or selling AI products to EU customers — need logging infrastructure that satisfies the regulation. The hash chain approach ensures that if a regulator asks "show me your logs," you can cryptographically prove they haven't been altered after the fact. That is the entire point of Article 12.

Score: 58. No flags. Apache-2.0.

Sources: jellewas — GitHub · eu-audit-mcp — repo · EU AI Act — Regulation 2024/1689 · Scorecard: io.github.jellewas (score 58)

← Four Guardrails for Autonomous Agents: Context, Norms, Think, UndoOne Developer, Thirteen Government APIs, Zero Data Cost →
Article Type
Pulse5Spotlight26Trend5
Archive
March 202618February 202618
Publishers Mentioned
io.github.kubeshark2tools.edgar2io.github.pyth-network2io.github.qso-graph2io.github.mansurjisan2io.github.vitas2io.github.meltingpixelsai2io.github.D4Vinci2io.github.Codeturion2io.github.martc032io.github.jellewas2dev.codepathfinder2
~ ~ ~
mcp-scorecard.ai  ·  2026