Project Snapshot๏ƒ

Version: 7.4.0
Status: Canonical
Stage: Stage 1

Overview๏ƒ

ai-slop-gate is a policy-driven AI, supply-chain and compliance gate for code and infrastructure.

Core Principles๏ƒ

  • โœ… No Hidden Logic - All behavior is explicit and configurable

  • โœ… Policy is Source of Truth - Policy files define all rules

  • โœ… Compliance is Sidecar - Compliance checks are optional extensions

  • โœ… Engine is Pure - Core engine has no side effects

  • โœ… CLI is Thin - CLI only handles argument parsing and wiring

  • โœ… Tests Lock Contracts - Tests verify contracts, not implementation details

  • โœ… Cache is Cost Control - Caching prevents duplicate LLM token spending

Supported Languages & Technologies๏ƒ

  • โœ… Ruby (Full support)

  • โœ… Python (Full support)

  • โœ… JavaScript / TypeScript (Full support)

  • โœ… Java (Full support)

  • โœ… C++ (Full support)

  • โœ… C# (Full support)

  • โœ… Docker (Full support)

  • โœ… Kubernetes (Full support)

  • โœ… Terraform (Full support)

Execution Model๏ƒ

The tool follows a clear execution flow:

  1. CLI parses flags

  2. Policy is loaded and resolved

  3. Providers collect or analyze inputs

  4. LLM providers are optionally wrapped by CachedProvider

  5. Compliance sidecar optionally runs

  6. Policy engine evaluates observations

  7. Decision is produced

  8. Reporters render output

  9. Exit code is derived from decision

  10. Release pipeline runs (determine version โ†’ build โ†’ sign โ†’ publish)

CLI Commands๏ƒ

init๏ƒ

Initialize a new policy file.

run๏ƒ

Execute analysis based on policy.

Key Flags:

  • --policy - Path to policy.yml (required)

  • --provider - Provider name (static, k8s-runtime, supply-chain, llm)

  • --input-file - Input file for providers

  • --compliance - Force enable compliance sidecar

  • --enforcement - never | advisory | blocking

  • --verbose - Emit full resolved state and observations

Policy Structure๏ƒ

Policies are defined in policy.yml with the following sections:

  • enforcement - Enforcement mode (advisory, blocking, never)

  • ai_provider - LLM provider configuration

  • compliance - Compliance rules and profiles

  • profiles - Reusable compliance profiles (default, eu, eu-strict)

  • rules - Custom policy rules

Built-in Providers๏ƒ

Static Analysis Providers๏ƒ

  • StaticProvider

  • StaticSecurityProvider

  • StaticPipelineProvider

  • ESLintProvider

  • StaticDockerProvider

  • StaticJSProvider

  • StaticPythonProvider

  • StaticTSJSProvider

  • StaticRubyProvider

  • StaticJavaProvider

  • StaticCSharpProvider

  • StaticCppProvider

Infrastructure Providers๏ƒ

  • K8sRuntimeProvider

  • KubernetesStaticProvider

  • TerraformPlanProvider

  • TerraformStaticProvider

Supply Chain Providers๏ƒ

  • SupplyChainProvider

  • TrivyProvider

  • SBOMProvider

Cache System๏ƒ

Purpose: Prevent repeated LLM token spending

Scope: LLM providers only

Cache Key Components:

  • Provider ID

  • Model name

  • Compliance profile

  • Policy hash

  • Normalized input fingerprint

Cache Invalidation Triggers:

  • Input content change

  • Policy change

  • Profile change

  • Model change

Backends:

  • File (default) - .ai-slop-cache/

  • Memory (tests only)

Compliance Profiles๏ƒ

default๏ƒ

Inherits base compliance configuration

eu๏ƒ

Enforces GPL/AGPL license ban and EU data residency requirements

eu-strict๏ƒ

Blocking enforcement with strict EU compliance rules

Decision Modes๏ƒ

  • allow - No issues detected (exit code 0)

  • advisory - Issues detected but not blocking (exit code 0)

  • blocking - Issues detected, blocking deployment (exit code 1)

Reporters๏ƒ

  • stdout - Human-readable terminal output

  • github_pr - GitHub Pull Request comments

  • github_checks - GitHub Checks annotations

Release Pipeline๏ƒ

Versioning Strategy๏ƒ

Semantic versioning based on conventional commits:

  • fix: โ†’ patch bump

  • feat: โ†’ minor bump

  • BREAKING CHANGE: โ†’ major bump

Multi-Architecture Support๏ƒ

  • linux/amd64

  • linux/arm64

Security Features๏ƒ

  • Image Signing - Cosign key-pair signing

  • SBOM Generation - Syft-generated SBOM

  • Vulnerability Scanning - Trivy scanning

Distribution๏ƒ

  • Registry: ghcr.io/public

  • Visibility: Public

  • Tags: vX.Y.Z, latest, sha-<short>

Non-Goals๏ƒ

  • โŒ Automatic code fixing

  • โŒ Code rewriting

  • โŒ Business logic inside CLI

  • โŒ Provider-specific policy logic

  • โŒ Caching for non-LLM providers

Required Secrets for Release๏ƒ

  • GHCR_TOKEN - Write access to GitHub Container Registry

  • COSIGN_PRIVATE_KEY - Private key for image signing

  • COSIGN_PASSWORD - Password protecting cosign.key

  • GITHUB_TOKEN - Automated changelog/release creation