Inspiration
Every team we’ve worked on moves fast. PRs get opened, reviewed, merged. Then a few weeks later someone from legal drops into Slack:
“Wait, this affects EU users. Did we run a risk assessment?”
Compliance always happens after the merge, when it’s painful and awkward. We kept asking the same question: why doesn’t this check happen at the PR stage, automatically, before the code ships?
That’s why we built Argus.
What it does
Argus is a GitHub App that reviews every pull request before it’s merged.
When a PR opens, Argus reads the changes, figures out what the code is doing, checks it against relevant laws like CCPA, the EU AI Act, and BIPA, and looks at your data lineage to see whether sensitive data is involved.
Then it gives one of three decisions directly in GitHub:
- Merge
- Block
- Escalate to a human
Each decision comes with legal citations and clear next steps, so engineers know exactly why something passed or what needs to change before it can merge.
Everything runs in one process, on one port. No microservices. No complex infra.
How we built it
The backend is Node.js with Express. Every PR runs through a six-stage pipeline:
1. Parse the GitHub webhook
2. Classify the change intent with OpenAI
3. Search official legal sources using Tavily
4. Query a Neo4j graph to trace data lineage
5. Synthesize a verdict with GPT-4o
6. Enforce the result through the GitHub Checks API
Challenges we ran into
Trustworthy legal citations were the hardest part. We had to strictly limit search results to official government and legal domains. Otherwise, we’d risk citing blog posts instead of actual statutes.
The live dashboard also took more work than expected. We had to make sure the correct run ID reached the browser, manage the SSE connection lifecycle cleanly, avoid false “connection lost” errors, and ensure the GitHub “Details” link always pointed to the right audit.
Accomplishments that we're proud of
Argus doesn’t block based on vibes. It blocks with cited statutes.
If the LLM is unavailable, there’s a deterministic fallback so the gate never silently fails.
And the entire system — webhook, pipeline, and enforcement — runs as a single service. It’s simple and practical, not over-engineered.
What we learned
Compliance works better as a structured pipeline than as one big prompt. Breaking it into intent, research, evidence, and decision made the output more reliable and easier to debug.
We also learned that developer experience matters just as much as correctness. Posting the decision directly on the PR, with clear citations and concrete next steps, made it something teams would actually use instead of ignore.
What's next for Argus
We’re expanding coverage to more jurisdictions and adding configurable risk thresholds, so teams can choose when Argus should warn versus block. We’re also building support for company-specific policy layers, so internal rules can sit on top of the legal framework.
Another focus is industry-specific compliance. Some sectors, like insurance, operate under dense, highly detailed regulations. We’re working toward tailoring Argus for those environments, with support for niche statutes and field-specific requirements instead of just broad privacy laws.
Long term, we want tighter integrations with audit logs and ticketing systems so every block or escalation automatically creates a traceable record for compliance teams.
Built With
- express.js
- github-apps-api
- neo4j
- node.js
- openai-(gpt-4o)
- react
- server-sent
- shadcn/ui
- tailwind-css
- tavily