March 3, 2026
Tamper tantrum over AI receipts
Show HN: Open-Source Article 12 Logging Infrastructure for the EU AI Act
Dev drops an AI 'black box' for EU rules; commenters cry 'hashes aren’t enough'
TLDR: A dev shipped a simple open-source logger to meet the EU AI Act’s audit requirements, chaining events to spot edits. The community’s hottest take: hash chains alone won’t cut it—add trusted timestamps—sparking a debate over whether “good enough” auditing satisfies the law and real-world tampering risks.
A developer just unveiled a free, open-source tool to help companies obey the EU’s new AI reporting rules—think a tamper-detecting diary for every AI decision. The EU AI Act’s Article 12 requires automatic event recording and six-month retention for high‑risk systems, so this library wraps your AI model, logs every call to structured files, chains entries with SHA‑256 for tamper detection, and even includes a CLI to replay what happened. There’s a coverage check for missing events too. Full details live in their blog and repo: systima.ai.
But the comment section wasted zero time poking holes. The top vibe: “Hashes aren’t a lie detector.” One user warned that anyone can forge an alternative hash chain and pressed for external timestamps like OpenTimestamps to lock logs to reality. Cue the classic internet split: compliance folks cheering a practical, plug‑and‑play “paper trail,” while skeptics rolled eyes at yet another “blockchain-but-not” moment. The memes flew—“AI receipts,” “EU’s Ring camera for robots,” and “append-only, but make it boring.” The real drama? Whether the law demands truly tamper‑proof logs or just “good enough” auditing. In short, it’s a clever tool, but the crowd wants proof-of-time, not just hashes.
Key Points
- Article 12 of the EU AI Act requires automatic event recording and six-month retention for high-risk AI systems starting in August.
- The author built a free, open-source TypeScript library for Node apps using the Vercel AI SDK to meet these requirements.
- The library logs every inference to JSONL in an S3 bucket, chains entries with SHA-256 for tamper detection, and enforces a 180-day retention floor.
- A CLI is provided to reconstruct specific AI decisions and verify log integrity; a coverage command flags likely logging gaps.
- The tool is simple (TS, Vercel AI SDK middleware, S3 or local filesystem, linear hash chaining) and works with the Mastra framework; a blog post links to the repo.
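To make the commenters' objection concrete, here is an added sketch (not the project's code) of a linear SHA-256 chain over log entries: an in-place edit breaks verification, but a chain recomputed from the altered entries verifies cleanly unless the head hash was committed somewhere outside the writer's control. The entry shape, function names and sample events are assumptions, and `anchoredHead` only stands in for an external timestamp proof such as the OpenTimestamps one suggested in the thread.

```typescript
import { createHash } from "node:crypto";

// Hypothetical entry shape (one JSONL line each); the library's real schema is not shown here.
type Entry = { seq: number; ts: string; event: string; prevHash: string; hash: string };
const GENESIS = "0".repeat(64);

// Digest over a fixed field order so verification is reproducible.
function entryHash(e: Omit<Entry, "hash">): string {
  const canonical = JSON.stringify([e.seq, e.ts, e.event, e.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

function append(log: Entry[], ts: string, event: string): Entry[] {
  const prevHash = log.length > 0 ? log[log.length - 1].hash : GENESIS;
  const body = { seq: log.length, ts, event, prevHash };
  return [...log, { ...body, hash: entryHash(body) }];
}

// Index of the first entry that fails the chain check, or -1 if the chain is self-consistent.
function firstBreak(log: Entry[]): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { hash, ...body } = log[i];
    if (body.seq !== i || body.prevHash !== prev || entryHash(body) !== hash) return i;
    prev = hash;
  }
  return -1;
}

// Also require the head to match a value committed outside the log writer's control.
function verifyAnchored(log: Entry[], anchoredHead: string): boolean {
  return log.length > 0 && firstBreak(log) === -1 && log[log.length - 1].hash === anchoredHead;
}

// Constructed sample events, not real log data.
const events: [string, string][] = [
  ["2026-03-01T10:00:00Z", "inference id=1 decision=approve"],
  ["2026-03-01T10:05:00Z", "inference id=2 decision=deny"],
  ["2026-03-01T10:09:00Z", "inference id=3 decision=approve"],
];
const original = events.reduce((log, [ts, ev]) => append(log, ts, ev), [] as Entry[]);
const anchoredHead = original[original.length - 1].hash; // stands in for an externally timestamped commitment

// Case 1: one entry changed in place. Case 2: the whole chain recomputed after the change.
const edited = original.map((e, i) => (i === 1 ? { ...e, event: "inference id=2 decision=approve" } : e));
const rewritten = edited.reduce((log, e) => append(log, e.ts, e.event), [] as Entry[]);

console.log(firstBreak(edited), firstBreak(rewritten), verifyAnchored(rewritten, anchoredHead));
```

The chain on its own shows that the file is internally consistent; only the comparison against the externally held head ties it to what was actually written at the time.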