Production & publishing
- Legal framing (read this)
- Handling data & PII
- Installing
- Documentation site (GitHub Pages)
- Performance & cost
Legal framing (read this)
This toolkit is a due-diligence aid, not a compliance product. It does not make you “AML compliant”. Sanctions/VAT results are deterministic facts; the AI is advisory and never decides hard pass/fail. Always keep a human in the loop where the outcome requires review.
Operationalise that: act on requiresHumanReview(), route flagged counterparties to a person, and keep the due-diligence proof (CheckResult::$proofId + timestamp) for your records.
Handling data & PII
- The library persists only a proof identifier + timestamp in CheckResult; it does not silently store PII. Adapters keep the provider's raw payload in raw - avoid putting unnecessary PII there in custom drivers.
- The AI cache key is Counterparty::fingerprint() (a hash of normalised identifiers, no display name).
- Some credentials embed personal data (a CEIDG bearer token contains a PESEL) - treat them as secrets and rotate any that leak.
Installing
All four packages are published on Packagist under the gawrys/ vendor with lockstep ^0.1 versions, so a plain composer require resolves them - no extra repositories entries needed:
composer require gawrys/counterparty-core
composer require gawrys/counterparty-ai # optional advisory AI
composer require gawrys/counterparty-laravel # Laravel bridge
composer require gawrys/counterparty-bundle # Symfony bundle
Pin the constraint you want (^0.1) and let Composer handle updates. Releasing and publishing new versions is covered in Contributing - it's a maintainer concern.
Documentation site (GitHub Pages)
The docs are a Jekyll + just-the-docs site. On a private repo, GitHub Pages requires a paid plan (Pro/Team); the published site is public regardless (Enterprise can restrict it). On the free plan the docs repo must be public.
Performance & cost
- Cache AI results (PSR-16) - already keyed by counterparty + report + prompt version.
- Use a cheap model for triage and a stronger one only for flagged cases.
- Registry/sanctions HTTP calls dominate latency; run verification asynchronously for user-facing flows and consider a short-TTL cache in front of your PSR-18 client.
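As an added illustration of the two points above (a PII-free fingerprint, and an AI cache key made of counterparty + report + prompt version), the following is example code written for this page, not the library's own Counterparty::fingerprint() implementation; the function names, identifier keys and sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Example only: sketches the fingerprint/cache-key scheme described in the docs.
// Function names and identifier keys are assumptions, not the library's API.

/** Normalise registry identifiers so formatting differences do not split the cache. */
function normaliseIdentifiers(array $ids): array
{
    $out = [];
    foreach ($ids as $kind => $value) {
        // Strip separators and whitespace, uppercase country-prefixed VAT ids.
        $clean = strtoupper(preg_replace('/[\s\-\.]/', '', (string) $value));
        if ($clean !== '') {
            $out[strtolower((string) $kind)] = $clean;
        }
    }
    ksort($out); // stable key order: same identifiers => same hash
    return $out;
}

/** Opaque fingerprint: sha256 over normalised identifiers; the display name is never included. */
function buildFingerprint(array $ids): string
{
    return hash('sha256', json_encode(normaliseIdentifiers($ids), JSON_THROW_ON_ERROR));
}

/** Cache key = fingerprint + report kind + prompt version; bump the version to invalidate old verdicts. */
function aiCacheKey(string $fingerprint, string $report, string $promptVersion): string
{
    // Hashing the triple keeps the key at 64 hex chars, which PSR-16 implementations
    // must accept, and avoids the characters PSR-16 reserves ({}()/\@:).
    return hash('sha256', $fingerprint . '|' . $report . '|' . $promptVersion);
}

// Constructed sample: two spellings of the same counterparty yield one fingerprint,
// so a changed display name or punctuation never causes a second AI call.
$a = buildFingerprint(['nip' => '123-456-32-18', 'vat' => 'pl 1234563218']);
$b = buildFingerprint(['NIP' => '1234563218', 'VAT' => 'PL1234563218']);
assert($a === $b);

$key = aiCacheKey($a, 'sanctions', 'v3');
echo $key, PHP_EOL;

// With any PSR-16 cache ($cache is a Psr\SimpleCache\CacheInterface, assumed here):
// $verdict = $cache->get($key) ?? runAdvisoryAi($counterparty); // runAdvisoryAi is hypothetical
// $cache->set($key, $verdict, 86400);
```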