2026-05-02 · cgf / release
CGF v1.0 is here
Code Daimyo — May 2026
Compliance in 2026 is still mostly a PDF problem. A team builds a feature, ships a model, deploys an endpoint — and somewhere, in a different tool, a different team takes screenshots, fills out a spreadsheet, and emails an auditor. Six months later nobody can reconstruct what was true on the day of the release.
We think that's absurd. Code has Git, signatures, reproducible builds and diffs. Compliance evidence deserves the same primitives. That's what CGF — Compliance Graph Format — is, and today we are releasing v1.0.
What CGF is
A small, opinionated toolchain that turns a codebase into a signed, verifiable compliance graph:
- Graph — code files, symbols, models, prompts, datasets, endpoints, policies, controls, risks, evidence, approvals, deploys, actors and disclosures, with typed edges between them.
- Claim packs — pluggable rule sets for regimes like EU AI Act (Articles 9, 13, 15), GDPR Article 30 and SOC 2 Common Criteria.
- Bundle — a single `.cgfevidence` file with Ed25519 signatures and RFC 3161 timestamps. Verifiable on any machine, online or offline.
- Trust store + policy presets — local key registry and reusable policy invariants (min signers, must-be-trusted, timestamp required, …).
Four verbs: ingest → check → bundle → verify.
Why a graph?
Because compliance questions are graph questions:
- "Which endpoints touch personal data?" — walk `Endpoint → reads → Dataset`.
- "Which models lack a risk assessment?" — find `Model` nodes with no inbound `Risk → applies_to` edge.
- "Which deploys were approved by whom?" — `Approval → gates → Deploy → shipped → Endpoint`.
Once the graph is signed, the answers become evidence, not opinion.
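The three questions above, run against a small typed-edge graph. This is an added illustration, not CGF's own data model or code: the in-memory `Graph` class, the node/edge tuples and the sample nodes (`/v1/score`, `scorer-v2`, `d-42`, the "personal" dataset flag) are assumptions made here for the example.

```python
# Added example (not CGF's own implementation): a minimal typed-edge graph
# using the node types and edge labels named in the post, plus the three queries.
from collections import defaultdict

class Graph:
    """Nodes are (type, name) tuples; edges are (src, label, dst) triples."""
    def __init__(self):
        self.nodes = set()
        self.out = defaultdict(list)   # src -> [(label, dst)]
        self.inc = defaultdict(list)   # dst -> [(label, src)]

    def add_node(self, node):
        self.nodes.add(node)

    def add_edge(self, src, label, dst):
        self.nodes.update((src, dst))
        self.out[src].append((label, dst))
        self.inc[dst].append((label, src))

    def of_type(self, ntype):
        return sorted(n for n in self.nodes if n[0] == ntype)

    def walk(self, node, *labels):
        """Follow a fixed chain of edge labels from node; return the end nodes."""
        frontier = {node}
        for label in labels:
            frontier = {dst for n in frontier for lab, dst in self.out[n] if lab == label}
        return frontier

# Constructed sample graph (assumption: personal-data datasets are flagged in a set).
PERSONAL = {("Dataset", "customers")}
g = Graph()
g.add_edge(("Endpoint", "/v1/score"), "reads", ("Dataset", "customers"))
g.add_edge(("Endpoint", "/v1/health"), "reads", ("Dataset", "metrics"))
g.add_edge(("Risk", "R-7"), "applies_to", ("Model", "scorer-v2"))
g.add_node(("Model", "heartbeat"))                      # no risk assessment attached
g.add_edge(("Approval", "alice@2026-05-01"), "gates", ("Deploy", "d-42"))
g.add_edge(("Deploy", "d-42"), "shipped", ("Endpoint", "/v1/score"))

def endpoints_touching_personal_data(g):
    # Endpoint -> reads -> Dataset, keep endpoints whose walk lands on a personal dataset
    return sorted(e[1] for e in g.of_type("Endpoint") if g.walk(e, "reads") & PERSONAL)

def models_without_risk_assessment(g):
    # Model nodes with no inbound Risk -> applies_to edge
    return sorted(m[1] for m in g.of_type("Model")
                  if not any(lab == "applies_to" and s[0] == "Risk" for lab, s in g.inc[m]))

def approvals_per_endpoint(g):
    # Approval -> gates -> Deploy -> shipped -> Endpoint, inverted to endpoint -> approvers
    result = defaultdict(set)
    for a in g.of_type("Approval"):
        for ep in g.walk(a, "gates", "shipped"):
            result[ep[1]].add(a[1])
    return {k: sorted(v) for k, v in result.items()}
```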
What's in v1.0
- Full EU AI Act high-risk pack — Articles 9, 13 and 15 with structured violations and human-readable narratives.
- Multi-signer Ed25519 signing with optional RFC 3161 timestamps from any TSA you trust.
- Trust Store with export/import — move trust between laptops, CI runners and air-gapped audit machines with one JSON file.
- Bundle Inspector UI with drag-and-drop for `.cgfevidence` files and a baseline ↔ head diff view.
- Bundle Creator wizard — five steps from source to signed bundle.
- Policy presets — built-in (Open, Minimal trust, EU AI Act high-risk, Banking grade) and user-defined.
- `cgf doctor` for end-to-end health checks.
- 206 / 206 tests passing.
Try it
cgf ingest
cgf check
cgf bundle --out dossier.cgfevidence
cgf verify dossier.cgfevidence
Or open DPW, drop a .cgfevidence file into the Bundle Inspector, and watch the diff appear.
What's next
- CI-native verification — GitHub Action and GitLab template so PRs fail when compliance regresses.
- Compliance Portal — a hosted viewer for auditors that consumes `.cgfevidence` bundles directly.
- Connector packs — first-class ingestors for the most common ML experiment trackers, feature stores and policy engines.
- daitai-algebra integration — invariants you can actually prove, not just assert.
If your team ships AI products under the EU AI Act, or you are tired of screenshotting your way through a SOC 2 audit, we would love your feedback.
— The Code Daimyo team