CGF in 5 minutes

The Compliance Graph Format turns a codebase into a signed, verifiable compliance graph. Four verbs, one bundle, no spreadsheets.

The pipeline

   ┌──────────┐      ┌───────────┐      ┌───────────┐      ┌───────────┐
   │ Ingest   │ ───► │  Check    │ ───► │  Bundle   │ ───► │  Verify   │
   │ (graph)  │      │ (claims)  │      │ (sign)    │      │ (policy)  │
   └──────────┘      └───────────┘      └───────────┘      └───────────┘
        │                  │                  │                  │
        ▼                  ▼                  ▼                  ▼
   graph.json         check.{md,txt}    dossier.cgfevidence    pass / fail
                      SARIF report      (Ed25519 + TSA)        + violations

The four verbs

cgf ingest                                # → .cgf/graph.json
cgf check                                 # → .cgf/check.{txt,md}
cgf bundle --out dossier.cgfevidence      # signed bundle
cgf verify dossier.cgfevidence            # cryptographic + policy
  • ingest walks your repo and emits a deterministic graph: code files, symbols, models, prompts, datasets, endpoints, policies, controls, risks, evidence, approvals, deploys, actors, disclosures.
  • check runs claim packs (EU AI Act, GDPR Art. 30, SOC 2 CC, CGF-JP) against the graph and writes structured violations.
  • bundle seals the graph + claims + narrative into a single .cgfevidence file with one or more Ed25519 signatures and an optional RFC 3161 timestamp.
  • verify reads any bundle, anywhere, online or offline, and reports whether the signatures, timestamp and trust policy all hold.

The vocabulary

| Concept | What it is | Where it lives |
|---|---|---|
| Graph | Typed nodes + typed edges | .cgf/graph.json |
| Claim pack | Rule set for one regime | src/lib/cgf/claim-packs/ |
| Narrative | Human-readable dossier | cgf narrative |
| Bundle | Signed .cgfevidence | cgf bundle / inspectBundle() |
| Trust Store | Trusted keys + TSAs | .dpw/compliance/trust-store.json |
| Trust Policy | Min signers, must-be-trusted, … | TrustPolicy |
| Policy Preset | Saved TrustPolicy | .dpw/compliance/policy-presets.json |

Why a graph?

Because compliance questions are graph questions:

  • "Which endpoints touch personal data?" — walk Endpoint → reads → Dataset.
  • "Which models lack a risk assessment?" — find Model nodes with no inbound Risk → applies_to edge.
  • "Which deploys were approved by whom?" — walk Approval → gates → Deploy → shipped → Endpoint.

Once the graph is signed, the answers stop being opinion and become evidence. The narrative is rendered from the graph, not the other way around — so it can never disagree with the underlying facts.
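The three questions above, run over a small in-memory typed graph. This is an added example and not CGF project code: the node/edge shape, the `personal` attribute on Dataset nodes and the `approved_by` edge from an Approval to an Actor (used to answer the "by whom" half of the last question) are assumptions, since the real .cgf/graph.json schema is not shown on this page.

```typescript
// Added example, not CGF project code: a minimal in-memory typed graph with the three
// queries from the "Why a graph?" section. The node/edge shape, the `personal` attribute
// on Dataset nodes and the `approved_by` edge to an Actor are assumptions; the real
// .cgf/graph.json schema is not shown on this page.
type NodeType = 'Endpoint' | 'Dataset' | 'Model' | 'Risk' | 'Approval' | 'Deploy' | 'Actor';
type EdgeType = 'reads' | 'applies_to' | 'gates' | 'shipped' | 'approved_by';

interface GNode { id: string; type: NodeType; attrs?: Record<string, string | boolean> }
interface GEdge { from: string; to: string; type: EdgeType }
interface Graph { nodes: GNode[]; edges: GEdge[] }

// Constructed sample graph: one endpoint reads personal data, one model has no risk
// assessment, one deploy is gated by an approval and one deploy was never approved.
const sampleGraph: Graph = {
  nodes: [
    { id: 'ep:/v1/profile', type: 'Endpoint' },
    { id: 'ep:/v1/health', type: 'Endpoint' },
    { id: 'ds:users', type: 'Dataset', attrs: { personal: true } },
    { id: 'ds:metrics', type: 'Dataset', attrs: { personal: false } },
    { id: 'model:ranker-v3', type: 'Model' },
    { id: 'model:spam-v1', type: 'Model' },
    { id: 'risk:R-12', type: 'Risk' },
    { id: 'approval:A-7', type: 'Approval' },
    { id: 'actor:alice', type: 'Actor' },
    { id: 'deploy:2024-05-02', type: 'Deploy' },
    { id: 'deploy:2024-05-09', type: 'Deploy' },
  ],
  edges: [
    { from: 'ep:/v1/profile', to: 'ds:users', type: 'reads' },
    { from: 'ep:/v1/health', to: 'ds:metrics', type: 'reads' },
    { from: 'risk:R-12', to: 'model:ranker-v3', type: 'applies_to' },
    { from: 'approval:A-7', to: 'deploy:2024-05-02', type: 'gates' },
    { from: 'approval:A-7', to: 'actor:alice', type: 'approved_by' },
    { from: 'deploy:2024-05-02', to: 'ep:/v1/profile', type: 'shipped' },
    { from: 'deploy:2024-05-09', to: 'ep:/v1/health', type: 'shipped' },
  ],
};

// Adjacency helpers: outbound / inbound neighbours over one edge type.
function outbound(g: Graph, from: string, type: EdgeType): string[] {
  return g.edges.filter(e => e.from === from && e.type === type).map(e => e.to);
}
function inbound(g: Graph, to: string, type: EdgeType): string[] {
  return g.edges.filter(e => e.to === to && e.type === type).map(e => e.from);
}
function byType(g: Graph, type: NodeType): GNode[] {
  return g.nodes.filter(n => n.type === type);
}
function nodeById(g: Graph, id: string): GNode | undefined {
  return g.nodes.find(n => n.id === id);
}

// "Which endpoints touch personal data?": Endpoint -reads-> Dataset with personal = true.
function endpointsTouchingPersonalData(g: Graph): string[] {
  return byType(g, 'Endpoint')
    .filter(ep => outbound(g, ep.id, 'reads')
      .some(ds => nodeById(g, ds)?.attrs?.personal === true))
    .map(ep => ep.id);
}

// "Which models lack a risk assessment?": Model with no inbound applies_to edge.
function modelsWithoutRisk(g: Graph): string[] {
  return byType(g, 'Model')
    .filter(m => inbound(g, m.id, 'applies_to').length === 0)
    .map(m => m.id);
}

// "Which deploys were approved by whom?": Approval -gates-> Deploy -shipped-> Endpoint,
// plus the assumed Approval -approved_by-> Actor edge to name the approver.
// A deploy whose `approvals` list is empty shipped without a gate.
interface DeployApproval { deploy: string; approvals: string[]; approvedBy: string[]; endpoints: string[] }
function deployApprovals(g: Graph): DeployApproval[] {
  return byType(g, 'Deploy').map(d => {
    const approvals = inbound(g, d.id, 'gates');
    return {
      deploy: d.id,
      approvals,
      approvedBy: approvals.flatMap(a => outbound(g, a, 'approved_by')),
      endpoints: outbound(g, d.id, 'shipped'),
    };
  });
}

console.log(endpointsTouchingPersonalData(sampleGraph)); // [ 'ep:/v1/profile' ]
console.log(modelsWithoutRisk(sampleGraph));             // [ 'model:spam-v1' ]
console.log(deployApprovals(sampleGraph));
```

Each query is a filter over typed edges rather than a search through source text, which is what makes the answers reproducible: the same signed graph.json yields the same answer for anyone who runs it. A claim pack rule is the same idea with a regime-specific predicate (here, "Dataset with personal = true") and a structured violation instead of a console line.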

TypeScript API

import {
  ingest, runClaims, renderNarrative,
  BundleBuilder, verifyWithPolicy, TrustStore,
} from '@/lib/cgf';

// `root` (the repo to ingest), `privateKey` (an Ed25519 signing key) and `trustStore`
// (a loaded TrustStore, see .dpw/compliance/trust-store.json) are supplied by the caller.
const graph     = await ingest(root);                  // same walk as `cgf ingest`
const claims    = await runClaims(graph);              // same claim packs as `cgf check`
const narrative = renderNarrative({ graph, claims }, { format: 'md' });

const bytes = await new BundleBuilder()
  .withGraph(graph)
  .withClaims(claims)
  .withNarrative(narrative)
  .signEd25519(privateKey)                             // one Ed25519 signature
  .timestamp('https://freetsa.org/tsr')                // optional RFC 3161 timestamp
  .build();                                            // the .cgfevidence bytes

// Note: this policy demands two trusted signers, but the bundle built above carries
// a single signature, so it would fail here. Co-sign with a second trusted key before
// verifying against it, or set minSigners: 1 for a single-signer workflow.
const result = await verifyWithPolicy(bytes, trustStore, {
  minSigners: 2,
  requireAllTrusted: true,
  requireTimestamp: true,
});
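To make the three policy knobs concrete, here is a toy signed bundle and a policy checker over real Ed25519 signatures from node:crypto. This is an added example, not the CGF library's BundleBuilder or verifyWithPolicy: the bundle layout (payload string plus a list of signatures carrying their public key), the key-id scheme (truncated SHA-256 of the SPKI PEM), the policy semantics (only distinct trusted keys count towards minSigners; requireAllTrusted rejects any signature from an unknown key) and the timestamp handling (presence only, no RFC 3161 token parsing) are all assumptions chosen for the illustration.

```typescript
// Added example, not CGF library code: a toy signed bundle plus a trust-policy checker.
// Bundle layout, key-id scheme, policy semantics and timestamp handling are assumptions;
// the real .cgfevidence format and verifyWithPolicy semantics are not shown on this page.
import { createHash, createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

interface BundleSignature { keyId: string; publicKey: string; sig: string } // sig is base64
interface Bundle { payload: string; signatures: BundleSignature[]; timestamp?: string }
interface TrustPolicy { minSigners: number; requireAllTrusted: boolean; requireTimestamp: boolean }
interface VerifyResult { ok: boolean; signers: string[]; violations: string[] }

function spkiPem(pub: KeyObject): string {
  return pub.export({ type: 'spki', format: 'pem' }).toString();
}
// Assumed key-id scheme: first 16 hex chars of SHA-256 over the SPKI PEM.
function keyIdOf(pubPem: string): string {
  return createHash('sha256').update(pubPem).digest('hex').slice(0, 16);
}

// Every signer signs the same payload bytes; the public key travels with the signature
// so an offline verifier can check it and then decide whether that key is trusted.
function signBundle(payload: object, signers: KeyObject[], timestamp?: string): Bundle {
  const canonical = JSON.stringify(payload); // a real format would use canonical JSON
  const bytes = Buffer.from(canonical);
  const signatures = signers.map(priv => {
    const publicKey = spkiPem(createPublicKey(priv));
    return { keyId: keyIdOf(publicKey), publicKey, sig: sign(null, bytes, priv).toString('base64') };
  });
  return { payload: canonical, signatures, timestamp };
}

// Assumed policy semantics: every signature must verify; only distinct keys found in the
// trust store count towards minSigners (one key signing twice is one signer);
// requireAllTrusted additionally rejects any signature from a key outside the store.
function verifyBundleAgainstPolicy(b: Bundle, trusted: Set<string>, policy: TrustPolicy): VerifyResult {
  const violations: string[] = [];
  const bytes = Buffer.from(b.payload);
  const signers = new Set<string>();
  for (const s of b.signatures) {
    if (keyIdOf(s.publicKey) !== s.keyId) { violations.push(`key id ${s.keyId} does not match embedded key`); continue; }
    if (!verify(null, bytes, createPublicKey(s.publicKey), Buffer.from(s.sig, 'base64'))) {
      violations.push(`invalid signature by ${s.keyId}`); continue;
    }
    if (!trusted.has(s.keyId)) {
      if (policy.requireAllTrusted) violations.push(`signer ${s.keyId} is not in the trust store`);
      continue;
    }
    signers.add(s.keyId);
  }
  if (signers.size < policy.minSigners) violations.push(`${signers.size} trusted signer(s), policy needs ${policy.minSigners}`);
  if (policy.requireTimestamp && !b.timestamp) violations.push('no RFC 3161 timestamp present');
  return { ok: violations.length === 0, signers: Array.from(signers), violations };
}

// Constructed scenario: two trusted signers, one unknown key, a strict policy.
const alice = generateKeyPairSync('ed25519');
const bob = generateKeyPairSync('ed25519');
const mallory = generateKeyPairSync('ed25519');
const trustStore = new Set([keyIdOf(spkiPem(alice.publicKey)), keyIdOf(spkiPem(bob.publicKey))]);
const strictPolicy: TrustPolicy = { minSigners: 2, requireAllTrusted: true, requireTimestamp: true };
const samplePayload = { graph: { nodes: 12, edges: 9 }, claims: [{ rule: 'GDPR-30', status: 'pass' }] };
const ts = '2024-05-02T10:00:00Z'; // stands in for a real RFC 3161 token

const good = signBundle(samplePayload, [alice.privateKey, bob.privateKey], ts);
const tampered: Bundle = { ...good, payload: good.payload.replace('"pass"', '"fail"') };
const single = signBundle(samplePayload, [alice.privateKey], ts);
const twiceSame = signBundle(samplePayload, [alice.privateKey, alice.privateKey], ts);
const withStranger = signBundle(samplePayload, [alice.privateKey, bob.privateKey, mallory.privateKey], ts);

console.log(verifyBundleAgainstPolicy(good, trustStore, strictPolicy).ok);             // true
console.log(verifyBundleAgainstPolicy(tampered, trustStore, strictPolicy).violations);  // invalid signatures
console.log(verifyBundleAgainstPolicy(twiceSame, trustStore, strictPolicy).violations); // 1 trusted signer
console.log(verifyBundleAgainstPolicy(withStranger, trustStore, strictPolicy).violations); // untrusted signer
```

The cases worth keeping in mind when you write a policy: a flipped claim status invalidates every signature over the payload, not just one; the same key signing twice must not satisfy minSigners: 2; and a valid signature from a key that is not in your trust store is either ignored or fatal depending on requireAllTrusted, so that flag is what stops a "co-signed by a stranger" bundle from sailing through.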

Reading next