PILLAR · 04 License

CGF

Sign your compliance like you sign your code.

What it is

The Compliance Graph Format is a portable container for cryptographic evidence about a software artifact. A CGF bundle — .cgfevidence on disk — is a directed graph where every node is typed (Code.File, Model, Dataset, Policy, Endpoint, Risk, Control, Approval, Deploy, Disclosure, …) and every edge is a typed relationship that a claim pack can walk.

Bundles are sealed with Ed25519 multi-signer signatures and optional RFC 3161 trusted timestamps, so a dossier produced today is still verifiable decades from now without trusting the original publisher's infrastructure. v1.0 ships claim packs for the EU AI Act high-risk regime (Articles 9, 13, 15), GDPR Article 30, SOC 2 Common Criteria, and the CGF-JP regional profile.

The whole pipeline is four verbs: ingest → check → bundle → verify.

Why it exists

Compliance today is a parallel universe. Engineers write code in git; compliance teams write Word documents about what the engineers said the code does, and the two never touch. The result is documentation that decays the moment the next commit lands.

CGF folds compliance back into the build. The same key that signs your release tag signs the graph that describes how that release was produced. An auditor with a CGF reader verifies a year of evidence in seconds; an auditor without one still gets a human-readable narrative rendered from the graph, plus a JSON file that needs no vendor software to read.

Two releases produce two bundles, and two bundles produce a structured diff — added models, removed disclosures, changed approvals — so reviews stop starting from zero.

A code example

release-2026-04-12.cgfevidence
# .cgfevidence  (tar+zstd)
# ├── manifest.json
# ├── graph.json          deterministic, content-addressed nodes/edges
# ├── claims.json         structured pack results
# ├── narrative.md        rendered from graph + claims
# ├── signatures/
# │   ├── ed25519-ops@acme.sig
# │   └── ed25519-cto@acme.sig
# └── timestamp/
#     └── freetsa.tsr     RFC 3161 token

{
  "manifest": {
    "format": "cgf",
    "version": "1.0",
    "rootSha256": "9f3a…d27e",
    "createdAt": "2026-04-12T09:14:22Z",
    "ingestor": { "name": "@daitai/cgf", "version": "1.0.0-rc.1" }
  },
  "signatures": [
    { "alg": "Ed25519", "by": "ops@acme", "sig": "2c7b…f441" },
    { "alg": "Ed25519", "by": "cto@acme", "sig": "8e1d…0aa3" }
  ],
  "timestamp": {
    "alg": "RFC3161",
    "tsa": "https://freetsa.org/tsr",
    "time": "2026-04-12T09:14:25Z"
  }
}