Releases: konjoai/squash
v3.1.0
v3.0.2 - Konjo Edition Demo v2: Real Ollama Models, Side-by-Side, Animated
squash-ai v3.0.2: Complete overhaul of squash demo. Scans real Ollama GGUF models (smollm, qwen2.5, qwen3, tinyllama), dual-framework comparison EU AI Act vs NIST AI RMF, animated ASCII banner, side-by-side Rich table, file accordions in HTML report, interactive demo panels.
v3.0.1 - Konjo Edition Demo + CI fixes
squash-ai v3.0.1
Patch release shipping the Konjo Edition demo overhaul and all CI gate fixes from the v3.0.0 tag.
Fixed
- `squash demo` crash on Python 3.12+: duplicate `diff`/`webhook` subparser conflict
- Demo output directory vanishing (temp dir deleted before user could open it)
- mypy strict gate failures in CI (unused `type: ignore`, `risk.py` type annotations)
- Nightly OSV-Scanner `@v1` tag deleted upstream; bumped to `@v2.0.2`
- PyPI publish rejected SBOM `.cdx.json` as invalid distribution format
- SLSA `upload-assets` Server Error when triggered via `workflow_dispatch`
Added: Konjo Edition Demo
- Animated four-act CLI: Setup → Scan → Verdict → Output
- Output persists at `~/Desktop/squash-demo/TIMESTAMP/` and is never deleted
- HTML compliance report auto-opens in browser; Finder/Explorer opens output folder
- `squash/demo_report.py`: self-contained 15 KB HTML executive summary with Konjo aesthetic
- `--no-open`, `--no-color`, `--explore` flags; `[demo]` optional-dep group for Rich
Install
```bash
pip install squash-ai==3.0.1
# With animated CLI colors:
pip install "squash-ai[demo]==3.0.1"
```
v3.0.0 - Bulletproof Edition (Phase G)
squash-ai v3.0.0 - Bulletproof Edition
Major release. Every Tier-0/1 attestation is now byte-identical on rerun, every signed payload flows through RFC 8785 canonical JSON, every cert ID is deterministic (uuid5, never uuid4), every clock is injectable, and every release wheel + Docker image carries SLSA Build Level 3 provenance verifiable end-to-end via `squash self-verify`.
Highlights
Cryptographic primitives (Phase G.2–G.3)
- `squash/canon.py`: RFC 8785 (JCS) canonical JSON encoder with rfc8785 library + stdlib fallback
- `squash/clock.py`: injectable Clock protocol; `with_clock()` context manager
- `squash/ids.py`: `deterministic_uuid(payload)` → uuid5, `cert_id()` → 16-hex suffix
- `squash/input_manifest.py`: SHA-256 every file before analysis (Step 0)
- `squash/tsa.py`: RFC 3161 trusted-timestamp client (hand-rolled DER encoder)
- `squash/self_verify.py`: full chain walker: input_manifest → canonical body → Ed25519 → RFC 3161 → SLSA
- CLI: `squash self-verify`, `squash verify --check-timestamp`

134 new Phase-G tests: property, negative, edge, concurrency, security, snapshot suites + 2 atheris fuzz harnesses (100K iterations nightly). 5,362 tests total.

CI gates rebuilt: 6-job CI (test 3.10/3.11/3.12 · coverage · reproducibility · mypy strict · security · SBOM), nightly mutation/fuzz/OSV/perf, SLSA publish pipeline.

Demo Day package: `squash demo --walkthrough` / `squash demo --server`; `demo/server.py` boots in <1.2 s, `demo/index.html` with 5 live interactive panels.

Reproducibility killer fix: `data_lineage.py:252` `cert_id` no longer mixes `datetime.now()` into the hash input.
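The determinism properties listed above (canonical serialization, uuid5 IDs, an injectable clock, and keeping `datetime.now()` out of the hash input), sketched as an added example. This is not squash's code: `canonical_bytes`, `deterministic_id`, `leaky_id`, `FixedClock`, `build_attestation` and the namespace UUID are hypothetical, and the stdlib serializer only approximates RFC 8785 for simple payloads.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Hypothetical namespace for this sketch, not a value taken from squash.
EXAMPLE_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/attestation")

def canonical_bytes(payload):
    """Sorted keys, no whitespace, UTF-8. Matches RFC 8785 only for simple
    payloads (strings, small ints, bools, lists, ASCII-keyed dicts)."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def deterministic_id(body):
    """uuid5 over the SHA-256 of the canonical body: same body, same ID."""
    digest = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return str(uuid.uuid5(EXAMPLE_NS, digest))

def leaky_id(body, now):
    """Failure mode: the timestamp is in the hash input, so the ID changes
    on every rerun of the same body."""
    material = canonical_bytes(body) + now.isoformat().encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:16]

class FixedClock:
    """Injectable clock: callers ask it for the time, so reruns can pin it."""
    def __init__(self, instant):
        self._instant = instant

    def now(self):
        return self._instant

def build_attestation(files, clock):
    """Hash every input first, derive the ID from the body alone, and keep
    the timestamp outside the ID's hash input."""
    manifest = {name: hashlib.sha256(data).hexdigest()
                for name, data in files.items()}
    body = {"input_manifest": manifest, "policy": "eu-ai-act"}
    return {"body": body, "cert_id": deterministic_id(body),
            "issued_at": clock.now().isoformat()}

# Constructed sample inputs (file names and contents are made up).
SAMPLE_FILES = {"model.gguf": b"\x00weights", "config.json": b'{"layers": 2}'}
T1 = FixedClock(datetime(2026, 1, 1, tzinfo=timezone.utc))
T2 = FixedClock(datetime(2026, 1, 2, tzinfo=timezone.utc))
```

With the clock pinned, two runs over the same files serialize to identical bytes; changing only the clock changes `issued_at` but not `cert_id`.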
CI fixes included in this tag
- Resolved argparse `conflicting subparser` crash on Python 3.12+ (`diff` → `sbom-diff`, `webhook` → `k8s-webhook`)
- Fixed 5 unused `type: ignore` comments (mypy strict gate)
- Fixed `risk.py` type annotations (`dict` → `dict[str, Any]`)
- Updated OSV-Scanner action from deleted `@v1` to `@v2.0.2`
- Added `build-wheel.yml`: pre-built wheel artefact on every push
Install
```bash
pip install squash-ai==3.0.0
# or (faster)
uv pip install squash-ai==3.0.0
```
Verify SLSA provenance
```bash
gh attestation verify squash_ai-3.0.0-py3-none-any.whl --repo konjoai/squash
```
Full changelog: https://github.com/konjoai/squash/blob/main/CHANGELOG.md
v2.7.0 - AI Compliance Infrastructure: Full Enterprise Stack
squash-ai v2.7.0
Squash violations, not velocity.
93 days to EU AI Act enforcement: August 2, 2026.
```bash
pip install squash-ai
```
What is squash?
Squash is AI compliance as code. It runs in your CI pipeline, attests every model you ship, and generates cryptographically signed compliance artifacts that regulators, auditors, and procurement teams accept as proof. One command covers EU AI Act Annex IV, NIST AI RMF, ISO 42001, GDPR, FedRAMP, Colorado AI Act, NYC Local Law 144, SEC AI disclosure requirements, and more.
What's in v2.7.0
This release completes the full enterprise compliance stack across four parallel tracks, adding 12 new modules and over 1,400 new tests since v1.4.0.
C1 - `squash freeze` - Emergency Response Orchestrator
The red button. One command revokes an attestation, blocks GitOps deployment via ArgoCD/Flux webhook, fires Slack/Teams/webhook alerts to all configured channels, and generates an EU AI Act Article 73 regulatory incident disclosure draft. Atomically orchestrates five existing subsystems. Exit codes map directly to incident severity for CI/CD integration.
```bash
squash freeze --attestation-id att://acme/fraud-detector --reason "drift breach" --severity critical
```
D1 - GitHub App - Auto-Attest Check Runs
Install once at the GitHub organization level. Every pull request that touches a model file gets an automatic squash attestation as a Check Run: pass/fail status, policy verdict table, and a block on merge if compliance fails. Turns one champion into a company-wide deployment without a sales call.
D2 - AI Identity Attestation
92% of organizations lack visibility into their AI identities. squash attest-identity verifies AI agent OAuth scopes, least-privilege policy, and token rotation schedules against Okta, Azure Active Directory, and AWS IAM. Generates a signed identity attestation mapping directly to NIST AI RMF GOVERN and EU AI Act Article 9.
D3 - Procurement Scoring API
`GET /v1/score/{vendor}`: a structured compliance score for any organization that has published Trust Packages to the squash attestation registry. The compliance credit score for AI. Embeds into GRC platforms, M&A due diligence workflows, and procurement tools.
D4 - Multi-Jurisdiction Compliance Matrix
A multinational LLM deployment touches 6+ jurisdictions on average. Today the legal mapping is a one-week consulting engagement per deployment. `squash compliance-matrix --regions eu,us,uk,sg,ca` produces a (requirement × jurisdiction) matrix in under 30 seconds, covering 11 jurisdictions, 15 requirements, 9 regulatory frameworks, with a greedy gap analyser that sequences remediation by coverage-per-fix.
```bash
squash compliance-matrix --regions eu,us,uk,sg --models ./models/ --remediation --fail-on-gap
```
D5 - Industry Compliance Benchmarking
"How do we compare?" Every enterprise QBR asks this question. squash industry-benchmark places your compliance profile against 8 curated sector baselines (n=2,124, sourced from KPMG/Accenture/MIT Sloan/Clifford Chance) using Gaussian CDF percentile placement with k-anonymity (MIN_K=5) and differential privacy noise.
```bash
squash industry-benchmark report --sector financial-services
# → Your EU AI Act score: 84th percentile. FS average: 71st. Gap to top quartile: 3 controls.
```
D6 - SOC 2 Type II Evidence Bundle
`squash soc2 --generate-evidence` assembles an auditor-ready evidence bundle mapping existing squash attestation artifacts to SOC 2 trust service criteria. Not a substitute for a licensed CPA audit, but the single feature that makes enterprise procurement conversations possible.
Full Changelog Since v1.4.0
| Version | Feature | Track |
|---|---|---|
| 2.7.0 | Industry Compliance Benchmarking | D5 |
| 2.6.0 | Multi-Jurisdiction Compliance Matrix (11 jurisdictions) | D4 |
| 2.5.0 | GitHub App - Auto-Attest Check Runs | D1 |
| 2.4.0 | squash freeze Emergency Response Orchestrator | C1 |
| 2.3.0 | AI Identity Attestation (Okta / Azure AD / AWS IAM) | D2 |
| 2.2.0 | Runtime Hallucination Monitor (EU AI Act Art. 9) | C10 |
| 2.1.0 | Hallucination Rate Attestation ($67.4B headline) | C7 |
| 2.0.0 | AI Washing Detection (SEC examination priority) | C2 |
| 1.16.0 | Model Genealogy + Copyright Contamination Cert | C11 |
| 1.15.0 | AI Insurance Risk Package (Munich Re / Coalition) | C6 |
| 1.15.0 | Carbon / Energy Attestation (CSRD Scope 2/3) | C9 |
| 1.14.0 | Regulatory Audit Simulation (110-question mock exam) | C5 |
| 1.13.0 | Regulatory Watch Daemon (SEC/NIST/EUR-Lex live) | C4 |
| 1.12.0 | Model Deprecation Watch | C8 |
| 1.11.0 | AI Identity Attestation foundations | D2 |
| 1.10.0 | Procurement Scoring API | D3 |
| 1.9.0 | LoRA / Adapter Poisoning Detection | B8 |
| 1.9.0 | License Conflict Detector (200+ LLM licenses) | B10 |
| 1.9.0 | Data Poisoning + Pipeline Integrity Attestation | B9 |
| 1.9.0 | Blockchain Anchoring (Ethereum OP_RETURN) | B6 |
| 1.9.0 | Drift SLA Certificate (PSI/KS monitoring) | B7 |
| 1.8.0 | Terraform + Pulumi Provider (Go) | B4 |
| 1.8.0 | Chain + Pipeline Attestation (LangChain, RAG, agents) | Sprint 11 |
| 1.8.0 | Registry Auto-Attest Gates (MLflow / W&B / SageMaker) | Sprint 12 |
| 1.8.0 | Startup + Team + Enterprise pricing tiers | Sprint 13 |
By the Numbers
| Metric | Count |
|---|---|
| Python modules | 85 |
| Tests passing | 5,290 |
| CLI commands | 28+ |
| Integrations | 30+ |
| Regulatory frameworks | 14 |
| Jurisdictions covered | 11 |
Key Integrations
CI/CD: GitHub Actions · GitLab CI · Jenkins · CircleCI · Azure DevOps · ArgoCD · Flux
ML: MLflow · Weights & Biases · HuggingFace · SageMaker · Vertex AI · LangChain
IaC: Terraform provider (Go) · Pulumi (Python + TypeScript) · Helm chart
API Gateways: Kong · AWS API Gateway · FastAPI middleware · Django middleware
Observability: Prometheus /metrics · OpenTelemetry · Datadog · Honeycomb · Jaeger
Notifications: Slack · Teams · JIRA · Linear · GitHub Issues · HMAC webhooks
IAM: Okta Β· Azure Active Directory Β· AWS IAM
Quick Start
```bash
pip install squash-ai
# Zero-install demo
squash demo
# Attest a model against EU AI Act, sign, and publish
squash attest ./models/my-model --policy eu-ai-act --sign --publish
# Scan any HuggingFace model before downloading
squash scan hf://microsoft/phi-3-mini-4k-instruct
# Multi-jurisdiction compliance matrix
squash compliance-matrix --regions eu,us,uk --models ./models/ --remediation
# Emergency freeze
squash freeze --model-path ./models/fraud-detector --reason "CVE detected" --severity critical
# See where you stand vs. your industry
squash industry-benchmark report --sector financial-services
```
Regulatory Deadlines
| Deadline | Regulation | squash feature |
|---|---|---|
| Jun 30, 2026 | Colorado AI Act (SB 24-205) | compliance-matrix --regions us-co |
| Aug 2, 2026 | EU AI Act general enforcement | squash attest --policy eu-ai-act |
| Ongoing | SEC AI washing examination priority | squash detect-washing |
| Ongoing | NYC Local Law 144 bias audits | squash bias-audit --standard nyc-ll144 |
License
Apache 2.0: free for individuals and open source projects.
Commercial use at scale: see getsquash.dev for Startup ($499/mo), Team ($899/mo), and Enterprise pricing.
squash-ai is built by Konjo AI. Squash violations, not velocity.