Governed, Observable & Declarative Machine Learning Framework
GODML
Production-grade MLOps for teams that need traceability, compliance, and a verified supply chain — without the infrastructure overhead.
Quick start
pip install godml
godml init my-project
godml run -f godml.yml
That's it. No cloud account required for local training.
What is GODML?
GODML is a Python framework that wraps the full ML lifecycle — data prep, training, evaluation, monitoring, and deployment — behind a single declarative YAML config. Every run produces a signed, auditable artifact trail.
Raw data → Compliance check (PII/GDPR) → Train (XGB/RF/LR) → Evaluate (cross-val) → Registry (MLflow) → Deploy (Docker) → Monitor (drift)
Why GODML over plain sklearn + MLflow?
| Problem | Without GODML | With GODML |
|---|---|---|
| Reproducibility | Manual notebooks | Declarative YAML, locked hashes |
| Compliance | Ad-hoc checks | Built-in PCI-DSS, GDPR, HIPAA |
| Supply chain | No SBOM | SLSA L3 provenance + signed SBOM |
| Audit trail | Scattered logs | Unified lineage per run |
| Multi-model | Custom glue code | Registry + notebook_api |
Installation
Core (no optional deps)
pip install godml
With extras
pip install "godml[advisor]" # LLM-powered recommendations (gpt4all)
pip install "godml[deep]" # LSTM forecasting (tensorflow + keras)
pip install "godml[aws]" # SageMaker deployment
pip install "godml[api]" # REST inference server (fastapi + uvicorn)
pip install "godml[dev]" # Full dev suite (tests, lint, coverage)
Configuration
A minimal godml.yml:
name: customer-churn
version: 1.0.0
provider: mlflow
dataset:
  uri: ./data/churn.csv
  hash: auto
model:
  type: xgboost
  hyperparameters:
    max_depth: 6
    learning_rate: 0.1
    n_estimators: 300
metrics:
  - name: auc
    threshold: 0.85
  - name: accuracy
    threshold: 0.80
governance:
  owner: ml-team@company.com
  tags:
    - compliance: gdpr
    - environment: production
deploy:
  realtime: true
  batch_output: ./outputs/predictions.csv
Run it:
godml run -f godml.yml
Notebook API
For interactive work in Jupyter:
from godml import GodmlNotebook
nb = GodmlNotebook()
nb.load_data("./data/churn.csv", target="churn")
nb.train_model("xgboost", {"max_depth": 6, "n_estimators": 300})
nb.evaluate(["auc", "accuracy", "f1"])
nb.save_model("churn_v1")
AI-powered advisor
from godml.notebook_api import advisor_full_report, tune_model
# Get model + metric recommendations for your dataset
report = advisor_full_report(df, target="churn")
print(report["recommended_models"]) # ['xgboost', 'random_forest']
print(report["data_quality"]) # quality score + issues
# Auto-tune with Optuna
result = tune_model(
    model_type="xgboost",
    X=X_train, y=y_train,
    max_trials=50,
    metric="auc",
)
print(f"Best AUC: {result['best_score']:.4f}")
Supported model types
| Key | Algorithm |
|---|---|
| xgboost / xgb | XGBoost |
| random_forest / rf | scikit-learn RandomForest |
| logistic_regression / logreg | scikit-learn LogisticRegression |
| lstm | LSTM forecasting (requires [deep]) |
Compliance
from godml.compliance_service import PciDssCompliance, GdprCompliance
compliance = PciDssCompliance()
clean_df = compliance.apply(df) # masks PAN, CVV, account numbers
gdpr = GdprCompliance()
report = gdpr.apply(df) # anonymizes PII per GDPR rules
Built-in compliance modules: PCI-DSS, GDPR, HIPAA, SOX.
Custom rules: subclass BaseCompliance and implement apply(df).
Architecture
┌──────────────────────────────────────────────────────┐
│ GODML Framework │
├────────────────┬─────────────┬───────────────────────┤
│ Interfaces │ Notebook │ CLI │ REST API │
├────────────────┴─────────────┴───────────────────────┤
│ Core Services │
│ ┌───────────┐ ┌───────────┐ ┌──────────────────────┐│
│ │ Advisor │ │ Config │ │ Pipeline Engine ││
│ └───────────┘ └───────────┘ └──────────────────────┘│
├──────────────────────────────────────────────────────┤
│ ML Services │
│ ┌───────────┐ ┌───────────┐ ┌──────────────────────┐│
│ │ DataPrep │ │ Model │ │ Monitoring ││
│ │ +PII scan │ │ Registry │ │ +Drift detection ││
│ └───────────┘ └───────────┘ └──────────────────────┘│
├──────────────────────────────────────────────────────┤
│ Providers: MLflow │ SageMaker │ Docker │ Local │
└──────────────────────────────────────────────────────┘
Supply chain & security
GODML ships with a SLSA Level 3 supply chain — every release is built in an isolated GitHub Actions environment with unforgeable provenance.
| Artifact | Standard | Signature | Transparency |
|---|---|---|---|
| sbom.spdx.json | SPDX 2.3 | Cosign OIDC (keyless) | Rekor log |
| sbom.cyclonedx.json | CycloneDX 1.6 | SLSA provenance | GitHub Release assets |
| provenance.intoto.jsonl | SLSA v1 / in-toto | slsa-github-generator | Rekor log |
Verify the SBOM yourself
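# Download from GitHub Releases
# The identity pattern is anchored and its dots are escaped, so only this
# repository's safety_scan.yml workflow (at any ref) is accepted as the signer.
cosign verify-blob \
  --bundle sbom.spdx.bundle \
  --certificate-identity-regexp '^https://github\.com/DAGMALIA/godml/\.github/workflows/safety_scan\.yml@' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  sbom.spdx.json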
Verify SLSA provenance
slsa-verifier verify-artifact dist/godml-*.whl \
  --provenance-path provenance.intoto.jsonl \
  --source-uri github.com/DAGMALIA/godml \
  --source-tag v1.1.0
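What the provenance check binds to the file, as an added example that is not code from the GODML project: it assumes each line of provenance.intoto.jsonl is a DSSE envelope (bare, or wrapped under a Sigstore bundle's dsseEnvelope key) whose base64 payload is an in-toto Statement, and compares the subject digest with the SHA-256 of the local file. It does not check the signature, which is what slsa-verifier does; the wheel name, file bytes and envelope below are constructed.

```python
import base64
import hashlib
import json

IN_TOTO_PAYLOAD = "application/vnd.in-toto+json"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def statements(jsonl_text: str):
    """Yield the in-toto Statement carried by each non-empty JSONL line."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        env = obj.get("dsseEnvelope", obj)  # assumption: bundle-wrapped or bare DSSE
        if env.get("payloadType") != IN_TOTO_PAYLOAD:
            raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
        yield json.loads(base64.b64decode(env["payload"]))

def subject_matches(jsonl_text: str, filename: str, data: bytes) -> bool:
    """True only if a statement lists `filename` with the SHA-256 of `data`."""
    digest = sha256_hex(data)
    for stmt in statements(jsonl_text):
        if not stmt.get("_type", "").startswith("https://in-toto.io/Statement/"):
            continue
        for subj in stmt.get("subject", []):
            if (subj.get("name") == filename
                    and subj.get("digest", {}).get("sha256") == digest):
                return True
    return False

# Constructed sample: a stand-in wheel and an unsigned envelope describing it.
WHEEL_NAME = "godml-0.0.0-py3-none-any.whl"  # placeholder file name
WHEEL_BYTES = b"constructed wheel contents"

def make_envelope(name: str, data: bytes) -> str:
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD,
                       "payload": payload, "signatures": []})

SAMPLE_JSONL = make_envelope(WHEEL_NAME, WHEEL_BYTES) + "\n"

if __name__ == "__main__":
    print(subject_matches(SAMPLE_JSONL, WHEEL_NAME, WHEEL_BYTES))         # intact file
    print(subject_matches(SAMPLE_JSONL, WHEEL_NAME, WHEEL_BYTES + b"!"))  # modified file
```

A digest match on its own proves nothing about who produced the statement; it is only meaningful after the envelope's signature and signer identity have been verified.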
CI security controls
| Control | Tool | Status |
|---|---|---|
| SAST | Bandit | ✅ Blocks on HIGH/CRITICAL |
| Dependency CVEs | pip-audit + Safety | ✅ Weekly + per PR |
| SHA-pinned actions | Dependabot | ✅ Auto-pinned |
| PyPI publish | OIDC Trusted Publisher | ✅ No API tokens |
| Branch protection | GitHub Ruleset | ✅ PR + status checks |
| Tag protection | GitHub Ruleset | ✅ v* immutable |
| Score | OpenSSF Scorecard | ✅ Published weekly |
CLI reference
godml init <project> # scaffold new project
godml run -f godml.yml # execute pipeline from config
godml deploy <project> <env> # deploy model to environment
godml --version # print version
Roadmap
v1.2.0 — Q3 2026
- Interactive drift dashboard (Streamlit)
- A/B testing framework
- Optuna distributed tuning
v1.3.0 — Q4 2026
- Kubernetes operator
- Real-time streaming inference
- Multi-tenant model registry
v2.0.0 — 2027
- Multi-cloud provider abstraction (Vertex AI, Azure ML)
- Federated learning support
- SOC2 / ISO27001 documentation kit
Contributing
git clone https://github.com/DAGMALIA/godml.git
cd godml
pip install -e ".[dev]"
pytest tests/ --cov=godml
See CONTRIBUTING.md for branch conventions and PR checklist.
License
MIT — see LICENSE.
File details
Details for the file godml-1.1.0.tar.gz.
File metadata
- Download URL: godml-1.1.0.tar.gz
- Upload date:
- Size: 84.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b403c67e357f70cb399278fd80bd715596f5e7a4c0a05de25bf0b717c636c68e |
| MD5 | 402e771c54351c134762250a9593ba9d |
| BLAKE2b-256 | fc043162b9d008ab19355c69dd255350851dd9df82acadff7e281ca4990fce8c |
Provenance
The following attestation bundles were made for godml-1.1.0.tar.gz:
Publisher: release.yml on DAGMALIA/godml
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: godml-1.1.0.tar.gz
  - Subject digest: b403c67e357f70cb399278fd80bd715596f5e7a4c0a05de25bf0b717c636c68e
- Sigstore transparency entry: 1991019034
- Sigstore integration time:
- Permalink: DAGMALIA/godml@5e8d2ab7bb7b96233b7130f651b21a53e68ecaa5
- Branch / Tag: refs/heads/main
- Owner: https://github.com/DAGMALIA
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@5e8d2ab7bb7b96233b7130f651b21a53e68ecaa5
- Trigger Event: workflow_dispatch
File details
Details for the file godml-1.1.0-py3-none-any.whl.
File metadata
- Download URL: godml-1.1.0-py3-none-any.whl
- Upload date:
- Size: 111.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | bdcea63075930adb15d56909c447d82a7bbd9603b7e597229769c150f336788f |
| MD5 | 0e06b380d329f129f5580839add8a551 |
| BLAKE2b-256 | 243211cad25341798af0015c513e06743b4e34b48cc9451cbccfa8880258de69 |
Provenance
The following attestation bundles were made for godml-1.1.0-py3-none-any.whl:
Publisher: release.yml on DAGMALIA/godml
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: godml-1.1.0-py3-none-any.whl
  - Subject digest: bdcea63075930adb15d56909c447d82a7bbd9603b7e597229769c150f336788f
- Sigstore transparency entry: 1991019092
- Sigstore integration time:
- Permalink: DAGMALIA/godml@5e8d2ab7bb7b96233b7130f651b21a53e68ecaa5
- Branch / Tag: refs/heads/main
- Owner: https://github.com/DAGMALIA
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@5e8d2ab7bb7b96233b7130f651b21a53e68ecaa5
- Trigger Event: workflow_dispatch