Skip to content

v0.71.3 — Compliance / annex / audit / energy

Choose a tag to compare

View all tags
@MakazhanAlpamys MakazhanAlpamys released this 01 Jun 14:38
· 52 commits to main since this release
v0.71.3
22d5c4f

Sixth patch in the post-v0.71.0 chain — the EU AI Act + carbon + audit surfaces deferred from v0.59.0 go live. Pure-Python; smoke-validated on a real RTX 3050.

What's New

  • Energy & CO2 measurementsoup train --track-energy wraps the training window in a codecarbon offline tracker (no IP-geolocation network call) and reports kWh / CO2 / grid intensity, feeding them into --annex-xi. --energy-country <ISO3> picks the grid for the CO2 estimate (default USA). New EnergyTracker context manager; graceful no-op when codecarbon is absent.
  • PDF compliance docssoup train --annex-xi report.pdf renders a reportlab PDF of the EU AI Act Annex XI/XII (a .md path still renders markdown). The top crawled domains of your training corpus are auto-extracted and listed.
  • Per-command audit log — every soup command now appends one HIPAA/SOC2-shaped record to ~/.soup/audit.jsonl (secrets redacted, args capped). Opt out with soup --no-audit-log <cmd> or SOUP_NO_AUDIT_LOG=1. Tail/rotate with soup audit-log.
  • Signed Soup Cans (v3)soup can pack --attest <statement.json> (repeatable) embeds in-toto Statements into a v3 can manifest; v1/v2 cans still load.
  • Airgap reproducibility receiptssoup airgap-bundle --repro-receipt <receipt.json> embeds an SR 11-7 receipt as repro-receipt.json (auto-detected from <model>/repro-receipt.json when not supplied).

Closes #180, #181, #182, #183, #184, #188.

Install / Upgrade

pip install -U soup-cli            # core
pip install -U 'soup-cli[carbon]' # + codecarbon for --track-energy
pip install -U 'soup-cli[pdf]'    # + reportlab for --annex-xi *.pdf

Security

  • soup can pack --attest rejects oversize attestation files by raw size before parsing them into memory (memory-exhaustion defence).
  • All new file-loading paths (attestation JSON, airgap receipt, training-corpus scan, PDF write) are cwd-contained + TOCTOU symlink-rejected + size-capped.
  • The audit auto-log redacts hf_ / sk- / Bearer tokens across every field, uses 0o600 + O_NOFOLLOW, and never crashes the CLI on a broken log.

Known Limitations

  • codecarbon energy figures are hardware-estimated — on hosts without RAPL/NVML, codecarbon falls back to a CPU-TDP constant; the kWh is an estimate, not a meter reading. The CO2 / grid intensity reflect the --energy-country grid (kWh is country-independent). This is a codecarbon characteristic, not a Soup defect.
  • --track-energy feeds --annex-xi only — the measurement is not yet auto-threaded into soup bom emit; the BOM attach_energy surface (v0.59.0) remains a manual call.
  • Audit auto-log is default-ON — a deliberate behaviour change for the regulated-org use case (local file under ~/.soup, not telemetry); opt out per-invocation or via env.
  • PDF rendering is block-level — headings / bullets / paragraphs only; inline emphasis is not interpreted. Operator-controlled strings are XML-escaped.
  • measure_run_energy stays a duration-only None-returning fallback — it cannot read instantaneous power from a wall-clock number; use EnergyTracker for a real start/stop measurement.

🤖 Generated with Claude Code

Assets 2
Loading