No description
7cd86fb88a
Some checks failed
Build Pipeline / Build Binaries (push) Failing after 3m39s
Build Pipeline / Build Docker Images (push) Has been skipped
Build Pipeline / Sign HIPAA Config (push) Has been skipped
Build Pipeline / Generate SLSA Provenance (push) Has been skipped
Checkout test / test (push) Successful in 6s
CI Pipeline / Test (ubuntu-latest on self-hosted) (push) Failing after 1s
CI Pipeline / Dev Compose Smoke Test (push) Has been skipped
CI Pipeline / Security Scan (push) Has been skipped
CI Pipeline / Test Scripts (push) Has been skipped
CI Pipeline / Test Native Libraries (push) Has been skipped
CI Pipeline / Native Library Build Matrix (push) Has been skipped
Contract Tests / Spec Drift Detection (push) Failing after 11s
Contract Tests / API Contract Tests (push) Has been skipped
Deploy API Docs / Build API Documentation (push) Failing after 5s
Deploy API Docs / Deploy to GitHub Pages (push) Has been skipped
Documentation / build-and-publish (push) Failing after 40s
Test Matrix / test-native-vs-pure (cgo) (push) Failing after 14s
Test Matrix / test-native-vs-pure (native) (push) Failing after 35s
Test Matrix / test-native-vs-pure (pure) (push) Failing after 18s
CI Pipeline / Trigger Build Workflow (push) Failing after 1s
Build CLI with Embedded SQLite / build (arm64, aarch64-linux) (push) Has been cancelled
Build CLI with Embedded SQLite / build (x86_64, x86_64-linux) (push) Has been cancelled
Build CLI with Embedded SQLite / build-macos (arm64) (push) Has been cancelled
Build CLI with Embedded SQLite / build-macos (x86_64) (push) Has been cancelled
Security Scan / Security Analysis (push) Has been cancelled
Security Scan / Native Library Security (push) Has been cancelled
Verification & Maintenance / V.1 - Schema Drift Detection (push) Has been cancelled
Verification & Maintenance / V.4 - Custom Go Vet Analyzers (push) Has been cancelled
Verification & Maintenance / V.7 - Audit Chain Integrity (push) Has been cancelled
Verification & Maintenance / V.6 - Extended Security Scanning (push) Has been cancelled
Verification & Maintenance / V.10 - OpenSSF Scorecard (push) Has been cancelled
Verification & Maintenance / Verification Summary (push) Has been cancelled
- Introduce audit, plugin, and scheduler API handlers - Add spec_embed.go for OpenAPI spec embedding - Create modular build scripts (cli, go, native, cross-platform) - Add deployment cleanup and health-check utilities - New ADRs: hot reload, audit store, SSE updates, RBAC, caching, offline mode, KMS regions, tenant offboarding - Add KMS configuration schema and worker variants - Include KMS benchmark tests |
||
|---|---|---|
| .forgejo/workflows | ||
| .gitea | ||
| api | ||
| build | ||
| cli | ||
| cmd | ||
| configs | ||
| db | ||
| deployments | ||
| docs | ||
| examples | ||
| internal | ||
| monitoring | ||
| native | ||
| podman | ||
| redis | ||
| scripts | ||
| tests | ||
| tools | ||
| .dockerignore | ||
| .env.example | ||
| .flake8 | ||
| .gitignore | ||
| .golangci.yml | ||
| .golintrc | ||
| CHANGELOG.md | ||
| DEVELOPMENT.md | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| Makefile | ||
| pyproject.toml | ||
| README.md | ||
| SECURITY.md | ||
FetchML
A lightweight ML experiment platform with a tiny Zig CLI and a Go backend. Designed for homelabs and small teams.
Installation (recommended)
FetchML publishes pre-built release artifacts (CLI + Go services) on GitHub Releases.
If you prefer a one-shot check (recommended for most users), you can use:
./scripts/verify_release.sh --dir . --repo <org>/<repo>
-
Download the right archive for your platform
-
Verify
checksums.txtsignature (recommended)
The release includes a signed checksums.txt plus:
checksums.txt.sigchecksums.txt.cert
Verify the signature (keyless Sigstore) using cosign:
cosign verify-blob \
--certificate checksums.txt.cert \
--signature checksums.txt.sig \
--certificate-identity-regexp "^https://github.com/jfraeysd/fetch_ml/.forgejo/workflows/release-mirror.yml@refs/tags/v.*$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
-
Verify the SHA256 checksum against
checksums.txt -
Extract and install
Example (CLI on Linux x86_64):
# Download
curl -fsSLO https://github.com/jfraeysd/fetch_ml/releases/download/<tag>/ml-linux-x86_64.tar.gz
curl -fsSLO https://github.com/jfraeysd/fetch_ml/releases/download/<tag>/checksums.txt
curl -fsSLO https://github.com/jfraeysd/fetch_ml/releases/download/<tag>/checksums.txt.sig
curl -fsSLO https://github.com/jfraeysd/fetch_ml/releases/download/<tag>/checksums.txt.cert
# Verify
cosign verify-blob \
--certificate checksums.txt.cert \
--signature checksums.txt.sig \
--certificate-identity-regexp "^https://github.com/jfraeysd/fetch_ml/.forgejo/workflows/release-mirror.yml@refs/tags/v.*$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
sha256sum -c --ignore-missing checksums.txt
# Install
tar -xzf ml-linux-x86_64.tar.gz
chmod +x ml-linux-x86_64
sudo mv ml-linux-x86_64 /usr/local/bin/ml
ml --help
Quick start
# Clone and run (dev)
git clone <your-repo>
cd fetch_ml
make dev-up
# Or build the CLI locally
cd cli && make all
./zig-out/bin/ml --help
What you get
- Zig CLI (
ml): Tiny, fast local client. Uses~/.ml/config.tomlandFETCH_ML_CLI_*env vars. - Go backends: API server, worker, and a TUI for richer remote features.
- TUI over SSH:
ml monitorlaunches the TUI on the server, keeping the local CLI minimal. - CI/CD: Cross‑platform builds with
zig build-exeand Go releases.
Testing & Security
FetchML maintains 100% test coverage (49/49 requirements) for all security and reproducibility controls:
- Unit tests: 150+ tests covering security, reproducibility, and core functionality
- Property-based tests: gopter-based invariant verification
- Integration tests: Cross-tenant isolation, audit verification, PHI redaction
- Fault injection: Prepared tests for toxiproxy integration
- Custom lint analyzers:
fetchml-vetenforces security at compile time
See docs/TEST_COVERAGE_MAP.md for detailed coverage tracking and DEVELOPMENT.md for testing guidelines.
CLI usage
# Configure
cat > ~/.ml/config.toml <<EOF
worker_host = "127.0.0.1"
worker_user = "dev_user"
worker_base = "/tmp/ml-experiments"
worker_port = 22
api_key = "your-api-key"
EOF
# Core commands
ml status
ml queue my-job
ml cancel my-job
ml dataset list
ml monitor # SSH to run TUI remotely
# Research features (see docs/src/research-features.md)
ml queue train.py --hypothesis "LR scaling..." --tags ablation
ml outcome set run_abc --outcome validates --summary "Accuracy +2%"
ml find --outcome validates --tag lr-test
ml compare run_abc run_def
ml privacy set run_abc --level team
ml export run_abc --anonymize
ml dataset verify /path/to/data
Phase 1 (V1) notes
- Task schema supports optional
snapshot_id(opaque identifier) anddataset_specs(structured dataset inputs). Ifdataset_specsis present it takes precedence over legacydatasets/--datasetsargs. - Snapshot restore (S1) stages verified
snapshot_idinto each task workspace and exposes it viaFETCH_ML_SNAPSHOT_DIRandFETCH_ML_SNAPSHOT_ID. Ifsnapshot_store.enabled: truein the worker config, the worker will pull<prefix>/<snapshot_id>.tar.gzfrom an S3-compatible store (e.g. MinIO), verifysnapshot_sha256, and cache it underdata_dir/snapshots/sha256/<snapshot_sha256>. - Prewarm (best-effort) can fetch datasets for the next queued task while another task is running. Prewarm state is surfaced in
ml status --jsonunder the optionalprewarmfield. - Env prewarm (best-effort) can build a warmed Podman image keyed by
deps_manifest_sha256and reuse it for later tasks.
Changelog
See CHANGELOG.md.
Build
Native C++ Libraries (Optional)
FetchML includes optional C++ native libraries for performance. See docs/src/native-libraries.md for detailed build instructions.
Quick start:
make native-build # Build native libs
make native-smoke # Run smoke test
go build -tags native_libs # Enable native libraries
Standard Build
# CLI (Zig)
cd cli && make all # release-small
make tiny # extra-small
make fast # release-fast
# Go backends
make cross-platform # builds for Linux/macOS/Windows
Deploy
- Dev:
docker-compose up -d - Prod: Use the provided systemd units or containers on Rocky Linux.
Docs
See docs/ for detailed guides:
docs/src/native-libraries.md– Native C++ libraries (build, test, deploy)docs/src/zig-cli.md– CLI referencedocs/src/quick-start.md– Full setup guidedocs/src/deployment.md– Production deploymentdocs/src/research-features.md– Research workflow features (narrative capture, outcomes, search)docs/src/privacy-security.md– Privacy levels, PII detection, anonymized export
CLI Architecture (2026-02)
The Zig CLI has been refactored for improved maintainability:
- Modular 3-layer architecture:
core/(foundation),local//server/(mode-specific),commands/(routers) - Unified context:
core.context.Contexthandles mode detection, output formatting, and dispatch - Code reduction:
experiment.zigreduced from 836 to 348 lines (58% reduction) - Bug fixes: Resolved 15+ compilation errors across multiple commands
See cli/README.md for detailed architecture documentation.
Source code
The FetchML source code is intentionally not hosted on GitHub.
The canonical source repository is available at: <SOURCE_REPO_URL>.
License
FetchML is source-available for transparency and auditability. It is not open-source.
See LICENSE.