This is the no-jargon version of the website. Every other page on fastpace.net is written for engineers and security people. This page is for everyone else — managers, lawyers, auditors, your aunt who wants to know what you do for work.
One read-through ≈ 12 minutes. No code samples. Lots of analogies. We re-define every term as we go and again in the glossary at the bottom.
fastpace is software you install on your laptop, alongside your AI coding assistant. (An AI coding assistant is a program that writes code for you when you ask — Claude Code, Codex, and Gemini CLI are the popular ones in 2026.) When the AI writes code, fastpace quietly watches and writes down what happened, like a court reporter. Later, if anyone asks "did the AI really write this code? Was it allowed to? What did we ask it to do?" — fastpace can prove the answer.
That's it. That's the whole pitch. Everything else on this page is the how and the why.
Think of a busy restaurant kitchen. A chef cooks the meal. A camera on the wall films the kitchen. Health inspectors arrive a month later and ask, "Was the chicken cooked to the right temperature?" The footage is the answer. The chef cooked the food; the camera proved how. fastpace is the camera — for AI writing code instead of chefs cooking food.
AI coding assistants are great at writing code fast. But they create three new headaches that nobody used to have:
When code goes wrong, the company needs to know whether a person or an AI wrote the bad line. Right now, there's no record. It all just looks like "the developer committed code." fastpace keeps a labeled receipt for every AI-written line.
Imagine an intern who wanders into the CFO's office and starts opening filing cabinets. Most companies have rules — "this team can touch these files, that team can't." AI assistants don't naturally follow those rules. fastpace enforces them.
Banks, hospitals, and government contractors get audited. Auditors want paperwork. fastpace Teamduces the paperwork automatically — every time the AI does anything, a stamped, tamper-proof line of evidence is filed.
A new employee at a hospital can't just walk into the pharmacy and start handing out medication. They badge in, the system logs who they are, what they took, and when. That paperwork has been standard for decades. AI assistants have been writing real code for two years with none of it. fastpace is the badge reader.
fastpace is built from five small pieces that snap together. Each piece is simple. The magic is in how they fit.
In medieval times, each lord had a unique wax seal pressed into hot wax to prove a letter came from them. fastpace gives your laptop a digital version of that seal — a long random number called an Ed25519 keypair. It lives in a private folder on your computer. Nothing leaves your machine; the seal stays yours.
Every other piece below gets stamped with this seal. If somebody forges evidence, they can't fake the seal — the math says so.
Imagine an old library where every book checked out is written into a logbook, one line at a time, in pen. The librarian also writes the previous entry's checksum at the start of each new line. If you sneak in and erase yesterday's entry, the chain of checksums breaks — and everyone can see exactly which line was tampered with.
fastpace's audit chain is exactly that. Every time the AI does something, a new line is appended. Each line references the one before it. Tampering shows up immediately when anyone runs the verifier.
Every time the AI writes or edits a file, fastpace prints a
receipt and saves it. The receipt records the
model name (e.g. claude-opus-4.7), the runtime
(Bedrock? Azure? local?), the moment in time, and a one-way
fingerprint of what was asked and what came back.
Important: the receipt does NOT save the actual prompt or the actual response — only their fingerprints (a kind of mathematical summary you can't reverse). Privacy first, evidence second.
Museums put a plaque next to each painting: artist name, date, donor, condition. fastpace adds a similar plaque to every git commit (a "commit" is just a saved snapshot of the code). The plaque is a few extra lines at the bottom of the commit's note that say things like:
That single plaque is enough to walk all the way back to the receipt (brick #3) and the audit-chain entry (brick #2) and the seal that signed both (brick #1).
When you ship a package internationally, you fill out a customs form: what's inside, how much each item is worth, where it came from. Software releases need the same kind of form for AI now. Once a quarter (or per release), fastpace produces a single document — the AI Bill of Materials (AI BOM for short) — that lists every model, every agent, every API used, in a standard format auditors and procurement teams already know how to read.
The format is called CycloneDX-AI. It's an open standard, so the BOM works in any tool that already speaks CycloneDX — which most enterprise procurement tools do.
Each brick rests on the one below. The seal at the bottom signs everything above it.
Five bricks give you evidence. Two more give you safety: rules to prevent the AI from going off-piste, and an alarm for when it does anyway.
A new sous-chef gets handed a sheet that says: "you may use this fridge, this stove, these knives. You may not enter the walk-in freezer. Maximum 4 hours per shift." fastpace's Scope Manifest is that sheet for AI agents.
For each AI agent (the planner, the reviewer, etc.) you declare: which tools it can use, which folders it can touch, which commands it can run, and how much it can do per session. If the AI tries to step outside, fastpace blocks the action before it happens and writes the attempt to the audit log so you can see who tried what.
Even with rules, sometimes things go sideways. fastpace watches each AI agent's typical behavior over the last two weeks (how many files it touches per session, how long sessions last, how many commands it runs). If today's session suddenly looks very different — way more files, way more commands — the circuit breaker trips: the agent is paused until a human checks in.
Just like the breaker box in your house: a normal current flows fine, but a surge pops the switch. The exact threshold (e.g. "2.5 times the normal range") is configurable per company.
Most of the magic happens silently. But there's a deliberate pattern fastpace nudges developers toward — five doors you walk through, in order, for any non-trivial change.
This is what we mean when we call ourselves "spec-driven development, upgraded." Old-school spec-driven development stops at the spec. fastpace keeps walking: spec → design → plan → code → proof.
When you run fastpace init in a project, here's what
actually happens. (You don't need to remember any of these names —
just know they exist.)
A small program named fastpace (alias fp)
you run from a terminal. Tiny — under a megabyte — and ships
with zero outside dependencies, so nothing you didn't ask for
sneaks in via the supply chain.
Things you type to the AI to trigger a named operation:
/fp-write-prd, /fp-prd-to-erd,
/fp-erd-to-execplan, /fp-pr-summary,
/fp-discover, /fp-resume, and about
twenty more. Each one is a recipe — the AI follows the recipe
instead of inventing the steps from scratch.
fastpace ships seven AI personalities, each with a narrow job: planner, prd-guru, erd-guru, execution-planner, reviewer, doc-writer, onboarder. Each has a kitchen-rules sheet (the Scope Manifest). When the lead AI delegates a task, it picks the right specialist.
Tiny programs the AI runtime calls before and after every action. You'd never run them by hand — they fire automatically. They write audit lines, write receipts, scan for secrets in code, block dangerous commands, redact prompts, and so on. Each hook does one job.
A single file called fastpace.config.yaml in the
project's root. Lets you turn hooks on or off, name your
protected branches, list which AI runtimes you allow, and so
on. Plain text, version-controlled — your auditors get a
history of every config change for free.
A folder called fastpace/context/ containing four
living documents: architecture.md (how the
system is shaped), patterns.md (idioms your
team uses), decisions.md (why choices were
made), and glossary.md (your domain terms).
Whenever the AI does something, it reads these first so it
sounds like your team, not like a generic AI.
Run fastpace ui and a small website opens in your
browser. It runs on your laptop — nothing leaves the machine.
It's a window into the files fastpace has been writing in the
background.
Every entry in the librarian's logbook, scrollable, with a green check next to each tamper-verified line. If anyone edited a line by hand, you'd see a red break here.
Every receipt, sortable by AI model, agent, or time window. Click one and you see who signed it, when, against which runtime — but never the prompt itself (because we don't store that).
Short notes about features-in-flight: "if this changes, also change that." Helps the next person (or the next AI) avoid breaking things.
A score from 1 (the AI knows your code) to 5 (the AI knows your team's vocabulary, history, and rationale). The dashboard shows you what to add next to climb the ladder.
All the docs you and the AI have produced, browsable like a wiki. Each one links to the commits it produced and the receipts those commits used.
How often the AI's first try landed without correction. A running grade, per agent, that gets better as your context ladder climbs.
On audit day, fastpace lets the customer answer five questions that previously had no good answer. Each answer is reproducible — the auditor can re-run the verifier and watch the chain hold.
fastpace verify-provenance <commit> →
walks the museum plaque → finds the receipt → finds the
audit-chain entry → returns the proof tree.
fastpace verify → walks every link in the chain
→ reports the line of any break.
fastpace aibom show v1.4.0 → returns the customs
declaration in CycloneDX-AI format. Hand to procurement.
fastpace comes in two flavors under the same brand name. You can start with the free one forever, or upgrade to the paid one with a single command — no reinstall, same binary.
Every trust primitive a single developer needs. Open source. Audit-traced. Yours forever, even if you never pay us a cent.
Limit: single developer, single repo. Beyond that, you'll want Team.
Everything in community, plus the org-level machinery a security team or auditor will ask for once you've got more than one developer.
trust.yourcompany.comFor: any team beyond a single developer, or anyone with a SOC 2 / ISO 42001 / EU AI Act audit on the calendar.
Any team's first 5 seats are free for the first 12 months. Pay only for seat 6 and beyond during year one; the first 5 become billable at the seat anniversary. OSS maintainers and educators get Team free for 12 months, and practicing audit firms get Team free with no seat cap (we'd rather your auditor recommend us than sell to them). Email sales@fastpace.net if any of those describe you.
And if you're enterprise — say, a bank or a hospital with regulatory requirements that don't fit a list — there's a fourth tier (fastpace enterprise) with air-gapped installs, custom compliance mappings, a named CSM, and an MSA. Pricing is custom; talk to sales.
As of May 2026, fastpace Platform sits between Team and Enterprise at $99/editor-seat/mo annual. It exists for the eng org that has outgrown Team's table-stakes and wants the differentiators a real internal Platform team would build — except they don't have the budget for a real internal Platform team. Platform adds team-aggregated learnings, DORA metrics sliced by AI vs human, cross-repo refactor agent, prompt library, MCP server registry, incident replay, drift detector, and (as of v0.36.0) the bus-factor / vendor-lock-in / heat-map / coverage-gap dashboard described in Part 10 below. See the full pricing page for the four-tier ladder.
If you ran a platform-engineering team and your job was to keep the AI-coding surface healthy across a fleet of repos, here are the numbers you'd put on a dashboard. The fastpace Platform tier computes them for you. Each one is a CLI command, a dashboard tile, and a fleet rollup on the org dashboard.
fastpace bus-factor.
fastpace heatmap.
fastpace lock-in.
coverage/lcov.info. The AI's untested footprint.
Command: fastpace coverage.
fastpace token-budget check.
fastpace redteam-fleet report.
Each of these has a card on the new
"Metrics / Platform (Wave 4)" tab in the
local dashboard (run fastpace ui), and rolls up
across the fleet on the org dashboard's Overview view. All 23
Wave-4 commands are documented in the
Platform tier of the pricing page
and the CHANGELOG.
And in v0.40.0 — the "ship layer". The same release brought five more commands that don't produce metrics, but produce artifacts — the kind a release-train would otherwise live without:
fastpace release-notes --since v0.39.0 reads commits + manifests + linked
tickets and produces a markdown release-notes doc grouped by feature / fix / security /
breaking / internal. The thing every engineer used to spend an hour writing — now 30
seconds of review on auto-generated output.
fastpace release track shows what's in main but not yet in any tag,
risk-ranked by lines × age × whether AI-touched. Plus "your team typically tags
every 21 days; you're 7 days late" — the overdue signal that triggers the
release conversation without a meeting.
fastpace release link v1.4.2 --fixes v1.4.1 + release graph —
declare and visualize which release fixed which previous release's bug. Makes the
customer-facing changelog explicable: "v1.4.2 fixed a regression introduced in
v1.4.1."
fastpace deploy record --tag v0.40.0 --env production writes a signed
JSON attestation to fastpace/deploys/<id>.json AND appends a
deploy.recorded event to the audit chain. Now "who shipped this to
production, when?" has a forensic answer.
fastpace retro --release v0.40.0 composes commits + AI sessions + recent
learnings + hook-blocks resolved + postmortems + AI cost for the release window into a
markdown retro. Replaces "someone needs to write the retro this week" with
"here's the draft, fill in the human bits."
These show up on the Releases tab in fastpace ui and roll
up across the fleet at GET /api/org/releases on the org dashboard — release
cadence, recent deploys, overdue-tag count.
Wave 5c.A shipped the ship-layer table-stakes in v0.40 (above). Between v0.41 and v0.45 fastpace shipped four more sub-waves that round out the platform — the items below are real, not roadmap.
fastpace deploy verify <env> runs post-deploy probes
(HTTP status + schema + smoke command + metric baseline) and signs the
verdict. fastpace release-window check blocks deploys
outside the policy window (e.g. no Friday 4pm pushes) unless
--force. fastpace rollback assess <tag>
risk-grades a candidate rollback — what migrations need reversing, what
features depend on the rolled-back commits.
fastpace changelog --audience customer|engineer|auditor
projects the same changelog three ways. And a new
MetricsSource connector ships with Datadog, Prometheus, and
Sentry adapters — every external query emits a chained
metrics-source.queried event so the auditor can reconstruct
what observability data fastpace pulled and when.
fastpace control evidence generate <controlId> walks
the project and emits one signed EvidenceItem per applicable
artifact (run-manifest, audit-log slice, policy bundle, AI-BOM,
deploy attestation). fastpace control monitor walks every
known control, regenerates expired evidence, and emits
control.monitored. fastpace evidence pack <framework>
--audience auditor bundles a real zip with a signed manifest +
verification.sh that recomputes every entry's sha256.
fastpace gap-analysis <framework> tells you exactly
which controls have evidence, which don't, and which suggestions to act on.
fastpace plan ingest <source> pulls items from GitHub
Issues, Linear, Jira, or a file into fastpace/plan/items.jsonl.
fastpace plan match runs the Spike-001 hybrid matcher —
first ticket-ID direct match, then embedding similarity, then LLM on the
residual — to figure out which commits actually delivered which plan
item. fastpace plan drift surfaces items with no
corresponding commits past their SLA. plan estimate / brief /
capacity / triage / summary round out the layer; the
--audience stakeholder|engineer flag projects the summary
differently for execs and ICs.
fastpace review summarize <pr> produces intent + risk
+ scope + suggested reviewers. review risk scores 0–100
across surface-area / hot-files / prior incidents / churn velocity.
review coverage shows the test-coverage delta.
review consistency spots style/pattern drift.
review provenance reconstructs per-line AI attribution from
signed run-manifests. review suggest-reviewers uses
bus-factor + file-touch history. And — the key piece — fastpace
review meta <pr> spins up a separate
meta-reviewer persona that critiques the first-pass review itself
for what it missed; the meta output emits
review.meta.completed and renders with a magenta
[meta-review] banner so it's visibly distinct.
fastpace control-dedup --frameworks <a,b,…> identifies
controls across SOC 2, ISO 27001, ISO 42001, and NIST AI RMF that share
evidence — and ships the matches as suggestions only; the
auditor decides. fastpace framework register lets a
Platform-tier customer register a custom framework with their own
control IDs and evidence requirements. fastpace auditor invite
<email> issues an Ed25519-signed time-limited read-only
token (fp-auditor.v1.<payload>.<sig>) scoped to
a single framework's evidence. fastpace subprocessor attest
<name> records flow-down attestations from sub-processors
(Stripe, AWS, …) for GDPR Art. 28 / SOC 2.
fastpace evidence-inbox is the self-serve inbox where
customers and auditors file requests and the install fulfils them by
linking to existing evidence packs.
fastpace evidence-expiry --report lists evidence past its
freshness window so nothing silently goes stale.
Across v0.40 → v0.45 that's 30+ new commands — every
one emits signed, hash-chained audit events, so the auditor can
reconstruct what happened and when. The full surface is in
fastpace --help; the threat model and STRIDE walks are at
trust.fastpace.net.
Equally important — to avoid the sales-pitch effect — here's what fastpace doesn't claim to be.
We don't make the AI; we sit beside it. Bring whichever model you've already approved.
Everything runs on the developer's laptop. Nothing routes through fastpace's servers; we don't have any.
We store fingerprints of prompts and responses, never the text itself. Privacy first.
It's evidence that feeds those frameworks; the framework auditing itself still happens.
We don't grade the code's quality. We prove what produced it. Code review tools sit alongside us.
Every artifact is a plain file in your git repo. If you stop paying us tomorrow, the evidence is yours.
A pocket dictionary for the rest of the website. Each term is defined in one sentence, the way a coworker would say it at lunch.
/fp-write-prd.If you finished this and want to go deeper, here's a suggested order. (None of it requires you to be a developer.)
Still confused? Email us. We wrote this page because someone we love asked us "but what do you actually do?" — if a section here didn't land, tell us and we'll rewrite it.