Self-serve security posture for fastpace
Everything a CISO, security architect, or procurement lead needs to evaluate fastpace — attestations, sub-processors, security questionnaires, threat model, and a self-serve evidence-package request flow. Updated continuously; this is the canonical source.
fastpace is the vendor-neutral governance & compliance layer: one signed evidence chain, one policy, and one context source across Claude Code, Codex, and Gemini CLI. The same guardrails and signed capture deploy to each (one hook codebase, generated per vendor), so the evidence you hand an auditor doesn't move when your team swaps models.
Why a separate portal?
The marketing site explains what fastpace does. This portal proves it. Everything here is artifact-driven — sub-processors, attestation statuses, and questionnaires are stored as JSON in version control, so changes have a git history a procurement reviewer can audit.
Updated for v0.48.0 (July 2026)
v0.48.0 ships the vendor-neutral control plane: one hook
codebase generated into native plugins for Claude Code, Codex, and Gemini
CLI (fastpace plugin build), one policy compiled to each
vendor's enforcement (fastpace plugin policy), one context
source projected to each (fastpace plugin context), and
fastpace posture — provenance coverage, audit-chain
integrity, shadow-AI detection, the cross-vendor
assistant mix, and per-vendor policy conformance. The
threat model below covers these plus the audit-chain event types,
platform-team metrics rollup, BYOK key vault, and the metrics-source
connector trust boundary. See threat model →
Recent sub-waves: 5c.B (v0.41.0 — deploy verify, release-window,
rollback assess, audience-projected changelog, MetricsSource adapters) ·
5d.A (v0.42.0 — per-control evidence generator, continuous control monitor,
auditor-portable evidence packs, gap-analysis) ·
5a (v0.43.0 — plan-execution drift reconciliation with the Spike-001
hybrid matcher) ·
5b (v0.44.0 — multi-pass PR review with a second-layer
meta-reviewer persona) ·
5d.B (v0.45.0 — Ed25519-signed auditor invites, sub-processor flow-down
attestation, custom-framework registration, evidence-request inbox).
For the latest outcome guarantees (audit-chain coverage, framework readiness, plus four new candidates landing in v0.37 contract revision) see fastpace.net/outcomes. The full ELI5'd catalog of every metric fastpace produces is at fastpace.net/metrics.
Quick access
AI-Native Maturity (consent-gated)
Customers running fastpace ≥ 0.28 publish a signed Maturity Scorecard — a 0–100 number across nine industry-standard AI-native engineering competencies (Project Setup, Spec-Driven Development, Context Management, Testing, Harness Engineering, Architectural Guardrails, Review Maturity, AI SDLC Metrics, Prompt Engineering). Updates auto-flow from each developer's machine via F3.11 audit replication; the trust portal averages across the org. Per-customer scores are only published with explicit consent — most prospects use this internally first.
Architecture in two sentences
Local by construction. The core fastpace runtime — skills, agents, hooks, local UI — runs on the developer's machine and never transmits source code or prompts to a fastpace-operated service. The optional org dashboard is self-hosted and only ingests signed audit summaries (counts, hashes, trends) — never code, never prompts, never responses.
No telemetry.
fastpace ships zero telemetry. Updates are explicit
(npm update -g @fastpace-ai/fp then
fastpace update). The runtime that touches your code is
open source and auditable.
Verify it from the terminal
Three commands prove what's installed and what each install has done.
fastpace verify — walks the F0.2 hash-chained audit log
and reports any tampering since install.
fastpace inventory — lists every agent, runtime, MCP
server, and identity active on this machine.
fastpace snapshot --since YYYY-MM-DD — packages ADRs,
the audit log, run manifests, and AI-BOMs into one auditor-ready
tarball. The evidence-request flow is the
portal-side wrapper around this.