Last updated: 2026-05-07 - Sprint 27 C4 shipped (`squash watch-regulatory`)
Status: Living document - updated on every commit
Horizon: April 2026 – October 2027
EU AI Act high-risk enforcement: August 2, 2026 - 94 days.
Every sprint between today and August 2 is worth more than any sprint after. The whole product strategy is anchored to one truth: regulators no longer want promises; they want receipts.
squash is the receipt machine.
| Phase 1 | Phase 2 | Phase 3 | Phase 4 | Phase 5 | Phase 6 | Phase 7 |
|---|---|---|---|---|---|---|
| MVP | Beta | GA | Scale | Enterprise | Platform | Moat |
| (done) | (done) | (done) | (done) | (done) | (now) | (next) |

Current: Phase 6 - Platform (W219+). Shipping parallel tracks weekly.
Track themes: Monetisation, Reach + defensibility, Technical defensibility

| Track A (Revenue) | Track B (Product) | Track C (Safety) | Track D (Enterprise) |
|---|---|---|---|
| A1 fly deploy | B1 HF Public Scanner | C1 squash freeze ✅ | D1 GitHub App |
| A2 PyPI publish | B2 Branded PDF | C2 AI Washing Detect | D2 AI Identity Attest |
| A3 Domain + Stripe | B3 Email Digest | C3 Approval Workflow | D3 Procurement Score API |
| A4 Website Live | B4 Terraform/Pulumi | C4 Regulatory Watch | D4 Multi-Jurisdiction |
| | B5 API Gateway Plugin | | |
Current sprint (W221–W222, May 5–6): C1 squash freeze ✅ - 2-day headline win.
Next sprint (W223–W225, May 7–12): C2 AI Washing Detection + B2 Branded PDF.
- May 5: W221 Day 1 - `squash freeze`: write `freeze.py` + tests
- May 6: W222 Day 2 - `squash freeze`: CLI + PR + demo GIF

Launch anchors (unchanged):
- L1 Public Beta - Jul 11
- L2 Show HN - Jul 14 (`squash freeze` IS the demo)
- L3 Product Hunt - Jul 21
- L4 EU Enforcement Day - Aug 2
C1 squash freeze is the headline win. Two days of work, zero new modules, orchestrates five existing modules (attestation_registry, webhook_delivery, gitops, incident, notifications) into one CLI command. The "red button" CISOs will demo to boards. Highest drama-per-hour-of-effort ratio in the roadmap.
| Item | Status | Target | Owner |
|---|---|---|---|
| A1 fly.io deploy | ✅ done | Live URL | Wesley |
| A2 PyPI publish | ✅ done | `pip install squash-ai` | Wesley |
| A3 Domain + Stripe | active | getsquash.dev + billing | Wesley |
| A4 Website live | next | Landing page + pricing | Wesley |
| Item | Status | Target | Owner |
|---|---|---|---|
| B1 HF Public Scanner | ✅ shipped 2026-04-30 (4 days) | `squash scan hf://owner/model` | |
| B2 Branded PDF | | Compliance leave-behind | Wesley |
| B3 Email Digest | | Weekly regulatory summary | Wesley |
| B4 Terraform/Pulumi | | IaC compliance modules | Wesley |
| B5 API Gateway Plugin | | Kong/Apigee plugin | Wesley |
| Track | Feature | Est. | Dates | Deps | Anchor stat | Sprint |
|---|---|---|---|---|---|---|
| C1 ✅ | `squash freeze` - emergency response orchestrator | | shipped 2026-05-06 | A3, B1 | 20% have a tested AI incident-response plan. freeze.py: FreezeOrchestrator, 5-step atomicity, Ed25519 signing, ledger. 38 tests. | Sprint 19 (W221–W222) ✅ |
| C2 ✅ | AI Washing Detection - `squash detect-washing` | | shipped 2026-04-30 | B1, B2 | SEC #1 AI exam priority 2026. washing_detector.py: 28 patterns, 9 claim types, 12 divergence rules, 95.7% recall. 38 tests. | Sprint 20 (W223–W225) ✅ |
| C3 ✅ | Approval Workflow - `squash approve` (signed reviewer record) | 5 days | May 13–19 | B2, B3, B4 | EU AI Act Art. 9 human-oversight requirement | Sprint 23 (W232–W234) |
| C4 ✅ | Regulatory Watch Daemon - primary-source polling + gap analysis | | shipped 2026-05-07 | B4, D1 | Daily-touch product = retention | Sprint 27 (W243–W245) ✅ |
| C5 | Audit Simulation - `squash simulate-audit --regulator EU-AI-Act` | 10 days | Jun 2–13 | D1, D2, B5 | 78% can't pass audit in 90 days | Sprint 22 (W229–W231) |
| C2 | AI Washing Detection - `squash detect-washing` | 5 days | May 7–12 | B1, B2 | SEC #1 AI exam priority 2026 | Sprint 20 (W223–W225) |
| C3 | Approval Workflow - `squash approve` | 5 days | May 13–19 | B2, B3 | EU AI Act Art. 9 | Sprint 23 |
| C6 ✅ | Insurance Risk Package - `squash insurance-package` | | shipped | | Munich Re / Coalition adapters | Sprint 24 (W235–W237) ✅ |
| C7 ✅ | Hallucination Attestation - `squash hallucination-attest` | | shipped | | $67.4B hallucination liability market | Sprint 20 ✅ |
| C8 | DORA Compliance - `squash dora` | 5 days | Jun | B4, D1 | DORA enforcement Jan 2025 | Sprint 28 |
| C9 | Carbon Footprint Attestation - `squash attest-carbon` | 3 days | Jun | B1 | ESG reporting requirements | Sprint 29 |
| C10 ✅ | Runtime Hallucination Monitor - `squash hallucination-monitor` | | shipped 2026-04-30 | D3 | EU AI Act Art. 72 incident reporting | Sprint 20 ✅ |
| Track | Feature | Est. | Dates | Deps | Anchor stat | Sprint |
|---|---|---|---|---|---|---|
| D1 | GitHub App - 1-click repo integration | 5 days | May 20 | A3, B1 | 82% use GitHub | Sprint 21 |
| D2 | AI Identity Attestation - `squash attest-identity` | 5 days | Jun | C3, D1 | Zero-trust AI supply chain | Sprint 25 |
| D3 | Procurement Score API - B2B buyer due diligence | 7 days | Jun | D1, D2 | $2.1B procurement AI market | Sprint 26 |
| D4 | Multi-Jurisdiction Matrix - `squash compliance-matrix` | 5 days | Jul | D3, C4 | EU+US+UK+Singapore coverage | Sprint 27 |
| Launch | Event | Date | Gate | Hook |
|---|---|---|---|---|
| L1 | Public Beta | Jul 11 | A1–A4, B1–B2, C1, design-partner quote | Loom 3-min demo video |
| L2 | Show HN | Jul 14, 9am ET (Tuesday) | C1 live (`squash freeze` demo) | Draft already in `docs/launch/hn-post.md` |
| L3 | Product Hunt | Jul 21 | Pre-arranged hunter, gallery design done | "Squash violations, not velocity." |
| L4 | EU Enforcement Day | Aug 2 - T+0 | All preceding launches | "Squash users are compliant. Are you?" |
| Tier | Price | Limit | Target |
|---|---|---|---|
| Open | Free | 1 model/month | OSS developers |
| Pro | $99/mo | 20 models/month | Startups, researchers |
| Team | $499/mo | 100 models/month | ML teams |
| Enterprise | Custom | Unlimited + SLA | F500, regulators |
| Month | MRR | Customers | Notes |
|---|---|---|---|
| Jul 2026 | $5K | 50 Pro | Post-L1 launch |
| Aug 2026 | $25K | 200 Pro + 10 Team | EU enforcement wave |
| Oct 2026 | $100K | 500 Pro + 50 Team + 5 Ent | Growth phase |
| Jan 2027 | $300K | 1000+ across tiers | Platform network effects |
| Jul 2027 | $833K | Scale | $10M ARR run rate |
```text
squash (open-core CLI + SDK)
├── squash/
│   ├── scanner.py               # ModelScanner - security + compliance scan
│   ├── policy.py                # PolicyEngine - 10+ framework evaluation
│   ├── attest.py                # AttestPipeline - signed attestation record
│   ├── sbom_builder.py          # CycloneDXBuilder - ML-BOM generation
│   ├── spdx_builder.py          # SpdxBuilder - SPDX AI Profile
│   ├── oms_signer.py            # OmsSigner - Sigstore keyless signing
│   ├── vex.py                   # VexEvaluator - CVE/vulnerability tracking
│   ├── provenance.py            # ProvenanceCollector - dataset lineage
│   ├── governor.py              # SquashGovernor - drift detection
│   ├── risk.py                  # AiRiskAssessor - EU AI Act risk taxonomy
│   ├── incident.py              # IncidentResponder - Art. 73 packages
│   ├── freeze.py                # FreezeOrchestrator - emergency response (C1)
│   ├── notifications.py         # Notification fanout (Slack/PD/email)
│   ├── webhook_delivery.py      # WebhookDelivery - subscriber fanout
│   ├── attestation_registry.py  # AttestationRegistry - live/revoked
│   ├── audit_log.py             # AuditLog - append-only tamper-evident log
│   ├── hallucination.py         # HallucinationDetector - runtime monitor
│   ├── washing_detector.py      # AIWashingDetector - 28 patterns (C2)
│   ├── insurance.py             # InsuranceBuilder - risk packages (C6)
│   ├── annex_iv_generator.py    # AnnexIVGenerator - Art. 11 docs
│   ├── nist_rmf.py              # NistRmfScanner - NIST AI RMF 1.0
│   └── cli.py                   # squash CLI entry point
├── squash/integrations/
│   ├── sagemaker.py             # AWS SageMaker adapter
│   ├── ray.py                   # Ray Serve decorator
│   └── kubernetes.py            # K8s admission webhook
└── tests/                       # 4384+ tests (pytest)
```
Duration: 2 days (W221–W222, May 5–6)
Status: ✅ SHIPPED 2026-05-06
Anchor stat: 20% of organizations have a tested AI incident response plan.
What ships:
- `squash/freeze.py` - `FreezeOrchestrator` driving 5 sub-steps atomically
- `tests/test_freeze.py` - 55 tests with full DI-stub offline coverage
- `squash freeze` CLI wired in `cli.py`
- v3.2.0 → v3.3.0
The 5 Sub-Steps (atomicity model):
- Registry Revoke (legally binding - abort if fails)
- Webhook Broadcast (non-fatal - partial delivery beats nothing)
- Signed Ledger Entry (Ed25519 audit trail, append-only JSONL)
- Notification Fanout (Slack / PagerDuty / email)
- Incident Package (Article 73 disclosure draft on disk)
Key design decisions:
- DI-injected collaborators for every sub-step → fast, offline tests
- `FreezeReceipt` records outcome of every step - tamper-evident via SHA-256 + optional Ed25519
- Ledger at `~/.squash/freeze_ledger.jsonl` (configurable via `--state-dir`)
- `squash freeze ledger` and `squash freeze verify` sub-commands

Exit codes:
- `0` - all 5 steps succeeded
- `1` - revoke ok, but ≥1 broadcast step failed
- `2` - revoke failed (no side-effects performed)
- `3` - configuration / argument error
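
The atomicity model and exit codes above, sketched as an added example (not squash's own `freeze.py`). `run_freeze`, `Receipt`, the step names and the injected callables are hypothetical, and treating every post-revoke step as non-fatal is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical names for the four steps that follow the registry revoke.
BROADCAST_STEPS = ("webhooks", "ledger", "notify", "incident")
Step = Callable[[str], None]  # an injected collaborator: raises on failure


@dataclass
class Receipt:
    outcomes: List[Tuple[str, bool, str]] = field(default_factory=list)
    exit_code: int = 3  # 3 = configuration / argument error


def run_freeze(model_id: str, revoke: Step, steps: Dict[str, Step]) -> Receipt:
    receipt = Receipt()
    if not model_id or any(name not in steps for name in BROADCAST_STEPS):
        return receipt  # nothing attempted, nothing recorded
    try:
        revoke(model_id)
    except Exception as exc:
        # Revoke is the abort point: no later step may run (exit code 2).
        receipt.outcomes.append(("revoke", False, str(exc)))
        receipt.exit_code = 2
        return receipt
    receipt.outcomes.append(("revoke", True, ""))
    for name in BROADCAST_STEPS:
        try:
            steps[name](model_id)
            receipt.outcomes.append((name, True, ""))
        except Exception as exc:
            # Assumed non-fatal: record the failure and keep going.
            receipt.outcomes.append((name, False, str(exc)))
    failed = any(not ok for _, ok, _ in receipt.outcomes)
    receipt.exit_code = 1 if failed else 0
    return receipt


if __name__ == "__main__":
    def unreachable(_model_id: str) -> None:
        raise ConnectionError("webhook endpoint unreachable")  # constructed failure

    stubs = {name: (lambda _m: None) for name in BROADCAST_STEPS}
    stubs["webhooks"] = unreachable
    result = run_freeze("acme/credit-v2", lambda _m: None, stubs)
    print(result.exit_code, result.outcomes)
```

Because the receipt records every step outcome, an operator can tell a clean freeze from one where the revoke held but a downstream channel still needs a retry.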
Duration: 5 days (W223–W225, May 7–12)
Status: ✅ SHIPPED 2026-04-30
Anchor stat: SEC flagged AI washing as #1 enforcement priority for 2026.
What shipped:
- `squash/washing_detector.py` - 28 patterns, 9 claim types, 12 divergence rules
- 38 tests, 95.7% recall on test corpus
- `squash detect-washing` CLI command

Duration: 5 days (W226–W228, May 14–19)
Status: planned
Anchor stat: 82% of ML teams use GitHub.
What ships:
- GitHub App with OAuth + webhook
- `squash-bot` PR comments with compliance summary
- 1-click repo integration from getsquash.dev

Duration: 10 days (W229–W231, May 20–Jun 2)
Status: planned
Anchor stat: 78% of organizations can't pass an AI audit in 90 days.

Duration: 5 days (W232–W234, Jun 3–9)
Status: ✅ SHIPPED
Anchor stat: EU AI Act Art. 9 requires human oversight for high-risk AI.

Duration: 3 days (W235–W237)
Status: ✅ SHIPPED
Anchor stat: $47B AI liability insurance market by 2030.
What shipped:
- `squash/insurance.py` - `InsuranceBuilder` with Munich Re + Coalition adapters
- `squash insurance-package` CLI
- `ModelRiskProfile`, `InsurancePackage` dataclasses
Objective: Make squash the most audit-ready open-source AI compliance tool on the planet.
- `pytest-cov` wired in CI
- Branch coverage tracked per module
- Tier 0 modules: 90%+ coverage gate
- `mutmut` on Tier 0 modules (oms_signer, anchor, attest, slsa, chain_attest)
- Mutation score gate: ≥ 80%
- `squash self-verify` - walks the entire attestation chain
- Verifies every Ed25519 signature in the audit log
- `atheris` fuzzing on parser entrypoints (SBOM, VEX, policy)
- ≥ 100K iterations per target in CI
- Strict mypy on Tier 0 modules
- ruff E/F/W/I enforced repo-wide
| Metric | Value | Target |
|---|---|---|
| Total tests | 4384 (pre-C1) | 4400+ |
| Coverage (overall) | tracked | 80%+ Tier 0 |
| Mutation score (Tier 0) | tracked | 80%+ |
| CI time | < 120s | < 90s |
| Tier | Modules | Coverage Gate | Mutation Gate |
|---|---|---|---|
| 0 (critical) | oms_signer, anchor, attest, slsa, chain_attest | 90% | 80% |
| 1 (high) | freeze, scanner, policy, vex, governor | 80% | 70% |
| 2 (standard) | All other squash/* | 60% | - |
| Week | Track A | Track B | Track C | Track D | Track E |
|---|---|---|---|---|---|
| Apr 28–May 2 | A1 fly deploy (done) · A2 PyPI publish (1 hr) | - | - | - | - |
| May 5–6 | A3 Domain + Stripe (1d) | B1 HF Scanner (4d) ✅ | C1 squash freeze ✅ (2d) | - | - |
| May 7–10 | A4 Website live (3d) | B1 cont. · B2 Branded PDF (2d) | C2 AI Washing Detection (5d) · C7 Hallucination Attest ($67.4B) | - | - |
| May 12–19 | Track A done | B3 Email Digest (2d) | C3 Approval Workflow · C7 cont. | - | - |
| May 20–28 | - | B4 Terraform/Pulumi (5d) | C4 Regulatory Watch (7d) | D1 GitHub App (5d) | - |
| Jun 2–9 | - | B5 API Gateway Plugin (5d) | C5 Audit Simulation (10d) | D2 AI Identity (5d) | - |
| Jun 10–20 | - | - | C5 cont. | D3 Procurement API (7d) | - |
| Jun 23–Jul 4 | - | - | C8 DORA (5d) | D4 Multi-Jurisdiction (5d) | - |
| Jul 7–11 | - | - | C9 Carbon (3d) | - | L1 Public Beta |
| Jul 14 | - | - | - | - | L2 Show HN |
| Jul 21 | - | - | - | - | L3 Product Hunt |
| Aug 2 | - | - | - | - | L4 EU Enforcement Day |
The critical path to L1 (Jul 11 Public Beta):
- A1 (done) → A2 (done) → A3 → A4 → L1
- B1 (done) → B2 → L1
- C1 ✅ (done) → L2
- C2 ✅ (done) → L1
Key dependencies:
- B1 + B2 + C1 (by May 10) → unblock L1. Public Beta Launch (Jul 11) requires the HF scanner live, the branded PDF as sales leave-behind, and `squash freeze` as the headline demo.
- C1 live by mid-May → headline asset for L2 (Show HN, Jul 14, 9am ET). `squash freeze` IS the HN demo. The post body GIF should show the red-button command. Draft already in `docs/launch/hn-post.md`.
- Track D D3/D4/D5 (by Jul 31) → unblock the Aug 2 narrative. Procurement scoring API, multi-jurisdiction matrix, and identity attestation make the enterprise pitch.
| Partner | Segment | Status | Use Case |
|---|---|---|---|
| [REDACTED] | FinTech | Active pilot | EU AI Act + DORA compliance |
| [REDACTED] | HealthTech | Evaluating | FDA AI/ML SaMD + HIPAA |
| [REDACTED] | InsurTech | Active pilot | Underwriting model attestation |
| [REDACTED] | GovTech | Prospect | FedRAMP + CMMC certification |
Design partner ask: 30-min monthly call + testimonial for launch.
| Primitive | Usage | Standard |
|---|---|---|
| Ed25519 | Attestation signing, freeze receipt signing | RFC 8032 |
| SHA-256 | Payload hashing, SBOM component hashes | FIPS 180-4 |
| HMAC-SHA256 | Webhook delivery signatures | RFC 2104 |
| Sigstore | Keyless signing (CI/CD integration) | Sigstore spec |
- Append-only: Ledger files are never overwritten
- Tamper-evident: Every entry carries a SHA-256 hash of its canonical JSON
- Signed (optional): Ed25519 signature when a private key is available
- Human-readable: JSONL format - `jq` and `grep` work without squash installed
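
The append-only and tamper-evident properties listed above, as an added example (not squash's own ledger code). The `sha256` field name, the canonicalisation choice (sorted keys, compact separators) and the sample entries are assumptions, and the optional Ed25519 signature is left out.

```python
import hashlib
import hmac
import json
import os
import tempfile


def canonical(entry: dict) -> bytes:
    # Canonical form: sorted keys, no insignificant whitespace, UTF-8.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(path: str, entry: dict) -> str:
    digest = hashlib.sha256(canonical(entry)).hexdigest()
    record = dict(entry, sha256=digest)  # "sha256" field name is hypothetical
    with open(path, "a", encoding="utf-8") as fh:  # append mode, never "w"
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return digest


def verify_ledger(path: str) -> list:
    """Return the 1-based line numbers whose stored hash does not match."""
    bad = []
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            try:
                record = json.loads(line)
                claimed = record.pop("sha256")
                actual = hashlib.sha256(canonical(record)).hexdigest()
                ok = hmac.compare_digest(claimed, actual)
            except (ValueError, KeyError, TypeError, AttributeError):
                ok = False  # unparsable or hash-less lines count as tampered
            if not ok:
                bad.append(lineno)
    return bad


def demo() -> tuple:
    # Constructed sample entries; model IDs and reasons are made up.
    path = os.path.join(tempfile.mkdtemp(), "freeze_ledger.jsonl")
    append_entry(path, {"model": "acme/credit-v2", "action": "freeze", "reason": "drift"})
    append_entry(path, {"model": "acme/triage-v1", "action": "freeze", "reason": "incident"})
    before = verify_ledger(path)
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    lines[1] = lines[1].replace("incident", "test run")  # edit without rehashing
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return before, verify_ledger(path)
```

A per-entry hash only catches edits by someone who does not recompute it, and it does not reveal a deleted line; the signature is what binds an entry to a key holder.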
| Framework | CLI Flag | Module | Status |
|---|---|---|---|
| EU AI Act (Annex IV) | `--policy eu-ai-act` | `annex_iv_generator.py` | ✅ |
| NIST AI RMF 1.0 | `--policy nist-ai-rmf` | `nist_rmf.py` | ✅ |
| ISO 42001 | `--policy iso-42001` | `policy.py` | ✅ |
| OWASP LLM Top 10 | `--policy owasp-llm-top10` | `policy.py` | ✅ |
| FedRAMP | `--policy fedramp` | `policy.py` | ✅ |
| CMMC 2.0 | `--policy cmmc` | `policy.py` | ✅ |
| SOC 2-AI | `--policy soc2-ai` | `policy.py` | ✅ |
| HITRUST | `--policy hitrust` | `policy.py` | ✅ |
| GDPR-AI | `--policy gdpr-ai` | `policy.py` | ✅ |
| DORA | `--policy dora` | `policy.py` | ✅ |
| EU CRA | `--policy eu-cra` | `policy.py` | ✅ |
| SLSA | `slsa-attest` | `slsa.py` | ✅ |
Test pyramid, top to bottom:
- E2E: 50 tests (CLI integration)
- Integration: 500 tests (module-to-module)
- Unit Tests: 3800+ tests (pure logic, DI stubs)
- No network calls in unit tests. Every external collaborator is DI-injected and stubbed.
- No file system side-effects without tmp_path. Every test that writes uses pytest's `tmp_path`.
- No sleep() in tests. Async tests use `asyncio`; sync tests are instant.
- Every new module gets a test file. `squash/foo.py` → `tests/test_foo.py`.
- Parameterize over enums. Don't write 5 tests for 5 severity levels - use `@pytest.mark.parametrize`.

- `squash/__init__.py`: `__version__`
- `pyproject.toml`: `[project] version`
- Both must match. CI checks this.
- Major (X.0.0): Breaking API changes (extremely rare)
- Minor (X.Y.0): New features, new CLI commands
- Patch (X.Y.Z): Bug fixes, test additions, docs
Current: v3.4.0 (Sprint 27 C4 - `squash watch-regulatory`)
- All tests pass (`pytest -x`)
- Version bumped in `__init__.py` AND `pyproject.toml`
- CHANGELOG entry added
- PR reviewed and merged
- `git tag vX.Y.Z && git push --tags`
- `python -m build && twine upload dist/*`
- fly.io deploy triggered
These are the statistics used in launch copy, sales materials, and PR pitches. All sourced.
| Stat | Source | Used in |
|---|---|---|
| 20% have tested AI incident response plan | IBM Security 2024 | C1 freeze |
| SEC AI washing as #1 enforcement priority | SEC 2026 exam priorities | C2 |
| $47B AI liability insurance market by 2030 | Allied Market Research | C6 |
| 78% can't pass AI audit in 90 days | Gartner 2025 | C5 |
| 82% of ML teams use GitHub | GitHub State of the Octoverse | D1 |
| EU AI Act enforcement: Aug 2, 2026 | Official Journal of the EU | All |
| $67.4B hallucination liability exposure | Swiss Re 2025 | C7 |
Next review: May 14, 2026 - review Track A completion + Track B/C/D progress against the parallel grid; assess C7 ($67.4B headline) as L2 demo asset
Owner: Wesley Scholl, Konjo AI