Engineering tickets, in public.

Customer can upgrade from Pro to Business in /enterprise/console without contacting sales.

Buyer review surfaced friction. Business plan currently requires email back and forth. Self-serve unlocks roughly $6K to $12K MRR per month at current funnel rate.

• Stripe Checkout flow for $999/mo Business plan reachable from the enterprise console.
• Webhook updates plan tier in tenant_record.
• Gated /v1/* endpoints respect the new tier within 60 seconds of webhook receipt.
• Receipt sent via Resend.
• Onboarding checklist surfaced post-upgrade.

Capture enterprise leads with a structured intake that auto-creates a deal in CRM.

Currently the /enterprise CTA routes to mailto:. Loses about 40 percent of intent signal because the lead does not know what to write.

• Form with 6 fields (company, role, employees, vertical, intended use, target start date).
• POSTs to /v1/lead/enterprise.
• Persists to enterprise_leads table.
• Emails sales@kolm.ai with structured payload.
• Thank-you page with Calendly embed.

Move /health-insurance from "vertical microsite" to "decision-stage landing" with case-study slot, ROI calculator validation, and BAA fast-track CTA.

Page exists but reads as informational. External review wants conversion: scheduled demo above 5 percent, BAA started above 2 percent.

• Hero CTA changed from "Get API key" to "Start BAA fast-track" routing to /enterprise#baa.
• ROI calculator persists inputs in URL hash for share-back.
• One placeholder case-study card with "be the first" affordance.
• Three outbound links to /healthcare/assessment, /baa, /cookbook/soap-redactor.
• Testimonial slot for design partner; meta description updated.

Each of the six health-insurance template cards on /health-insurance gets its own /cookbook/health-insurance/<slug> page with exact prompt, eval-set excerpt, K-score result, and a "fork this" affordance.

Today the cards are blurbs. A buyer reviewing claims adjudication needs to see the actual prompt and spec to validate fit.

• Six new pages: claims-adjudication, prior-auth-review, fraud-detector, member-support-triage, risk-adjustment-coder, provider-credentialing.
• Each around 150 to 200 lines.
• Each linked from its /health-insurance card and from the /cookbook index.
• Each carries a kolm pull insurance/<slug> CLI snippet.

Public URL renders any receipt by hash with full chain verification, no auth required.

External review noted that receipts are claimed but no one outside the tenant can see one. A public receipt URL is social proof plus an audit trail external observers can verify.

• GET /r/:hash returns rendered HTML showing receipt fields, HMAC chain status (valid or broken), ring depth, signed-at timestamp, source artifact hash.
• Tenant identity redacted by default unless the customer opts public.
• OG card auto-generated for share previews.

Composite action kolm-ai/verify-action@v1 that on PR runs kolm inspect on every changed .kolm and posts a K-score diff as a check.

Customer feedback: "I want CI to fail if a teammate degrades a model." Automated K-score gate makes the artifact in the repo trustworthy.

• Composite action at github.com/kolm-ai/verify-action.
• Reads .kolm changes from the PR; runs kolm inspect.
• Posts K-score table as a PR comment.
• Sets check status (pass if all artifacts at or above the configured floor).
• README with quickstart YAML.

Clarify that customer opt-in subprocessors (Anthropic, OpenAI, Google) flow down per tenant via the customer's contracted BAA with that vendor, not via kolm.

A privacy officer DD round identified ambiguity in current Schedule 1 row 5 (Subprocessor flow-down).

• Schedule 1 row 5 expanded with three sentences.
• New clarifying note at the end of Schedule 1 with an example flow: "Acme uses kolm + Anthropic. Acme has BAA with Anthropic directly. kolm passes Acme's PHI through redactor before relay."
• /baa version bumped to 1.1 in the changelog footer.

Run a pre-built .kolm artifact in-browser via WebAssembly with no install.

Founder feedback called the install-CLI step a friction wall for evaluators. A web playground is zero-friction first kolm output in 30 seconds.

• WASM build of the inference path under 4 MB.
• Loads phi-redactor.kolm from /registry-pack.
• User pastes input, sees output plus K-score plus receipt hash.
• "Copy as curl" button shows the equivalent CLI invocation.
• Works in Chrome, Safari, Firefox, Edge latest.

HMAC key for /v1/account/compliance-package signatures rotates quarterly with verification preservation.

SOC 2 Type II observation window starts Q4 2026. Key rotation evidence is required for the cryptographic-control criterion.

• KOLM_COMPLIANCE_HMAC_V2 env var added.
• Key version embedded in JWS header (kid field).
• Previous key kept active for 90 days post-rotation.
• Compliance package fetcher accepts both keys during rollover.
• Rotation runbook documented; quarterly cron suggested but not auto-rotated.

Internal-only dashboard showing K-score distribution, compile latency p50/p95/p99, audit-log volume, top-10 tenants by usage, error rate by endpoint.

We read these via ad hoc PostgreSQL queries today. A self-serve view means faster ops decisions.

• New page gated on admin-key sessionStorage (same pattern as /admin).
• Reads from a new /v1/admin/metrics endpoint.
• Six widgets above the fold.
• Auto-refresh every 30 seconds; dark only (no light mode).
• CSV export per widget.

VS Code extension that on open of any .kolm file shows manifest, K-score, and receipt status in a side panel.

About 60 percent of design partners are in VS Code or Cursor. Inline preview is a stickier integration than the CLI.

• Extension published to the VS Code marketplace under @kolm-ai/kolm-vscode.
• Opens a .kolm and parses the ZIP locally (no upload).
• Shows K-score breakdown, recipe list, receipt chain.
• "Verify" button runs offline.
• Cookbook templates accessible via the command palette.

Engage a HITRUST-authorized External Assessor to scope the r2 assessment and identify SOC 2 Type II inheritance.

Healthcare buyers ask for HITRUST as a tier-2 signal. Scoping in Q1 2027 keeps the Q2 2027 attestation target on track.

• Assessor selected (target: HITRUST-listed firm, fixed-fee under $80K).
• Scoping kickoff scheduled.
• Inheritance map drafted: which SOC 2 Type II controls satisfy which HITRUST requirements.
• Revised /security#in-progress copy with concrete dates.