Shipped◆Logged◆Merged◆Verified◆Blocked◆Released◆Shipped◆Logged◆Merged◆Verified◆Blocked◆Released◆
Sunday
Jun 212026
4 releases
New FeatureSHIP-33
Secure sign-in, developer tokens, and the identity layer that stays out of your way
Three things shipped this week that all share a thread: getting into autter should be fast, safe, and never the reason work stalls. CLI sign-in is now secure by default. Account setup lost its friction. And personal access tokens give developers a proper way to connect their tools without sharing credentials.
CLI sign-in and account setup
The old flow had too many steps and not enough guardrails. The new one uses secure authentication by default, cuts the setup path in half, and gets you into a working environment faster.
- Secure CLI sign-in
- No more plaintext credentials or manual config files.
- Streamlined account setup
- Fewer steps from signup to first scan.
- Personal access tokens
- Connect developer tools without sharing org-wide secrets.
AI authorship insights
autter now tracks how code was created. Every pull request shows whether a change was human-written, AI-assisted, or AI-generated. This is not a judgement. It is context. Reviewers see provenance. Leads see patterns. Nobody has to guess.
ImprovementSHIP-32
Sharper reviews, quieter noise, and analytics that actually tell you something
The review engine got better in the way that matters most: more accurate findings, clearer comments, and fewer false positives. When autter speaks up on a PR, it is because something real needs attention, not because a heuristic fired on a pattern it half-understood.
Code review
- More accurate findings
- Fewer false positives reaching reviewers.
- Clearer comments
- Suggested fixes are easier to understand and apply.
- Faster fix suggestions
- Less time between finding and resolution.
- Infra and config security checks
- Catches misconfigurations before they ship.
- Improved dependency reporting
- Vulnerability notifications with actionable detail.
Analytics
Pull request and repository activity metrics are now clearer and more complete. You can see what is actually happening across your codebase without building your own dashboards.
GitHub integration
- Reviewer assignment works correctly across team configurations.
- Error messaging tells you what went wrong and what to do about it.
- Code indexing is more reliable for large projects: no more silent failures on big repos.
New FeatureSHIP-31
Interactive demos and the faster front door
Two changes to how people first experience autter. Demo workspaces are now interactive. You can click through a real environment instead of watching a video. And the demo signup flow lost its rough edges, so the path from curiosity to hands-on is shorter.
- Interactive demo workspaces
- Explore a real environment without creating an account.
- Smoother demo signup
- Fewer steps, fewer dropoffs, faster time-to-value.
- Faster org creation
- New organizations spin up quicker and more reliably.
ImprovementSHIP-30
The quiet stuff that keeps everything running
Not everything that ships is visible from the outside. This week: progress notifications now include direct links to completed work, important account and billing actions are fully tracked, and deployment reliability improved across the board.
- Progress notifications with direct links
- Go straight to the result instead of searching for it.
- Complete audit trail
- Every important account and billing change is logged and traceable.
- Improved deployment reliability
- Fewer incidents, faster recovery.
Ship the gates, ship the guardrails, then get out of the way.
Sunday
Jun 142026
3 releases
New FeatureSHIP-29
The review that sees everything
The PR review engine went from “good coverage” to “nothing gets past it.” It now checks for things most teams only catch after something goes wrong: static security, secrets, dependency and license compliance, CI/CD misconfigurations, auth and permissions, database migrations, frontend health, code hygiene.
PR review: broader, sharper, quieter
- Dependency impact analysis
- Reviews understand what a dependency change actually touches downstream.
- Typosquatting detection
- Packages that look like popular libraries but aren't get flagged before they land.
- Cross-file consumer checks
- Changing an API? autter checks who's calling it before approving the change.
- False positive reduction
- Fewer findings that waste your time. The ones that remain are the ones that matter.
Infrastructure-as-code scanning
IaC scanning is live. Terraform plans, CloudFormation templates, and Kubernetes manifests are now checked for misconfigurations before they ship. Three engines run independently, so coverage gaps from any single scanner get caught by the others. If you have ever deployed a security group that was wider than you intended, this is for that.
A review engine earns trust by catching real problems and staying quiet about everything else.
ImprovementSHIP-28
Scan results that explain themselves
Scan results are no longer a list you have to interpret. They are a surface you can act from: every finding explains itself, and the ones that don't can be handed straight to autter for a fix.
- Finding detail modals
- Every finding opens into a full explanation, not a one-line summary.
- AI fix suggestions
- Ask autter for a recommended fix directly from any finding.
- Business logic invariant views
- The specific rule, the specific violation, and the specific evidence.
- Content-shaped loading states
- Scan results load progressively instead of appearing all at once.
New FeatureSHIP-27
The billing that runs itself
autter now has a full billing system with native subscription management. Teams can sign up, pick a plan, and start paying without a single manual step on our end.
- Plan tiers and subscriptions
- Pick a plan, upgrade or downgrade, and usage adjusts automatically.
- Hosted checkout
- Pay without leaving autter, with UPI and B2B invoicing included.
- Invoice generation and backfill
- Current and historical invoices available on demand.
- Usage visibility
- Your current usage is always visible in the sidebar and billing settings.
A billing system earns trust by disappearing entirely. Billing should be something you set up once and never think about unless you want to.
Sunday
Jun 72026
3 releases
New FeatureSHIP-26
The gate gets teeth
The merge gate shipped weeks ago. This week it became the kind of gate you actually trust: a full PR review engine and fifteen categories of automated checks. The previous version could block a merge. This one explains why it blocked it.
PR review engine
- Chapter generation
- PRs are broken into reviewable chapters, not treated as a single diff.
- Inline comments
- Review findings appear exactly where the code changed.
- Summary utilities
- Every PR gets a structured overview before a reviewer opens a file.
- Gate panels and overview UI
- Merge-blocking status is visible, not buried in a check run.
- Local and Fargate runners
- Review runs wherever your infrastructure already lives.
Fifteen review checks
Static security. CI/CD security. API contract validation. Dependency and license compliance. Typosquatting detection. Secret scanning. Infrastructure-as-code misconfiguration. Race condition analysis. Logging hygiene. Privacy surface detection. Rate limiting coverage. Architectural conformance. Policy engine evaluation. AI slop detection. Each check writes to its own findings surface, and policy violations get deterministic hashes so repeated findings are tracked, not duplicated.
A gate that checks fifteen things and tells you which one failed is not a gate. It is a review team that never takes a day off.
ImprovementSHIP-25
A review surface built for humans
All that machinery is only useful if the humans doing the reviewing can read it. The PR review UI got the treatment: scannable activity, a proper diff engine, and comments that feel like conversation.
PR review UI
- Monaco-based diff viewer
- Diffs render with the same engine your editor uses.
- Conversation timeline
- Comments, suggestions, and gate decisions in chronological order.
- Keyboard shortcuts
- Navigate reviews without reaching for a mouse.
- Activity feed styling
- Review events are scannable instead of a raw log.
Comments, mentions, and GIFs
Inline comments now support full Markdown. Mentions are wired in. The GIF picker is live. This is the kind of feature that makes review conversations feel like conversations instead of form submissions.
ImprovementSHIP-24
Richer webhooks and Slack routing
Webhook ingestion got sharper, and PR review and scan events now route to Slack with per-event webhook support. Teams configure which events fire, where they land, and whether a gate decision triggers a notification or stays silent.
- Delivery logging
- PR events are logged with enough detail to debug routing.
- Writeback detection
- autter's own comments no longer trigger recursive review processing.
- Gate-skip tracking
- See what bypassed enforcement and when.
- Automatic schema bootstrapping
- New repos need no manual setup before gates start working.
Sunday
May 312026
3 releases
New FeatureSHIP-23
The merge gate goes live
The merge gate is no longer a concept. This week autter shipped merge-blocking PR review gates, a full review pipeline with diff parsing and summary generation, and the webhook infrastructure to drive it all natively through GitHub.
PR review pipeline
- Diff parsing and summaries
- Every PR gets a structured breakdown before review agents run.
- Merge-blocking review gates
- Review output is evaluated before a pull request is allowed to merge.
- Durable PR tracking
- Revisions, metadata, and migration safeguards for org databases.
- GitHub-native webhooks
- PR, review, and comment events route through rebuilt handlers.
Secret scanning, rebuilt on TruffleHog
Detection runs across full git history, not just the current state. The previous version found secrets. This one tells you which ones are live, which ones rotated, and where in history they first appeared. Semgrep rule coverage also expanded across auth bypass, injection, cryptographic misuse, SSRF, XSS, and more.
A comment on a PR is advice. A blocked merge is enforcement. This week autter started enforcing.
New FeatureSHIP-22
Public reports you can hand to anyone
Scan results can now leave the building. Share a scan with a public link, export a branded PDF, and let the report guide readers toward next steps instead of ending with a findings list.
Scan sharing and reports
- Public share tokens
- Generate a link anyone can view without an autter account.
- Branded report pages
- Shared reports look like they came from your security team, not a raw tool.
- PDF export
- Structured sections with branded cover and closing pages.
Supply chain and dependency risk
- Deterministic risk scoring
- Severity and risk factors are reproducible, not model-dependent.
- Lockfile-aware resolution
- autter resolves what you actually installed, not what your manifest says.
- Exploit chain tracking
- Critical CVEs with no published fix get chain cards, detail views, and narratives.
New FeatureSHIP-21
The first knowledge graph
The first version of a knowledge graph that maps how your codebase actually connects. Graphify-backed indexing is live: graph tables, indexer orchestration, and deployment wiring all shipped, and repository dependency views now include connectivity data from the graph.
Also in this release
- The codebase-scan chat experience is now powered by AI SDK.
- Documentation generation uses task-specific model routing: each writer gets the model best suited to its job.
- Fullscreen viewing and copy support across architecture-map surfaces.
Saturday
May 232026
3 releases
New FeatureSHIP-20
The full scan surface
Everything we have been building the scan engine toward shipped this week. Secret scanning, SAST, container scanning, SBOM, supply chain analysis, API surface analysis, policy compliance, AI slop detection, database findings, code quality, and business logic analysis all landed with findings, enrichment, Captain Patch suggestions, and issue linkage.
Scan infrastructure
- Agent pipeline tables
- Every agent's output is tracked, counted, and attributed.
- Runtime preflight checks
- Agents verify the environment before executing, not midway through.
- strace runtime tracking
- Runtime behavior is observed and stored alongside static findings.
The scanners
- Secret scanning with live validation, allowlists, rotation mapping, and direct issue creation.
- CodeQL is live as a fourth scanning engine; SAST findings include enrichment and suggestions.
- Trivy container scanning, unified dependency audits, and richer license findings.
- AI slop detection: hallucinated imports, placeholder logic, and low-confidence outputs.
- Per-organization SBOM artifacts with CycloneDX support and file risk history through commits.
A merge gate is only as strong as what it checks. This week we finished building the checklist.
New FeatureSHIP-19
Issue sync: Linear, Jira, and GitHub
Findings are only useful if they end up where your team plans work. Issues now flow both ways between autter and your tracker, with logs, backfill, and persistent action items.
- Bidirectional sync
- Issues created in autter stay in sync with your issue tracker.
- External issue creation
- Push a finding to your tracker directly from autter.
- Sync logs
- Every sync event is recorded and auditable.
- Backfill support
- Historical findings can be synced, not just new ones.
New FeatureSHIP-18
Exploit enrichment and chain tracing
A CVE number tells you almost nothing. Findings are now enriched with exploit probability, standardized severity, external intelligence, and, where paths connect, full exploit chains.
- EPSS + CVSS scoring
- Exploit probability and standardized severity attached to each CVE.
- OSV and Exa enrichment
- Vulnerability databases and external intelligence feed into findings.
- Complexity scoring
- Findings are ranked by how hard they are to exploit.
- Exploit chain tracing
- Connected vulnerability paths are tracked as chains, not isolated findings.
Sunday
May 172026
2 releases
ImprovementSHIP-17
The docs engine, upgraded
The documentation engine got faster and more complete: the kind of upgrade that makes generated docs something you actually trust instead of something you politely ignore.
Documentation engine
- Manual generation trigger
- Teams can regenerate docs on demand, not just on scan.
- Job status tracking
- Generation progress is visible, not a black box.
- Type-safe modular internals
- A pipeline we can extend without breaking things.
Wiki and architecture
- Wiki search powered by proper full-text indexing, with better navigation, zoom, and typography.
- Architecture visualization inside generated documentation.
- File content surfaced directly in search results.
A wiki you trust beats documentation you maintain. This week we made it trustworthy.
New FeatureSHIP-16
The first auditor agent
autter shipped its first domain-specific agent: a Payment Gateway Auditor that targets the risk surface specific to payment flows. Under the hood, agent execution got meaningfully faster and smarter about context.
Agent execution improvements
- Batch inserts + parallelism
- Findings write in bulk and agents run concurrently without contention.
- Team context
- Agents know which team owns a scope before they score it.
- Calibrated risk scoring
- Scoring is tuned against actual severity signals.
Also in this release
- Custom teams and member assignment, managed directly from settings.
- A dedicated repository issues tab.
Sunday
May 102026
2 releases
New FeatureSHIP-15
Custom agents and guided config
Custom agents are no longer a flat list. They have categories, trigger configuration, and richer API support. Configuring one is now a step-by-step flow with streaming updates and visible progress, and teams can take a prebuilt agent, adjust its schema and behavior, and edit it through the same UI.
New FeatureSHIP-14
The documentation generation pipeline
autter shipped its first documentation generation pipeline, turning indexed codebase knowledge into something readable. Wiki routes, documentation query APIs, markdown rendering, sidebar navigation, and full-text searchable generated docs are all in.
- Codebase graph construction
- autter maps the structure of your repo before generating any docs.
- Dependency edge tracking
- Relationships between modules are first-class inputs to generation.
- Module clustering
- Related code is grouped before documentation is written.
- Risk flag integration
- High-risk areas surface in the docs, not just in findings.
The agents know your codebase. The docs make it legible. This week connected both.
Monday
May 42026
2 releases
New FeatureSHIP-13
CVE watch: scheduled monitoring
We started watching for vulnerabilities on a schedule instead of waiting for someone to ask. Recurring background checks run against your dependencies, and what they find is data, not log lines.
- Recurring background checks
- Your dependencies are checked on a schedule, not on request.
- Concurrency controls
- Multiple repos can be scanned without stepping on each other.
- Graceful shutdown handling
- Long-running checks no longer leave findings half-written.
- First-class findings schema
- Vulnerabilities and upgrade suggestions are data, not log lines.
ImprovementSHIP-12
Repository overview and smarter search
The repository workspace got a real face this week. Health views matured, and search got smarter in ways you can feel.
- The repository page rebuilt around dedicated tabs: activity, dependencies, API data, health, onboarding.
- Org-wide search with suggestions, page-visit awareness, and an animated header trigger with rotating prompts.
- Deeper dependency intelligence with automatic registry and version enrichment.
- AI response caching, Vercel AI Gateway migration, and loading skeletons across the repo experience.
Monday
Apr 272026
3 releases
New FeatureSHIP-11
The repository wiki
Searchable repository discovery, structured documentation pages, table-of-contents navigation, breadcrumbs, keyboard shortcuts, and an AI-assisted “ask” flow for exploring codebase knowledge directly.
Also in this release
- Richer treatment for third-party packages: classification, docs resolution, usage insights.
- Endpoint indexing across multiple frameworks, connected to test coverage.
ImprovementSHIP-10
Pull request review, rebuilt
The PR review experience got rebuilt from the ground up: dedicated tabs for AI review, checks, and commits. Inline comments. File tree navigation. Unified and split diff viewing.
Also in this release
- Configurable event-based notifications, weekly digests, and Slack/webhook test flows.
- Shipped agentic-sales, a small open-source AI sales toolkit, as a side project.
New FeatureSHIP-09
The graph: architectural insights
A substantial expansion of the indexing engine. This is the week autter started reasoning about your codebase the way a senior engineer does: end-to-end indexing across scope detection, file hotspots, dependency resolution, and scope health metrics.
- Reverse dependency analysis
- autter knows what depends on what, in both directions.
- Call graph analysis
- Function-level relationships are tracked across the codebase.
- Scope dependency graphs
- Coupling and layering between scopes are visible, not implied.
- AI-augmented health and risk
- Structural issues, hotspots, and tech-debt signals surface per scope.
A scanner finds problems. A graph explains them. This week was about the graph.
Monday
Apr 202026
2 releases
ImprovementSHIP-08
The indexing pipeline levels up
Not every week produces a headline feature. This one produced the thing that makes headline features work reliably: a significantly smarter indexer.
- Repository context detection
- autter identifies what kind of codebase it is looking at before scanning.
- Scope profiling
- The indexer understands which parts of the repo relate to which others.
- Full dependency resolution
- The whole graph gets traced, not just top-level packages.
- Scope health metrics
- A health signal per scope, not just per file.
The indexer is what makes autter's findings trustworthy instead of just plentiful. This week it got meaningfully better.
ImprovementSHIP-07
Onboarding and a lot of plumbing
The first-run experience for new organizations is more guided now, and infrastructure that was held together with assumptions is now held together with actual logic.
- Guided onboarding: autter asks about your setup upfront and walks you through the first scan.
- Webhook testing directly from organization settings.
- More resilient database provisioning with better retry logic.
- Stronger backend logging, health check visibility, and AI pipeline instrumentation.
Thursday
Apr 162026
1 release
ImprovementSHIP-06
Onboarding that gets out of the way
Getting set up with autter should not feel like configuring a server. This week we focused on making the first few minutes feel less like work.
What changed
- Guided organization setup: each step comes with actual context, not just a progress bar and a prayer.
- Cleaner motion and transitions across the dashboard and login experience.
- Meaningful hardening for secrets management, host configuration, and deployment setup.
- Dynamic database migrations: provisioning handles schema changes gracefully during setup.
- Better observability: improved route logging, health checks, and Slack integration.
Why it matters
First impressions compound. If setup is confusing, people assume the product is confusing. The goal is for setup to feel so unremarkable that you forget it happened. We are getting there.
Sunday
Apr 122026
1 release
New FeatureSHIP-05
Self-service scan initiation
The codebase scan is now something you can start yourself.
What you can do now
- Start a scan from the dashboard or onboarding flow. No manual handoff required.
- Get notified when it is done, via email and Slack.
- See full dependency coverage: every package tracked, cross-referenced, and auditable over time.
- Branch-aware scanning: scans run against the right branch, not whatever was last pushed.
What gets scanned
- Security vulnerabilities
- Known CVEs, exposed secrets, injection patterns.
- Dependencies
- Every package, version, and license in your repo.
- AI-generated code quality
- Hallucinated imports, placeholder logic, low-signal patterns.
- Blast radius
- Which parts of the codebase a change touches and how far it reaches.
Seven out of ten users in our concierge cohort said they would pay for this. That is why we shipped it.
ImprovementSHIP-04
Streaming progress and auto-open setup
Small week. Useful change.
- Streaming progress during setup: watch organization creation happen step by step instead of waiting on a static loading state and hoping it finishes.
- The organization creation dialog now opens from the right place in the dashboard flow automatically.
Not every changelog is dramatic. Sometimes you just fix the thing that was quietly annoying everyone.
Sunday
Mar 292026
2 releases
New FeatureSHIP-03
The multi-agent scan engine
This is where the engine got built. We shipped the multi-agent scanning foundation: a set of specialized agents that each look at a different risk surface in your codebase. Each agent has one job. They run independently and their findings roll up into a single, prioritized report.
What the scan engine covers
- Security vulnerabilities in your code and dependencies.
- Open source licenses across every package you are using.
- Supply chain risk from third-party dependencies.
- Configuration problems in infrastructure definitions.
- Container security across your Docker setup.
- Policy compliance against your org's own rules.
- Business logic issues that static analysis typically misses.
- Runtime behavior signals that show how code behaves under real conditions.
A comment on a PR is advice. A blocked merge is enforcement. Everything we built this week is in service of the second one.
New FeatureSHIP-02
GitHub PR automation and the first dashboard
autter can now comment on pull requests, post check runs, and flag issues directly in GitHub without you leaving your workflow, and the first version of the analytics dashboard is live alongside it.
- GitHub PR automation: comments, check runs, and flagged issues without leaving your workflow.
- The first analytics dashboard, with date-range filters and multiple tabs.
- Expanded codebase intelligence: hotspot detection, dependency mapping, legacy code signals.
Sunday
Mar 222026
1 release
New FeatureSHIP-01
Week one: we built the product
Week one. We built the product. Not a prototype. Not a proof of concept. The actual product, with the foundations required to sign up a real user, connect a real repository, and enforce a real merge gate.
What shipped
- Authentication
- Email login with one-time codes and passkeys. Trusted devices. Welcome flows.
- Organization management
- Teams, billing, source control, review preferences, custom agents, AI config.
- GitHub integration
- App installation, pull request views, and the first repository insights.
- Codebase intelligence
- Architecture graphs, hotspot metrics, and learning signals over time.
- Dashboard and navigation
- Loaders, toasts, responsive layouts, sidebars, search, and the branding system.
Captain Patch is officially on duty.
The log continues.
New entries land most weeks. Come back Saturday, or better, put Autter on a pull request and watch the gate work.
Hire Autter