Everything we ship,the day we ship it.

No release theater, no quarterly roundups. This is the running record of what left the shop and landed in production, grouped by the day it happened.

33
releases logged
15
shipping days
14
weeks and counting

Sunday

Jun 212026

4 releases

New Feature

Secure sign-in, developer tokens, and the identity layer that stays out of your way

Three things shipped this week that all share a thread: getting into autter should be fast, safe, and never the reason work stalls. CLI sign-in is now secure by default. Account setup lost its friction. And personal access tokens give developers a proper way to connect their tools without sharing credentials.

CLI sign-in and account setup

The old flow had too many steps and not enough guardrails. The new one uses secure authentication by default, cuts the setup path in half, and gets you into a working environment faster.

Secure CLI sign-in
No more plaintext credentials or manual config files.
Streamlined account setup
Fewer steps from signup to first scan.
Personal access tokens
Connect developer tools without sharing org-wide secrets.

AI authorship insights

autter now tracks how code was created. Every pull request shows whether a change was human-written, AI-assisted, or AI-generated. This is not a judgement. It is context. Reviewers see provenance. Leads see patterns. Nobody has to guess.

Improvement

Sharper reviews, quieter noise, and analytics that actually tell you something

The review engine got better in the way that matters most: more accurate findings, clearer comments, and fewer false positives. When autter speaks up on a PR, it is because something real needs attention, not because a heuristic fired on a pattern it half-understood.

Code review

More accurate findings
Fewer false positives reaching reviewers.
Clearer comments
Suggested fixes are easier to understand and apply.
Faster fix suggestions
Less time between finding and resolution.
Infra and config security checks
Catches misconfigurations before they ship.
Improved dependency reporting
Vulnerability notifications with actionable detail.

Analytics

Pull request and repository activity metrics are now clearer and more complete. You can see what is actually happening across your codebase without building your own dashboards.

GitHub integration

  • Reviewer assignment works correctly across team configurations.
  • Error messaging tells you what went wrong and what to do about it.
  • Code indexing is more reliable for large projects: no more silent failures on big repos.
New Feature

Interactive demos and the faster front door

Two changes to how people first experience autter. Demo workspaces are now interactive. You can click through a real environment instead of watching a video. And the demo signup flow lost its rough edges, so the path from curiosity to hands-on is shorter.

Interactive demo workspaces
Explore a real environment without creating an account.
Smoother demo signup
Fewer steps, fewer dropoffs, faster time-to-value.
Faster org creation
New organizations spin up quicker and more reliably.
Improvement

The quiet stuff that keeps everything running

Not everything that ships is visible from the outside. This week: progress notifications now include direct links to completed work, important account and billing actions are fully tracked, and deployment reliability improved across the board.

Progress notifications with direct links
Go straight to the result instead of searching for it.
Complete audit trail
Every important account and billing change is logged and traceable.
Improved deployment reliability
Fewer incidents, faster recovery.

Ship the gates, ship the guardrails, then get out of the way.

Sunday

Jun 142026

3 releases

New Feature

The review that sees everything

The PR review engine went from “good coverage” to “nothing gets past it.” It now checks for things most teams only catch after something goes wrong: static security, secrets, dependency and license compliance, CI/CD misconfigurations, auth and permissions, database migrations, frontend health, code hygiene.

PR review: broader, sharper, quieter

Dependency impact analysis
Reviews understand what a dependency change actually touches downstream.
Typosquatting detection
Packages that look like popular libraries but aren't get flagged before they land.
Cross-file consumer checks
Changing an API? autter checks who's calling it before approving the change.
False positive reduction
Fewer findings that waste your time. The ones that remain are the ones that matter.

Infrastructure-as-code scanning

IaC scanning is live. Terraform plans, CloudFormation templates, and Kubernetes manifests are now checked for misconfigurations before they ship. Three engines run independently, so coverage gaps from any single scanner get caught by the others. If you have ever deployed a security group that was wider than you intended, this is for that.

A review engine earns trust by catching real problems and staying quiet about everything else.

Improvement

Scan results that explain themselves

Scan results are no longer a list you have to interpret. They are a surface you can act from: every finding explains itself, and the ones that don't can be handed straight to autter for a fix.

Finding detail modals
Every finding opens into a full explanation, not a one-line summary.
AI fix suggestions
Ask autter for a recommended fix directly from any finding.
Business logic invariant views
The specific rule, the specific violation, and the specific evidence.
Content-shaped loading states
Scan results load progressively instead of appearing all at once.
New Feature

The billing that runs itself

autter now has a full billing system with native subscription management. Teams can sign up, pick a plan, and start paying without a single manual step on our end.

Plan tiers and subscriptions
Pick a plan, upgrade or downgrade, and usage adjusts automatically.
Hosted checkout
Pay without leaving autter, with UPI and B2B invoicing included.
Invoice generation and backfill
Current and historical invoices available on demand.
Usage visibility
Your current usage is always visible in the sidebar and billing settings.

A billing system earns trust by disappearing entirely. Billing should be something you set up once and never think about unless you want to.

Sunday

Jun 72026

3 releases

New Feature

The gate gets teeth

The merge gate shipped weeks ago. This week it became the kind of gate you actually trust: a full PR review engine and fifteen categories of automated checks. The previous version could block a merge. This one explains why it blocked it.

PR review engine

Chapter generation
PRs are broken into reviewable chapters, not treated as a single diff.
Inline comments
Review findings appear exactly where the code changed.
Summary utilities
Every PR gets a structured overview before a reviewer opens a file.
Gate panels and overview UI
Merge-blocking status is visible, not buried in a check run.
Local and Fargate runners
Review runs wherever your infrastructure already lives.

Fifteen review checks

Static security. CI/CD security. API contract validation. Dependency and license compliance. Typosquatting detection. Secret scanning. Infrastructure-as-code misconfiguration. Race condition analysis. Logging hygiene. Privacy surface detection. Rate limiting coverage. Architectural conformance. Policy engine evaluation. AI slop detection. Each check writes to its own findings surface, and policy violations get deterministic hashes so repeated findings are tracked, not duplicated.

A gate that checks fifteen things and tells you which one failed is not a gate. It is a review team that never takes a day off.

Improvement

A review surface built for humans

All that machinery is only useful if the humans doing the reviewing can read it. The PR review UI got the treatment: scannable activity, a proper diff engine, and comments that feel like conversation.

PR review UI

Monaco-based diff viewer
Diffs render with the same engine your editor uses.
Conversation timeline
Comments, suggestions, and gate decisions in chronological order.
Keyboard shortcuts
Navigate reviews without reaching for a mouse.
Activity feed styling
Review events are scannable instead of a raw log.

Comments, mentions, and GIFs

Inline comments now support full Markdown. Mentions are wired in. The GIF picker is live. This is the kind of feature that makes review conversations feel like conversations instead of form submissions.

Improvement

Richer webhooks and Slack routing

Webhook ingestion got sharper, and PR review and scan events now route to Slack with per-event webhook support. Teams configure which events fire, where they land, and whether a gate decision triggers a notification or stays silent.

Delivery logging
PR events are logged with enough detail to debug routing.
Writeback detection
autter's own comments no longer trigger recursive review processing.
Gate-skip tracking
See what bypassed enforcement and when.
Automatic schema bootstrapping
New repos need no manual setup before gates start working.

Sunday

May 312026

3 releases

New Feature

The merge gate goes live

The merge gate is no longer a concept. This week autter shipped merge-blocking PR review gates, a full review pipeline with diff parsing and summary generation, and the webhook infrastructure to drive it all natively through GitHub.

PR review pipeline

Diff parsing and summaries
Every PR gets a structured breakdown before review agents run.
Merge-blocking review gates
Review output is evaluated before a pull request is allowed to merge.
Durable PR tracking
Revisions, metadata, and migration safeguards for org databases.
GitHub-native webhooks
PR, review, and comment events route through rebuilt handlers.

Secret scanning, rebuilt on TruffleHog

Detection runs across full git history, not just the current state. The previous version found secrets. This one tells you which ones are live, which ones rotated, and where in history they first appeared. Semgrep rule coverage also expanded across auth bypass, injection, cryptographic misuse, SSRF, XSS, and more.

A comment on a PR is advice. A blocked merge is enforcement. This week autter started enforcing.

New Feature

Public reports you can hand to anyone

Scan results can now leave the building. Share a scan with a public link, export a branded PDF, and let the report guide readers toward next steps instead of ending with a findings list.

Scan sharing and reports

Public share tokens
Generate a link anyone can view without an autter account.
Branded report pages
Shared reports look like they came from your security team, not a raw tool.
PDF export
Structured sections with branded cover and closing pages.

Supply chain and dependency risk

Deterministic risk scoring
Severity and risk factors are reproducible, not model-dependent.
Lockfile-aware resolution
autter resolves what you actually installed, not what your manifest says.
Exploit chain tracking
Critical CVEs with no published fix get chain cards, detail views, and narratives.
New Feature

The first knowledge graph

The first version of a knowledge graph that maps how your codebase actually connects. Graphify-backed indexing is live: graph tables, indexer orchestration, and deployment wiring all shipped, and repository dependency views now include connectivity data from the graph.

Also in this release

  • The codebase-scan chat experience is now powered by AI SDK.
  • Documentation generation uses task-specific model routing: each writer gets the model best suited to its job.
  • Fullscreen viewing and copy support across architecture-map surfaces.

Saturday

May 232026

3 releases

New Feature

The full scan surface

Everything we have been building the scan engine toward shipped this week. Secret scanning, SAST, container scanning, SBOM, supply chain analysis, API surface analysis, policy compliance, AI slop detection, database findings, code quality, and business logic analysis all landed with findings, enrichment, Captain Patch suggestions, and issue linkage.

Scan infrastructure

Agent pipeline tables
Every agent's output is tracked, counted, and attributed.
Runtime preflight checks
Agents verify the environment before executing, not midway through.
strace runtime tracking
Runtime behavior is observed and stored alongside static findings.

The scanners

  • Secret scanning with live validation, allowlists, rotation mapping, and direct issue creation.
  • CodeQL is live as a fourth scanning engine; SAST findings include enrichment and suggestions.
  • Trivy container scanning, unified dependency audits, and richer license findings.
  • AI slop detection: hallucinated imports, placeholder logic, and low-confidence outputs.
  • Per-organization SBOM artifacts with CycloneDX support and file risk history through commits.

A merge gate is only as strong as what it checks. This week we finished building the checklist.

New Feature

Issue sync: Linear, Jira, and GitHub

Findings are only useful if they end up where your team plans work. Issues now flow both ways between autter and your tracker, with logs, backfill, and persistent action items.

Bidirectional sync
Issues created in autter stay in sync with your issue tracker.
External issue creation
Push a finding to your tracker directly from autter.
Sync logs
Every sync event is recorded and auditable.
Backfill support
Historical findings can be synced, not just new ones.
New Feature

Exploit enrichment and chain tracing

A CVE number tells you almost nothing. Findings are now enriched with exploit probability, standardized severity, external intelligence, and, where paths connect, full exploit chains.

EPSS + CVSS scoring
Exploit probability and standardized severity attached to each CVE.
OSV and Exa enrichment
Vulnerability databases and external intelligence feed into findings.
Complexity scoring
Findings are ranked by how hard they are to exploit.
Exploit chain tracing
Connected vulnerability paths are tracked as chains, not isolated findings.

Sunday

May 172026

2 releases

Improvement

The docs engine, upgraded

The documentation engine got faster and more complete: the kind of upgrade that makes generated docs something you actually trust instead of something you politely ignore.

Documentation engine

Manual generation trigger
Teams can regenerate docs on demand, not just on scan.
Job status tracking
Generation progress is visible, not a black box.
Type-safe modular internals
A pipeline we can extend without breaking things.

Wiki and architecture

  • Wiki search powered by proper full-text indexing, with better navigation, zoom, and typography.
  • Architecture visualization inside generated documentation.
  • File content surfaced directly in search results.

A wiki you trust beats documentation you maintain. This week we made it trustworthy.

New Feature

The first auditor agent

autter shipped its first domain-specific agent: a Payment Gateway Auditor that targets the risk surface specific to payment flows. Under the hood, agent execution got meaningfully faster and smarter about context.

Agent execution improvements

Batch inserts + parallelism
Findings write in bulk and agents run concurrently without contention.
Team context
Agents know which team owns a scope before they score it.
Calibrated risk scoring
Scoring is tuned against actual severity signals.

Also in this release

  • Custom teams and member assignment, managed directly from settings.
  • A dedicated repository issues tab.

Sunday

May 102026

2 releases

New Feature

Custom agents and guided config

Custom agents are no longer a flat list. They have categories, trigger configuration, and richer API support. Configuring one is now a step-by-step flow with streaming updates and visible progress, and teams can take a prebuilt agent, adjust its schema and behavior, and edit it through the same UI.

New Feature

The documentation generation pipeline

autter shipped its first documentation generation pipeline, turning indexed codebase knowledge into something readable. Wiki routes, documentation query APIs, markdown rendering, sidebar navigation, and full-text searchable generated docs are all in.

Codebase graph construction
autter maps the structure of your repo before generating any docs.
Dependency edge tracking
Relationships between modules are first-class inputs to generation.
Module clustering
Related code is grouped before documentation is written.
Risk flag integration
High-risk areas surface in the docs, not just in findings.

The agents know your codebase. The docs make it legible. This week connected both.

Monday

May 42026

2 releases

Improvement

Repository overview and smarter search

The repository workspace got a real face this week. Health views matured, and search got smarter in ways you can feel.

  • The repository page rebuilt around dedicated tabs: activity, dependencies, API data, health, onboarding.
  • Org-wide search with suggestions, page-visit awareness, and an animated header trigger with rotating prompts.
  • Deeper dependency intelligence with automatic registry and version enrichment.
  • AI response caching, Vercel AI Gateway migration, and loading skeletons across the repo experience.

Monday

Apr 272026

3 releases

New Feature

The repository wiki

Searchable repository discovery, structured documentation pages, table-of-contents navigation, breadcrumbs, keyboard shortcuts, and an AI-assisted “ask” flow for exploring codebase knowledge directly.

Also in this release

  • Richer treatment for third-party packages: classification, docs resolution, usage insights.
  • Endpoint indexing across multiple frameworks, connected to test coverage.
Improvement

Pull request review, rebuilt

The PR review experience got rebuilt from the ground up: dedicated tabs for AI review, checks, and commits. Inline comments. File tree navigation. Unified and split diff viewing.

Also in this release

  • Configurable event-based notifications, weekly digests, and Slack/webhook test flows.
  • Shipped agentic-sales, a small open-source AI sales toolkit, as a side project.
New Feature

The graph: architectural insights

A substantial expansion of the indexing engine. This is the week autter started reasoning about your codebase the way a senior engineer does: end-to-end indexing across scope detection, file hotspots, dependency resolution, and scope health metrics.

Reverse dependency analysis
autter knows what depends on what, in both directions.
Call graph analysis
Function-level relationships are tracked across the codebase.
Scope dependency graphs
Coupling and layering between scopes are visible, not implied.
AI-augmented health and risk
Structural issues, hotspots, and tech-debt signals surface per scope.

A scanner finds problems. A graph explains them. This week was about the graph.

Monday

Apr 202026

2 releases

Improvement

The indexing pipeline levels up

Not every week produces a headline feature. This one produced the thing that makes headline features work reliably: a significantly smarter indexer.

Repository context detection
autter identifies what kind of codebase it is looking at before scanning.
Scope profiling
The indexer understands which parts of the repo relate to which others.
Full dependency resolution
The whole graph gets traced, not just top-level packages.
Scope health metrics
A health signal per scope, not just per file.

The indexer is what makes autter's findings trustworthy instead of just plentiful. This week it got meaningfully better.

Improvement

Onboarding and a lot of plumbing

The first-run experience for new organizations is more guided now, and infrastructure that was held together with assumptions is now held together with actual logic.

  • Guided onboarding: autter asks about your setup upfront and walks you through the first scan.
  • Webhook testing directly from organization settings.
  • More resilient database provisioning with better retry logic.
  • Stronger backend logging, health check visibility, and AI pipeline instrumentation.

Thursday

Apr 162026

1 release

Improvement

Onboarding that gets out of the way

Getting set up with autter should not feel like configuring a server. This week we focused on making the first few minutes feel less like work.

What changed

  • Guided organization setup: each step comes with actual context, not just a progress bar and a prayer.
  • Cleaner motion and transitions across the dashboard and login experience.
  • Meaningful hardening for secrets management, host configuration, and deployment setup.
  • Dynamic database migrations: provisioning handles schema changes gracefully during setup.
  • Better observability: improved route logging, health checks, and Slack integration.

Why it matters

First impressions compound. If setup is confusing, people assume the product is confusing. The goal is for setup to feel so unremarkable that you forget it happened. We are getting there.

Sunday

Apr 122026

1 release

New Feature

Self-service scan initiation

The codebase scan is now something you can start yourself.

What you can do now

  • Start a scan from the dashboard or onboarding flow. No manual handoff required.
  • Get notified when it is done, via email and Slack.
  • See full dependency coverage: every package tracked, cross-referenced, and auditable over time.
  • Branch-aware scanning: scans run against the right branch, not whatever was last pushed.

What gets scanned

Security vulnerabilities
Known CVEs, exposed secrets, injection patterns.
Dependencies
Every package, version, and license in your repo.
AI-generated code quality
Hallucinated imports, placeholder logic, low-signal patterns.
Blast radius
Which parts of the codebase a change touches and how far it reaches.

Seven out of ten users in our concierge cohort said they would pay for this. That is why we shipped it.

Sunday

Apr 52026

1 release

Improvement

Streaming progress and auto-open setup

Small week. Useful change.

  • Streaming progress during setup: watch organization creation happen step by step instead of waiting on a static loading state and hoping it finishes.
  • The organization creation dialog now opens from the right place in the dashboard flow automatically.

Not every changelog is dramatic. Sometimes you just fix the thing that was quietly annoying everyone.

Sunday

Mar 292026

2 releases

New Feature

The multi-agent scan engine

This is where the engine got built. We shipped the multi-agent scanning foundation: a set of specialized agents that each look at a different risk surface in your codebase. Each agent has one job. They run independently and their findings roll up into a single, prioritized report.

What the scan engine covers

  • Security vulnerabilities in your code and dependencies.
  • Open source licenses across every package you are using.
  • Supply chain risk from third-party dependencies.
  • Configuration problems in infrastructure definitions.
  • Container security across your Docker setup.
  • Policy compliance against your org's own rules.
  • Business logic issues that static analysis typically misses.
  • Runtime behavior signals that show how code behaves under real conditions.

A comment on a PR is advice. A blocked merge is enforcement. Everything we built this week is in service of the second one.

New Feature

GitHub PR automation and the first dashboard

autter can now comment on pull requests, post check runs, and flag issues directly in GitHub without you leaving your workflow, and the first version of the analytics dashboard is live alongside it.

  • GitHub PR automation: comments, check runs, and flagged issues without leaving your workflow.
  • The first analytics dashboard, with date-range filters and multiple tabs.
  • Expanded codebase intelligence: hotspot detection, dependency mapping, legacy code signals.

Sunday

Mar 222026

1 release

New Feature

Week one: we built the product

Week one. We built the product. Not a prototype. Not a proof of concept. The actual product, with the foundations required to sign up a real user, connect a real repository, and enforce a real merge gate.

What shipped

Authentication
Email login with one-time codes and passkeys. Trusted devices. Welcome flows.
Organization management
Teams, billing, source control, review preferences, custom agents, AI config.
GitHub integration
App installation, pull request views, and the first repository insights.
Codebase intelligence
Architecture graphs, hotspot metrics, and learning signals over time.
Dashboard and navigation
Loaders, toasts, responsive layouts, sidebars, search, and the branding system.

Captain Patch is officially on duty.

The log continues.

New entries land most weeks. Come back Saturday, or better, put Autter on a pull request and watch the gate work.

Hire Autter
Page view mode