Autter

Changelog

Everything we ship — new features, improvements, and fixes.

New Feature

Secure Sign-In, Developer Tokens, and the Identity Layer That Stays Out of Your Way

Jun 21, 2026

Three things shipped this week that all share a thread: getting into autter should be fast, safe, and never the reason work stalls. CLI sign-in is now secure by default. Account setup lost its friction. And personal access tokens give developers a proper way to connect their tools without sharing credentials or asking permission.

CLI Sign-In and Account Setup

The old flow had too many steps and not enough guardrails. The new one uses secure authentication by default, cuts the setup path in half, and gets you into a working environment faster.

What ChangedWhat It Means
Secure CLI sign-inNo more plaintext credentials or manual config files
Streamlined account setupFewer steps from signup to first scan
Personal access tokensConnect developer tools without sharing org-wide secrets

AI Authorship Insights

autter now tracks how code was created. Every pull request shows whether a change was human-written, AI-assisted, or AI-generated. This is not a judgement — it is context. Reviewers see provenance. Leads see patterns. Nobody has to guess.

Improvement

Sharper Reviews, Quieter Noise, and Analytics That Actually Tell You Something

Jun 21, 2026

The review engine got better in the way that matters most: more accurate findings, clearer comments, and fewer false positives. When autter speaks up on a PR, it is because something real needs attention — not because a heuristic fired on a pattern it half-understood.

Code Review

What ChangedWhat It Means
More accurate findingsFewer false positives reaching reviewers
Clearer commentsSuggested fixes are easier to understand and apply
Faster fix suggestionsLess time between finding and resolution
Infrastructure and config security checksCatches misconfigurations before they ship
Improved dependency reportingVulnerability notifications with actionable detail

Better coverage that is also quieter. That is still the hardest thing to get right, and this week it got meaningfully closer.

Analytics

Pull request and repository activity metrics are now clearer and more complete. You can see what is actually happening across your codebase without building your own dashboards or parsing raw event logs.

GitHub Integration

  • Reviewer assignment works correctly across team configurations
  • Error messaging tells you what went wrong and what to do about it
  • Code indexing is more reliable for large projects — no more silent failures on big repos
New Feature

Interactive Demos and the Faster Front Door

Jun 21, 2026

Two changes to how people first experience autter. Demo workspaces are now interactive — you can click through a real environment instead of watching a video. And the demo signup flow lost its rough edges, so the path from curiosity to hands-on is shorter.

What ShippedWhat It Does
Interactive demo workspacesExplore a real environment without creating an account
Smoother demo signupFewer steps, fewer dropoffs, faster time-to-value
Faster org creationNew organizations spin up quicker and more reliably
Improvement

The Quiet Stuff That Keeps Everything Running

Jun 21, 2026

Not everything that ships is visible from the outside. This week: progress notifications now include direct links to completed work, so you do not have to hunt for results. Important account and billing actions are now fully tracked — every change leaves a trail. And deployment reliability improved across the board.

What ChangedWhat It Means
Progress notifications with direct linksGo straight to the result instead of searching for it
Complete audit trail for account and billing actionsEvery important change is logged and traceable
Improved deployment and application reliabilityFewer incidents, faster recovery

Ship the gates, ship the guardrails, then get out of the way.

New Feature

The Review That Sees Everything, and the Billing That Runs Itself

Jun 14, 2026

Two things happened this week. The PR review engine went from "good coverage" to "nothing gets past it." And autter shipped a full billing system, so teams can sign up, pick a plan, and start paying without a single manual step on our end.

PR Review: Broader, Sharper, Quieter

The review engine now checks for things most teams only catch after something goes wrong. Static security. Secrets. Dependency and license compliance. CI/CD misconfigurations. Auth and permissions. Database migrations. Frontend health. Code hygiene. Cross-language code quality.

What ChangedWhat It Means
Dependency impact analysisReviews now understand what a dependency change actually touches downstream
Typosquatting detectionPackages that look like popular libraries but aren't get flagged before they land
Cross-file consumer checksChanging an API? autter checks who's calling it before approving the change
Richer telemetryReview performance is measured and tracked, not assumed
False positive reductionFewer findings that waste your time. The ones that remain are the ones that matter

Better coverage that is also quieter is the hardest thing to get right in automated review. This week it got meaningfully closer.

Infrastructure-as-Code Scanning

IaC scanning is live. Terraform plans, CloudFormation templates, and Kubernetes manifests are now checked for misconfigurations before they ship. Three engines run independently, so coverage gaps from any single scanner get caught by the others.

If you have ever deployed a security group that was wider than you intended, this is for that.

Scan Results That Explain Themselves

The scan results experience got a full pass.

What ChangedWhat It Means
Frontend health findingsClient-side issues now surface alongside backend findings
Code hygiene detailsMaintenance risks are visible, not buried
Content-shaped loading statesScan results load progressively instead of appearing all at once
Finding detail modalsEvery finding opens into a full explanation, not a one-line summary
AI fix suggestionsAsk autter for a recommended fix directly from any finding

Scan results are no longer a list you have to interpret. They are a surface you can act from.

Business Logic Invariant Views

When a business logic violation is detected, autter now shows you exactly which invariant was broken and the proof supporting the finding. Not just "something looks wrong" — the specific rule, the specific violation, and the specific evidence.

Billing

autter now has a full billing system with native subscription management.

What ShippedWhat It Means
Plan tiers and subscriptionsPick a plan, upgrade or downgrade, and usage adjusts automatically
Hosted checkoutPay without leaving autter — UPI and B2B invoicing included
Post-payment confirmationClear confirmation and next steps after every transaction
Invoice generation and backfillCurrent and historical invoices available on demand
Usage visibilityYour current usage is always visible in the sidebar and billing settings

Billing should be something you set up once and never think about unless you want to. That is what shipped.

A review engine earns trust by catching real problems and staying quiet about everything else. A billing system earns trust by disappearing entirely. This week we shipped both.

New Feature

The Gate Gets Teeth

Jun 7, 2026

The merge gate shipped weeks ago. This week it became the kind of gate you actually trust. A full PR review engine, fifteen categories of automated checks, richer webhooks, Slack routing, and the UI to make all of it legible to the humans doing the reviewing.

PR Review Engine

This is the core of the release. autter now runs a dedicated review pipeline with chapter-based analysis, inline comment generation, structured PR summaries, and support for both local and Fargate runners.

What ShippedWhat It Does
Chapter generationPRs are broken into reviewable chapters, not treated as a single diff
Inline commentsReview findings appear exactly where the code changed
Summary utilitiesEvery PR gets a structured overview before a reviewer opens a file
Gate panels and overview UIMerge-blocking status is visible, not buried in a check run
Local and Fargate runnersReview runs wherever your infrastructure already lives

The previous version could block a merge. This one explains why it blocked it.

Fifteen Review Checks

The review engine now runs a broad set of automated checks before a gate decision is made.

Static security. CI/CD security. API contract validation. Dependency and license compliance. Typosquatting detection. Secret scanning. Infrastructure-as-code misconfiguration. Race condition analysis. Logging hygiene. Privacy surface detection. Rate limiting coverage. Architectural conformance. Policy engine evaluation. AI slop detection.

Each check writes to its own findings surface with organization-level settings for enablement and sensitivity. Policy violations get deterministic hashes so repeated findings are tracked, not duplicated.

Organization Schema and Tracking

What ChangedWhat It Means
Chapter tablesReview chapters are durable data, not ephemeral analysis
PR activity trackingEvery revision, comment, and gate decision is recorded
Linked issue IDsPR findings connect back to tracked issues
Blast impact JSONChange impact is stored as structured data, queryable across scans
Policy violation hashesRepeated violations are deduplicated instead of re-flagged

Organization databases now validate and migrate schemas on startup across every org, not just the one that triggered the change.

GitHub Webhook Handling

Webhook ingestion got sharper. PR delivery events are logged with enough detail to debug routing. autter's own writebacks no longer trigger recursive review processing. Review-gate skip events are tracked so you can see what bypassed enforcement and when.

Schema bootstrapping runs automatically on first webhook delivery, so new repos do not require manual setup before gates start working.

Slack Notification Routing

PR review and scan events now route to Slack with per-event webhook support. Teams can configure which events fire, where they land, and whether a gate decision triggers a notification or stays silent.

PR Review UI

The review experience got a real interface pass.

What ChangedWhat It Means
Activity feed stylingReview events are scannable instead of a raw log
Keyboard shortcutsNavigate reviews without reaching for a mouse
Conversation timelineComments, suggestions, and gate decisions in chronological order
Monaco-based diff viewerDiffs render with the same engine your editor uses
TooltipsHover context across the review surface where it was missing

Comments, Mentions, and GIFs

Inline comments now support full Markdown. Mentions are wired in. The GIF picker is live, backed by new API routes and cleaner upload handling.

This is the kind of feature that makes review conversations feel like conversations instead of form submissions.

Onboarding and Auth

Terms of service and privacy policy acceptance are now part of the login and signup flow. Sidebar and settings keyboard shortcuts shipped alongside a refined settings layout.

Auth reliability got stronger: transient getSession handling no longer drops sessions during network hiccups, passkey autofill errors on unstable connections are handled gracefully, and stale persisted query caches are busted on load instead of silently serving old data.

A gate that checks fifteen things and tells you which one failed is not a gate. It is a review team that never takes a day off.

New Feature

The Merge Gate, Public Reports, and the Knowledge Graph

May 31, 2026

The merge gate is no longer a concept. This week autter shipped merge-blocking PR review gates, a full review pipeline with diff parsing and summary generation, and the webhook infrastructure to drive it all natively through GitHub. Alongside that: public scan sharing, deeper supply chain analysis, and the first version of a knowledge graph that maps how your codebase actually connects.

PR Review Pipeline

This is the headline. autter now has a dedicated PR review pipeline that parses diffs, generates PR summaries, populates task tables, and runs on both local and Fargate runners with backfill support.

What ShippedWhat It Does
Diff parsing and summary generationEvery PR gets a structured breakdown before review agents run
Merge-blocking review gatesReview output is evaluated before a pull request is allowed to merge
Durable PR trackingRevisions, metadata, bigint GitHub IDs, and migration safeguards for org databases
Writeback detectionautter's own PR comments do not recursively trigger review processing
Local and Fargate runnersReview can run close to the code or in managed infrastructure

The previous version could comment on a PR. This one can block it.

GitHub Webhook Ingestion

Webhook handling got rebuilt. GitHub PR events, review events, review comments, and issue comments now route through GitHub-native handlers with cleaner routing and delivery logging. This replaces the earlier generic ingestion path with something that understands GitHub's event model directly.

Secret Scanning

Secret scanning is now backed by TruffleHog. Detection runs across full git history, not just the current state. Provider context, verification status, and richer scan result presentation all shipped alongside it.

The previous version found secrets. This one tells you which ones are live, which ones rotated, and where in history they first appeared.

Static Analysis

Semgrep rule coverage expanded significantly across auth bypass, injection, cryptographic misuse, path traversal, SSRF, unsafe code execution, XSS, and other security classes. More rules means fewer gaps in what static analysis catches before a finding ever reaches a human reviewer.

Scan Sharing and Reports

Scans can now be shared publicly. Share tokens, public report routes, downloadable PDFs, and Autter-branded report pages are all in.

What ShippedWhat It Does
Public share tokensGenerate a link anyone can view without an autter account
Branded report pagesShared reports look like they came from your security team, not a raw tool
PDF exportStructured sections, branded cover and closing pages, stronger layout handling
Report call-to-actionShared reports guide readers toward next steps instead of ending with a findings list

If your security review process involves sending a PDF to someone who does not have access to your tooling, this is for that.

Supply Chain and Dependency Risk

What ChangedWhat It Means
Deterministic severity and risk factorsRisk scoring is reproducible, not model-dependent
Lockfile-aware version resolutionautter resolves what you actually installed, not what your manifest says
Registry-backed ownership checksPackage provenance is verified against the source registry
Obfuscation signal filteringFewer false positives from minified or bundled code

Exploit Chain Tracking

Critical and high CVEs with no published fix now get exploit chain tracking. Chain cards, detail views, summary metrics, and narrative generation are all wired in. If a vulnerability has a plausible attack path, autter will show you the path, not just the CVE number.

Code Quality

The code-quality scanner now detects infinite loops and surfaces those findings in scan results and public reports. This is the kind of bug that passes every linter and then takes down a production service.

Issue Sync

Connected repositories now support manual issue refresh with repository-scoped fetching. Provider states are richer, and empty states for issue sync are clearer.

Payment Gateway Traces

Payment findings now include execution path visibility. If the Payment Gateway Auditor flags something, you can see the relevant trace and supporting context directly in the frontend.

Captain Patch

Suggestion creation is now centralized across all scanners. Scanner findings normalize into a shared format before they reach Captain Patch, which means suggestions are more consistent regardless of which engine produced the finding.

Knowledge Graph

Graphify-backed knowledge graph indexing is live. Graph tables, indexer orchestration, and deployment wiring all shipped. Repository dependency views now include connectivity data from the graph, so you can see how components relate to each other structurally, not just through import statements.

Chat and Model Routing

The codebase-scan chat experience is now powered by AI SDK with a more capable conversational interface. Documentation generation now uses task-specific model routing: architecture analysis, module analysis, node analysis, and page writers each get the model best suited to what they are doing.

Architecture Diagrams

Fullscreen viewing and copy support across wiki and repository architecture-map surfaces.

Infrastructure

What ChangedWhat It Means
Organization provisioning trackingMulti-step setup states, smoother loading, automatic migrations, and stronger org-schema validation
CodeQL installation checksAgents verify CodeQL availability before attempting to use it
Shell and Docker compatibilityAgent runtime handles more host environments without manual fixes
Node 24 supportService imports are compatible with the latest Node LTS
Repository learnings filteringRepository-aware filtering and cleaner settings-page controls

A comment on a PR is advice. A blocked merge is enforcement. This week autter started enforcing.

New Feature

The Full Scan Surface

May 23, 2026

Everything we have been building the scan engine toward shipped this week. Secret scanning, SAST, container scanning, SBOM, exploit enrichment, exploit chains, supply chain analysis, API surface analysis, policy compliance, AI slop detection, database findings, code quality, and business logic analysis all landed with findings, enrichment, Captain Patch suggestions, and issue linkage. The merge gate is real.

Scan Infrastructure

Before any findings, the foundation got stronger.

What ShippedWhat It Does
Agent pipeline tablesEvery agent's output is tracked, counted, and attributed
Performance trackingRuntime metrics are captured per agent, not just per scan
Runtime preflight checksAgents verify the environment before executing, not midway through
strace runtime trackingRuntime behavior is observed and stored alongside static findings
PostgreSQL supportScan infrastructure now runs cleanly on PostgreSQL

Install command detection and per-scope preflight checks also shipped. Scans are more reliable and more debuggable than they were a week ago.

SBOM and File Risk History

autter now generates and stores Software Bill of Materials artifacts scoped to each organization. CycloneDX URL support is in. License and SBOM normalization is cleaner. File risk history now traces back through commit history, so you can see how a file's risk profile has changed over time, not just what it looks like today.

AI-Generated Scan Summaries

Scan results now include a human-readable summary generated by AI. The overview experience is cleaner, and the summary gives teams a starting point for triage instead of a raw list of findings.

Issue Sync: Linear, Jira, and GitHub

autter shipped multi-provider issue connector infrastructure this week. Linear, Jira, and GitHub Issues are all supported.

What ShippedWhat It Does
Bidirectional syncIssues created in autter stay in sync with your issue tracker
External issue creationPush a finding to your tracker directly from autter
Sync logsEvery sync event is recorded and auditable
Backfill supportHistorical findings can be synced, not just new ones
Persistent scan action itemsAction items from scans persist and can be promoted to tracked issues

The issue side sheet also got a full rebuild: selected issue cards, properties, activity, comments, and Captain Patch suggestions live in a single panel. Suggestions now have an accept or decline workflow, so triage is a decision, not a manual copy-paste.

Captain Patch Analysis

Captain Patch suggestions are now persisted. Analysis runs, writes to the database, and surfaces in the UI consistently across sessions. Captain Patch is no longer ephemeral.

Secret Scanning

Secret scanning shipped with live validation, allowlists, rotation mapping, and direct issue creation from findings. Detected secrets are not just flagged: they are enriched with rotation guidance and tracked as actionable items.

SAST and CodeQL

SAST findings now include enrichment, validation, and suggestions. CodeQL is live as a fourth scanning engine alongside the existing three. Four independent engines against your codebase means significantly fewer gaps in static analysis coverage.

Dependency Auditing

Dependency findings are unified across engines and linked directly to issues. The view is cohesive instead of fragmented across different audit sources.

License Findings

License findings now route through Captain Patch for analysis, and the license detail UI is richer. Compliance risk from open source licenses surfaces with enough context to act on it.

Container Scanning

Trivy filesystem scanning is live. Container findings are analyzed by Captain Patch and surface alongside the rest of the scan results. Teams shipping containers now have the same finding depth as teams shipping only application code.

Exploit Enrichment and Chain Tracing

Vulnerability findings got substantially deeper.

What ShippedWhat It Means
EPSS scoringExploit probability is attached to each CVE
CVSS integrationSeverity is standardized, not estimated
OSV enrichmentOpen Source Vulnerabilities database data feeds into findings
Exa contextExternal intelligence enriches findings with real-world exploit context
Complexity scoringFindings are ranked by how hard they are to exploit
Exploit chain tracingConnected vulnerability paths are tracked as chains, not isolated findings

Exploit chain findings are persisted, exposed through API endpoints, and visualized with path views and detail panels.

API Surface Analysis

API surface analysis now includes endpoint validation, authentication checks, filters, detail sheets, and Captain Patch suggestions. The API risk view is actionable in a way the previous version was not.

Supply Chain Analysis

Socket.dev integration is live. False-positive marking is in. Supply chain findings are enriched with real package intelligence, not just version matching.

Policy Compliance

Policy rules can now be validated directly against scan findings. Violations are tracked and linked to issues. Compliance is enforceable, not advisory.

AI Slop Detection

autter now detects AI-generated code patterns that signal quality problems: hallucinated imports, placeholder logic, and low-confidence outputs that made it past review. Findings go through validation, with filters, modals, and Captain Patch suggestions attached.

Database, Code Quality, and Business Logic

Database analyst findings now support dismissal and on-demand Captain Patch analysis. Code quality findings are enriched and can be raised directly to suggestions. Business logic analysis shipped attack scenario documentation, race-condition deduplication, and an expanded findings surface.

A merge gate is only as strong as what it checks. This week we finished building the checklist.

New Feature

The Docs Engine, the Architecture View, and the Auditor Agents

May 17, 2026

A week that deepened what already shipped and added the kind of features that make the platform feel like it was built by people who have actually debugged production codebases at scale.

Documentation Engine, Upgraded

The documentation generator that shipped last week got a significant rebuild.

What ChangedWhat It Means
Manual generation triggerTeams can regenerate docs on demand, not just on scan
Job status trackingGeneration progress is visible, not a black box
Stronger loggingFailures surface clearly instead of disappearing into a queue
Type-safe modular internalsThe pipeline is now structured in a way we can actually extend without breaking things

Ingestion got the same treatment. Concurrent processing, import parsing, Dockerfile extraction, metadata updates, and per-organization connection pooling all shipped this week. The pipeline is faster and more complete. Repos with complex structures are ingested without the gaps that appeared in v1.

Wiki Search and UX

Search inside generated wikis is now powered by tsvector columns and proper indexing. Queries that used to be slow are now fast enough to feel immediate.

The reading experience also improved: better markdown navigation, zoom support, updated typography, and page generation prompts that make it easier to fill gaps in documentation that autter does not have enough signal to generate automatically.

Architecture Visualization

Generated documentation now includes architecture visualization. The structural shape of your codebase, the relationships between components, and where complexity is concentrated are all visible alongside the written documentation.

This is the part of the wiki that replaces the whiteboard drawing someone made three years ago that no one has updated.

Team and Member Management

Organizations can now manage custom teams and member assignments directly from settings. This is foundational for the team-scoped agent context and risk scoring that agent execution now incorporates.

Repository Issues Tab

Repositories now have a dedicated issues tab. Issues surface in context, alongside the repository they came from, instead of living only in a global findings list.

File Content in Search Results

Search results can now surface file content directly. When a query matches something inside a file, you get the relevant content without having to navigate to the file separately.

Payment Gateway Auditor Agent

autter shipped its first domain-specific agent: a Payment Gateway Auditor that targets the risk surface specific to payment flows. Dedicated findings tables and summary views are wired in. This is the first of several vertical auditors in the pipeline.

Agent Execution Improvements

The execution layer that runs agents during a scan got meaningfully faster and more accurate.

What ChangedWhat It Means
Batch insertsFindings write to the database in bulk, not one row at a time
Parallel processingMultiple agents run concurrently without contention
Lockfile parsingDependency resolution is more accurate across package managers
Team contextAgents now know which team owns a scope before they score it
Risk scoringScoring is better calibrated against actual severity signals

Codebase scan dispatching and AWS Step Functions orchestration also got a pass this week, with more reliable deployment workflows across the board.

A wiki you trust beats documentation you maintain. This week we made it trustworthy.

New Feature

Custom Agents, Guided Config, and the Documentation Engine

May 10, 2026

Three things shipped this week that expand what teams can build on top of autter. Agents got a full configuration surface. The setup experience for complex agents became guided instead of guesswork. And autter shipped its first documentation generation pipeline, turning indexed codebase knowledge into something readable.

Custom Agents

Custom agents are no longer a flat list. They now have categories, trigger configuration, and richer API support, so teams can define agents around specific risk domains, specific workflows, or specific conditions in a repository. The surface for building and organizing custom agents looks like something a platform team would actually want to maintain.

Guided Agent Configuration

Configuring an agent is now a step-by-step flow with streaming updates and visible progress. You can see what autter is doing as configuration applies, and the assistant surfaces issues before they become silent failures. This is the kind of experience that makes the difference between teams who set up custom agents once and teams who never get around to it.

Prebuilt agent overrides shipped alongside this: teams can now take a prebuilt agent, adjust its schema and behavior through the registry, and edit it through the same UI. The line between "built by autter" and "built by your team" got meaningfully blurrier.

Documentation Generation Pipeline

The first version of autter's documentation pipeline is live.

What It DoesWhat It Means
Codebase graph constructionautter maps the structure of your repo before generating any docs
Dependency edge trackingRelationships between modules are first-class inputs to generation
Module clusteringRelated code is grouped before documentation is written
Risk flag integrationHigh-risk areas surface in the docs, not just in findings

The output layer is real: wiki routes, documentation query APIs, markdown rendering, sidebar navigation, and full-text searchable generated docs are all in. The first version is a foundation. The indexing and generation improvements shipping in the weeks ahead will make it meaningfully better.

Mailing List Integration

New user signups can now flow into a mailing list. Optional, opt-in, and wired into the onboarding path so it does not require any manual coordination.

The agents know your codebase. The docs make it legible. This week connected both.

New Feature

Repository Overview, CVE Watch, and Smarter Search

May 4, 2026

The repository workspace got a real face this week. Health views matured. Search got smarter in ways you can feel. And we started watching for vulnerabilities on a schedule instead of waiting for someone to ask.

Repository Overview

The repository page got a substantial rebuild. Dedicated tabs for activity, dependencies, API data, health, and onboarding now live in a single workspace, so understanding a codebase no longer means hopping between four different surfaces.

The previous version showed you data. This one gives you a place to actually work from.

Codebase Health

Health views got smarter. Empty states are clearer. Architectural concerns surface earlier and more obviously. Repository-level metrics are richer and easier to scan.

The signal-to-noise ratio on what actually matters in a repo is meaningfully better than it was last week.

Search and Command Palette

Search got real. Org-wide search now ships suggestions, cleaner query handling, page-visit awareness, and prefix-collapsing so we log finalized intent instead of every keystroke along the way. The header search trigger is animated, with rotating prompts that make discovery feel less like a chore.

A small but meaningful detail: persistent query synchronization and caching now carry across navigation, so repository data stays consistent instead of flickering every time you change pages.

Scheduled CVE Monitoring

This is the foundation for everything we are shipping next on the supply-chain side.

What ChangedWhat It Means
Scheduled CVE monitoringRecurring background checks against your dependencies
Concurrency controlsMultiple repos can be scanned without stepping on each other
Graceful shutdown handlingLong-running checks no longer leave findings in a half-written state
Schema for findings and upgrade suggestionsVulnerabilities and recommended fixes are first-class data, not log lines

You stop having to ask. autter watches.

Dependency Intelligence

Dependency analysis in the repository view got deeper. Vulnerability lookups are wired in. Registry and version enrichment runs automatically. The dependency surface is starting to look less like a list and more like a real understanding of what your repo actually pulls in.

API and Test Coverage

Endpoint metadata tracking expanded again. API surfaces are now linked to test coverage insights, so you can see which endpoints have tests behind them and which ones are running on hope.

AI Performance and Observability

AI response caching is in. Redundant model calls are gone, and AI-powered analysis workflows are noticeably faster. More AI flows are now covered by LLM analytics, with improved logging across the board, so we can actually debug model behavior instead of guessing at it.

Infrastructure

We migrated the AI gateway to Vercel AI Gateway and added Vercel Web Analytics instrumentation. The analytics and AI delivery stack is stronger, and we have a much cleaner read on how the platform is actually being used.

UI Polish

Loading skeletons across the repo experience. A new team rules editor. A handful of small interaction improvements that are individually unremarkable and collectively the difference between a product that feels good and one that feels fine.

A repo overview is a workspace. A scheduled scan is a habit. This week was about turning autter into both.

New Feature

The Wiki, the PR Review, and the Graph

Apr 27, 2026

Two headline features and a substantial expansion of the indexing engine. This is the week autter started reasoning about your codebase the way a senior engineer does.

Repository Wiki

autter now ships with a full repo Wiki experience. Searchable repository discovery, structured documentation pages, table-of-contents navigation, breadcrumbs, and keyboard shortcuts. There is also an AI-assisted "ask" flow for exploring codebase knowledge directly, so engineers can query their own repository the way they would query Notion.

The Wiki is not a documentation tool. It is a way to make the indexed knowledge autter already has about your codebase actually browsable.

Pull Request Review

The PR review experience got rebuilt. Dedicated tabs for AI review, checks, and commits. A richer conversation timeline with inline comments. File tree navigation. Unified and split diff viewing.

The previous version worked. This one feels like a place you actually want to do code review.

Code Intelligence Pipeline

The indexing pipeline expanded across almost every dimension this week. End-to-end repository indexing now covers scope detection, repository context, file hotspots, file-level indexing, dependency resolution, scope relationships, and scope health metrics.

Smarter dependency resolution maps imports across relative paths, aliases, and workspace packages. Change detection and impact analysis now track symbol changes, dependency edges, and the downstream effects of code changes.

This is the part of autter that turns "we ran a scan" into "we know what is going on in your repo."

Architectural Insights

This is the most significant conceptual addition this week.

What ChangedWhat It Means
Reverse dependency analysisautter now knows what depends on what, in both directions
Call graph analysisFunction-level relationships are tracked across the codebase
Scope dependency graphsCoupling and layering between scopes are visible, not implied
AI-augmented health and riskStructural issues, maintenance hotspots, and tech-debt signals are surfaced per scope

Most tools tell you that a file changed. autter is starting to tell you what that change means for the rest of the system.

External Dependency Intelligence

Third-party packages now get richer treatment. Better classification, documentation resolution, and AI-generated insights into how a dependency is used and what the risk surface looks like.

If you have ever inherited a repo with 400 packages in package.json and no idea which ones matter, this is for you.

API and Test Coverage Intelligence

Endpoint indexing now works across multiple frameworks. Test coverage indexing is connected to the API surface, so you can see which endpoints have tests behind them and which ones do not.

This sets up the API risk views we are shipping next.

Notification Controls

Organization notification controls got real. Configurable event-based notifications. Weekly digest settings. Test flows for Slack and webhook integrations directly from settings.

Observability and Config

Structured logging and tracing context across the dependency and supply-chain analysis flows, so we can actually see what the AI agents are doing during a scan. PostHog configuration got cleaned up to properly separate API and UI host settings.

Also This Week

Shipped agentic-sales, a small open-source AI sales toolkit as a side project on autter.dev.

A scanner finds problems. A graph explains them. This week was about the graph.

Improvement

Indexing, Onboarding, and a Lot of Plumbing

Apr 20, 2026

Not every week produces a headline feature. This one produced a lot of things that make the headline features work reliably.

Onboarding

The first-run experience for new organizations is more guided now. autter asks about your setup upfront so it can tailor what you see, walks you through codebase scanning as part of onboarding rather than leaving you to find it later, and handles organization creation with better animations and a skip option for teams that already know what they are doing.

Dashboard and Authentication

The login flow is richer. Animated organization creation feels more intentional. Transitions across the dashboard are smoother. None of this changes what autter does, but it changes how it feels to use it at the start of a session, which matters more than it sounds.

Webhook Testing and Notification Setup

You can now test webhooks directly from organization settings. Error handling for notification setup is clearer, and the feedback when something goes wrong is specific enough to actually be useful.

Infrastructure and Deployment

A lot of backend infrastructure got quietly hardened this week. Organization database provisioning is more resilient, with better retry logic for cases where setup does not go cleanly on the first attempt. Deployment workflows are more reliable overall. This is the kind of work that is invisible when it goes right and catastrophic when it does not.

Observability

Logging is stronger across the backend. Health check visibility is improved. Slack integration got updated. We also added proper instrumentation around how the AI pipeline behaves at runtime, which means we now have actual data on what the scan agents are doing, not just whether they finished.

Indexing Pipeline

This is the most significant work in this release.

The indexing pipeline that builds autter's understanding of your codebase got a substantial upgrade across several dimensions.

What ChangedWhat It Means
Repository context detectionautter now identifies what kind of codebase it is looking at before it starts scanning
Scope profilingThe indexer understands which parts of the repo are related to which other parts
File indexing improvementsMore complete coverage, fewer gaps in what gets indexed
Dependency resolutionautter can now trace the full dependency graph, not just the top-level packages
Dependency graph insightsRelationships between packages are tracked and surfaced in findings
Scope health metricsThe indexer now produces a health signal per scope, not just per file
AI-augmented analysisRepository context, scope dependencies, and quality signals are now evaluated with richer graph-based reasoning

Better indexing means better findings. The scan results you get from a repository that went through this pipeline are more accurate and better prioritized than what was possible before.

UI Polish

Analytics and wiki interactions got styling refinements, sidebar improvements, and richer navigation components. The product looks more cohesive than it did a week ago.

The indexer is what makes autter's findings trustworthy instead of just plentiful. This week it got meaningfully better.

Dependency graph and scope health view

Suggested image: A harbour map with annotated shipping lanes showing which routes connect to which docks. Maps cleanly to dependency graphs and scope relationships.

Improvement

Onboarding That Gets Out of the Way

Apr 16, 2026

Getting set up with autter should not feel like configuring a server. This week we focused on making the first few minutes feel less like work.

What Changed

Guided organization setup: The onboarding flow now walks you through each step with actual context, not just a progress bar and a prayer.

Cleaner motion and transitions: Loading states, animations, and screen transitions across the dashboard and login experience are more polished and consistent.

More reliable infrastructure: Secrets management, host configuration, and deployment setup got meaningful hardening. Nothing visible on the surface, but a significant reduction in the number of things that could go wrong before you see your first scan result.

Dynamic database migrations: Organization provisioning now handles schema changes more gracefully during setup.

Better observability: Improved route logging, health checks, and Slack integration on the backend so we catch problems before you do.

Why It Matters

First impressions compound. If setup is confusing, people assume the product is confusing. We have been fixing that assumption one step at a time.

The goal is for setup to feel so unremarkable that you forget it happened. We are getting there.

New Feature

Self-Service Scan Initiation

Apr 12, 2026

The codebase scan is now something you can start yourself.

From onboarding or from your dashboard, you can point autter at a repository and kick off a full scan without filing a support request or waiting on us. This is the feature the concierge phase was building toward.

What You Can Do Now

  • Start a scan from the dashboard or onboarding flow: No manual handoff required.
  • Get notified when it is done: Scan completion triggers notifications via email and Slack.
  • See full dependency coverage: autter now tracks every package in your repo, cross-references known vulnerabilities, and stores the results so they are auditable over time.
  • Branch-aware scanning: Scans run against the right branch, not just whatever was last pushed.

How Scan Initiation Works

You connect a repository, select a branch, and start the scan. autter queues it, runs the full agent pipeline, and sends you a report when it is finished. No configuration required to get started.

What Gets Scanned

  • Security vulnerabilities: Known CVEs, exposed secrets, injection patterns
  • Dependencies: Every package, version, and license in your repo
  • AI-generated code quality: Hallucinated imports, placeholder logic, low-signal patterns
  • Blast radius: Which parts of the codebase a change touches and how far it reaches

Seven out of ten users in our concierge cohort said they would pay for this. That is why we shipped it.

Improvement

Streaming Progress and Auto-Open Setup

Apr 5, 2026

Small week. Useful change.

What Changed

Streaming progress during setup: When you create an organization, you can now watch it happen step by step instead of waiting on a static loading state and hoping it finishes.

Auto-open setup dialog: The organization creation dialog now opens from the right place in the dashboard flow automatically. This is the kind of thing that should have always worked this way.

Not every changelog is dramatic. Sometimes you just fix the thing that was quietly annoying everyone.

New Feature

The Multi-Agent Scan Engine

Mar 29, 2026

This is where the engine got built.

We shipped the multi-agent scanning foundation: a set of specialized agents that each look at a different risk surface in your codebase. Each agent has one job. They run independently and their findings roll up into a single, prioritized report.

What the Scan Engine Covers

  • Security vulnerabilities in your code and dependencies
  • Open source licenses across every package you are using
  • Supply chain risk from third-party dependencies
  • Configuration problems in infrastructure definitions
  • Container security across your Docker setup
  • Policy compliance against your org's own rules
  • Business logic issues that static analysis typically misses
  • Runtime behavior signals that indicate how code behaves under real conditions

GitHub PR Automation

autter can now comment on pull requests, post check runs, and flag issues directly in GitHub without you leaving your workflow. Webhook handling, file fetching, and review flows are all operational.

Analytics Dashboard

The first version of the analytics dashboard is live. You can filter findings by date range and view results across multiple tabs. More views are coming, but the foundation is solid.

Codebase Intelligence

We expanded the intelligence layer that tracks how a codebase changes over time: hotspot detection, dependency relationship mapping, and legacy code signals that inform how findings get prioritized.

A comment on a PR is advice. A blocked merge is enforcement. Everything we built this week is in service of the second one.

New Feature

Week One: We Built the Product

Mar 22, 2026

Week one. We built the product.

Not a prototype. Not a proof of concept. The actual product, with the foundations required to sign up a real user, connect a real repository, and enforce a real merge gate.

What Shipped

Authentication: Email login with one-time codes and passkeys. Trusted device support. Login method tracking. Welcome flows for new users.

Organization management: Create an org, upload a logo, manage your team, and configure your account from a settings surface that actually covers the things you need to configure. Billing, source control, PR review preferences, custom agents, AI configuration, and experimental features.

GitHub integration: GitHub App installation and handling, pull request views, and the first version of repository insights. autter can read your repos and understand their structure from day one.

Codebase intelligence: Architecture graphs, repository context, hotspot metrics, and the learning signals that autter uses to understand how a codebase has changed over time and who changed it.

Dashboard and navigation: Loaders, toast notifications, responsive layouts, sidebars, search, and the branding system that makes everything look like it belongs together.

Captain Patch is officially on duty.

Capt. Patch

Capt. Autter Patch

Online now

I've seen a lot of codebases. Most teams find out they needed Autter after a bad deploy. What does your PR review process look like right now?

Powered by Autter AI