Autter

Changelog

Everything we ship — new features, improvements, and fixes.

New Feature

The Full Scan Surface

May 23, 2026

Everything we have been building the scan engine toward shipped this week. Secret scanning, SAST, container scanning, SBOM, exploit enrichment, exploit chains, supply chain analysis, API surface analysis, policy compliance, AI slop detection, database findings, code quality, and business logic analysis all landed with findings, enrichment, Captain Patch suggestions, and issue linkage. The merge gate is real.

Scan Infrastructure

Before any findings, the foundation got stronger.

| What Shipped | What It Does |
| --- | --- |
| Agent pipeline tables | Every agent's output is tracked, counted, and attributed |
| Performance tracking | Runtime metrics are captured per agent, not just per scan |
| Runtime preflight checks | Agents verify the environment before executing, not midway through |
| strace runtime tracking | Runtime behavior is observed and stored alongside static findings |
| PostgreSQL support | Scan infrastructure now runs cleanly on PostgreSQL |

Install command detection and per-scope preflight checks also shipped. Scans are more reliable and more debuggable than they were a week ago.

SBOM and File Risk History

autter now generates and stores Software Bill of Materials artifacts scoped to each organization. CycloneDX URL support is in. License and SBOM normalization is cleaner. File risk history now traces back through commit history, so you can see how a file's risk profile has changed over time, not just what it looks like today.

AI-Generated Scan Summaries

Scan results now include a human-readable summary generated by AI. The overview experience is cleaner, and the summary gives teams a starting point for triage instead of a raw list of findings.

Issue Sync: Linear, Jira, and GitHub

autter shipped multi-provider issue connector infrastructure this week. Linear, Jira, and GitHub Issues are all supported.

| What Shipped | What It Does |
| --- | --- |
| Bidirectional sync | Issues created in autter stay in sync with your issue tracker |
| External issue creation | Push a finding to your tracker directly from autter |
| Sync logs | Every sync event is recorded and auditable |
| Backfill support | Historical findings can be synced, not just new ones |
| Persistent scan action items | Action items from scans persist and can be promoted to tracked issues |

The issue side sheet also got a full rebuild: selected issue cards, properties, activity, comments, and Captain Patch suggestions live in a single panel. Suggestions now have an accept or decline workflow, so triage is a decision, not a manual copy-paste.

Captain Patch Analysis

Captain Patch suggestions are now persisted. Analysis runs, writes to the database, and surfaces in the UI consistently across sessions. Captain Patch is no longer ephemeral.

Secret Scanning

Secret scanning shipped with live validation, allowlists, rotation mapping, and direct issue creation from findings. Detected secrets are not just flagged: they are enriched with rotation guidance and tracked as actionable items.

SAST and CodeQL

SAST findings now include enrichment, validation, and suggestions. CodeQL is live as a fourth scanning engine alongside the existing three. Four independent engines against your codebase means significantly fewer gaps in static analysis coverage.

Dependency Auditing

Dependency findings are unified across engines and linked directly to issues. The view is cohesive instead of fragmented across different audit sources.

License Findings

License findings now route through Captain Patch for analysis, and the license detail UI is richer. Compliance risk from open source licenses surfaces with enough context to act on it.

Container Scanning

Trivy filesystem scanning is live. Container findings are analyzed by Captain Patch and surface alongside the rest of the scan results. Teams shipping containers now have the same finding depth as teams shipping only application code.

Exploit Enrichment and Chain Tracing

Vulnerability findings got substantially deeper.

| What Shipped | What It Means |
| --- | --- |
| EPSS scoring | Exploit probability is attached to each CVE |
| CVSS integration | Severity is standardized, not estimated |
| OSV enrichment | Open Source Vulnerabilities database data feeds into findings |
| Exa context | External intelligence enriches findings with real-world exploit context |
| Complexity scoring | Findings are ranked by how hard they are to exploit |
| Exploit chain tracing | Connected vulnerability paths are tracked as chains, not isolated findings |

Exploit chain findings are persisted, exposed through API endpoints, and visualized with path views and detail panels.

API Surface Analysis

API surface analysis now includes endpoint validation, authentication checks, filters, detail sheets, and Captain Patch suggestions. The API risk view is actionable in a way the previous version was not.

Supply Chain Analysis

Socket.dev integration is live. False-positive marking is in. Supply chain findings are enriched with real package intelligence, not just version matching.

Policy Compliance

Policy rules can now be validated directly against scan findings. Violations are tracked and linked to issues. Compliance is enforceable, not advisory.

AI Slop Detection

autter now detects AI-generated code patterns that signal quality problems: hallucinated imports, placeholder logic, and low-confidence outputs that made it past review. Findings go through validation, with filters, modals, and Captain Patch suggestions attached.

Database, Code Quality, and Business Logic

Database analyst findings now support dismissal and on-demand Captain Patch analysis. Code quality findings are enriched and can be raised directly to suggestions. Business logic analysis shipped attack scenario documentation, race-condition deduplication, and an expanded findings surface.

A merge gate is only as strong as what it checks. This week we finished building the checklist.

New Feature

The Docs Engine, the Architecture View, and the Auditor Agents

May 17, 2026

A week that deepened what already shipped and added the kind of features that make the platform feel like it was built by people who have actually debugged production codebases at scale.

Documentation Engine, Upgraded

The documentation generator that shipped last week got a significant rebuild.

| What Changed | What It Means |
| --- | --- |
| Manual generation trigger | Teams can regenerate docs on demand, not just on scan |
| Job status tracking | Generation progress is visible, not a black box |
| Stronger logging | Failures surface clearly instead of disappearing into a queue |
| Type-safe modular internals | The pipeline is now structured in a way we can actually extend without breaking things |

Ingestion got the same treatment. Concurrent processing, import parsing, Dockerfile extraction, metadata updates, and per-organization connection pooling all shipped this week. The pipeline is faster and more complete. Repos with complex structures are ingested without the gaps that appeared in v1.

Wiki Search and UX

Search inside generated wikis is now powered by tsvector columns and proper indexing. Queries that used to be slow are now fast enough to feel immediate.

The reading experience also improved: better markdown navigation, zoom support, updated typography, and page generation prompts that make it easier to fill gaps in documentation that autter does not have enough signal to generate automatically.

Architecture Visualization

Generated documentation now includes architecture visualization. The structural shape of your codebase, the relationships between components, and where complexity is concentrated are all visible alongside the written documentation.

This is the part of the wiki that replaces the whiteboard drawing someone made three years ago that no one has updated.

Team and Member Management

Organizations can now manage custom teams and member assignments directly from settings. This is foundational for the team-scoped agent context and risk scoring that agent execution now incorporates.

Repository Issues Tab

Repositories now have a dedicated issues tab. Issues surface in context, alongside the repository they came from, instead of living only in a global findings list.

File Content in Search Results

Search results can now surface file content directly. When a query matches something inside a file, you get the relevant content without having to navigate to the file separately.

Payment Gateway Auditor Agent

autter shipped its first domain-specific agent: a Payment Gateway Auditor that targets the risk surface specific to payment flows. Dedicated findings tables and summary views are wired in. This is the first of several vertical auditors in the pipeline.

Agent Execution Improvements

The execution layer that runs agents during a scan got meaningfully faster and more accurate.

| What Changed | What It Means |
| --- | --- |
| Batch inserts | Findings write to the database in bulk, not one row at a time |
| Parallel processing | Multiple agents run concurrently without contention |
| Lockfile parsing | Dependency resolution is more accurate across package managers |
| Team context | Agents now know which team owns a scope before they score it |
| Risk scoring | Scoring is better calibrated against actual severity signals |

Codebase scan dispatching and AWS Step Functions orchestration also got a pass this week, with more reliable deployment workflows across the board.

A wiki you trust beats documentation you maintain. This week we made it trustworthy.

New Feature

Custom Agents, Guided Config, and the Documentation Engine

May 10, 2026

Three things shipped this week that expand what teams can build on top of autter. Agents got a full configuration surface. The setup experience for complex agents became guided instead of guesswork. And autter shipped its first documentation generation pipeline, turning indexed codebase knowledge into something readable.

Custom Agents

Custom agents are no longer a flat list. They now have categories, trigger configuration, and richer API support, so teams can define agents around specific risk domains, specific workflows, or specific conditions in a repository. The surface for building and organizing custom agents looks like something a platform team would actually want to maintain.

Guided Agent Configuration

Configuring an agent is now a step-by-step flow with streaming updates and visible progress. You can see what autter is doing as configuration applies, and the assistant surfaces issues before they become silent failures. This is the kind of experience that makes the difference between teams who set up custom agents once and teams who never get around to it.

Prebuilt agent overrides shipped alongside this: teams can now take a prebuilt agent, adjust its schema and behavior through the registry, and edit it through the same UI. The line between "built by autter" and "built by your team" got meaningfully blurrier.

Documentation Generation Pipeline

The first version of autter's documentation pipeline is live.

| What It Does | What It Means |
| --- | --- |
| Codebase graph construction | autter maps the structure of your repo before generating any docs |
| Dependency edge tracking | Relationships between modules are first-class inputs to generation |
| Module clustering | Related code is grouped before documentation is written |
| Risk flag integration | High-risk areas surface in the docs, not just in findings |

The output layer is real: wiki routes, documentation query APIs, markdown rendering, sidebar navigation, and full-text searchable generated docs are all in. The first version is a foundation. The indexing and generation improvements shipping in the weeks ahead will make it meaningfully better.

Mailing List Integration

New user signups can now flow into a mailing list. Optional, opt-in, and wired into the onboarding path so it does not require any manual coordination.

The agents know your codebase. The docs make it legible. This week connected both.

New Feature

Repository Overview, CVE Watch, and Smarter Search

May 4, 2026

The repository workspace got a real face this week. Health views matured. Search got smarter in ways you can feel. And we started watching for vulnerabilities on a schedule instead of waiting for someone to ask.

Repository Overview

The repository page got a substantial rebuild. Dedicated tabs for activity, dependencies, API data, health, and onboarding now live in a single workspace, so understanding a codebase no longer means hopping between four different surfaces.

The previous version showed you data. This one gives you a place to actually work from.

Codebase Health

Health views got smarter. Empty states are clearer. Architectural concerns surface earlier and more obviously. Repository-level metrics are richer and easier to scan.

The signal-to-noise ratio on what actually matters in a repo is meaningfully better than it was last week.

Search and Command Palette

Search got real. Org-wide search now ships suggestions, cleaner query handling, page-visit awareness, and prefix-collapsing so we log finalized intent instead of every keystroke along the way. The header search trigger is animated, with rotating prompts that make discovery feel less like a chore.

A small but meaningful detail: persistent query synchronization and caching now carry across navigation, so repository data stays consistent instead of flickering every time you change pages.

Scheduled CVE Monitoring

This is the foundation for everything we are shipping next on the supply-chain side.

| What Changed | What It Means |
| --- | --- |
| Scheduled CVE monitoring | Recurring background checks against your dependencies |
| Concurrency controls | Multiple repos can be scanned without stepping on each other |
| Graceful shutdown handling | Long-running checks no longer leave findings in a half-written state |
| Schema for findings and upgrade suggestions | Vulnerabilities and recommended fixes are first-class data, not log lines |

You stop having to ask. autter watches.

Dependency Intelligence

Dependency analysis in the repository view got deeper. Vulnerability lookups are wired in. Registry and version enrichment runs automatically. The dependency surface is starting to look less like a list and more like a real understanding of what your repo actually pulls in.

API and Test Coverage

Endpoint metadata tracking expanded again. API surfaces are now linked to test coverage insights, so you can see which endpoints have tests behind them and which ones are running on hope.

AI Performance and Observability

AI response caching is in. Redundant model calls are gone, and AI-powered analysis workflows are noticeably faster. More AI flows are now covered by LLM analytics, with improved logging across the board, so we can actually debug model behavior instead of guessing at it.

Infrastructure

We migrated the AI gateway to Vercel AI Gateway and added Vercel Web Analytics instrumentation. The analytics and AI delivery stack is stronger, and we have a much cleaner read on how the platform is actually being used.

UI Polish

Loading skeletons across the repo experience. A new team rules editor. A handful of small interaction improvements that are individually unremarkable and collectively the difference between a product that feels good and one that feels fine.

A repo overview is a workspace. A scheduled scan is a habit. This week was about turning autter into both.

New Feature

The Docs Engine, the Architecture View, and the Auditor Agents

May 17, 2026

Two headline features and a substantial expansion of the indexing engine. This is the week autter started reasoning about your codebase the way a senior engineer does.

Repository Wiki

autter now ships with a full repo Wiki experience. Searchable repository discovery, structured documentation pages, table-of-contents navigation, breadcrumbs, and keyboard shortcuts. There is also an AI-assisted "ask" flow for exploring codebase knowledge directly, so engineers can query their own repository the way they would query Notion.

The Wiki is not a documentation tool. It is a way to make the indexed knowledge autter already has about your codebase actually browsable.

Pull Request Review

The PR review experience got rebuilt. Dedicated tabs for AI review, checks, and commits. A richer conversation timeline with inline comments. File tree navigation. Unified and split diff viewing.

The previous version worked. This one feels like a place you actually want to do code review.

Code Intelligence Pipeline

The indexing pipeline expanded across almost every dimension this week. End-to-end repository indexing now covers scope detection, repository context, file hotspots, file-level indexing, dependency resolution, scope relationships, and scope health metrics.

Smarter dependency resolution maps imports across relative paths, aliases, and workspace packages. Change detection and impact analysis now track symbol changes, dependency edges, and the downstream effects of code changes.

This is the part of autter that turns "we ran a scan" into "we know what is going on in your repo."

Architectural Insights

This is the most significant conceptual addition this week.

| What Changed | What It Means |
| --- | --- |
| Reverse dependency analysis | autter now knows what depends on what, in both directions |
| Call graph analysis | Function-level relationships are tracked across the codebase |
| Scope dependency graphs | Coupling and layering between scopes are visible, not implied |
| AI-augmented health and risk | Structural issues, maintenance hotspots, and tech-debt signals are surfaced per scope |

Most tools tell you that a file changed. autter is starting to tell you what that change means for the rest of the system.

External Dependency Intelligence

Third-party packages now get richer treatment. Better classification, documentation resolution, and AI-generated insights into how a dependency is used and what the risk surface looks like.

If you have ever inherited a repo with 400 packages in package.json and no idea which ones matter, this is for you.

API and Test Coverage Intelligence

Endpoint indexing now works across multiple frameworks. Test coverage indexing is connected to the API surface, so you can see which endpoints have tests behind them and which ones do not.

This sets up the API risk views we are shipping next.

Notification Controls

Organization notification controls got real. Configurable event-based notifications. Weekly digest settings. Test flows for Slack and webhook integrations directly from settings.

Observability and Config

Structured logging and tracing context across the dependency and supply-chain analysis flows, so we can actually see what the AI agents are doing during a scan. PostHog configuration got cleaned up to properly separate API and UI host settings.

Also This Week

Shipped agentic-sales, a small open-source AI sales toolkit, as a side project on autter.dev.

A scanner finds problems. A graph explains them. This week was about the graph.

New Feature

Custom Agents, Guided Config, and the Documentation Engine

May 10, 2026

Not every week produces a headline feature. This one produced a lot of things that make the headline features work reliably.

Onboarding

The first-run experience for new organizations is more guided now. autter asks about your setup upfront so it can tailor what you see, walks you through codebase scanning as part of onboarding rather than leaving you to find it later, and handles organization creation with better animations and a skip option for teams that already know what they are doing.

Dashboard and Authentication

The login flow is richer. Animated organization creation feels more intentional. Transitions across the dashboard are smoother. None of this changes what autter does, but it changes how it feels to use it at the start of a session, which matters more than it sounds.

Webhook Testing and Notification Setup

You can now test webhooks directly from organization settings. Error handling for notification setup is clearer, and the feedback when something goes wrong is specific enough to actually be useful.

Infrastructure and Deployment

A lot of backend infrastructure got quietly hardened this week. Organization database provisioning is more resilient, with better retry logic for cases where setup does not go cleanly on the first attempt. Deployment workflows are more reliable overall. This is the kind of work that is invisible when it goes right and catastrophic when it does not.

Observability

Logging is stronger across the backend. Health check visibility is improved. Slack integration got updated. We also added proper instrumentation around how the AI pipeline behaves at runtime, which means we now have actual data on what the scan agents are doing, not just whether they finished.

Indexing Pipeline

This is the most significant work in this release.

The indexing pipeline that builds autter's understanding of your codebase got a substantial upgrade across several dimensions.

| What Changed | What It Means |
| --- | --- |
| Repository context detection | autter now identifies what kind of codebase it is looking at before it starts scanning |
| Scope profiling | The indexer understands which parts of the repo are related to which other parts |
| File indexing improvements | More complete coverage, fewer gaps in what gets indexed |
| Dependency resolution | autter can now trace the full dependency graph, not just the top-level packages |
| Dependency graph insights | Relationships between packages are tracked and surfaced in findings |
| Scope health metrics | The indexer now produces a health signal per scope, not just per file |
| AI-augmented analysis | Repository context, scope dependencies, and quality signals are now evaluated with richer graph-based reasoning |

Better indexing means better findings. The scan results you get from a repository that went through this pipeline are more accurate and better prioritized than what was possible before.

UI Polish

Analytics and wiki interactions got styling refinements, sidebar improvements, and richer navigation components. The product looks more cohesive than it did a week ago.

The indexer is what makes autter's findings trustworthy instead of just plentiful. This week it got meaningfully better.


New Feature

Repository Overview, CVE Watch, and Smarter Search

May 4, 2026

Getting set up with autter should not feel like configuring a server. This week we focused on making the first few minutes feel less like work.

What Changed

Guided organization setup: The onboarding flow now walks you through each step with actual context, not just a progress bar and a prayer.

Cleaner motion and transitions: Loading states, animations, and screen transitions across the dashboard and login experience are more polished and consistent.

More reliable infrastructure: Secrets management, host configuration, and deployment setup got meaningful hardening. Nothing visible on the surface, but a significant reduction in the number of things that could go wrong before you see your first scan result.

Dynamic database migrations: Organization provisioning now handles schema changes more gracefully during setup.

Better observability: Improved route logging, health checks, and Slack integration on the backend so we catch problems before you do.

Why It Matters

First impressions compound. If setup is confusing, people assume the product is confusing. We have been fixing that assumption one step at a time.

The goal is for setup to feel so unremarkable that you forget it happened. We are getting there.

New Feature

The Wiki, the PR Review, and the Graph

Apr 27, 2026

The codebase scan is now something you can start yourself.

From onboarding or from your dashboard, you can point autter at a repository and kick off a full scan without filing a support request or waiting on us. This is the feature the concierge phase was building toward.

What You Can Do Now

  • Start a scan from the dashboard or onboarding flow: No manual handoff required.
  • Get notified when it is done: Scan completion triggers notifications via email and Slack.
  • See full dependency coverage: autter now tracks every package in your repo, cross-references known vulnerabilities, and stores the results so they are auditable over time.
  • Branch-aware scanning: Scans run against the right branch, not just whatever was last pushed.

How Scan Initiation Works

You connect a repository, select a branch, and start the scan. autter queues it, runs the full agent pipeline, and sends you a report when it is finished. No configuration required to get started.

What Gets Scanned

  • Security vulnerabilities: Known CVEs, exposed secrets, injection patterns
  • Dependencies: Every package, version, and license in your repo
  • AI-generated code quality: Hallucinated imports, placeholder logic, low-signal patterns
  • Blast radius: Which parts of the codebase a change touches and how far it reaches

Seven out of ten users in our concierge cohort said they would pay for this. That is why we shipped it.

Improvement

Indexing, Onboarding, and a Lot of Plumbing

Apr 20, 2026

Small week. Useful change.

What Changed

Streaming progress during setup: When you create an organization, you can now watch it happen step by step instead of waiting on a static loading state and hoping it finishes.

Auto-open setup dialog: The organization creation dialog now opens from the right place in the dashboard flow automatically. This is the kind of thing that should have always worked this way.

Not every changelog is dramatic. Sometimes you just fix the thing that was quietly annoying everyone.

Improvement

Onboarding That Gets Out of the Way

Apr 16, 2026

This is where the engine got built.

We shipped the multi-agent scanning foundation: a set of specialized agents that each look at a different risk surface in your codebase. Each agent has one job. They run independently and their findings roll up into a single, prioritized report.

What the Scan Engine Covers

  • Security vulnerabilities in your code and dependencies
  • Open source licenses across every package you are using
  • Supply chain risk from third-party dependencies
  • Configuration problems in infrastructure definitions
  • Container security across your Docker setup
  • Policy compliance against your org's own rules
  • Business logic issues that static analysis typically misses
  • Runtime behavior signals that indicate how code behaves under real conditions

GitHub PR Automation

autter can now comment on pull requests, post check runs, and flag issues directly in GitHub without you leaving your workflow. Webhook handling, file fetching, and review flows are all operational.

Analytics Dashboard

The first version of the analytics dashboard is live. You can filter findings by date range and view results across multiple tabs. More views are coming, but the foundation is solid.

Codebase Intelligence

We expanded the intelligence layer that tracks how a codebase changes over time: hotspot detection, dependency relationship mapping, and legacy code signals that inform how findings get prioritized.

A comment on a PR is advice. A blocked merge is enforcement. Everything we built this week is in service of the second one.

New Feature

Self-Service Scan Initiation

Apr 12, 2026

Week one. We built the product.

Not a prototype. Not a proof of concept. The actual product, with the foundations required to sign up a real user, connect a real repository, and enforce a real merge gate.

What Shipped

Authentication: Email login with one-time codes and passkeys. Trusted device support. Login method tracking. Welcome flows for new users.

Organization management: Create an org, upload a logo, manage your team, and configure your account from a settings surface that actually covers the things you need to configure. Billing, source control, PR review preferences, custom agents, AI configuration, and experimental features.

GitHub integration: GitHub App installation and handling, pull request views, and the first version of repository insights. autter can read your repos and understand their structure from day one.

Codebase intelligence: Architecture graphs, repository context, hotspot metrics, and the learning signals that autter uses to understand how a codebase has changed over time and who changed it.

Dashboard and navigation: Loaders, toast notifications, responsive layouts, sidebars, search, and the branding system that makes everything look like it belongs together.

Captain Patch is officially on duty.
