Ghost Architect™ ships fast. This page is the official record of what landed in each release, in plain language, with the user-facing change first. For deeper context on individual releases, see the corresponding posts on the blog.
Ghost Architect™ is not a launch-and-forget product. Every version below represents a real response -- to a gap we found, a customer need we heard, or a standard we weren't yet meeting. Ghost Watcher™ runs on every commit we make. We hold ourselves to the same bar we set for your codebase. This changelog is not a list of patches. It is a record of a product that takes its own advice.
v11.0.3 -- Renewal and recovery screens now include the activation step, Commit Forecast saves the complete findings sidecar, revocation checks are license-aware on machines running more than one license, and the new --list-sessions flag shows every resumable scan session.
v11.0.2 -- Recon's fallback-to-heuristics disclosure is live and its cost stamp is now accurate, expired customers using profile management commands see renewal guidance instead of a generic activation prompt, a scan that only partially resumes now honestly reports incomplete instead of complete, and session listing includes scans saved to the fallback directory.
v11.0.1 -- Claude Sonnet 5, Opus 4.8, and Fable 5 now work across every scan mode instead of failing outright, ghost --export-ci-token validates the exact token it exports instead of a different one, a malformed Ghost Watcher config value no longer blocks a commit, and a resumed prompts batch can no longer report a failed scan as complete.
v11.0.0 -- A checkpoint-salvage bug that corrupted recovered findings after a crash is fixed, license changes like activation and renewal now take effect immediately instead of requiring a restart, the new ghost --export-ci-token command makes CI secret setup reliable, and the Ghost Watcher paywall no longer pitches a free trial to accounts it cannot actually help.
v10.0.16 -- Ghost Watcher now separates blast radius observations from action-required findings.
v10.0.15 -- Chat and question mode now scales response depth to question complexity.
v10.0.14 -- Report polish, verifier trust fixes, AWS SHA redactor fix, Windows menu restored, clock-skew license panel fixed.
v10.0.13 -- assets/ directory and common binary asset extensions excluded from scans, audit paywall pricing corrected.
v10.0.12 -- Session resume fixed, concurrent publish locking, clock state hardened, GitHub PAT env var support, email em dashes removed.
v10.0.11 -- Clock ratchet window widened to 5 minutes, session salvage filters by project, interrupted publish recovery loop fixed, audit and multipass error handling hardened.
v10.0.10 -- Clock ratchet rejects past timestamps, quota counters fail-closed, verifier drops disputed findings, narrator cap raised to 30 with transparency, reliability hardening.
v10.0.9 -- Manifest parser crash-proofed, credential safety enforced, mobile publish atomicity added, batch store locking, rate limit handling.
v10.0.8 -- Reconfigure menu repo URL fixed, session recovery visible, verifier regeneration improved, profile model validation added.
v10.0.7 -- Reconfigure menu no longer crashes with a ReferenceError, and FREE_QUOTA is removed entirely so the free-scan quota has one source of truth.
v10.0.6 -- Cost reporting fixed, selective reconfigure menu, GitHub token secured in OS keychain, prompt injection hardened.
v10.0.5 -- Executive Brief renders a graceful empty state, Ghost Brief --output flag wired through, README install command updated to --location=global.
v10.0.4 -- Prompt Triage now redacts before API calls, keyless wizard loop fixed, paywall copy corrected, pricing constants completed.
v10.0.3 -- Privacy copy corrected, LICENSE fixed, Ghost Watcher false-clean fixed, trial funnel improved, profile creation fixed, license detection live, 549 em dashes removed from site.
License key generation fixed, Ghost Watcher Windows setup fixed, cost estimates corrected for audit and prompt-triage.
Trial funnel fixed, Ghost Brief working, Watcher regex patched, 9 conversion and trust improvements.
Full 32-finding audit remediation. Pricing fixed, trial CTA live, portal link fixed, 32 trust and conversion improvements.
Patched a ReferenceError in the multi-pass scanner: two constants (IS_WINDOWS and SYM) were trapped inside a JSDoc comment instead of live code, so pass-complete, batch-merge, and coverage output could crash. Both declarations moved to live code. Caught by Ghost Watcher automated conflict detection.
After processing your files, Ghost now opens with "Ready to analyze N files. What would you like Ghost to do?" instead of dropping straight into the menu. First-run onboarding asks whether you have a license key before setup: enter one to activate immediately, or head to the free 7-day trial or Ghost Open. A bad key warns and continues rather than killing the session. Plus a README note on running Ghost from any directory and entering the full path when prompted.
Linux sudo ghost --activate no longer silently drops to Open tier on relaunch: the license store now resolves to the invoking user's real home, with automatic ownership reconciliation and five Configstore instances consolidated into one. Ghost also recognizes extensionless Git hook files (pre-commit, post-checkout, commit-msg, and 13 others) across the directory, ZIP, and GitHub loaders, so a .git/hooks folder is fully analyzed. Test suite now 30 tests.
Locked in the v9.4.36 forecast context-cap fix with a dedicated regression fixture -- it asserts resolveContextCap() returns an object and that .effective extraction is required, so the bug can't silently return. Also reconciled the v9.4.35 self-audit count to 14 findings. Test suite now 29 tests.
Ghost Watcher flagged a real bug on the v9.4.35 release commit. forecast-overlay.js was using the resolveContextCap() return object as a number instead of extracting .effective -- silently bypassing the tier context cap on large change sets. Ghost Watcher caught it automatically. Fixed same session.
Ghost scanned Ghost. POI self-audit identified and resolved 14 latent findings across error handling, concurrency, and silent failure paths -- none affecting the happy path, all affecting edge-case reliability. Includes 3 new regression fixtures and a 28-test suite.
Conflict Detection already suppresses findings that talk themselves out of being conflicts at generation time. This release adds a post-generation safety net that catches two more self-refuting phrasings, so anything that slips past the prompt still gets filtered before it reaches your report. A verified annotation also documents the token counter's intentional cache isolation.
Conflict Detection now suppresses findings that talk themselves out of being conflicts: if a finding's own description says there is no runtime failure or that it is correct behavior, it never reaches your report. Under the hood, the token counter's fast and exact caches are now fully isolated, and a dead import was removed.
A flagged import in the prompt-triage mode was reviewed and confirmed as a false positive. The four cost helpers it uses are correctly exported and imported directly from the core estimator, so the annotation records that verification in place. No behavior change.
Every Watcher run now compares against the last one. Findings that disappear after a fix move to a Resolved section in your portal, tagged with the commit that closed them, and brand-new findings are marked as first seen on this commit. It is branch-aware, so parallel work does not muddy the picture.
A quality pass on Conflict Detection. The scanner now suppresses speculative and hypothetical findings at the source, so what surfaces is grounded in a code path that runs today rather than a what-if. Under the hood, the findings parser gained two more recovery tiers for imperfect model output, and CI moved to Node.js 24.
A documentation fix. The Ghost Watcher config example in the README now shows the structured blast-radius block, so copying it preserves the release-commit skip behavior added last release instead of silently reverting to the older on/off form.
A small workflow refinement. Ghost Watcher now skips the Blast Radius pass on version-tagged release commits, which produced impact-analysis noise rather than actionable findings. Conflict Detection and Ghost Brief still run on every commit.
A follow-up hardening release. The multi-pass Blast Radius synthesis introduced last release now surfaces batch failures as an explicit error instead of returning a blank report, so a failed synthesis never gets saved as an empty file.
A reliability release. Ghost Watcher's Blast Radius narration and multi-pass synthesis no longer depend on long-lived streaming connections, which occasionally dropped on CI runners and produced degraded results. Those paths now use blocking and batch requests instead, so large-codebase runs complete cleanly.
A precision release. Conflict Detection sometimes surfaced findings that its own explanation admitted were not real conflicts. The noise filter now recognizes more of those self-cancelling phrasings and drops them before they reach you.
A small correctness release. The automated patch generator no longer drops switch-case lines from a fix, cancelled Ghost Watcher runs now report the right version, and an internal detector-ranking path was made consistent.
A small correctness release. Two Prompt Triage detectors were reclassified back to their documented roles as broad fallbacks, so overlapping findings no longer surface twice. One internal publish path was annotated as reviewed to keep future self-scans quiet.
A maintenance release closing out the precision work from this cycle. Scan records now persist every field the Ghost Mobile portfolio dashboard reads, so finding and severity counts render correctly instead of showing zero. The unified-diff renderer was verified correct on multi-hunk output, and the bundled conflict-prompt snapshots were refreshed to match the tightened v0.4 wording.
A maintenance release focused on precision. Conflict Detection now requires concrete runtime impact before flagging an issue, cutting speculative noise. Recurring intentional-design findings are marked reviewed so they stop resurfacing, the mobile portfolio dashboard reports findings correctly, and the Ghost Portal degraded-run banner now names the exact commit affected.
A maintenance release. When a Blast Radius analysis is interrupted, Ghost Watcher™ now emails a clear rerun notice instead of raw, unnarrated findings, and the narrator has twice as long to finish before timing out. Conflict scans recover more partial results, the Ghost Portal gains a per-commit filter, and the live usage dashboard reflects new activity immediately.
A maintenance release refining Ghost Architect™'s internals. Two prompt detectors now deduplicate correctly, conflict scans on very large codebases recover gracefully when a response is cut short, and the automated patch generator no longer mishandles method-shaped edits. All surfaced by Ghost scanning its own code.
A small maintenance release. Enabling Ghost Watcher™ on a new repository no longer bakes a hidden five-iteration cap into the generated config: the iteration limit is now opt-in, matching the documented behavior that no configuration means no limit. Plus an internal documentation correction.
A maintenance release resolving issues Ghost Architect™ found while scanning its own codebase. Duplicate findings are now suppressed correctly, batch cost estimates reflect whichever Claude model you have configured, and a redundant telemetry file that stored raw commit and repository identifiers on disk has been removed.
A maintenance release that consolidates duplicated logic and sharpens a few internal heuristics. The model temperature guard now lives in one shared place instead of three copies, the mobile dashboard reads cost and effort estimates correctly, and the report verifier no longer mistakes cost or effort ranges for source line numbers.
A small maintenance release tidying up the last loose ends from the v9.4.14 correctness work. The final naive repository-URL parser now handles GitHub Enterprise Server hosts, a context-limit warning no longer names a flag you never typed, and several in-code docs and bundled prompt snapshots were brought back in line with the actual behavior.
A maintenance release of 18 internal consistency fixes surfaced by Ghost Architect™ scanning its own codebase. Portal publishing now parses GitHub Enterprise Server repositories correctly, audit confidence scores render on the right scale, file publishing uses one consistent encoding path across every destination, and model sampling parameters are selected from an explicit allowlist so the newest Claude models are handled cleanly.
A maintenance release focused on Ghost Watcher™ reliability for larger and enterprise teams. Cancelled CI runs now resolve cleanly instead of showing a stuck Analyzing state, GitHub Enterprise Server repositories parse correctly, conflict scans on big codebases submit in right-sized pieces, and the dashboard's open-issue export is accurate. Plus forward-looking support for the newest Claude models.
On big repositories, Ghost Watcher™ used to send the entire codebase as one oversized request that constrained CI networks could drop mid-upload. It now splits the work into right-sized batches automatically, then merges every batch's findings back together. No conflicts lost, no hung scans.
A dropped connection mid-scan no longer means a degraded report in silence. Ghost Watcher™ now retries narration automatically, and if results still come through unnarrated, the Watch tab flags the affected commits so you know to rerun. The conflict filter also got sharper at telling real conflicts from ones the analysis talked itself out of.
Ghost Watcher™ now drops noise before it reaches your report. Stray version strings and malformed file references are kept out of findings, routine release-safety report sections are no longer mistaken for issues, and conflict findings that contradict themselves are removed before they surface.
The @ghost-verified annotation is now restricted to source files. Documentation files that merely contain the marker as text (changelogs, READMEs, configs) are no longer eligible, closing the last doc-text false-positive in Ghost Watcher™.
Ghost Watcher™ configuration comments clarified. No change to behavior.
Two fixes to Ghost Watcher™. The codebase path is now correctly passed through to the Ghost Brief™ instead of falling back to the working directory, and the @ghost-verified annotation is now detected only in real code comments, so a file that merely mentions the marker is no longer mistaken for a reviewed one.
Ghost Watcher™ runs on your own Anthropic API key. The Team, Team Max, Enterprise, and Enterprise Max pricing cards now state the typical per-commit cost up front, so there are no surprises when you connect your key.
Findings a developer marked @ghost-verified in source are already kept out of the active list, the PR comment, and Ghost Brief™. The Ghost Portal Findings tab now surfaces them in their own collapsed Reviewed · Expected Behavior section below the active findings, so reviewers can see what was deliberately accepted without it cluttering the work that still needs attention.
The trial tier now has an explicit 50K context cap (matching Open) instead of relying on a fallback, and the conflict-report narrator now generates prose at the same temperature as the rest of the report-narration family for consistent output.
A finding marked @ghost-verified was already kept out of the PR comment and scan file, but Ghost Brief™ still generated a remediation prompt for it. Ghost Brief™ and its detailed-prompt step now build from the active finding set only, so verified findings are excluded end to end. Internal hardening also makes the Ghost Brief™ tier gate impossible to drift, and adds the agent-loop error contract to the CI test suite.
The GitHub Actions job timeout was raised to 360 minutes (GitHub's maximum) in both the generated workflow and its template. The Actions job is intentionally no longer the limiting factor: batch poll timeouts and the store-and-resume logic own time management, so a long scan is stored and resumed on the next push instead of being killed at the finish line and firing an unnecessary incomplete-run email.
The interactive menu and ghost --brief command wrongly let non-Max Team and Enterprise users generate a Ghost Brief™, even though Ghost Watcher™ and the docs restrict it to the Max tiers. Both gates now use a single shared Max-tier constant, so Ghost Brief™ and Executive Brief are consistently available on Pro Max, Team Max, and Enterprise Max only.
Developers can mark a reviewed-and-accepted finding by dropping a @ghost-verified comment in the source file, with an optional reason. Ghost Watcher™ segregates those findings into a Reviewed · Expected Behavior section of the PR comment and scan file, so real findings stay front and center and accepted ones stop nagging on every commit.
Pro Max, Team Max, and Enterprise Max license keys now activate correctly via ghost --activate. The license parser and token validator previously did not recognize the Max-tier key codes, so activation failed before reaching the server.
Ghost Brief™ is enforced as a Max-tier feature (Pro Max, Team Max, Enterprise Max). Ghost Watcher™ can optionally verify conflict findings before reporting them, dropping false positives. Plus internal refactors to the redactor and batch cost calculation.
Pro Max, Team Max, and Enterprise Max now correctly receive 100K, 150K, and 200K token context caps. The Ghost Watcher™ iteration limit is opt-in: no config means no limit. Internal cleanup removes a duplicated quota constant.
All batch paths (blast, conflict, prompts, resume) now record inputTokens, outputTokens, and estimatedCostUsd at Anthropic batch API rates ($1.50/$7.50 per 1M tokens). Unit tests added for buildTokenUsage and sumBatchUsage.
Finding titles, severity labels, and branch names are now safely escaped before being written to GitHub PR comments. Prevents markdown injection from LLM-authored finding titles or attacker-controlled fork branch names.
Finding titles, detail text, file paths, and repo names are now safely escaped in all six Ghost Watcher™ email templates. Prevents HTML and content injection from LLM-authored findings or crafted codebase content.
Every Ghost Watcher™ scan now produces LLM-authored, developer-ready remediation prompts. Paste directly into Claude Code, Cursor, Copilot, or any AI coding tool. No preamble. No boilerplate. Just the prompt.
Ghost Watcher™ blast scans now populate file arrays correctly. Ghost Brief™ generates after every scan -- not just conflict scans. Every finding has files. Every finding gets a prompt.
Findings email delivers per-finding detail and severity summary when issues are detected. Clean scan email confirms when a commit scans clean. Both fire-and-forget and never block the CI pipeline.
Every scan now opens with a cost estimate and a choice -- stream for real-time results or submit as a batch and save 50% on API charges. Same analysis, same report, you decide.
ghost batch-status and ghost batch-retrieve commands.temperature 0 across all Anthropic call sites.Closes the final gap in the Batches API path. Raw blast batch output is now narrated before extractFindings runs, so Ghost Brief™ receives findings with fully populated files arrays. The end-to-end batch flow -- scan to Brief -- is validated.
extractFindings, so each finding arrives with a populated files array. Ghost Brief™ now generates correctly after a Ghost Watcher™ batch scan.The Anthropic SDK's batch transport dropped its connection on GitHub Actions runners. Ghost Watcher™ now submits Batches API requests over native fetch, which completes the request reliably where the SDK failed.
fetch. The SDK fetch implementation dropped the connection on GitHub Actions runners; native fetch completes the request reliably.Two reliability fixes for the Batches API path on ephemeral CI runners: retry with backoff on transient submission failures, and a preflight reachability check so unreachable endpoints fail fast with a clear message.
submitBatch. Transient network failures on CI runners no longer abort the run.Ghost Watcher™ now submits scans through the Anthropic Batches API. Runs process asynchronously, an interrupted run resumes from where it stopped, and Ghost Portal shows a pending state until results land. Batch behavior is tunable from ghost-watcher.yaml.
ghost-watcher.yaml.Ghost Architect™ ran Ghost Brief™ against its own codebase in dogfood pass 10. One critical security vulnerability and six high severity issues were found and fixed using Ghost Brief™ prompts executed in Claude Code. Ghost Watcher™ confirmed zero findings after the push. The tool used itself to fix itself.
ok: false on the result when the loop exits due to an API error. Error message included in top-level result. Test coverage added.Ghost Watcher™ is a headless CI pipeline that runs inside GitHub Actions. Every commit your team pushes triggers a full Ghost Architect™ scan automatically -- Blast Radius, Conflict Detection, and Ghost Brief™ -- with results delivered to Ghost Portal and a PR comment posted before the reviewer opens the tab.
ghost-watcher.yaml and the GitHub Actions workflow to your repo automatically, with version pinning and custom branch support.ghost-watcher.yaml.[ghost-skip] to any commit message to bypass Ghost Watcher™ for that commit.Profile management is now available before selecting a codebase. Open-tier users see an upgrade prompt with a pricing link. Pro and higher get the full sub-menu with immediate session activation.
Every report Ghost Architect™ produces now fully respects an active Ghost Partner™ profile. When a profile is loaded, your firm's name, footer, and confidentiality text replace Ghost defaults across all output formats.
companyName, footerText, and confidentialityText sourced from profile branding block.companyName in both attribution lines when a profile is active.reports.js and pdf-generator.js; no changes needed.After any scan, Ghost generates a one-page Executive Brief: health score, plain-language risk summary, and a cost comparison table showing what remediation costs manually versus with AI. 24 hours and $4,800 becomes 3 hours and $3.60. Built for the person who signs the check.
~/Ghost Architect Reports/ alongside existing scan reports.HTML report now writes to ~/Ghost Architect Reports/ alongside PDF and MD. Effort estimates now include context explaining manual vs AI-assisted execution rates.
~/Ghost Architect Reports/ for consistency with PDF and Markdown reports. No more hunting for the file in cwd.Ghost Brief™ now auto-generates a ghost-brief.html alongside ghost-brief.json. Full dark-theme interactive report with expandable prompt cards, copy buttons, and blast-radius execution sequence. No login, no dependencies.
ghost-brief.html alongside ghost-brief.json on every ghost --brief run.Six targeted fixes from Ghost Brief™ dogfood pass 5 final review. Scan resilience, compliance visibility, and portal write reliability.
lastAuditFailureUtc timestamp added to audit failure warnings for easier incident correlation.Three targeted fixes to the license validation layer surfaced during Ghost Brief™ dogfood pass 5.
updateLastSeenUtc now returns a boolean; caller treats false as a validation failure instead of silently proceeding.trialExpires validated as a non-empty string before .slice; falls back to "Expires: (unknown)" instead of throwing.Ten targeted fixes from Ghost Brief™ dogfood passes 4 and 5. License bypass, race conditions, and silent failure modes that Ghost Brief™ surfaced against its own codebase -- all closed.
saveOrgConfig now gates on admin check as first line before any mutation.Ghost Brief™ is now accessible from the post-scan menu -- no CLI flags required. Also fixes a critical packaging bug: lib/ghostBrief.js and lib/ghostBriefAdapter.js were missing from the published npm package in v8.0.0 and v8.0.1, causing Ghost Brief™ to fail on any fresh install.
ghostBrief.js and ghostBriefAdapter.js were not included in the published package. Any install of 8.0.0 or 8.0.1 would fail when Ghost Brief™ was invoked. Fixed -- both files are now bundled correctly.
--help output. --brief, --input, and --output flags are now documented with tier gate note (Pro Max and above).
Documentation pass for the v8.0.0 Ghost Brief™ launch. Seven-tier comparison table, What's New section, and updated npm package metadata.
Ghost Brief™ converts any Ghost scan into a validated, blast-radius-aware Claude Code prompt pack. Feed ghost-brief.json into Claude Code, Cursor, or Copilot. Ghost briefs the AI. The AI fixes the code. You ship.
--brief). Converts any Ghost scan findings JSON into a structured prompt pack. Each prompt includes what to fix, which files to touch, which files to never touch, and validation hints to confirm the fix landed correctly.
signup.ghostarchitect.dev/portal-report Worker now serves briefs/ paths alongside reports/ paths. Required for the Portal Brief tab to load Brief data.
A pair of housekeeping improvements: version is no longer hardcoded in the CLI binary, and Ghost Portal™ activation instructions are now bundled with every install.
npm version patch bumps both the package and the CLI banner automatically.
Connect your GitHub account, get your Portal URL in under 60 seconds. No manual repo setup, no config files -- one OAuth flow and you're live.
ghost-reports repo and Portal dashboard are provisioned automatically.
Fix Forecast is no longer a single-finding operation. Pick N findings at once, review the estimated cost before Ghost spends a token, and get a combined client-ready PDF when you're done. Blast Radius now shows real API token costs instead of character-count estimates. The conflict scanner was rebuilt around structured JSON output.
SessionCostTracker instead of character-count estimates. The cost breakdown after a blast scan shows actual API usage, including a labeled estimate for narrator tokens.
v7.1 shipped on launch day alongside v7.0.0 -- site overhaul live, Stripe payments enabled, Ghost Open freemium gate active.
The headline change is structural. There is no separate trial flow anymore. Install Ghost Architect™ via npm, point it at any codebase, run real work. By the time you hit the paywall, you have already gotten real value, on your own machine, on your own code.
--profile, --create-profile, and --list-profiles flags now correctly restricted to Pro, Team, and Enterprise. Open tier sees a clear upgrade message instead of a broken flag.
v6.0.0 wired the License Worker to the full Stripe subscription lifecycle and shipped a defensive fix for a findings-parser edge case that had been silently skipping output.
tests/parser-fixtures.test.js covers the parser edge cases so the same bug class cannot regress.
The v5 series rolled out per-scan context controls, tier-aware context budgets, the Ghost Partner™ profile system for agencies, and a machine-readable findings output for downstream tooling.
--max-context N for raising or lowering the context budget on a single run. --exclude "glob" for path or pattern exclusion. --exclude-presets for curated exclusion bundles (test data, generated files, vendor caches).
--profile name, --create-profile, and --list-profiles flags. Profiles are stored locally per-machine.
findings.json alongside the human-readable TXT, MD, and PDF outputs. Downstream tooling, dashboards, and the Ghost Portal report sync all consume this format.
npm update -g ghost-architect-open to pull v7.2.2. Your config, scan history, and license persist. Nothing breaks.