DOC · changelog KEEP-A-CHANGELOG 1.1 LAST ENTRY · 2026.05.04
DOCS / CHANGELOG

What changed, and when.

Every public release. Breaking changes are labelled. For full diffs, follow the GitHub release link on each entry.

1.1.0 May 4, 2026 LATEST

1.1 — webhooks, scans, PR comments.

Inbound webhooks trigger pipelines on push and pull-request events. Trivy and Semgrep output is parsed into structured findings. AI review and scan results post back to the originating PR as a single comment.

  • added
    Webhook handler at /api/v1/webhook/:provider for GitHub push / pull_request and GitLab Push / MR hooks.
  • added
    HMAC-SHA256 verification for GitHub (X-Hub-Signature-256) and constant-time token compare for GitLab (X-Gitlab-Token).
  • added
    PR/MR comment poster — stdlib-only HTTP, retry-with-exponential-backoff on 5xx and network failures, fast-fail on 4xx.
  • added
    Trivy and Semgrep JSON parsed into SecurityScanResult with severity counts and per-finding cards.
  • added
    AI review wired into the post-build step — appears as an expandable job card and posts to PRs for pull-request builds.
  • fixed
    Pipeline fallback no longer hardcodes JavaScript — projects without a Callahanfile auto-detect Go, Python, Rust, Java, or Ruby from cloned files.
  • fixed
    Trivy parser tolerates progress logs on stdout — CombinedOutput was eating findings.
  • fixed
    LLM test endpoint now receives provider/model/key from the UI — was posting an empty body and always returning "No provider selected".
BRANCH · mainGitHub release ↗
1.0.0 January 2026 GA · STABLE

1.0 — the first public cut.

First open-source release. A single Go binary that runs pipelines on your laptop, stores state in SQLite, and serves a Next.js dashboard. AI features are opt-in via the ai: block in your Callahanfile.

  • added
    Callahanfile.yaml — GitHub-Actions-compatible YAML with an ai: extension for review, security-scan, and explain-failures.
  • added
    Local pipeline executor — runs each step as a shell process in a per-build temp directory.
  • added
    LLM client with four providers: Anthropic, OpenAI, Groq, and Ollama (local). Switchable from the settings page.
  • added
    Pipeline Architect — generates a Callahanfile from a plain-English description and commits it to the repo.
  • added
    Build DebuggerAI Explain Failure button on every failed build; reads logs and the Callahanfile.
  • added
    Code Reviewer — runs on every build, output rendered as an expandable job card.
  • added
    Security Analyst — runs Trivy or Semgrep when present, falls back to AI source review otherwise.
  • added
    Language auto-detection from go.mod, package.json, requirements.txt, Cargo.toml, pom.xml, Gemfile.
  • security
    Project secrets — XOR-obfuscated at rest, decrypted in memory only when used for git clone or shell injection.
  • added
    Live build logs — Go server pushes lines over WebSocket to the Next.js dashboard.
  • added
    Dashboard — Jenkins-style build history, expandable job cards, command palette (⌘K).
  • added
    Docker Compose for one-command bring-up; start.sh for local dev mode.
  • added
    Example Callahanfiles for Next.js, Python FastAPI, Go, Rust, and Java Spring.
LICENSE · MITGitHub release ↗