Changelog

What changed.

Arbor evolved from a generic blast-radius tool to a security graph for AI-generated code. This log tracks that shift openly, including the technical decisions behind each release.

0.8.0MajorApril 2026

Security analysis pipeline

Complete security analysis integrated into the PR pipeline. The engine now classifies changed code against 10 security surface categories and produces structured evidence packets.

-Security classifier with path rules, filename rules, and symbol rules for 10 surface categories.
-Upstream and downstream path tracing through the call graph for entrypoints and sensitive sinks.
-Framework-aware entry point detection for Next.js, Express, FastAPI, Spring, Axum, Go HTTP, WebSocket, cron, and CLI.

0.7.0MajorMarch 2026

PR-time security reachability

Arbor pivoted from generic blast-radius analysis to focused security reachability. The product is now positioned around reachable security risk for AI-generated code.

-New security dashboard direction: reachable paths, sensitive surfaces, and policy gates.
-New GitHub-style PR security comment with required proof and limitations.
-New frontend evidence packet types for backend-native security data.

0.6.0EngineFebruary 2026

Evidence-based PR analysis engine

The private engine added multidimensional risk scoring, conditional verdicts, and richer PR reports with evidence fusion.

-Four risk dimensions: correctness, security, reliability, maintainability.
-21 evidence signals across 13 signal extractors.
-Weighted DS evidence fusion with reliability weights and staleness decay.

0.5.1FixJanuary 2026

Billing and access control fixes

Production hardening of the billing flow, org access controls, and API authentication.

-Invalidate optimistic billing verification cache to prevent stale reads.
-Make Stripe plan sync read-after-write safe.
-Clear billing success session ID after verification loop completes.

0.5.0MajorDecember 2025

GitHub App and dashboard

Arbor Cloud launched as a GitHub App with install flow, PR analysis history, billing, and dashboard.

-GitHub OAuth dashboard with repository list and analysis history.
-GitHub App webhook handler with HMAC-SHA256 verification.
-Durable analysis job queue with retry support.

0.4.0LegacyNovember 2025

Blast radius analysis (legacy)

Initial PR analysis focused on blast radius and dependency impact. This was the precursor to the security-focused pivot.

-Tree-sitter parsing for 14 languages via arbor-core.
-petgraph call graph construction via arbor-graph.
-BFS upstream/downstream impact analysis.

Security analysis pipeline

Complete security analysis integrated into the PR pipeline. The engine now classifies changed code against 10 security surface categories and produces structured evidence packets.

-Security classifier with path rules, filename rules, and symbol rules for 10 surface categories.

-Upstream and downstream path tracing through the call graph for entrypoints and sensitive sinks.

-Framework-aware entry point detection for Next.js, Express, FastAPI, Spring, Axum, Go HTTP, WebSocket, cron, and CLI.

PR-time security reachability

Arbor pivoted from generic blast-radius analysis to focused security reachability. The product is now positioned around reachable security risk for AI-generated code.

-New security dashboard direction: reachable paths, sensitive surfaces, and policy gates.

-New GitHub-style PR security comment with required proof and limitations.

-New frontend evidence packet types for backend-native security data.

Evidence-based PR analysis engine

The private engine added multidimensional risk scoring, conditional verdicts, and richer PR reports with evidence fusion.

-Four risk dimensions: correctness, security, reliability, maintainability.

-21 evidence signals across 13 signal extractors.

-Weighted DS evidence fusion with reliability weights and staleness decay.