What we've shippedchangelog.

Public timeline of every meaningful milestone — what shipped, what was built, what got designed. Specific enough to be falsifiable. Newest entries on top.

  1. May 27, 2026shipped

    Multi-member ring management — real 1-of-N anonymity, shipped

    Shipped the feature that makes gitghost actually meaningful: dashboard-native ring management where anyone can create a ring, add members by GitHub username, and start signing commits as 1-of-N. The privacy story is end-to-end now — your private key lives in the browser, the server never sees it, and you decide per ring whether to put it in the public index or keep it private. Verifiers see "someone in the ring signed" — not who.
    • Create rings from /dashboard/rings — name, description, category, public/private toggle
    • Add members by GitHub username — ghost key pubkeys auto-derived, no manual key paste
    • Privacy by default: rings start private, opt-in to discovery in /rings public index
    • Per-ring visibility toggle in ring detail page (blue 'public' / gray 'private' badge)
    • Zero-knowledge keypairs: secp256k1 generated in browser, stored in localStorage, never sent to server
    • /dashboard/settings: view truncated pubkey, download backup, restore from JSON backup, regenerate
    • /join flow: invited users land on onboarding page, login, auto-generate ghost key, ready to be added
    • /rings index merged: seed rings + public user rings, live stats (rings / members / verifiable)
    • Ring detail at /rings/[slug]: members + pubkey + ring root + CLI snippet + canonical ring.json
  2. May 27, 2026infra

    Production infrastructure — Neon Postgres, Drizzle ORM, GitHub App

    Replaced the JSON-file storage layer and demo-only ring seed with a real production stack. Postgres on Neon (serverless), Drizzle ORM for type-safe queries, and a full GitHub App integration so gitghost can interact with repos through scoped installation tokens instead of personal OAuth tokens. Webhook-driven data sync is live — installs, repo additions, and renames propagate in real time.
    • Database: Neon Postgres with 7 tables (users, installations, repos, jobs, ai_credentials, rings, ghost_commits)
    • ORM: Drizzle with lazy-init client schema and idempotent upserts (JSONB @> membership queries, ON CONFLICT DO UPDATE)
    • GitHub App: JWT generation + installation token minting + webhook signature verification (HMAC-SHA256, timing-safe)
    • Webhook handler at /api/webhooks/github processes installation, installation_repositories, repository events idempotently
    • /dashboard/repos lists your GitHub App installations with expandable repo view
    • Migrated dashboard jobs + credentials from local JSON files to async Drizzle calls
    • db-users.ts: explicit upsertUser for webhook/OAuth flows (FK constraint defense)
    • Removed unused sql.js dependency
    • Production: www.gitghost.org live with full integration
  3. May 26, 2026shipped

    Dashboard MVP shipped — AI-powered ghost commit workspace

    Shipped the first usable GitGhost Dashboard: an AI-powered workspace that lets anyone describe a change, review the generated code in a live preview, and ship it as a ghost-attributed commit — all without leaving the browser. This closes the gap between "I want to build something" and "it's in the repo with a verifiable ghost signature."
    • Dashboard: single-page workspace at /dashboard — prompt, preview, approve, commit
    • AI code generation: 8 providers (OpenAI, Anthropic, DeepSeek, Gemini, Groq, Together, Mistral, OpenRouter)
    • Live preview: generated HTML/React renders inline in sandboxed iframe
    • GitHub OAuth: login, auto-create repos, one-click ghost commits — no manual token or repo setup
    • LSAG ring signatures: every ghost commit carries a real cryptographic ring signature verifiable by the CLI and web verifier
    • GhostRegistry anchor: commits automatically anchored on Base mainnet (0x4dc8911fd65aa7cdcac410549ee80323bbcb2206)
    • Anonymous ranking: dashboard-generated repos appear with hash-based names, no identity leak
    • Feed + events: recent verifications and anchor events surface in real-time
    • 8 providers via BYOK: bring your own API key for any supported AI provider
  4. May 25, 2026docs

    Repo ranking and ghost review flow documented

    Documented how /feed, repo ranking, and gitghost review fit together. The important boundary is explicit now: the CLI signs commits and reviews, while ranking is derived from public verification and anchor events stored in the activity ledger. That keeps the public leaderboard useful without turning it into signer tracking.
    • /docs now explains the activity write path: verify/anchor → activity ledger → /api/feed → /api/feed/rank
    • Repo ranking groups public GitHub verification events by owner/repo and scores volume, anchor rate, ring diversity, recency, and freshness
    • gitghost review approve|reject|comment signs PR reviews with Ghost-* trailers and posts them through the GitHub Reviews API
    • /api/review can read GitHub reviews back and verify ghost-signed review trailers
    • Privacy boundary: ranking proves repo-level ghost activity; it does not identify the signer or store commit bodies
  5. May 24, 2026built

    Local MCP server surface for agents

    Added @gitghost/mcp, a local stdio MCP server for agent clients. Agents can now initialize gitghost, manage rings, create ghost commits, and verify trailers from the repo they are already working in — without a hosted API or remote identity service in the loop.
    • Package: @gitghost/mcp
    • Clients: Claude Desktop, Cursor, Cline, OpenCode, or any stdio MCP client
    • Transport: local stdio only — no hosted identity service
    • Tools: gitghost_init, gitghost_ring_add_self, gitghost_ring_add, gitghost_ring_list, gitghost_commit, gitghost_verify
    • Repo cwd is the trust boundary; .gitghost/identity.json stays local
  6. May 23, 2026shipped

    GitHub Action live on Marketplace · automatic PR verification

    Shipped gitghost verify as a public GitHub Action. Anyone can now search "gitghost" on the GitHub Marketplace, install in 1 click, and drop 6 lines into their workflow — every pull request in their repo gets a sticky comment with the cryptographic verdict for each commit. Before this, maintainers had to clone the PR locally and run gitghost verify <sha> on every commit by hand. Now it's automatic, sticky (one comment per PR, updated in place across pushes), and surfaces the on-chain anchor link when present. The action's own repo eats its own dogfood — every commit there is signed with gitghost commit, author shows as ghost, no identity leak.
    • Marketplace listing: github.com/marketplace/actions/gitghost-verify
    • Source: github.com/gitghostonbase/gitghost-action (MIT, v1.0.0)
    • Sticky comment pattern — one comment per PR, edited in place across pushes
    • Outcome taxonomy: verified · invalid · not-ghost · error (regular commits never false-flagged)
    • Optional fail-on-invalid mode integrates with branch protection / required checks
    • Self-signed: the action repo's own commits are LSAG-signed, author = ghost
  7. May 22, 2026shipped

    On-chain anchoring live · GhostRegistry deployed on Base mainnet

    Every ghost commit can now be permanently timestamped on a trust-minimized chain. GhostRegistry — a 50-line append-only contract — is live on Base mainnet at 0x4dc8911fd65aa7cdcac410549ee80323bbcb2206. Each anchor records (commitSha, ringRoot, keyImage) and emits an indexable event. A sponsored relayer at /api/anchor pays gas after re-running full LSAG verification server-side, so users don't need a wallet. Why Base: Bitcoin/Ethereum-secured, ~$0.0001 per anchor, 1.6s end-to-end including signature verify.
    • Contract: GhostRegistry.sol on Base mainnet, MIT, source-verified on Basescan
    • Foundry test suite: 8 unit tests + 1 fuzz pass
    • Sponsored relayer: 5 anchors/hour per ip, 100/day global cap
    • First anchor proof: basescan.org/tx/0x6679bb94…811abc · block 46,337,919
    • CLI: gitghost commit -m … --anchor (auto-submit) or gitghost anchor <sha>
    • Verifier auto-surfaces 'ANCHORED · base block N' when commit has on-chain proof
  8. May 22, 2026shipped

    Playground · live activity feed · public ledger

    Shipped /playground — a 4-tab browser app that lets anyone generate a ghost identity, build a ring (by GitHub username or paste pubkey), sign a message with LSAG, and verify — all client-side, no install, secret never leaves the page. Plus /feed: a public timeline of every successful verification. Counters, 14-day histogram, per-ring breakdown, all auto-refreshing every 8 seconds. Privacy-conscious: ring metadata + key image only — no author email, no commit body.
    • /playground — 4 tabs (Identity, Build, Sign, Verify), full client-side crypto
    • /api/derive-pubkey — fetch GitHub keys, derive deterministic ghost pubkey
    • /feed — SSR snapshot + 8s client refresh, persistent activity ledger
    • Live ticker on landing: X verified today · Y total
    • Anchored events get an ⚓ badge with Basescan link
  9. May 22, 2026shipped

    @gitghost/cli published to npm

    First public CLI release. npm install -g @gitghost/cli or curl-pipe via gitghost.org/install.sh. Fully working init / ring / commit / verify path with privacy-safe defaults — secret keys auto-gitignored on init, message signing canonicalised to survive whitespace edits, robust trailer parsing that doesn't break on commit bodies that mention literal Ghost-Ring:.
    • Published as @gitghost/cli@0.1.1 (org-scoped on npm)
    • Audit fixes: identity.json auto-gitignore, --anchor flag wired, findAnchor collision-safe
    • Ring-size warnings: weak anonymity for N<5, performance note for N>200
    • Windows ACL hint when mode 0o600 doesn't apply
    • Dynamic version reads from package.json (no more hardcode drift)
  10. May 21, 2026shipped

    Browser verifier API live · public ring registry

    Shipped POST /api/verify end to end. Github mode fetches a commit + ring config straight from GitHub and runs the full LSAG check. Raw mode accepts pasted message + ring for offline / private repo verification. GET /api/rings and /api/rings/[slug] expose the public registry. Four reproducible rings seeded from real public SSH keys at github.com/<user>.keys.
    • POST /api/verify · github + raw mode
    • GET /api/rings · GET /api/rings/[slug]
    • Seeded rings: linux-kernel-core, node-runtime-historic, frontend-frameworks, privacy-engineering
    • Ring root validated against the live cryptography on every boot
    • 404 / 400 / 200 paths covered for malformed inputs
  11. May 20, 2026built

    Browser-safe LSAG port — CLI ↔ web cryptographic parity

    Ported the full LSAG / ringRoot / Ghost-* trailer logic into a browser-safe bundle so the verifier runs the exact same math as the CLI. Every signature signed by gitghost commit verifies via POST /api/verify, byte for byte. Cryptography uses @noble/curves + @noble/hashes — widely-audited primitives, zero rolled-our-own crypto.
    • secp256k1 LSAG sign + verify in TypeScript
    • Deterministic ring root (sha256 of canonical ring config)
    • Ghost-* commit trailer parser + emitter
    • Bit-identical results across CLI and web verifier
  12. May 19, 2026shipped

    First real ghost commit signed and verified

    Ran the full pipeline end-to-end. Initialised demo-ring with three members (the local identity plus two derived from real GitHub SSH keys), signed a commit anonymously, and verified it through both the CLI and the public API. The exact signature is now wired into the verifier as a load-live-example button — click it to watch real LSAG verification execute in front of you.
    • First real anonymous commit produced via the CLI
    • Ring: demo-ring (3 members, real-key-derived)
    • Verified path: trailers parsed → ring root matches → LSAG valid
    • Verifier returns ok: true on the live signature, deterministic
  13. May 15, 2026built

    CLI v0.1.0 — init / ring / commit / verify / anchor

    Shipped the TypeScript CLI. gitghost init bootstraps a per-repo identity and ring config. gitghost ring add <user> pulls SSH keys from GitHub and derives a deterministic ghost public key. gitghost commit signs with LSAG and writes Ghost-* trailers. gitghost verify reproduces the proof and flags key-image reuse.
    • Node 18+, ESM, Commander 12 + simple-git + ora
    • Trailers: Ghost-Ring · Ghost-Ring-Root · Ghost-Key-Image · Ghost-Signature
    • Local anchor log for key-image reuse detection
    • Anchor command stub (Phase 1: real on-chain Base anchoring)
  14. May 08, 2026plan

    Protocol design — LSAG over secp256k1 with linkable key image

    Locked the cryptographic primitives. LSAG (Liu/Wei/Wong 2004) over secp256k1, SHA-256 for hash-to-scalar, try-and-increment for hash-to-point. Same curve as Bitcoin/Ethereum so on-chain anchoring on Base reuses existing tooling. Key image binds to sha256("gitghost.v1.context|" + ringName) for cross-ring isolation.
    • secp256k1 + SHA-256 — Bitcoin / Ethereum-compatible
    • Key image: I = sk · H_p(pk ‖ ctx)
    • Context binding prevents cross-ring linkability
    • Ring root: deterministic SHA-256 of canonical ring config
  15. May 05, 2026plan

    Project kickoff — anonymous attribution, not anonymous code

    Defined scope and threat model. gitghost is for cryptographic attribution — proving a commit came from a trusted set without revealing the signer. It is not an identity service, not a network anonymizer, not a vulnerability disclosure platform. If you need network-layer anonymity (who pushed), compose with Tor; gitghost only handles the math.
    • Scope: cryptographic attribution only
    • Out-of-scope: network anonymity, key compromise, coercion
    • Target users: security researchers, OSS maintainers, sensitive infra
Stay updated

Updates land on @gitghost_ and the Telegram group first, then on this page within a day. If something here is missing, ping us — public ledger is the point.