Changelog
User-facing changes only, summarised. One entry per day.Public scan request intake
- Public scan-request form. The qodex.ai website can now accept scan requests from visitors for follow-up.
July 3, 2026
The Chrome recorder can capture richer UI flows and use the browser to reach localhost targets.
Chrome recorder
- Record UI flows from Chrome. The Qodex Chrome recorder can capture browser actions and save them as draft UI scenarios.
- Localhost browser proxy. Browser-side requests can reach localhost targets that the hosted runner cannot access directly.
Dynamic scenario values and auth helpers
- Dynamic run-time values. Scenarios can now use built-in tokens for timestamps, UUIDs, random strings, random emails, and run-stable values that stay the same across one run.
- Dynamic values in UI replay. UI scenarios can resolve those same dynamic tokens during replay, which helps recorded or generated flows avoid stale unique values.
- Auth-profile token copy. Auth profile cards can reveal and copy the cached bearer token when a user needs to inspect or debug how a profile is being used.
June 30, 2026
Scenario folders gain a second level, imports handle more collection shapes, and uploads get larger.
Nested folders and imports
- Two-level scenario folders. Scenario groups can now include one nested folder level, so teams can organize a large test area into smaller sub-flows without creating separate top-level groups.
- More flexible collection imports. Imported collections that do not define a host can fall back to the project default environment instead of forcing users to repair the collection first.
- Larger chat uploads. Chat attachments now support files up to 50 MB, making larger specs, collections, and supporting files easier to share with Qodex.
Collection import through chat
- Import collections through chat. Qodex can now start an API collection import from the chat composer, so users can upload a collection and keep the import flow in the same conversation where they ask questions.
Collection rename and email verification
- Rename collections from settings. Collections can be renamed from the collection settings modal, so teams can keep imported API catalogs readable as projects change.
- Email verification login. Verification links can take users straight into an authenticated session after they confirm their email.
PR review controls
- PR table review controls. The Pull Requests page can show review state per row and lets users run a review from the table.
- Repo-specific review policy. Teams can tune review context, author allowlists, and review settings per repo.
PR review comments and settings
- Cleaner PR comments. Reviews now favor crisp comments, one persistent walkthrough, deduplicated content, and comments that can resolve when the underlying issue is fixed.
- Editable review context. Teams can add repository context and review preferences so Qodex reviews the project with the right expectations.
Scenario timing and file context
- Per-step delays. Scenario steps can include a deliberate delay when the system needs time for asynchronous backend work before the next assertion.
- File-aware chat context. Uploaded file contents can be injected into a chat turn, so Qodex can use the file as direct context when creating or refining tests.
Conditional steps and UI testing depth
- Conditional scenario steps. Scenarios can use a
whenguard so a step runs only when the previous data, state, or environment makes that step relevant. - Nested dropdown handling. UI testing can surface nested dropdown options during authoring and replay, making complex menus easier to test.
- Live browser wall. UI test authoring and replay can show the browser activity more clearly while Qodex explores or verifies a flow.
Invite links
- Invite by link. Project members can join from an invite link, so a team can onboard someone even when email delivery is delayed or blocked.
Scenario groups and run artifacts
- Groups default to parallel. New scenario groups now start in parallel mode, which matches the common folder-style use case for independent scenarios.
- “Scenarios” language replaces “members.” Group management now talks about scenarios, including Manage scenarios, scenario counts, and Add to group.
- Record UI-only groups. UI-only scenario groups can be run with video recording, giving every UI scenario in the group a replay artifact.
- Screenshot lightbox. Test run details can open step screenshots in a larger lightbox for easier debugging.
Test groups and folders
- Scenario groups as runnable folders. Teams can organize related scenarios into groups and run the group as one unit from the web app, schedules, webhooks, CI, or the full suite.
- Sequential and parallel modes. Sequential groups run scenarios in order and can share captured values. Parallel groups run independent scenarios at the same time.
- Add to group. Selected scenarios can be added to a group from the scenario list, with validation for sequential and parallel membership rules.
- Scenario groups view. The groups tab shows group ids such as
TG-001, scenario counts, parallel badges, searchable groups, and scenarios inside each group. - Drag to reorder. Scenarios inside a group can be reordered directly in the group tree or detail view.
- Grouped results. Test run details show grouped scenarios under their group container, including a parallel indicator when relevant.
UI auth profiles
- UI auth profiles. Browser sessions can now be saved as UI auth profiles and injected into UI scenario replay, so scenarios can start already authenticated.
- Session import for hard logins. For captcha, OTP, SSO, or other logins the agent cannot automate, users can import a browser session and bind it to an auth profile.
- Authoring with a bound profile. UI scenario authoring can start from a saved profile’s session instead of forcing the agent through login steps every time.
Pull request review retry
- Retry failed PR reviews. The Pull Requests page now exposes a retry path for failed reviews.
Onboarding and PR-review setup
- Attach-first onboarding. The onboarding flow now guides users toward attaching a Codex account earlier.
- Simpler setup steps. The wizard drops the API/web/both question and uses a clearer step sequence.
- Auto-review after GitHub connect. GitHub PR-review onboarding can trigger a review on connect so new users see value immediately.
- Auto-named Codex accounts. Attached Codex accounts can be named after the person adding them.
Plans, PR tables, and Codex account health
- Plan entitlements. Qodex now shows plan limits, module access, usage caps, and upgrade-request state from one consistent model.
- Pull Requests table parity. The Pull Requests table now matches the Scenarios table structure and filtering model.
- OAuth expiry emails. Users receive email alerts when a Codex account’s OAuth authorization expires.
PR review commands and configuration
- Cleaner repeated reviews. Qodex avoids repeating review comments the team has already handled in the PR discussion.
- PR description quality signal. The review checklist can call out when a PR description does not give enough context.
- Per-rule disable support.
.qodex.yamlcan now disable specific review rules withdisabled_rules, so teams can turn off checks that do not fit a repo. @qodex retryand@qodex fix.@qodex retryworks as an alias for@qodex review, and@qodex fixcan suggest a focused fix from an inline finding.
June 8, 2026
PR review gets manual re-runs, duplicate suppression, walkthrough tables, and triage commands.
PR review workflow improvements
- Manual review trigger. Users can manually trigger PR reviews, and repeated triggers on the same SHA reuse recent or running reviews instead of creating duplicate jobs.
- Incremental review and carry-over. Qodex suppresses duplicate inline comments across review runs, carries findings forward safely, and avoids hard-filtering findings against a truncated incremental diff.
- Walkthrough table. Review comments now include a per-file walkthrough table so readers can see what changed and where Qodex focused.
- Slash-command triage.
@qodex resolveand@qodex ignorelanded for review workflows.
Transparency block on every walkthrough
- Every PR review walkthrough now ends with a “What Qodex checked” block: rules applied, files reviewed, findings dropped by post-filter, probe outcomes per verified finding.
- On by default. The
severity_thresholdandconfidence_floorreported in the block come straight from the repo’s.qodex.yaml. - Intent: decide in one glance whether to trust the review or read the diff yourself.
June 6, 2026
M1 PR review surface ships end to end: webhook, walkthrough, inline comments, verification probes, .qodex.yaml, slash commands, Check Run, multi-project routing.
M1 PR review ships
- Reviews fire on every PR.
pull_requestevents (opened, synchronize, reopened) trigger a top-level walkthrough comment plus inline comments on findings inside the diff. Findings outside the diff fall back into the walkthrough body so nothing is dropped silently. See PR review and How a review fires. .qodex.yamlper-repo config. Each linked repo can setseverity_threshold,confidence_floor, path includes and excludes, and advisory vs blocking mode. Read off the PR head SHA, so config changes ship with the PR. Invalid YAML is reported as an inline comment on the file, not silently ignored. See .qodex.yaml reference.- Slash commands.
@qodex reviewre-runs the walkthrough and inline findings on the current head SHA.@qodex helpposts the supported-command list. Permissions inherited from the GitHub App install. Author must be a repo collaborator. See Slash commands. - Pre-merge Check Run. Every review creates a GitHub Check Run that starts in
in_progresson webhook receipt and ends inneutral(advisory, default),success, orfailure(blocking, opt-in via.qodex.yaml). Branch protection can requireqodex/review. See Check Run and merge gating. - Verification probes against preview deployments. When a PR has a successful preview, the reviewer emits one or more HTTP probes per finding, runs them against the preview URL, and attaches request line + response status + verdict (
verified,unverified,inconclusive) as evidence. SSRF allowlist rejects link-local, loopback, private, and reserved ranges. See Verification probes. - Multi-project install routing. One GitHub App install can now serve many projects through a
project_installsgrant table. Connecting a new project to an already-installed org is one click, not a re-install. Existing single-project installs auto-backfilled. See Multi-project routing and Connect a repo.