Know what is in the codebase before the next migration, SOW, or audit. Any codebase, any language, any platform.
Ghost Architect™ analyzes the entire codebase and surfaces architectural risks, conflicts, and vulnerabilities before they become production incidents.
Auto-map red flags, dead zones, fault lines, and landmarks across your entire codebase. Know what matters before you touch it.
Find contract mismatches, schema conflicts, config errors, and constant disagreements across any language or platform.
Before you make a change, understand the full impact. Every dependency, every affected flow, with a rollback plan included.
Walk into the scoping call with data. Recon counts files, gauges complexity, projects scan cost, and proposes a multi-pass plan before you spend a cent on analysis.
If you ship AI features, your prompts are production code. Ghost audits a folder of LLM prompts and surfaces 16 categories of defects backed by the Tian et al. 2025 academic taxonomy.
Ghost Architect™ runs entirely on your local machine. Your codebase is never uploaded, never stored, and never transmitted to Ghost Architect™ servers — because there are no Ghost Architect™ servers.
Analysis calls go directly from your machine to Anthropic's API using your own key, under your own data agreement. No SaaS. No upload. No data retention.
Ghost Architect™ is a CLI tool that runs entirely on your machine. Zero cloud dependency.
You bring your own Anthropic API key. Ghost Architect™ is never in the middle.
Nothing is stored, logged, or retained outside your own filesystem. Ever.
Ghost Architect™ has been audited with npm audit and contains zero known vulnerabilities across all dependencies. Verifiable by anyone.
GitHub, GitLab, Bitbucket — public or private. Authenticate with a personal access token and scan. No ZIP download required. Any language. Any framework.
Your developers aren't pulling client codebases to their laptops. They're working from repos. Ghost Architect™ works the same way. Point Ghost at any GitHub, GitLab, or Bitbucket repository — public or private — authenticate with a personal access token, and run your scan. The entire analysis happens on your local machine. No code is uploaded. No third party ever sees your client's codebase.
Authenticate with a personal access token. Ghost clones the repo locally, scans it, and removes the clone when done. Your client's code never touches our infrastructure, because there is no "our infrastructure".
Point Ghost at a specific directory within a large repo. Scan the module you're working on, not the entire monorepo.
Every scan produces a branded PDF for stakeholders, a TXT for developers, and an MD for your team to commit. Hand it to the client the same day.
Each developer runs Ghost with their own Anthropic API key — giving your agency complete visibility into usage and cost at the individual seat level. No black box billing.
Solo developer or independent architect? Ghost Architect™ works just as well for individuals. Start with Ghost Open free, upgrade when you need more.
Ghost Partner™ is the consultant edition of Ghost Architect. Load a profile YAML that injects your audit methodology, billing rates, and branding into every scan. The findings are still Ghost's. The framing, the priorities, and the dollar estimates are yours.
Ghost Architect™ analyzed 658 files in a real Meta Magento extension and surfaced 18 architectural findings — conflict mismatches, security risks, and integration vulnerabilities — in under 10 minutes.
Meta OAuth access tokens stored in window.facebookBusinessExtensionConfig — readable by any XSS attack or DevTools inspection. Full Facebook Business account takeover via browser.
Event ID deduplication race condition causing 10–20% duplicate Conversion API events. Ghost flagged this as the most expensive bug in the codebase — inflating Meta ad spend by thousands monthly.
Arbitrary POST parameters saved directly to core_config_data with no validation or allowlist. Combined with missing CSRF protection — any system configuration value is writable by an attacker.
These are 3 of 18 findings from a real public extension.
The largest architectural shift in the 2.4.x line since 2.4.4. PHP 8.2 dropped. PHP 8.4+ mandatory. Laminas MVC removed entirely. Valkey replacing Redis as the default cache. Plus 500+ core fixes that expose latent assumptions in your custom code. Most stores carry 30-100 custom modules accumulated over years — most written when PHP 8.1 or 8.2 was the target.
Every custom module written for PHP 8.2 or 8.3 needs an audit. Deprecated functions become fatal errors. Implicit nullable parameters are gone. Dynamic property creation throws.
Laminas MVC removal breaks any extension that imports from Laminas\Mvc\ namespaces — at compile time, not runtime. The module simply will not load.
POI scan inventories every custom module. Conflict Detection surfaces deprecated APIs and removed-function patterns. Recon mode produces a sized engagement plan in 5 minutes for ~$0.05.
Walk into the upgrade conversation with data, not guesswork.
Ghost Architect scans your codebase and produces a structured triage report — categorizing every finding by severity (Critical, High, Medium, Low), flagging architectural risks, security vulnerabilities, and conflict mismatches. It gives your team a prioritized map of where to start, not a raw list of every issue. Output is a branded PDF for stakeholders, a TXT for developers, and a Markdown file your team can commit.
No. Ghost Architect runs entirely on your local machine. Your source code is never uploaded to any Ghost Architect server — because there are no Ghost Architect servers. Analysis calls go directly from your machine to Anthropic's API using your own API key. Anthropic deletes API inputs and outputs within 7 days per their data retention policy.
Ghost Architect works on any codebase, any language, any platform. PHP, JavaScript, TypeScript, Python, Ruby, Java — it doesn't matter. It's framework-aware and analyzes code structure, dependency relationships, configuration files, and integration patterns regardless of what stack you're running. Adobe Commerce and Magento are common use cases, but they're not requirements.
A typical Ghost Architect scan costs $0.23 in Anthropic API usage. Most Pro users run 10–20 scans per month, putting their total API cost at $2–5/month on top of the subscription. You can verify this yourself — Ghost prints the exact cost of every scan in the terminal output. There are no hidden fees or usage caps imposed by Ghost Architect.
Linters catch syntax errors and style violations. Static analysis tools find known vulnerability patterns. Ghost Architect does something different — it reasons about your codebase architecturally. It identifies how components relate to each other, where integrations are fragile, what the blast radius of a change would be, and which findings represent real business risk versus noise. It's triage intelligence, not a rule-based scanner.
Yes. Ghost Architect supports private GitHub, GitLab, and Bitbucket repositories. You authenticate with a personal access token, Ghost clones the repo locally, runs the scan, and removes the local clone when done. Your client's code never touches any third-party infrastructure beyond your own Anthropic API key. This makes it safe to use under NDA with enterprise clients.