Release: v6.3.0

.github/workflows/workflow.yml

@@ -5,14 +5,20 @@ on:
   push:
     branches:
       - master
+    paths-ignore:
+      - "**.md"
+      - "**.mdx"
+      - "**.html"
+      - "**.css"
+      - "DOCS/**"
   pull_request:
     branches:
       - master
     paths-ignore:
-      - "CHANGELOG.md"
-      - "README.md"
-      - "SECURITY.md"
-      - "CONTRIBUTING.md"
+      - "**.md"
+      - "**.mdx"
+      - "**.html"
+      - "**.css"
       - "DOCS/**"
 
 jobs:
@@ -25,7 +31,7 @@ jobs:
       - name: Build environment
         run: |
           chmod +x ghostwriter-cli-linux
-          ./ghostwriter-cli-linux install --dev
+          ./ghostwriter-cli-linux install --mode local-dev
 
       - name: Get django logs
         if: failure()

.gitignore

@@ -283,3 +283,7 @@ cypress/*
 ghostwriter-cli
 
 .gwcli-last-update-check
+
+# Ignore any *.cast or *.cast.gz files
+*.cast
+*.cast.gz

CHANGELOG.md

@@ -5,6 +5,82 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.3.0] - 10 April 2026
+
+### Added
+
+* **Operation Log Evidence Linking**: Added support for linking evidence to individual operation log entries (Closes #132; Closes #831)
+  * New `OplogEntryEvidence` model to create many-to-many relationships between log entries and evidence
+  * New GraphQL `linkOplogEvidence` action to attach evidence via API
+  * New web form (`OplogEvidenceCreate` view) to attach evidence through the UI
+  * Evidence appears in a dedicated section within each log entry, with friendly names and direct links to the original evidence
+  * Automatic "evidence" tag applied when evidence is linked to an entry
+
+* **Operation Log Terminal Recordings**: Added support for uploading and playback of Asciinema terminal session recordings (.cast and .cast.gz files) (Closes #831)
+  * New `OplogEntryRecording` model to store a single terminal recording per log entry
+  * New GraphQL `uploadOplogRecording` action for base64-encoded file uploads via API
+  * New GraphQL `downloadOplogRecording` action to retrieve recordings and metadata
+  * New Django views for recording upload, deletion, and download with file serving and inline playback support
+  * Support for Asciinema player integration for viewing recordings directly in the log entry's details pane
+  * Automatic "recording" tag applied when a recording is uploaded
+
+* **Automatic Tag Management for Log Entry Features**: Evidence linking and terminal recordings automatically apply and remove tags
+  * `evidence` tag added when first evidence is linked, removed when the last evidence is unlinked
+  * `recording` tag added when a recording is uploaded, removed when the recording is deleted
+  * Tags can be used for filtering log entries and visual identification
+
+* **Passive Voice Detection**: Added support for performing passive voice identification inside the collaborative editor (PR #796)
+  * Ghostwriter now hosts a small local copy of the spaCy language model for text analysis
+  * Select "Check Passive Voice" in the collaborative editor to examine text and highlight instances of passive voice
+  * See the wiki for more details and an explanation for how to change the model's language
+
+* **Build a Narrative Outline from Log Entries**: Construct an outline for a report narrative based on tagged log entries (Closes #863)
+  * This is useful for quickly generating a narrative outline to kickstart a report draft
+  * Added a button to the collaborative editor to insert a narrative outline based on activity logs
+  * The action includes any log entries tagged with `evidence` or `report`
+  * Extended the global report configuration to include a field for specifying additional tags
+    * Includes support for partial tags—e.g., `cred*` will match `creds` or `credentials`.
+  * Each line includes the start date and time (assumes UTC), tool used, target, and comments
+  * The action also inserts evidence objects below each line for any evidence linked with that entry
+  * Pairs nicely with Ghostwriter's external tools, `mythic_sync` and `cobalt_sync`
+  * Big thanks to @C0KERNEL who created the initial PoC of this
+
+### Changed
+
+* **New User Interface for Operation Logs**: Replaced the table view for operation logs with two pane interface (Closes #831)
+  * New interface is similar to those used by many email clients
+  * Log entries appear on the left-side with at-a-glance information
+  * Details appear on the right-side in a details pane
+  * Details pane includes dedicated sections for attaching evidence and uploading terminal recordings
+
+* **Text Evidence Previews**: Text evidence now has previews in the collaborative editor like image evidence
+
+* **Pasting Images into Collaborative Editor**: You can now paste an image file or screenshot in your clipboard into a collaborative editor field
+  * The paste will automatically trigger the modal window for uploading your evidence
+  * Your filename will be the default friendly name for the upload
+
+* **Updated Ghostwriter CLI Binaries**: Updated the pre-built Ghostwriter CLI binaries to v1.0.0
+  * Review the Ghostwriter CLI CHANGELOG for complete notes
+  * Going forward, we recommend all users use the new published container images for easier updates
+  * Existing installations will need to migrate some files
+    * Copy the _ssl/_ directory to the _ghostwriter/_ directory inside your operating system's data file directory
+    * Also copy any custom settings files from _config/settings/production.d_ to _ghostwriter/settings/_
+  * Ghostwriter CLI can be used with `--mode local-prod` to keep the old behavior of using a local copy of Ghostwriter's code
+    * You will need to do this if you are using a customized version of the codebase
+
+* Report names in the sidebar now also include the parent project's codename to aid in identification
+
+### Fixed
+
+* Fixed an error that occurred in local development environments related to trying to connect to nginx (Closes #847)
+
+### Security
+
+* As we allow more user-editable content to be rendered in the DOM, we have implemented stronger controls to prevent JavaScript injection
+  * Updated the allowed HTML attributes to be more targeted
+  * Added sanitization to activity log entries that support rich text (`comments` and `description`)
+  * Added `DOMPurify` to the project for an extra layer of security and client-side sanitization
+
 ## [6.2.13] - 8 April 2026
 
 ### Changed
@@ -138,6 +214,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Fixed client logos not showing properly on client dashboards
 * Fixed issue with the `last_update` column preventing creation of a report via the GraphQL API (Fixes #828)
 
+## [6.3.0-rc1] - 24 February 2026
+
+### Added
+
+* Added support for performing passive voice identification inside the collaborative editor
+  * Ghostwriter now hosts a small local copy of the spaCy language model for text analysis
+  * Select "Check Passive Voice" in the collaborative editor to examine text and highlight instances of passive voice
+  * See the wiki for more details and an explanation for how to change the model's language
+* Added fonts formerly imported from Google Fonts to the local codebase to support systems without network connections (Fixes #823)
+
+### Changed
+
+* Updated the pre-built Ghostwriter CLI binaries to v1.0.0
+  * Review the Ghostwriter CLI CHANGELOG for complete notes
+  * Going forward, we recommend all users use the new published container images for easier updates
+  * Existing installations will need to migrate some files
+    * Copy the _ssl/_ directory to the _ghostwriter/_ directory inside your operating system's data file directory
+    * Also copy any custom settings files from _config/settings/production.d_ to _ghostwriter/settings/_
+  * Ghostwriter CLI can be used with `--mode local-prod` to keep the old behavior of using a local copy of Ghostwriter's code
+    * You will need to do this if you are using a customized version of the codebase
+
 ## [6.2.3] — 5 February 2026
 
 ### Changed

DOCS/docs.json

@@ -104,6 +104,9 @@
                   "features/operation-logs",
                   "features/operation-logs/creating-a-new-oplog",
                   "features/operation-logs/create-a-new-entry",
+                  "features/operation-logs/generating-narrative-outlines",
+                  "features/operation-logs/linking-evidence-to-entries",
+                  "features/operation-logs/attaching-terminal-recordings",
                   "features/operation-logs/setting-up-automated-logging",
                   "features/operation-logs/exporting-importing-oplogs"
                 ]
@@ -112,6 +115,13 @@
                 "group": "Reporting",
                 "pages": [
                   "features/reporting",
+                  {
+                    "group": "Collaborative Editor",
+                    "pages": [
+                      "features/reporting/collaborative-editing",
+                      "features/reporting/collaborative-editor/editor-features"
+                    ]
+                  },
                   {
                     "group": "Report Types",
                     "pages": [

DOCS/features/access-authentication-and-session-controls/single-sign-on.mdx

@@ -4,19 +4,25 @@ description: "Authentication and account creation via an external SSO provider"
 ---
 
 
-Ghostwriter incorporates `django-allauth` to extend basic account creation and authentication to support Single Sign-On (SSO) and multi-factor authentication (MFA). You can learn more here:
+Ghostwriter incorporates `django-allauth` to extend basic account creation and authentication to support Single Sign-On (SSO) and multi-factor authentication (MFA). You can
+learn more here:
 
 [Introduction - django-allauth](https://docs.allauth.org/en/latest/introduction/index.html)
 
-The `django-allauth` documentation covers the available SSO providers. There are dozens of options for social networks and business accounts, but the major providers you are probably looking for are covered–e.g., Microsoft, Google, GitHub, Slack, and Okta.
+The `django-allauth` documentation covers the available SSO providers. There are dozens of options for social networks and business accounts, but the major providers you are
+probably looking for are covered–e.g., Microsoft, Google, GitHub, Slack, and Okta.
 
 ### Configuring an SSO Provider
 
+Once you have an SSO provider you want to implement, find the provider here to get the necessary configuration template:
 
+First, create a Python file inside the proper directory. For a default installation using the published Ghostwriter images, add files to _ghostwriter/settings_ inside your
+operating system's data file directory.
 
-Once you have an SSO provider you want to implement, find the provider here to get the necessary configuration template:
+For `local-dev` or `local-prod` modes, create the file(s) in _config/settings/local.d_ or _production.d_ directory.
 
-First, create a Python file inside the _config/settings/local.d_ or _production.d_ directory. Files in these directories are loaded after the main configuration files. They load in order, so you can create multiple files with number prefixes to control ordering (e.g., _1-custom-config.py_ and _2-custom-config.py_).
+Files in these directories are loaded after the main configuration files. They load in order, so you can create multiple files with number prefixes to control ordering
+(e.g., _1-custom-config.py_ and _2-custom-config.py_).
 
 For example, you might make _1-sso-provider.py_ to hold your SSO configuration and _2-mail-config.py_ to hold your email backend configuration.
 
@@ -38,7 +44,8 @@ SSO_PROVIDERS = ["allauth.socialaccount.providers.microsoft"]
 INSTALLED_APPS = INSTALLED_APPS + SSO_PROVIDERS
 ```
 
-The above lines add our provider (Microsoft for this example) to Ghostwriter's installed apps and provide the information necessary for the SSO handshake. You can find the values you need for your provider(s) at the above link.
+The above lines add our provider (Microsoft for this example) to Ghostwriter's installed apps and provide the information necessary for the SSO handshake. You can find
+the values you need for your provider(s) at the above link.
 
 You can enable multiple SSO providers by extending the `SOCIALACCOUNT_PROVIDERS` configuration and list of `SSO_PROVIDERS`.
 
@@ -53,13 +60,17 @@ When someone authenticates with an SSO provider, one of two things can happen:
 2.  The SSO login matches an existing local account; the two become linked, and the user is logged in under that local account.
 
 
-For the first scenario, you can control new account registration by toggling `DJANGO_SOCIAL_ACCOUNT_ALLOW_REGISTRATION` to `true` or `false` with Ghostwriter CLI. Alternatively, you can set `SOCIAL_ACCOUNT_ALLOW_REGISTRATION` in your config file.
+For the first scenario, you can control new account registration by toggling `DJANGO_SOCIAL_ACCOUNT_ALLOW_REGISTRATION` to `true` or `false` with Ghostwriter CLI.
+Alternatively, you can set `SOCIAL_ACCOUNT_ALLOW_REGISTRATION` in your config file.
 
-Using Ghostwriter CLI for these configuration changes makes everything easier. To apply the change (e.g., turning registration on or off), you must only bring the containers down and back up. If you change a Python config file, the containers must be rebuilt.
+Using Ghostwriter CLI for these configuration changes makes everything easier. To apply the change (e.g., turning registration on or off), you must only bring the containers
+down and back up. If you change a Python config file, the containers must be rebuilt.
 
-You may want to allow registration but only for specific domains. The domain allowlist manages email domains you want to allow to authenticate or register via SSO. Like the registration setting, you can set this via Ghostwriter CLI or in your config file.
+You may want to allow registration but only for specific domains. The domain allowlist manages email domains you want to allow to authenticate or register via SSO. Like the
+registration setting, you can set this via Ghostwriter CLI or in your config file.
 
-Set `DJANGO_SOCIAL_ACCOUNT_DOMAIN_ALLOWLIST` with Ghostwriter CLI or `SOCIAL_ACCOUNT_DOMAIN_ALLOWLIST` in your config file. The allowlist can be defined as a space-separated list or a Python list (if setting it in your config file).
+Set `DJANGO_SOCIAL_ACCOUNT_DOMAIN_ALLOWLIST` with Ghostwriter CLI or `SOCIAL_ACCOUNT_DOMAIN_ALLOWLIST` in your config file. The allowlist can be defined as a space-separated
+list or a Python list (if setting it in your config file).
 
 Here is what this might look like in your config file:
 
@@ -72,13 +83,16 @@ SOCIAL_ACCOUNT_DOMAIN_ALLOWLIST = ["specterops.io"]
 
 These settings allow registration via an SSO provider, but only if the account's email address has the _specterops.io_ domain.
 
-If a local account with a matching email address already exists, the user will be prompted to enter a different address for their new account. This will most likely arise when transitioning from local accounts to a new SSO provider. You will probably want to link the accounts in these cases.
+If a local account with a matching email address already exists, the user will be prompted to enter a different address for their new account. This will most likely arise when
+transitioning from local accounts to a new SSO provider. You will probably want to link the accounts in these cases.
 
 <Note>
-An error is raised if multiple existing accounts share the same email address. Rather than trying to connect one of them, the user will see a message encouraging them to contact an administrator.
+An error is raised if multiple existing accounts share the same email address. Rather than trying to connect one of them, the user will see a message encouraging them to
+contact an administrator.
 </Note>
 
-You can link accounts by enabling your provider to authenticate via the account's email address. By default, email authentication is disabled, and the provider must have pre-verified the email address. Use the following settings if you trust the provider and want to consider email addresses as verified.
+You can link accounts by enabling your provider to authenticate via the account's email address. By default, email authentication is disabled, and the provider must have
+pre-verified the email address. Use the following settings if you trust the provider and want to consider email addresses as verified.
 
 ```python SSO Email Authentication
 SOCIALACCOUNT_PROVIDERS = {
@@ -95,16 +109,20 @@ SOCIALACCOUNT_PROVIDERS = {
 
 These settings enable Microsoft email authentication and consider all email addresses verified for automatic connection.
 
-If someone were to authenticate with a Microsoft account, they would only be allowed to create or link an account if registration is enabled and the domain allowlist checks passed. If either check fails, the user will be redirected to a page like this.
+If someone were to authenticate with a Microsoft account, they would only be allowed to create or link an account if registration is enabled and the domain allowlist
+checks passed. If either check fails, the user will be redirected to a page like this.
 
 <Frame>
   <img src="/images/features/image-1.avif" alt=""/>
 </Frame>
 
 ### Additional SSO Settings
 
-Depending on your SSO provider, you may need to consider other configuration options. One common request is how to bypass clicking twice when signing in. By default, the sign-in page redirects users to a confirmation screen. The user must click the button to initiate the handshake with the SSO provider. This is a security feature to prevent abuse of an open redirect, but you can change the behavior.
+Depending on your SSO provider, you may need to consider other configuration options. One common request is how to bypass clicking twice when signing in. By default,
+the sign-in page redirects users to a confirmation screen. The user must click the button to initiate the handshake with the SSO provider. This is a security feature to prevent abuse of an open redirect, but you can change the behavior.
 
-If you wish to have users log in immediately when they click the provider button, set `DJANGO_SOCIAL_ACCOUNT_LOGIN_ON_GET` to `true` with Ghostwriter CLI. For information is available here:
+If you wish to have users log in immediately when they click the provider button, set `DJANGO_SOCIAL_ACCOUNT_LOGIN_ON_GET` to `true` with Ghostwriter CLI. For information
+is available here:
 
-<CardGroup cols={1}> <Card title="Provider Configuration" icon="chevron-right" iconType="solid" href="https://docs.allauth.org/en/latest/socialaccount/configuration.html" horizontal > <span className="text-xs text-dark/7 dark:text-light/6">docs.allauth.org</span> </Card> </CardGroup>
+<CardGroup cols={1}> <Card title="Provider Configuration" icon="chevron-right" iconType="solid" href="https://docs.allauth.org/en/latest/socialaccount/configuration.html"
+horizontal > <span className="text-xs text-dark/7 dark:text-light/6">docs.allauth.org</span> </Card> </CardGroup>