The optimization replaced the DOTALL regex `GO_CODE_PATTERN.search()` with a manual linear scan (`_extract_go_code_block`) that uses `str.find()` to locate fence delimiters and validate opening/closing structure. Profiler data shows this cut the pattern-matching cost from ~628 µs to ~367 µs (41% reduction), which is the critical path for inputs with large surrounding text or many fence candidates. The manual scanner avoids regex backtracking and match-object allocation overhead while preserving identical semantics (MULTILINE anchor, optional "go" token, mandatory surrounding newlines). Test cases confirm correctness across all edge cases, with large-input tests showing 175–1236% speedup where the old regex scanned kilobytes of text repeatedly.
Fix package declaration to match code under test (prevents build errors), warn
against string(int) Unicode trap, and pass package_name to system prompt.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch from managed to vendored mode so tiles are committed to git.
Install 55 tiles (Python + JS/TS), add MCP configs, and set up
weekly tile update workflow via reusable github-workflows caller.
## Summary
- Replaces the inline `aiservice-test` job (30 lines of boilerplate)
with a 10-line shared workflow call
- Uses the new `test-secret-env` input on `ci-python-uv.yml` to
dynamically export 7 secrets as masked env vars
- Pattern: caller passes `secrets: inherit` + a JSON map of `{ENV_VAR:
SECRET_NAME}`, shared workflow uses `toJSON(secrets)` + jq to export
them with `::add-mask::`
### Before (inline)
```yaml
aiservice-test:
  runs-on: ubuntu-latest
  env:
    SECRET_KEY: ${{ secrets.SECRET_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
    # ... 5 more hardcoded secret refs
  steps:
    - uses: actions/checkout@v6
    - uses: astral-sh/setup-uv@v8.1.0
    - run: uv sync
    - run: uv run pytest
```
### After (shared workflow)
```yaml
aiservice-test:
  uses: codeflash-ai/github-workflows/.github/workflows/ci-python-uv.yml@main
  secrets: inherit
  with:
    working-directory: "django/aiservice"
    sync-command: "uv sync"
    test-command: "uv run pytest"
    test-secret-env: '{"SECRET_KEY": "SECRET_KEY", "DATABASE_URL": "DATABASE_URL", ...}'
```
First consumer of the `test-secret-env` feature — validates the pattern
for future jobs.
## Test plan
- [ ] CI passes — aiservice-test job runs via shared workflow and
secrets are correctly exported
- [ ] Gate job (required-checks-passed) still works with the new job
structure
- [ ] No regression in other jobs (they're unchanged)
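An added example, not code from this PR or from `codeflash-ai/github-workflows`: one way a shared-workflow step could turn the `test-secret-env` map plus `toJSON(secrets)` into masked environment variables with jq, failing closed on bad names and missing secrets. The function name `export_secret_env`, the use of `$GITHUB_ENV` as the target file, and the sample values are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical helper, not the project's workflow code).
# $1: JSON map {ENV_VAR: SECRET_NAME}   (the test-secret-env input)
# $2: JSON object of secrets            (what toJSON(secrets) yields)
# $3: file to append to                 (assumed to be "$GITHUB_ENV" in CI)
export_secret_env() {
  map_json=$1; secrets_json=$2; env_file=$3
  # Fail closed unless the map is a flat object of strings whose keys are
  # plain variable names; this also keeps '=' and newlines out of the file.
  printf '%s' "$map_json" | jq -e '
    type == "object" and all(to_entries[];
      (.value | type) == "string" and
      (.key | test("^[A-Za-z_][A-Za-z0-9_]*$")))' >/dev/null || {
    echo "test-secret-env: expected {ENV_VAR: SECRET_NAME}" >&2; return 1; }
  for name in $(printf '%s' "$map_json" | jq -r 'keys_unsorted[]'); do
    secret=$(printf '%s' "$map_json" | jq -r --arg k "$name" '.[$k]')
    value=$(printf '%s' "$secrets_json" |
      jq -r --arg s "$secret" '.[$s] // empty')
    # Report the secret's name only, never its value.
    [ -n "$value" ] || { echo "secret '$secret' is not set" >&2; return 1; }
    # Mask before exporting. Workflow commands are one line each, so a
    # multi-line secret needs one ::add-mask:: command per line.
    printf '%s\n' "$value" | while IFS= read -r line; do
      [ -z "$line" ] || printf '::add-mask::%s\n' "$line"
    done
    # Random heredoc delimiter so the value cannot terminate its own entry.
    delim="EOF_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >>"$env_file"
  done
}

# Constructed sample input (not real secrets).
demo_env=$(mktemp)
export_secret_env '{"SECRET_KEY": "SECRET_KEY"}' \
  '{"SECRET_KEY": "constructed-value", "OTHER": "unused"}' "$demo_env"
```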
## Summary
- Snyk PR #2305 bumped `diff` from 8.0.2 to 8.0.3 in
`js/VSC-Extension/package.json` without regenerating the lockfile
- This causes `npm ci` to fail with a "package.json and
package-lock.json are in sync" error
- Ran `npm install` to regenerate `package-lock.json` (resolves `diff`
to 8.0.4, the latest matching `^8.0.3`)
## Test plan
- [x] Verified `npm ci` succeeds with the updated lockfile
- [x] Diff is minimal: only the `diff` package version change (4
insertions, 4 deletions)
Delete 7 separate workflow files now replaced by the unified ci.yaml:
aiservice-ci.yml, cf-api-tests.yaml, cf-webapp-quality-gates.yml,
end-to-end-tests.yaml, nextjs-build.yaml, prek.yaml,
vscode-extension-build.yml
Replace 7 separate CI workflow files with a unified ci.yaml that uses
shared workflows from codeflash-ai/github-workflows:
- determine-changes: reusable workflow for path-based change detection
- prek-lint: reusable workflow for pre-commit checks
- ci-python-uv: reusable workflow for Python typecheck
- required-checks-gate: composite action for gate job
All downstream jobs use fromJSON(needs.determine-changes.outputs.flags)
for conditional execution. A single required-checks-passed gate job
replaces per-workflow required checks.
Private repos need explicit permissions on reusable workflow calls
(contents:write for prek) since they don't inherit permissive defaults.
The Python client sends raw source code, not markdown-wrapped blocks.
split_markdown_code() returned {} for raw input, making SearchAndReplaceDiff
have nothing to patch, so repairs always returned empty string.
Now falls back to {"file.py": raw_code} when markdown parsing yields nothing,
and is_valid() handles raw code blocks instead of only markdown-wrapped ones.
System prompt now focuses on repair strategy (identify pattern, compare
code, minimal fix) instead of spending most tokens on SEARCH/REPLACE
format spec. User prompt explicitly frames the task and asks for root
cause analysis. build_test_details() reformatted for clarity: grouped
by test source with clear Expected/Got lines separated by --- dividers.
## Summary
- The Monaco diff editor on `/trace/[id]` pages was not loading because
`@monaco-editor/react` fetches JS, CSS, and font assets from
`cdn.jsdelivr.net` by default
- The Content Security Policy in `next.config.mjs` blocked those
requests (missing from `script-src`, `style-src`, `font-src`)
- Added `https://cdn.jsdelivr.net` to the three relevant CSP directives
## Test plan
- [ ] Open a trace page (e.g.
`/trace/c0668bd3-9321-4082-9c43-3e41bdd9b1c5`) and verify the code diff
renders
- [ ] Check browser console for no remaining CSP violations
- [ ] Verify no regressions on other pages
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Sarthak Agarwal <sarthak.saga@gmail.com>
Reworded to highlight that hand-written unit tests encode the developer's
explicit behavioral expectations and that optimizations must produce
identical results for all test cases.
Accept baseline_runtime_ns, loop_count, line_profiler_results, and
test_input_examples on the optimize endpoint. Pass runtime context
and test examples to the user prompt so the LLM can generate
better-informed candidates. Alternate line profiler data across
parallel calls for diversity (odd calls get LP, even calls don't).
When Azure OpenAI or Anthropic returns null/empty content (content
filter, truncation, transient failure), call_openai/call_anthropic now
raise LLMOutputUnparseable instead of returning an empty string that
silently flows through the pipeline and produces 422 "Could not
generate any optimizations." All optimizer callers catch
LLMOutputUnparseable to preserve cost tracking while returning None.
node-linker=hoisted triggers an Invalid Version bug in pnpm 10 bin
linking. The standalone output with zip -y (symlink preservation) is
sufficient — Azure SquashFS supports symlinks natively.
Use zip -y to preserve symlinks in the standalone output. Azure Linux
App Service mounts the zip via SquashFS which supports symlinks. This
keeps the pnpm .pnpm/ structure intact so next can resolve peer deps
like @swc/helpers and @next/env from their co-located positions.
Also re-add node-linker=hoisted to .npmrc per pnpm docs recommendation
for environments that need standard node_modules resolution.
Switch from zipping cf-webapp/node_modules to Next.js standalone output
mode. This traces only required runtime deps into .next/standalone/ and
resolves the pnpm symlink issues that caused MODULE_NOT_FOUND crashes on
Azure (missing @next/env, @swc/helpers).
- Add output: "standalone" and outputFileTracingRoot to next.config.mjs
- Update CI to cp -rL (dereference symlinks) the standalone output
- Revert node-linker=hoisted from .npmrc (no longer needed)
- Deploy to codeflash-webapp-main (set in previous commit)
Add node-linker=hoisted to .npmrc so pnpm hoists all dependencies like
npm. Update CI to rsync workspace-root node_modules into cf-webapp
before zipping, ensuring @next/env, @swc/helpers, and other peer deps
are included. Retarget deployment to the new codeflash-webapp-main app.
pnpm doesn't hoist @swc/helpers to cf-webapp/node_modules/ by default,
so it's missing from the deploy zip. Azure runs npm start which can't
resolve it through pnpm's virtual store. Adding it as a direct dep
ensures it's included in the zip.
The page-level isTeamMember() check breaks PPR (Partial Prerendering):
at build time there's no session, so the prerender resolves as a
redirect/404 and the static shell poisons all runtime responses with 404.
Team member gating is already handled by proxy.ts middleware (lines 50-58),
matching how /observability and other team-gated routes work.
## Summary
- Add `aiservice-ci.yml` using the shared reusable workflow from
`codeflash-ai/github-workflows`
- Remove old `django-unit-tests.yaml` and `mypy_aiservice.yml` (both
replaced by the new unified workflow)
- **Typecheck job**: uses the shared workflow
(`codeflash-ai/github-workflows/.github/workflows/uv-mypy.yml`)
- **Test job**: defined locally in `aiservice-ci.yml` (needs repository
secrets that can't be passed to reusable workflows in other repos)
## What changed
| Before | After |
|---|---|
| `django-unit-tests.yaml` (standalone) | `aiservice-ci.yml` — test job |
| `mypy_aiservice.yml` (standalone) | `aiservice-ci.yml` — typecheck job (shared workflow) |
## Summary
- Replace hardcoded `"codeflash-edit-2025"` string authentication in the
`save-modified-code` API route with Auth0 session check
- Remove the secret prompt modal from the Monaco diff viewer — editing
is now gated by the user's existing login session
- Remove unused `Lock` import, dead `console.log`, and unused `result`
variable
## Test plan
- [ ] Verify the edit code button works without prompting for a secret
- [ ] Verify saving modified code succeeds for logged-in users
- [ ] Verify unauthenticated requests to
`/api/traces/:id/save-modified-code` return 401
## Summary
- Reverts lazy JWT_SECRET initialization — keeps eager fail-fast at
module load
- Adds `JWT_SECRET` secret to both `deploy_cfwebapp_to_azure.yml` and
`nextjs-build.yaml` CI workflows so `next build` page data collection
succeeds for the `/codeflash/auth/oauth/token` route
## Context
The deploy workflow ([run
#24425211765](https://github.com/codeflash-ai/codeflash-internal/actions/runs/24425211765/job/71357530269))
was failing because `JWT_SECRET` isn't available during CI build,
causing an eager throw at module load time. The secret already exists as
a GitHub repo secret.