Switch from managed to vendored mode so tiles are committed to git.
Install 55 tiles (Python + JS/TS), add MCP configs, and set up
weekly tile update workflow via reusable github-workflows caller.
## Summary
- Replaces the inline `aiservice-test` job (30 lines of boilerplate)
with a 10-line shared workflow call
- Uses the new `test-secret-env` input on `ci-python-uv.yml` to
dynamically export 7 secrets as masked env vars
- Pattern: caller passes `secrets: inherit` + a JSON map of `{ENV_VAR:
SECRET_NAME}`, shared workflow uses `toJSON(secrets)` + jq to export
them with `::add-mask::`
### Before (inline)
```yaml
aiservice-test:
runs-on: ubuntu-latest
env:
SECRET_KEY: ${{ secrets.SECRET_KEY }}
DATABASE_URL: ${{ secrets.DATABASE_URL }}
# ... 5 more hardcoded secret refs
steps:
- uses: actions/checkout@v6
- uses: astral-sh/setup-uv@v8.1.0
- run: uv sync
- run: uv run pytest
```
### After (shared workflow)
```yaml
aiservice-test:
uses: codeflash-ai/github-workflows/.github/workflows/ci-python-uv.yml@main
secrets: inherit
with:
working-directory: "django/aiservice"
sync-command: "uv sync"
test-command: "uv run pytest"
test-secret-env: '{"SECRET_KEY": "SECRET_KEY", "DATABASE_URL": "DATABASE_URL", ...}'
```
First consumer of the `test-secret-env` feature — validates the pattern
for future jobs.
## Test plan
- [ ] CI passes — aiservice-test job runs via shared workflow and
secrets are correctly exported
- [ ] Gate job (required-checks-passed) still works with the new job
structure
- [ ] No regression in other jobs (they're unchanged)
Delete 7 separate workflow files now replaced by the unified ci.yaml:
aiservice-ci.yml, cf-api-tests.yaml, cf-webapp-quality-gates.yml,
end-to-end-tests.yaml, nextjs-build.yaml, prek.yaml,
vscode-extension-build.yml
Replace 7 separate CI workflow files with a unified ci.yaml that uses
shared workflows from codeflash-ai/github-workflows:
- determine-changes: reusable workflow for path-based change detection
- prek-lint: reusable workflow for pre-commit checks
- ci-python-uv: reusable workflow for Python typecheck
- required-checks-gate: composite action for gate job
All downstream jobs use fromJSON(needs.determine-changes.outputs.flags)
for conditional execution. A single required-checks-passed gate job
replaces per-workflow required checks.
Private repos need explicit permissions on reusable workflow calls
(contents:write for prek) since they don't inherit permissive defaults.
Use zip -y to preserve symlinks in the standalone output. Azure Linux
App Service mounts the zip via SquashFS which supports symlinks. This
keeps the pnpm .pnpm/ structure intact so next can resolve peer deps
like @swc/helpers and @next/env from their co-located positions.
Also re-add node-linker=hoisted to .npmrc per pnpm docs recommendation
for environments that need standard node_modules resolution.
Switch from zipping cf-webapp/node_modules to Next.js standalone output
mode. This traces only required runtime deps into .next/standalone/ and
resolves the pnpm symlink issues that caused MODULE_NOT_FOUND crashes on
Azure (missing @next/env, @swc/helpers).
- Add output: "standalone" and outputFileTracingRoot to next.config.mjs
- Update CI to cp -rL (dereference symlinks) the standalone output
- Revert node-linker=hoisted from .npmrc (no longer needed)
- Deploy to codeflash-webapp-main (set in previous commit)
Add node-linker=hoisted to .npmrc so pnpm hoists all dependencies like
npm. Update CI to rsync workspace-root node_modules into cf-webapp
before zipping, ensuring @next/env, @swc/helpers, and other peer deps
are included. Retarget deployment to the new codeflash-webapp-main app.
## Summary
- Add `aiservice-ci.yml` using the shared reusable workflow from
`codeflash-ai/github-workflows`
- Remove old `django-unit-tests.yaml` and `mypy_aiservice.yml` (both
replaced by the new unified workflow)
- **Typecheck job**: uses the shared workflow
(`codeflash-ai/github-workflows/.github/workflows/uv-mypy.yml`)
- **Test job**: defined locally in `aiservice-ci.yml` (needs repository
secrets that can't be passed to reusable workflows in other repos)
## What changed
| Before | After |
|---|---|
| `django-unit-tests.yaml` (standalone) | `aiservice-ci.yml` — test job
|
| `mypy_aiservice.yml` (standalone) | `aiservice-ci.yml` — typecheck job
(shared workflow) |
## Summary
- Reverts lazy JWT_SECRET initialization — keeps eager fail-fast at
module load
- Adds `JWT_SECRET` secret to both `deploy_cfwebapp_to_azure.yml` and
`nextjs-build.yaml` CI workflows so `next build` page data collection
succeeds for the `/codeflash/auth/oauth/token` route
## Context
The deploy workflow ([run
#24425211765](https://github.com/codeflash-ai/codeflash-internal/actions/runs/24425211765/job/71357530269))
was failing because `JWT_SECRET` isn't available during CI build,
causing an eager throw at module load time. The secret already exists as
a GitHub repo secret.
Both deploy workflows (cf-webapp and cf-api) fail with
"Can't resolve '@codeflash-ai/common'" because the workspace
dependency isn't built before the app build. Same fix already
applied to the CI quality-gate workflows.
## Summary
- If the WASM build fails (e.g. GitHub CDN outage for tree-sitter-cli or
wasi-sdk) but a cached `.wasm` file already exists, warn instead of
crashing `pnpm install`
- Only hard-fail when no cached WASM exists at all
This prevents transient CDN outages from blocking deploys when the WASM
artifacts are already cached.
## Test plan
- [ ] CI passes on this PR (validates the postinstall script doesn't
crash)
- [ ] Verify deploy workflow can proceed when WASM cache hits
## Summary
- **Fix CI build failure**: Auth0Client crashes during Next.js
prerendering when env vars aren't set. Returns a no-op stub (`getSession
→ null`) when domain is missing — semantically correct for static
generation
- **Lazy-load markdown libs (~260kb)**: ReactMarkdown, remarkGfm, and
react-syntax-highlighter were eagerly imported in monaco-diff-viewer but
only rendered when user expands "Generated Tests". Extracted into a
dynamic component
- **Parallelize repo detail query**: `getRepositoryById` ran the
activity count sequentially after the repo lookup. Since `repoId` is
already available, all three queries now run in parallel
## Test plan
- [ ] CI `build` check passes (was failing since #2598)
- [ ] Trace page still renders generated tests correctly when expanded
- [ ] Repository detail page loads correctly with activity status
## Summary
- Run `npm audit fix` to resolve 12 of 14 vulnerabilities
- Fixed: axios (critical), brace-expansion, defu, effect/prisma,
minimatch, picomatch, qs, rollup, vite, yaml
- Remaining 2 moderate (`dompurify` via `monaco-editor`) have no
upstream fix yet
## Test plan
- [ ] Verify cf-webapp builds successfully
- [ ] Verify no regressions in dev server
## Summary
- Upgrade Next.js from 16.1.6 to 16.2.3
- Add `suppressHydrationWarning` to `<html>` tag to fix `next-themes`
hydration mismatch
- Remove unnecessary `isClient` guard in `ThemeProvider` that caused
script tag warning
- Redirect unauthenticated `/roadmap` visitors to `/login` instead of
`/`
## Test plan
- [ ] Verify `/roadmap` redirects to `/login` when not logged in
- [ ] Verify `/roadmap` loads correctly when logged in as team member
- [ ] Verify no hydration warnings in browser console
- [ ] Verify dark/light theme switching still works
## CI Waste Cleanup
### Changes
1. **Deploy AI Service path filter** — narrowed `.github/workflows/**`
to `.github/workflows/deploy_aiservice_to_azure.yml`
- Previously, editing *any* workflow file triggered an AI service deploy
- The other deploy workflows (CFAPI, CF-WEB-APP) are already scoped
correctly
2. **Claude Code paths-ignore** — added `paths-ignore` for
`.github/workflows/**`, `*.md`, `docs/**`
- Currently fires on every PR regardless of files changed (85% failure
rate)
- The `codeflash` repo's Claude Code workflow already has these filters
3. **Publish to PyPI** — disabled via API
- Had `if: false` hardcoded with a TODO comment
- Was creating a skipped run on every push to main (pure noise)
### Context
Part of the Codeflash org CI audit. See also:
- codeflash-ai/codeflash#2025 (E2E path filters)
- codeflash-ai/codeflash#2026 (claude-code-action pin)
## Summary
- Pin `anthropics/claude-code-action` from `@v1` to `@v1.0.89` in both
`claude.yml` and `duplicate-code-detector.yml`
## Why
v1.0.90 (released Apr 8) broke Bedrock OIDC auth. Every Claude Code and
Duplicate Code Detector run has been failing with:
```
403 Authorization header requires 'Credential' parameter.
Authorization header requires 'Signature' parameter.
```
**Upstream issue:** anthropics/claude-code-action#1196
v1.0.89 was the last working version (confirmed: all runs succeeded on
Apr 7, all failed starting Apr 8).
## Test plan
- [ ] Merge and verify Claude Code workflow passes on next PR
- [ ] Verify Duplicate Code Detector passes on next PR
- [ ] Unpin to `@v1` once anthropics/claude-code-action#1196 is resolved
## Summary
- Fix infinite refetch loop in the dashboard sidebar that fires hundreds
of POST+GET requests per second
- The `subscriptionFetchRef` was reset in `finally()`, allowing
re-entrancy: fetch → `setSubscription` → re-render → ref is `false` →
fetch again → infinite loop
- Move the ref reset to the effect cleanup function so it only resets
when `mode` actually changes
## Note: Auth0 favicon 404
The Auth0 login page at `codeflash-ai.us.auth0.com` returns a 404 for
`/favicon.ico`. This is configured in **Auth0 Dashboard > Branding >
Universal Login**, not in application code. Upload the Codeflash favicon
there to resolve.
## Test plan
- [ ] Navigate to dashboard, open Network tab — confirm no repeated
POST/GET polling
- [ ] Switch between personal/org mode — confirm subscription data still
loads correctly
- [ ] Verify sidebar subscription usage display still renders
## Summary
- Add `withTiming()` wrapper for server actions with Sentry span
reporting and slow action warnings (>1s)
- Add centralized `captureEvent()` helper for PostHog tracking
- Add 5 new PostHog tracking events: optimization_reviewed,
repository_connected, api_key_created, member_invited,
billing_page_viewed
- Instrument 4 server actions with `withTiming()`:
getOrganizationMembers, getRepositoryById,
getRepositoriesWithStagingEvents, getAllOptimizationEvents
## Proof of Correctness
See
[`js/cf-webapp/proof/08-server-action-timing.md`](js/cf-webapp/proof/08-server-action-timing.md)
## How to Verify
```bash
cd js/cf-webapp
bash proof/reproducers/08-server-action-timing.sh
```
21 checks verify: withTiming utility, 4 instrumented actions,
captureEvent helper, 5 tracking functions, and all tracking calls wired
into action files.
## Test Plan
- [ ] Run reproducer: `bash
proof/reproducers/08-server-action-timing.sh` (21/21 pass)
- [ ] Verify server actions still work correctly
- [ ] Check Sentry for `server.action` spans after deployment
## Summary
Parallelize independent DB writes at the end of 4 endpoints using
`asyncio.TaskGroup`. With psycopg3 connection pooling (#2489), each task
gets its own connection from the pool.
### Endpoints optimized
| Endpoint | Before | After |
|----------|--------|-------|
| **Refinement** | `log_features` then `update_optimization_cost` |
`TaskGroup` (concurrent) |
| **Explanations** | `update_optimization_cost` inside inner fn | Moved
to handler, `TaskGroup` with `log_features` |
| **Optimization review** | `update_optimization_cost` inside inner fn |
Moved to handler, `TaskGroup` with `update_optimization_features_review`
|
| **Ranker** | `update_optimization_cost` inside inner fn | Moved to
handler, `TaskGroup` with `log_features` |
Each endpoint saves ~87ms (one DB round-trip) by overlapping two
independent writes.
### Comprehensive audit
All 13 endpoints were audited — no remaining async antipatterns found:
- No blocking calls in async paths
- No `await`-in-loop patterns
- LLM clients already use connection reuse
- All other endpoints have at most 1 DB write in the epilogue
## Test plan
- [x] All 538 tests passing
- [ ] Verify under load in staging
---------
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Kevin Turcios <KRRT7@users.noreply.github.com>
Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com>
## Summary
- Normalize quote style to double quotes for YAML consistency
- Remove redundant `jest-junit` runtime install step (already in
devDependencies)
- Simplify codeflash CLI flags: `--all --verbose --yes` → `--yes`
## Test plan
- [ ] Verify workflow runs successfully on a test PR touching
`js/cf-api/` or `js/cf-webapp/`
- [ ] Confirm `npm ci` installs jest-junit from package-lock without the
extra install step
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Kevin Turcios <106575910+KRRT7@users.noreply.github.com>
Coverage analysis in the Claude pr-review job needs these env vars
to run pytest, matching how django-unit-tests and codeflash-aiservice
workflows configure them.
Replace Anthropic Foundry authentication with AWS Bedrock OIDC
in both claude.yml and duplicate-code-detector.yml workflows.
Changes:
- Replace use_foundry with use_bedrock
- Add aws-actions/configure-aws-credentials@v4 OIDC step
- Remove ANTHROPIC_FOUNDRY_API_KEY/BASE_URL env vars
- Update model identifiers to Bedrock format
Requires AWS_ROLE_TO_ASSUME secret to be configured in the repo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
- Add Foundry env vars (ANTHROPIC_FOUNDRY_API_KEY,
ANTHROPIC_FOUNDRY_BASE_URL) so the workflow authenticates via Azure
Foundry
- Fix Serena language config (javascript -> typescript)
## Summary
- Adds the GitHub Agentic Workflows duplicate code detector, configured
for Python and TypeScript/JavaScript with Serena semantic analysis
- Runs daily, flags patterns spanning 10+ lines or appearing in 3+
locations
- Creates up to 3 issues per run with `[duplicate-code]` prefix
## Notes
- Requires Claude API secret configured in repo Actions secrets
- `code-quality` and `automated-analysis` labels will be auto-created on
first run
## Summary
- Restructure CLAUDE.md hierarchy so Claude Code auto-discovers
project-specific instructions
- Delete dead `AGENTS.md` files (referenced non-existent
`.tessl/RULES.md`)
- Rename `django/aiservice/AGENTS.md` → `CLAUDE.md` for auto-discovery
- Create `js/CLAUDE.md` with package commands and gotchas
- Move PR review guidelines to `.claude/rules/pr-review.md` (auto-loaded
rule)
- Move prek workflow to `.claude/skills/fix-prek.md` (on-demand skill)
- Add path-scoped rules for Python and Next.js patterns
- Add domain glossary, service architecture diagram, and per-package
gotchas
## Test plan
- Verify `CLAUDE.md` files exist at root, `django/aiservice/`, and `js/`
- Verify no remaining references to `AGENTS.md` or `.tessl/`
- Verify `.claude/rules/` and `.claude/skills/` files are committed
## Summary
- Use claude-opus-4-6 model for both pr-review and claude-mention jobs
- Add mypy checks and consolidated summary comment (Steps 1 & 4) from
CLI workflow
- Add Edit tool and extra git/gh tools to allowed tools
## Summary
- Add prek auto-fix step (format/lint changed files, commit & push)
- Add coverage analysis step (compare PR vs main, enforce 75% for new
code)
- Add uv setup and dependency install to pr-review job
- Change pr-review permissions to allow pushing fixes
Syncs with recent improvements made to the CLI repo.
Prek checks should not block other workflows from running. This removes
the wait-for-prek jobs entirely so unit tests, e2e tests, and codeflash
optimization can run independently of pre-commit checks.
