Reverts the following commits from main:
- d7a8b8f2 perf: fix CI build + lazy-load heavy libs + parallelize DB queries (#2601)
- 48b5e2b4 fix: make tree-sitter WASM build failure non-fatal when cache exists (#2602)
- c372b6bc Merge pull request #2603 from codeflash-ai/fix/deploy-build-common
- b656bb1d fix: cf-api deploy broken by pnpm workspace migration
- c1b0076c fix: align TypeScript versions to deduplicate @prisma/client in pnpm
- 09ed4d4b fix: use redirect instead of throw for auth failures during prerender
- 71127055 fix: redirect remaining auth throws that crash prerendering
PR #2601 introduced 18 bugs including 5 authorization bypass vulnerabilities:
- Cross-org data access via forged currentOrganizationId cookie
- Cross-repo/cross-org member role escalation and deletion (unscoped lookups)
- Missing replayTests/concolicTests in approval flow
- repository_id filter silently broken for personal accounts
- Tests mocking wrong Prisma method ($queryRawUnsafe vs $queryRaw)
The subsequent PRs (#2602, #2603, and follow-up commits) were dependent
fixes for issues caused by #2601 and are reverted together.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
getUserIdAndUsername() and getAccountContext() also threw generic
errors when no session exists. Same fix as apikeys: use redirect()
which Next.js handles as a prerender bailout signal.
Pages that throw Error("Authentication required") crash the Next.js
build during static prerendering (no auth session at build time).
redirect("/login") is a proper Next.js bailout signal that skips
prerendering and marks the route as dynamic.
Root cause: cf-webapp used typescript@~5.4.5 while common used
typescript@^5.9.3. Since @prisma/client has typescript as a peer
dep, pnpm created two separate instances. prisma generate wrote to
one, but Next.js resolved the other — causing "Cannot find module
'.prisma/client/default'" at build time.
Fix: upgrade cf-webapp to typescript@^5.9.3 to match common. This
deduplicates @prisma/client to a single pnpm instance.
Also fixes cf-api deploy: exclude node_modules from copyfiles glob
and use cp -rL to dereference pnpm symlinks.
Both deploy workflows (cf-webapp and cf-api) fail with
"Can't resolve '@codeflash-ai/common'" because the workspace
dependency isn't built before the app build. Same fix already
applied to the CI quality-gate workflows.
## Summary
- If the WASM build fails (e.g. GitHub CDN outage for tree-sitter-cli or
wasi-sdk) but a cached `.wasm` file already exists, warn instead of
crashing `pnpm install`
- Only hard-fail when no cached WASM exists at all
This prevents transient CDN outages from blocking deploys when the WASM
artifacts are already cached.
## Test plan
- [ ] CI passes on this PR (validates the postinstall script doesn't
crash)
- [ ] Verify deploy workflow can proceed when WASM cache hits
## Summary
- **Fix CI build failure**: Auth0Client crashes during Next.js
prerendering when env vars aren't set. Returns a no-op stub (`getSession
→ null`) when domain is missing — semantically correct for static
generation
- **Lazy-load markdown libs (~260kb)**: ReactMarkdown, remarkGfm, and
react-syntax-highlighter were eagerly imported in monaco-diff-viewer but
only rendered when user expands "Generated Tests". Extracted into a
dynamic component
- **Parallelize repo detail query**: `getRepositoryById` ran the
activity count sequentially after the repo lookup. Since `repoId` is
already available, all three queries now run in parallel
## Test plan
- [ ] CI `build` check passes (was failing since #2598)
- [ ] Trace page still renders generated tests correctly when expanded
- [ ] Repository detail page loads correctly with activity status
## Summary
- **common**: Upgraded to Prisma 6.19.3, TypeScript 5.9.3, Prettier
3.8.2. Published as `@codeflash-ai/common@1.0.31` — fixes Prisma type
widening caused by cross-package version mismatch
- **cf-webapp**: 20+ dependency upgrades including posthog-js
(1.127→1.367), lucide-react (0.563→1.8), tailwind-merge (2→3), marked
(16→18), react-markdown (9→10), zod (3→4). Fixes lucide v1 icon renames
and react-markdown v10 API changes
- **cf-api**: 30+ dependency upgrades aligned with common. Prisma
6.19.3, Sentry 10.48, posthog-node 5.29, marked 18, resend 6.10
## Motivation
Testing hypothesis that outdated dependencies cause bundle bloat and
runtime regressions. posthog-js alone was 240 minor versions behind and
loads on every page. lucide-react v1 rewrote the icon system with better
tree-shaking. tailwind-merge v3 has a smaller/faster runtime used in
every `cn()` call.
## Root cause fix
The Prisma type widening errors (`string | Date | null` instead of
`string`) were caused by `@codeflash-ai/common` being published with
Prisma ^6.13 types while consumers installed a different version.
Aligning all packages to ^6.19.3 and republishing common fixed it
properly.
## Test plan
- [ ] cf-webapp builds and type-checks cleanly
- [ ] cf-api builds cleanly
- [ ] No runtime regressions in dashboard, observability pages
- [ ] Prisma types resolve correctly (no widening)
## Summary
- Auth0Client was constructed at module import time, crashing during
`next build` static analysis of `/_not-found` when `AUTH0_DOMAIN` isn't
set in CI
- Wraps the client in a lazy Proxy that defers construction to first
method call
- Zero API change — all callers still do `auth0.getSession()`,
`auth0.handleAuth()`, etc.
## Context
This broke in #2598 when the layout restructure caused `/_not-found` to
evaluate the root layout's auth0 import during build. The `build` CI
check has been failing on all PRs since.
## Test plan
- [ ] `build` CI check passes (was failing on #2598, #2593, #2599)
- [ ] Auth flows still work at runtime (login, logout, callback)
## Summary
- Run `npm audit fix` to resolve 12 of 14 vulnerabilities
- Fixed: axios (critical), brace-expansion, defu, effect/prisma,
minimatch, picomatch, qs, rollup, vite, yaml
- Remaining 2 moderate (`dompurify` via `monaco-editor`) have no
upstream fix yet
## Test plan
- [ ] Verify cf-webapp builds successfully
- [ ] Verify no regressions in dev server
## Summary
- Upgrade Next.js from 16.1.6 to 16.2.3
- Add `suppressHydrationWarning` to `<html>` tag to fix `next-themes`
hydration mismatch
- Remove unnecessary `isClient` guard in `ThemeProvider` that caused
script tag warning
- Redirect unauthenticated `/roadmap` visitors to `/login` instead of
`/`
## Test plan
- [ ] Verify `/roadmap` redirects to `/login` when not logged in
- [ ] Verify `/roadmap` loads correctly when logged in as team member
- [ ] Verify no hydration warnings in browser console
- [ ] Verify dark/light theme switching still works
## Summary
- Adds `/roadmap` page with visual flowchart showing codeflash-python
and codeflash-agent planned work
- Gated behind `isTeamMemberCheck` (same auth pattern as
`/observability`)
- Sidebar link visible only to team members
- Status tracking with distinct visual treatments: compact left-accent
for shipped, hero cards with glow for in-progress, dashed wireframe for
planned
## Test plan
- [ ] Visit `/roadmap` as a team member — page renders with status cards
- [ ] Visit `/roadmap` as a non-team member — redirects to `/`
- [ ] Sidebar shows roadmap link only for team members
- [ ] Build passes (`npm run build`)
- [ ] All tests pass (`npm test` — 39/39)
## CI Waste Cleanup
### Changes
1. **Deploy AI Service path filter** — narrowed `.github/workflows/**`
to `.github/workflows/deploy_aiservice_to_azure.yml`
- Previously, editing *any* workflow file triggered an AI service deploy
- The other deploy workflows (CFAPI, CF-WEB-APP) are already scoped
correctly
2. **Claude Code paths-ignore** — added `paths-ignore` for
`.github/workflows/**`, `*.md`, `docs/**`
- Currently fires on every PR regardless of files changed (85% failure
rate)
- The `codeflash` repo's Claude Code workflow already has these filters
3. **Publish to PyPI** — disabled via API
- Had `if: false` hardcoded with a TODO comment
- Was creating a skipped run on every push to main (pure noise)
### Context
Part of the Codeflash org CI audit. See also:
- codeflash-ai/codeflash#2025 (E2E path filters)
- codeflash-ai/codeflash#2026 (claude-code-action pin)
## Summary
- Pin `anthropics/claude-code-action` from `@v1` to `@v1.0.89` in both
`claude.yml` and `duplicate-code-detector.yml`
## Why
v1.0.90 (released Apr 8) broke Bedrock OIDC auth. Every Claude Code and
Duplicate Code Detector run has been failing with:
```
403 Authorization header requires 'Credential' parameter.
Authorization header requires 'Signature' parameter.
```
**Upstream issue:** anthropics/claude-code-action#1196
v1.0.89 was the last working version (confirmed: all runs succeeded on
Apr 7, all failed starting Apr 8).
## Test plan
- [ ] Merge and verify Claude Code workflow passes on next PR
- [ ] Verify Duplicate Code Detector passes on next PR
- [ ] Unpin to `@v1` once anthropics/claude-code-action#1196 is resolved
Summary
- Replace server action calls with API Route Handlers in
OptimizationPRsTable and OptimizationsTable to break the Next.js RSC
refresh cycle that caused continuous endpoint polling
- Create /api/optimization-prs and /api/optimization-events route
handlers that read auth from session cookies
- Remove accountPayload prop threading from both table components and
their parent pages
- Add key-based remount on OptimizationsTable to ensure data refreshes
correctly on org switch
Root Cause
Next.js server actions always trigger an RSC page refresh (GET) after
completion. When a client component calls a server action inside a
useEffect, it creates an infinite loop: server action POST → RSC refresh
→ component
re-renders → effect fires again → repeat. This was happening in both
OptimizationPRsTable (dashboard) and OptimizationsTable
(review-optimizations).
Solution
Regular fetch() calls to Route Handlers do not trigger RSC refreshes,
breaking the loop entirely. Auth is handled server-side in the route
handlers by reading the session cookie — same mechanism as
getAccountContext().
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Codeflash Bot <bot@codeflash.ai>
Co-authored-by: Kevin Turcios <106575910+KRRT7@users.noreply.github.com>
---
Summary
- Fixes OAuth authentication flow reliability by preventing duplicate
auth
checks caused by React Strict Mode / Suspense remounts using a useRef
guard
- Extracts useSearchParams() values into stable string primitives
outside the
effect, removing searchParams from the dependency array to avoid
unnecessary
re-runs
- Adds /codeflash/auth/oauth to the proxy ignore paths so OAuth token
exchange
requests are not intercepted by the auth middleware
- Adds debug logging for the API key returned during token exchange
- Adds codeflash configuration block to the root package.json
Test plan
- Verify CLI OAuth login flow completes successfully end-to-end (auth
page →
GitHub → redirect → token exchange)
- Confirm the auth page does not trigger duplicate API calls in React
Strict
Mode (check network tab)
- Verify VSCode extension OAuth login still works
- Confirm /codeflash/auth/oauth/token endpoint is reachable and not
blocked by
proxy middleware
---
Want me to push the branch and create the PR?
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
- Adds `/report` page showing results of the 20-PR webapp optimization
sprint
- Team-member only access (guarded in `proxy.ts` + server component
`isTeamMember()` check)
- Full-width layout (no sidebar), matching `/roadmap` and
`/observability` patterns
- Dual-view toggle: Executive Summary / Engineering Details
- chart.js charts with datalabels matching the original Plotly Dash
report
- Full light/dark theme support via Tailwind `dark:` variants
## Files
- **New**: `src/app/report/page.tsx`,
`src/components/report/report-charts.tsx`,
`src/components/report/report-toggle.tsx`
- **Modified**: `proxy.ts` (added `/report` + `/roadmap` to team-member
guard), `conditional-layout.tsx` (hide sidebar for `/report`)
- **Dep**: `chartjs-plugin-datalabels` for bar/pie chart value labels
## Test plan
- [ ] Visit `/report` as a CF team member — page renders with all
sections
- [ ] Toggle between Executive Summary and Engineering Details
- [ ] Charts display with value labels and correct colors
- [ ] Visit `/report` as a non-team-member — redirected to `/`
- [ ] Light and dark mode both render correctly
## Summary
- Adds `chartjs-plugin-datalabels` to `package.json` — was installed
locally but missing, causing CI build failure for both `/report` and
`/membench` chart components
## Test plan
- [ ] CI build passes
- [ ] `/report` and `/membench` deploy successfully to staging
## Summary
- Fix infinite refetch loop in the dashboard sidebar that fires hundreds
of POST+GET requests per second
- The `subscriptionFetchRef` was reset in `finally()`, allowing
re-entrancy: fetch → `setSubscription` → re-render → ref is `false` →
fetch again → infinite loop
- Move the ref reset to the effect cleanup function so it only resets
when `mode` actually changes
## Note: Auth0 favicon 404
The Auth0 login page at `codeflash-ai.us.auth0.com` returns a 404 for
`/favicon.ico`. This is configured in **Auth0 Dashboard > Branding >
Universal Login**, not in application code. Upload the Codeflash favicon
there to resolve.
## Test plan
- [ ] Navigate to dashboard, open Network tab — confirm no repeated
POST/GET polling
- [ ] Switch between personal/org mode — confirm subscription data still
loads correctly
- [ ] Verify sidebar subscription usage display still renders
## Summary
- Runs `llm_calls.findUnique` and `optimization_errors.findMany` in
parallel via `Promise.all`
- Both queries use `params.id` directly — no data dependency between
them
- Page load time reduced from sum to max of both queries
## Evidence
- Proof doc: `js/cf-webapp/proof/17-parallel-llm-call-detail.md`
## Test plan
- [ ] `bash
js/cf-webapp/proof/reproducers/17-parallel-llm-call-detail.sh` — 5/5
checks pass
- [ ] LLM call detail page renders correctly with error list
## Summary
- Wraps `optimization_features.findUnique` in `React.cache()` so
`generateMetadata()` and the page component share one DB hit
- Eliminates redundant query — before: 2 identical queries per page
load, after: 1
- Replaces inline type annotation with `Awaited<ReturnType<...>>` for
DRY types
## Evidence
- Proof doc: `js/cf-webapp/proof/16-react-cache-dedup.md`
## Test plan
- [ ] `bash js/cf-webapp/proof/reproducers/16-react-cache-dedup.sh` —
5/5 checks pass
- [ ] Trace detail page renders correctly with metadata title
## Summary
- Runs `optimization_events.findFirst` and
`optimization_features.findUnique` in parallel via `Promise.all`
- The features query only needs `trace_id` (a parameter), not the event
result, making the queries independent
- Wall-clock time goes from sum of both queries to max of either
## Evidence
- Proof doc: `js/cf-webapp/proof/15-parallel-optimization-event.md`
## Test plan
- [ ] `bash
js/cf-webapp/proof/reproducers/15-parallel-optimization-event.sh` — 6/6
checks pass
- [ ] Optimization review page loads correctly with review quality data
## Summary
- Converts `PostHogClient()` to singleton pattern — reuses one `PostHog`
instance instead of creating new ones per call
- Replaces `shutdown()` with `flush()` across 5 files (6 call sites) —
flush sends events without destroying the shared client
## Evidence
- Before: each call to `PostHogClient()` creates new HTTP connection +
event queue
- After: single instance reused across all server components/actions in
the same process
- Proof doc: `js/cf-webapp/proof/14-posthog-singleton.md`
## Test plan
- [ ] `bash js/cf-webapp/proof/reproducers/14-posthog-singleton.sh` —
9/9 checks pass
- [ ] PostHog events still appear in PostHog dashboard after deployment
## Summary
Replace `@sentry/node` import with `@sentry/nextjs` in the repository
action. `@sentry/nextjs` already re-exports all server-side APIs, so
importing `@sentry/node` separately pulls in a duplicate SDK.
## How to Verify
```bash
cd js/cf-webapp
bash proof/reproducers/11-sentry-nextjs-consistency.sh
```
3 checks: no @sentry/node in app/, repository action uses
@sentry/nextjs, all app/ Sentry imports consistent.
## Summary
- Move `replayIntegration` from eager initialization to
`lazyLoadIntegration()`
- Removes ~300KB per copy (two copies were shipped) from the critical
path
- Replay still activates after page is interactive via
`Sentry.addIntegration`
## How to Verify
```bash
cd js/cf-webapp
bash proof/reproducers/10-lazy-sentry-replay.sh
```
6 checks: lazyLoadIntegration used, empty init integrations,
addIntegration for deferred loading, maskAllText/blockAllMedia
preserved.
## Test Plan
- [ ] Run reproducer (6/6 pass)
- [ ] Verify Sentry Replay still works after page load
## Summary
- Add `withTiming()` wrapper for server actions with Sentry span
reporting and slow action warnings (>1s)
- Add centralized `captureEvent()` helper for PostHog tracking
- Add 5 new PostHog tracking events: optimization_reviewed,
repository_connected, api_key_created, member_invited,
billing_page_viewed
- Instrument 4 server actions with `withTiming()`:
getOrganizationMembers, getRepositoryById,
getRepositoriesWithStagingEvents, getAllOptimizationEvents
## Proof of Correctness
See
[`js/cf-webapp/proof/08-server-action-timing.md`](js/cf-webapp/proof/08-server-action-timing.md)
## How to Verify
```bash
cd js/cf-webapp
bash proof/reproducers/08-server-action-timing.sh
```
21 checks verify: withTiming utility, 4 instrumented actions,
captureEvent helper, 5 tracking functions, and all tracking calls wired
into action files.
## Test Plan
- [ ] Run reproducer: `bash
proof/reproducers/08-server-action-timing.sh` (21/21 pass)
- [ ] Verify server actions still work correctly
- [ ] Check Sentry for `server.action` spans after deployment
## Summary
- Parallelize `getRepositoryById` server action: repo fetch + auth check
now run via `Promise.all` instead of sequentially
- Parallelize 6 independent stats queries on the repository detail page
via `Promise.all`: optimization counts, time series data, PR event data,
and leaderboard
- Reduces repository detail page server-side latency from ~350ms (7
sequential round-trips) to ~100ms (2 parallel batches)
## Proof of Correctness
See
[`js/cf-webapp/proof/06-parallel-repo-page.md`](js/cf-webapp/proof/06-parallel-repo-page.md)
for detailed analysis.
## How to Verify
```bash
cd js/cf-webapp
bash proof/reproducers/06-parallel-repo-page.sh
```
The reproducer verifies:
1. `getRepositoryById` uses `Promise.all` for repo + auth
2. At least 5 of 6 stats queries are inside `Promise.all`
3. No sequential `await` patterns remain for stats queries
4. All stats queries are independent (take only `repositoryId`)
## Why This Is Real
1. **All 6 stats queries are independent** — each takes only
`repositoryId` and returns different data
2. **Repo fetch and auth check are independent** — `findFirst` needs
`repoId`, `getRepositoriesForAccountCached` needs `payload`
3. **Latency reduction is significant** — 6 sequential DB round-trips
become 1 parallel batch
## Test Plan
- [ ] Run reproducer script: `bash
proof/reproducers/06-parallel-repo-page.sh`
- [ ] Verify repository detail page loads correctly
- [ ] Confirm all stats widgets render with correct data
## Proof of Correctness — Commit 5/22
**Optimization:** Run `getCurrentUserRole` and `getOrganizationMembers`
concurrently via `Promise.all` instead of sequentially.
**Claim:** Saves one round-trip latency. Total latency: `role_time +
members_time` → `max(role_time, members_time)`.
### Evidence
Both calls take `(userId, orgId)` and are independent — neither uses the
other's result. The sequential pattern was unnecessary.
### Reproducer
```bash
cd js/cf-webapp
bash proof/reproducers/05-parallel-members-page.sh
```
Verifies: both calls inside `Promise.all`, no sequential awaits remain,
no cross-dependency.
### Files
- `js/cf-webapp/proof/05-parallel-members-page.md` — proof
- `js/cf-webapp/proof/reproducers/05-parallel-members-page.sh` —
reproducer
## Proof of Correctness — Commit 3/22
**Optimization:** Replace 5 separate `new PrismaClient()` instances with
a shared singleton at `@/lib/prisma`.
**Claim:** Eliminates 5 independent connection pools → 1 shared pool
with `connection_limit=10`, `pool_timeout=20`. Prevents connection pool
exhaustion under concurrent requests.
### Evidence
Each `new PrismaClient()` creates its own query engine and PostgreSQL
connection pool (default 5 connections). With 5 instances, the app could
hold 25 connections simultaneously — a real risk against PostgreSQL's
hard limit (typically 100, often lower on Azure).
Files that had their own `new PrismaClient()`:
- `src/app/(dashboard)/apikeys/page.tsx`
- `src/app/(dashboard)/apikeys/tokenfuncs.ts`
- `src/app/api/traces/[trace_id]/save-modified-code/route.ts`
- `src/app/trace/[trace_id]/page.tsx`
- `src/lib/modified-code-utils.ts`
The singleton pattern is [Prisma's official recommendation for
Next.js](https://www.prisma.io/docs/orm/more/help-and-troubleshooting/help-articles/nextjs-prisma-client-dev-practices).
### Reproducer
```bash
cd js/cf-webapp
bash proof/reproducers/03-prisma-singleton.sh
```
Verifies:
1. No `new PrismaClient()` outside `src/lib/prisma.ts`
2. All 5 affected files import from `@/lib/prisma`
3. Singleton has connection pooling + globalThis caching
4. TypeScript compiles cleanly
### Files
- `js/cf-webapp/proof/03-prisma-singleton.md` — detailed proof
- `js/cf-webapp/proof/reproducers/03-prisma-singleton.sh` — reproducer
### Reference
- Source commit: 16c5887a from PR #2536
## Proof of Correctness — Commit 2/22
**Optimization:** Replace `import * as Diff` with named `import {
createPatch }` for tree-shaking, and `@sentry/browser` →
`@sentry/nextjs` to eliminate duplicate SDK bundle.
### Evidence
1. **`import *` prevents tree-shaking** — webpack/turbopack must include
all 15+ exports from the `diff` package. Named import allows dead code
elimination of unused functions (`diffChars`, `diffWords`, `diffLines`,
`structuredPatch`, etc.).
2. **`@sentry/browser` duplicates `@sentry/nextjs` core** — the app
already uses `@sentry/nextjs` everywhere. Having one file import
`@sentry/browser` pulls in a second copy of Sentry's core code.
### Reproducer
```bash
cd js/cf-webapp
bash proof/reproducers/02-named-diff-sentry-import.sh
```
Verifies via grep that:
- No `import * as Diff` remains
- No `@sentry/browser` imports remain
- Only `createPatch` is used from the `diff` package
- All Sentry imports use `@sentry/nextjs`
For bundle size measurement, run with `MEASURE=1`:
```bash
MEASURE=1 bash proof/reproducers/02-named-diff-sentry-import.sh
```
### Files
- `js/cf-webapp/proof/02-named-diff-sentry-import.md` — detailed proof
- `js/cf-webapp/proof/reproducers/02-named-diff-sentry-import.sh` —
reproducer
### Reference
- Source commit: 36bd47b4 from PR #2536
## Proof of Correctness — Commit 1/22
**Optimization:** Replace full `react-syntax-highlighter/Prism` build
(300 language grammars via `refractor/all`) with PrismLight registering
only 11 used languages.
**Claim:** Client JS bundle 5,990 KB → 3,146 KB (−47.5%, −2,844 KB)
### Evidence
The default Prism import resolves to `refractor/all.js` — a barrel file
that eagerly imports grammar definitions for 300+ languages (each 3–10
KB). The app only uses 11: python, javascript, typescript, java, json,
css, html, bash, jsx, tsx, markup.
PrismLight uses `refractor/core` and requires explicit
`registerLanguage()` calls, eliminating ~289 unused grammars from the
bundle.
### Reproducer
```bash
cd js/cf-webapp
bash proof/reproducers/01-prismlight-benchmark.sh
```
This runs two real `next build` passes (baseline on main, then with only
the PrismLight diff applied) and prints the route tables side-by-side
for comparison.
### Files
- `js/cf-webapp/proof/01-prismlight-switch.md` — detailed proof document
- `js/cf-webapp/proof/reproducers/01-prismlight-benchmark.sh` —
reproducible benchmark
### Reference
- Source commit: e249a1cf from PR #2536
- [react-syntax-highlighter light build
docs](https://github.com/react-syntax-highlighter/react-syntax-highlighter#light-build)
## Problem
Generated tests imported TypeScript files with `.js` extensions, causing
"Cannot find module" errors. The AI service was only stripping
extensions from `generated_test_source` but NOT from
`instrumented_behavior_tests` and `instrumented_perf_tests` (which the
CLI actually uses).
## Root Cause
**File:** `core/languages/js_ts/testgen.py:608`
Only `generated_test_source` received `strip_js_extensions()` call. The
CLI uses `instrumented_behavior_tests` from the response, which still
had incorrect `.js` extensions on TypeScript imports.
## Impact
- Affected **15 out of 20 test runs (~75% failure rate)**
- **Severity: HIGH** - systematic bug blocking all TypeScript projects
- **Error:** `Cannot find module '../../google.js'` when source is
`google.ts`
## Fix
Apply `strip_js_extensions()` to all three test output variants:
- `generated_test_source` (already done)
- `instrumented_behavior_tests` ✨ **NEW**
- `instrumented_perf_tests` ✨ **NEW**
## Testing
✅ All 32 existing JavaScript testgen tests pass
✅ Added regression test for extension stripping
✅ Verified with `--rerun` on trace
`03899729-131e-4ff6-8149-c132bd888089`
✅ No "Cannot find module *.js" errors after fix
## References
**Trace IDs exhibiting this bug:**
- `03899729-131e-4ff6-8149-c132bd888089`
- `19446b34-cd22-4a38-b304-22c16ba86747`
- (and 13 others - see `/workspace/logs`)
**Related:** AI Service Reference doc section 10.1 issue #2
---------
Co-authored-by: mohammed ahmed <mohammedahmed18@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
