node-linker=hoisted triggers an Invalid Version bug in pnpm 10 bin
linking. The standalone output with zip -y (symlink preservation) is
sufficient — Azure SquashFS supports symlinks natively.
Use zip -y to preserve symlinks in the standalone output. Azure Linux
App Service mounts the zip via SquashFS which supports symlinks. This
keeps the pnpm .pnpm/ structure intact so next can resolve peer deps
like @swc/helpers and @next/env from their co-located positions.
Also re-add node-linker=hoisted to .npmrc per pnpm docs recommendation
for environments that need standard node_modules resolution.
Switch from zipping cf-webapp/node_modules to Next.js standalone output
mode. This traces only required runtime deps into .next/standalone/ and
resolves the pnpm symlink issues that caused MODULE_NOT_FOUND crashes on
Azure (missing @next/env, @swc/helpers).
- Add output: "standalone" and outputFileTracingRoot to next.config.mjs
- Update CI to cp -rL (dereference symlinks) the standalone output
- Revert node-linker=hoisted from .npmrc (no longer needed)
- Deploy to codeflash-webapp-main (set in previous commit)
Add node-linker=hoisted to .npmrc so pnpm hoists all dependencies like
npm. Update CI to rsync workspace-root node_modules into cf-webapp
before zipping, ensuring @next/env, @swc/helpers, and other peer deps
are included. Retarget deployment to the new codeflash-webapp-main app.
pnpm doesn't hoist @swc/helpers to cf-webapp/node_modules/ by default,
so it's missing from the deploy zip. Azure runs npm start which can't
resolve it through pnpm's virtual store. Adding it as a direct dep
ensures it's included in the zip.
The page-level isTeamMember() check breaks PPR (Partial Prerendering):
at build time there's no session, so the prerender resolves as a
redirect/404 and the static shell poisons all runtime responses with 404.
Team member gating is already handled by proxy.ts middleware (lines 50-58),
matching how /observability and other team-gated routes work.
## Summary
- Add `aiservice-ci.yml` using the shared reusable workflow from
`codeflash-ai/github-workflows`
- Remove old `django-unit-tests.yaml` and `mypy_aiservice.yml` (both
replaced by the new unified workflow)
- **Typecheck job**: uses the shared workflow
(`codeflash-ai/github-workflows/.github/workflows/uv-mypy.yml`)
- **Test job**: defined locally in `aiservice-ci.yml` (needs repository
secrets that can't be passed to reusable workflows in other repos)
## What changed
| Before | After |
|---|---|
| `django-unit-tests.yaml` (standalone) | `aiservice-ci.yml` — test job
|
| `mypy_aiservice.yml` (standalone) | `aiservice-ci.yml` — typecheck job
(shared workflow) |
## Summary
- Replace hardcoded `"codeflash-edit-2025"` string authentication in the
`save-modified-code` API route with Auth0 session check
- Remove the secret prompt modal from the Monaco diff viewer — editing
is now gated by the user's existing login session
- Remove unused `Lock` import, dead `console.log`, and unused `result`
variable
## Test plan
- [ ] Verify the edit code button works without prompting for a secret
- [ ] Verify saving modified code succeeds for logged-in users
- [ ] Verify unauthenticated requests to
`/api/traces/:id/save-modified-code` return 401
## Summary
- Reverts lazy JWT_SECRET initialization — keeps eager fail-fast at
module load
- Adds `JWT_SECRET` secret to both `deploy_cfwebapp_to_azure.yml` and
`nextjs-build.yaml` CI workflows so `next build` page data collection
succeeds for the `/codeflash/auth/oauth/token` route
## Context
The deploy workflow ([run
#24425211765](https://github.com/codeflash-ai/codeflash-internal/actions/runs/24425211765/job/71357530269))
was failing because `JWT_SECRET` isn't available during CI build,
causing an eager throw at module load time. The secret already exists as
a GitHub repo secret.
Security (critical):
- Scope member lookups to parent resource (repository_id / organization_id)
in updateRepositoryMemberRole, removeRepositoryMember,
updateOrganizationMemberRole, and removeOrganizationMember to prevent
cross-tenant escalation via crafted memberId
- Replace unvalidated currentOrganizationId cookie reads with
getAccountContext() (validates org membership) in review page and
repo detail data loaders
Bugs:
- Add missing string-UUID branch in repository_id filter (raw SQL paths)
- Pass actual username to RepoDetailClient instead of empty string
- Remove misleading React.cache() on getAllOptimizationEventsImpl (object
arg means reference equality never hits)
- Use create() result directly in addOrganizationMember to avoid NPE
from unnecessary re-fetch
- Separate null-session redirect from null-event 404 in profiler page
Tests:
- Rewrite action.test.ts: org payload for Prisma findMany path, proper
$queryRaw tagged-template mock for raw SQL path, verify repository_id
filter is actually applied
getUserIdAndUsername() and getAccountContext() also threw generic
errors when no session exists. Same fix as apikeys: use redirect()
which Next.js handles as a prerender bailout signal.
