## Summary
- Snyk PR #2305 bumped `diff` from 8.0.2 to 8.0.3 in
`js/VSC-Extension/package.json` without regenerating the lockfile
- This causes `npm ci` to fail with a "package.json and
package-lock.json are in sync" error
- Ran `npm install` to regenerate `package-lock.json` (resolves `diff`
to 8.0.4, the latest matching `^8.0.3`)
## Test plan
- [x] Verified `npm ci` succeeds with the updated lockfile
- [x] Diff is minimal: only the `diff` package version change (4
insertions, 4 deletions)
Delete 7 separate workflow files now replaced by the unified ci.yaml:
aiservice-ci.yml, cf-api-tests.yaml, cf-webapp-quality-gates.yml,
end-to-end-tests.yaml, nextjs-build.yaml, prek.yaml,
vscode-extension-build.yml
Replace 7 separate CI workflow files with a unified ci.yaml that uses
shared workflows from codeflash-ai/github-workflows:
- determine-changes: reusable workflow for path-based change detection
- prek-lint: reusable workflow for pre-commit checks
- ci-python-uv: reusable workflow for Python typecheck
- required-checks-gate: composite action for gate job
All downstream jobs use fromJSON(needs.determine-changes.outputs.flags)
for conditional execution. A single required-checks-passed gate job
replaces per-workflow required checks.
Private repos need explicit permissions on reusable workflow calls
(contents:write for prek) since they don't inherit permissive defaults.
The Python client sends raw source code, not markdown-wrapped blocks.
split_markdown_code() returned {} for raw input, making SearchAndReplaceDiff
have nothing to patch, so repairs always returned empty string.
Now falls back to {"file.py": raw_code} when markdown parsing yields nothing,
and is_valid() handles raw code blocks instead of only markdown-wrapped ones.
System prompt now focuses on repair strategy (identify pattern, compare
code, minimal fix) instead of spending most tokens on SEARCH/REPLACE
format spec. User prompt explicitly frames the task and asks for root
cause analysis. build_test_details() reformatted for clarity: grouped
by test source with clear Expected/Got lines separated by --- dividers.
## Summary
- The Monaco diff editor on `/trace/[id]` pages was not loading because
`@monaco-editor/react` fetches JS, CSS, and font assets from
`cdn.jsdelivr.net` by default
- The Content Security Policy in `next.config.mjs` blocked those
requests (missing from `script-src`, `style-src`, `font-src`)
- Added `https://cdn.jsdelivr.net` to the three relevant CSP directives
## Test plan
- [ ] Open a trace page (e.g.
`/trace/c0668bd3-9321-4082-9c43-3e41bdd9b1c5`) and verify the code diff
renders
- [ ] Check browser console for no remaining CSP violations
- [ ] Verify no regressions on other pages
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Sarthak Agarwal <sarthak.saga@gmail.com>
Reworded to highlight that hand-written unit tests encode the developer's
explicit behavioral expectations and that optimizations must produce
identical results for all test cases.
Accept baseline_runtime_ns, loop_count, line_profiler_results, and
test_input_examples on the optimize endpoint. Pass runtime context
and test examples to the user prompt so the LLM can generate
better-informed candidates. Alternate line profiler data across
parallel calls for diversity (odd calls get LP, even calls don't).
When Azure OpenAI or Anthropic returns null/empty content (content
filter, truncation, transient failure), call_openai/call_anthropic now
raise LLMOutputUnparseable instead of returning an empty string that
silently flows through the pipeline and produces 422 "Could not
generate any optimizations." All optimizer callers catch
LLMOutputUnparseable to preserve cost tracking while returning None.
node-linker=hoisted triggers an Invalid Version bug in pnpm 10 bin
linking. The standalone output with zip -y (symlink preservation) is
sufficient — Azure SquashFS supports symlinks natively.
Use zip -y to preserve symlinks in the standalone output. Azure Linux
App Service mounts the zip via SquashFS which supports symlinks. This
keeps the pnpm .pnpm/ structure intact so next can resolve peer deps
like @swc/helpers and @next/env from their co-located positions.
Also re-add node-linker=hoisted to .npmrc per pnpm docs recommendation
for environments that need standard node_modules resolution.
Switch from zipping cf-webapp/node_modules to Next.js standalone output
mode. This traces only required runtime deps into .next/standalone/ and
resolves the pnpm symlink issues that caused MODULE_NOT_FOUND crashes on
Azure (missing @next/env, @swc/helpers).
- Add output: "standalone" and outputFileTracingRoot to next.config.mjs
- Update CI to cp -rL (dereference symlinks) the standalone output
- Revert node-linker=hoisted from .npmrc (no longer needed)
- Deploy to codeflash-webapp-main (set in previous commit)
Add node-linker=hoisted to .npmrc so pnpm hoists all dependencies like
npm. Update CI to rsync workspace-root node_modules into cf-webapp
before zipping, ensuring @next/env, @swc/helpers, and other peer deps
are included. Retarget deployment to the new codeflash-webapp-main app.
pnpm doesn't hoist @swc/helpers to cf-webapp/node_modules/ by default,
so it's missing from the deploy zip. Azure runs npm start which can't
resolve it through pnpm's virtual store. Adding it as a direct dep
ensures it's included in the zip.
The page-level isTeamMember() check breaks PPR (Partial Prerendering):
at build time there's no session, so the prerender resolves as a
redirect/404 and the static shell poisons all runtime responses with 404.
Team member gating is already handled by proxy.ts middleware (lines 50-58),
matching how /observability and other team-gated routes work.
## Summary
- Add `aiservice-ci.yml` using the shared reusable workflow from
`codeflash-ai/github-workflows`
- Remove old `django-unit-tests.yaml` and `mypy_aiservice.yml` (both
replaced by the new unified workflow)
- **Typecheck job**: uses the shared workflow
(`codeflash-ai/github-workflows/.github/workflows/uv-mypy.yml`)
- **Test job**: defined locally in `aiservice-ci.yml` (needs repository
secrets that can't be passed to reusable workflows in other repos)
## What changed
| Before | After |
|---|---|
| `django-unit-tests.yaml` (standalone) | `aiservice-ci.yml` — test job
|
| `mypy_aiservice.yml` (standalone) | `aiservice-ci.yml` — typecheck job
(shared workflow) |
## Summary
- Replace hardcoded `"codeflash-edit-2025"` string authentication in the
`save-modified-code` API route with Auth0 session check
- Remove the secret prompt modal from the Monaco diff viewer — editing
is now gated by the user's existing login session
- Remove unused `Lock` import, dead `console.log`, and unused `result`
variable
## Test plan
- [ ] Verify the edit code button works without prompting for a secret
- [ ] Verify saving modified code succeeds for logged-in users
- [ ] Verify unauthenticated requests to
`/api/traces/:id/save-modified-code` return 401
## Summary
- Reverts lazy JWT_SECRET initialization — keeps eager fail-fast at
module load
- Adds `JWT_SECRET` secret to both `deploy_cfwebapp_to_azure.yml` and
`nextjs-build.yaml` CI workflows so `next build` page data collection
succeeds for the `/codeflash/auth/oauth/token` route
## Context
The deploy workflow ([run
#24425211765](https://github.com/codeflash-ai/codeflash-internal/actions/runs/24425211765/job/71357530269))
was failing because `JWT_SECRET` isn't available during CI build,
causing an eager throw at module load time. The secret already exists as
a GitHub repo secret.
Security (critical):
- Scope member lookups to parent resource (repository_id / organization_id)
in updateRepositoryMemberRole, removeRepositoryMember,
updateOrganizationMemberRole, and removeOrganizationMember to prevent
cross-tenant escalation via crafted memberId
- Replace unvalidated currentOrganizationId cookie reads with
getAccountContext() (validates org membership) in review page and
repo detail data loaders
Bugs:
- Add missing string-UUID branch in repository_id filter (raw SQL paths)
- Pass actual username to RepoDetailClient instead of empty string
- Remove misleading React.cache() on getAllOptimizationEventsImpl (object
arg means reference equality never hits)
- Use create() result directly in addOrganizationMember to avoid NPE
from unnecessary re-fetch
- Separate null-session redirect from null-event 404 in profiler page
Tests:
- Rewrite action.test.ts: org payload for Prisma findMany path, proper
$queryRaw tagged-template mock for raw SQL path, verify repository_id
filter is actually applied
getUserIdAndUsername() and getAccountContext() also threw generic
errors when no session exists. Same fix as apikeys: use redirect()
which Next.js handles as a prerender bailout signal.
Pages that throw Error("Authentication required") crash the Next.js
build during static prerendering (no auth session at build time).
redirect("/login") is a proper Next.js bailout signal that skips
prerendering and marks the route as dynamic.
Root cause: cf-webapp used typescript@~5.4.5 while common used
typescript@^5.9.3. Since @prisma/client has typescript as a peer
dep, pnpm created two separate instances. prisma generate wrote to
one, but Next.js resolved the other — causing "Cannot find module
'.prisma/client/default'" at build time.
Fix: upgrade cf-webapp to typescript@^5.9.3 to match common. This
deduplicates @prisma/client to a single pnpm instance.
Also fixes cf-api deploy: exclude node_modules from copyfiles glob
and use cp -rL to dereference pnpm symlinks.
Both deploy workflows (cf-webapp and cf-api) fail with
"Can't resolve '@codeflash-ai/common'" because the workspace
dependency isn't built before the app build. Same fix already
applied to the CI quality-gate workflows.
## Summary
- If the WASM build fails (e.g. GitHub CDN outage for tree-sitter-cli or
wasi-sdk) but a cached `.wasm` file already exists, warn instead of
crashing `pnpm install`
- Only hard-fail when no cached WASM exists at all
This prevents transient CDN outages from blocking deploys when the WASM
artifacts are already cached.
## Test plan
- [ ] CI passes on this PR (validates the postinstall script doesn't
crash)
- [ ] Verify deploy workflow can proceed when WASM cache hits
## Summary
- **Fix CI build failure**: Auth0Client crashes during Next.js
prerendering when env vars aren't set. Returns a no-op stub (`getSession
→ null`) when domain is missing — semantically correct for static
generation
- **Lazy-load markdown libs (~260kb)**: ReactMarkdown, remarkGfm, and
react-syntax-highlighter were eagerly imported in monaco-diff-viewer but
only rendered when user expands "Generated Tests". Extracted into a
dynamic component
- **Parallelize repo detail query**: `getRepositoryById` ran the
activity count sequentially after the repo lookup. Since `repoId` is
already available, all three queries now run in parallel
## Test plan
- [ ] CI `build` check passes (was failing since #2598)
- [ ] Trace page still renders generated tests correctly when expanded
- [ ] Repository detail page loads correctly with activity status
## Summary
- **common**: Upgraded to Prisma 6.19.3, TypeScript 5.9.3, Prettier
3.8.2. Published as `@codeflash-ai/common@1.0.31` — fixes Prisma type
widening caused by cross-package version mismatch
- **cf-webapp**: 20+ dependency upgrades including posthog-js
(1.127→1.367), lucide-react (0.563→1.8), tailwind-merge (2→3), marked
(16→18), react-markdown (9→10), zod (3→4). Fixes lucide v1 icon renames
and react-markdown v10 API changes
- **cf-api**: 30+ dependency upgrades aligned with common. Prisma
6.19.3, Sentry 10.48, posthog-node 5.29, marked 18, resend 6.10
## Motivation
Testing hypothesis that outdated dependencies cause bundle bloat and
runtime regressions. posthog-js alone was 240 minor versions behind and
loads on every page. lucide-react v1 rewrote the icon system with better
tree-shaking. tailwind-merge v3 has a smaller/faster runtime used in
every `cn()` call.
## Root cause fix
The Prisma type widening errors (`string | Date | null` instead of
`string`) were caused by `@codeflash-ai/common` being published with
Prisma ^6.13 types while consumers installed a different version.
Aligning all packages to ^6.19.3 and republishing common fixed it
properly.
## Test plan
- [ ] cf-webapp builds and type-checks cleanly
- [ ] cf-api builds cleanly
- [ ] No runtime regressions in dashboard, observability pages
- [ ] Prisma types resolve correctly (no widening)
## Summary
- Auth0Client was constructed at module import time, crashing during
`next build` static analysis of `/_not-found` when `AUTH0_DOMAIN` isn't
set in CI
- Wraps the client in a lazy Proxy that defers construction to first
method call
- Zero API change — all callers still do `auth0.getSession()`,
`auth0.handleAuth()`, etc.
## Context
This broke in #2598 when the layout restructure caused `/_not-found` to
evaluate the root layout's auth0 import during build. The `build` CI
check has been failing on all PRs since.
## Test plan
- [ ] `build` CI check passes (was failing on #2598, #2593, #2599)
- [ ] Auth flows still work at runtime (login, logout, callback)
## Summary
- Run `npm audit fix` to resolve 12 of 14 vulnerabilities
- Fixed: axios (critical), brace-expansion, defu, effect/prisma,
minimatch, picomatch, qs, rollup, vite, yaml
- Remaining 2 moderate (`dompurify` via `monaco-editor`) have no
upstream fix yet
## Test plan
- [ ] Verify cf-webapp builds successfully
- [ ] Verify no regressions in dev server
## Summary
- Upgrade Next.js from 16.1.6 to 16.2.3
- Add `suppressHydrationWarning` to `<html>` tag to fix `next-themes`
hydration mismatch
- Remove unnecessary `isClient` guard in `ThemeProvider` that caused
script tag warning
- Redirect unauthenticated `/roadmap` visitors to `/login` instead of
`/`
## Test plan
- [ ] Verify `/roadmap` redirects to `/login` when not logged in
- [ ] Verify `/roadmap` loads correctly when logged in as team member
- [ ] Verify no hydration warnings in browser console
- [ ] Verify dark/light theme switching still works
## Summary
- Adds `/roadmap` page with visual flowchart showing codeflash-python
and codeflash-agent planned work
- Gated behind `isTeamMemberCheck` (same auth pattern as
`/observability`)
- Sidebar link visible only to team members
- Status tracking with distinct visual treatments: compact left-accent
for shipped, hero cards with glow for in-progress, dashed wireframe for
planned
## Test plan
- [ ] Visit `/roadmap` as a team member — page renders with status cards
- [ ] Visit `/roadmap` as a non-team member — redirects to `/`
- [ ] Sidebar shows roadmap link only for team members
- [ ] Build passes (`npm run build`)
- [ ] All tests pass (`npm test` — 39/39)
## CI Waste Cleanup
### Changes
1. **Deploy AI Service path filter** — narrowed `.github/workflows/**`
to `.github/workflows/deploy_aiservice_to_azure.yml`
- Previously, editing *any* workflow file triggered an AI service deploy
- The other deploy workflows (CFAPI, CF-WEB-APP) are already scoped
correctly
2. **Claude Code paths-ignore** — added `paths-ignore` for
`.github/workflows/**`, `*.md`, `docs/**`
- Currently fires on every PR regardless of files changed (85% failure
rate)
- The `codeflash` repo's Claude Code workflow already has these filters
3. **Publish to PyPI** — disabled via API
- Had `if: false` hardcoded with a TODO comment
- Was creating a skipped run on every push to main (pure noise)
### Context
Part of the Codeflash org CI audit. See also:
- codeflash-ai/codeflash#2025 (E2E path filters)
- codeflash-ai/codeflash#2026 (claude-code-action pin)
