Switch from managed to vendored mode so tiles are committed to git.
Install 55 tiles (Python + JS/TS), add MCP configs, and set up
weekly tile update workflow via reusable github-workflows caller.
## Summary
- Replaces the inline `aiservice-test` job (30 lines of boilerplate)
with a 10-line shared workflow call
- Uses the new `test-secret-env` input on `ci-python-uv.yml` to
dynamically export 7 secrets as masked env vars
- Pattern: caller passes `secrets: inherit` + a JSON map of `{ENV_VAR:
SECRET_NAME}`, shared workflow uses `toJSON(secrets)` + jq to export
them with `::add-mask::`
### Before (inline)
```yaml
aiservice-test:
  runs-on: ubuntu-latest
  env:
    SECRET_KEY: ${{ secrets.SECRET_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
    # ... 5 more hardcoded secret refs
  steps:
    - uses: actions/checkout@v6
    - uses: astral-sh/setup-uv@v8.1.0
    - run: uv sync
    - run: uv run pytest
```
### After (shared workflow)
```yaml
aiservice-test:
  uses: codeflash-ai/github-workflows/.github/workflows/ci-python-uv.yml@main
  secrets: inherit
  with:
    working-directory: "django/aiservice"
    sync-command: "uv sync"
    test-command: "uv run pytest"
    test-secret-env: '{"SECRET_KEY": "SECRET_KEY", "DATABASE_URL": "DATABASE_URL", ...}'
```
First consumer of the `test-secret-env` feature — validates the pattern
for future jobs.
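As an added illustration of the `test-secret-env` pattern (the shared workflow itself does this with `toJSON(secrets)` and jq; this TypeScript is not the workflow's code), the function below takes the secrets object and the `{ENV_VAR: SECRET_NAME}` map, emits an `::add-mask::` command for every line of each value before the value is written anywhere, and produces `$GITHUB_ENV` heredoc entries so multiline secrets survive intact. The env-var name check and the `missing` report are assumptions about sensible behaviour, not features the page documents.

```typescript
// Added illustration of the test-secret-env export step (not project code).
interface ExportResult {
  maskCommands: string[]; // "::add-mask::" lines, emitted before any use of the value
  envFileLines: string[]; // lines appended to $GITHUB_ENV, heredoc form
  missing: string[];      // mapped secrets that were absent or empty
}

function exportSecretEnv(
  secrets: Record<string, string | undefined>, // shape of toJSON(secrets)
  testSecretEnv: string,                        // the {ENV_VAR: SECRET_NAME} JSON input
): ExportResult {
  const map = JSON.parse(testSecretEnv) as Record<string, string>;
  const result: ExportResult = { maskCommands: [], envFileLines: [], missing: [] };
  for (const [envVar, secretName] of Object.entries(map)) {
    // A malformed key would otherwise let extra lines into $GITHUB_ENV.
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(envVar)) {
      throw new Error(`invalid env var name in test-secret-env: ${envVar}`);
    }
    const value = secrets[secretName];
    if (value === undefined || value === "") {
      result.missing.push(secretName); // report it instead of exporting ""
      continue;
    }
    // Register each line separately so every line of a multiline secret is
    // redacted on its own, not only the value as a whole.
    for (const line of value.split("\n")) {
      if (line.trim() !== "") result.maskCommands.push(`::add-mask::${line}`);
    }
    // Heredoc syntax keeps multiline values intact; the delimiter is grown
    // until it cannot occur inside the value.
    let delim = "__GH_ENV_EOF__";
    while (value.includes(delim)) delim += "_";
    result.envFileLines.push(`${envVar}<<${delim}`, value, delim);
  }
  return result;
}
```

The masking lines go to the step's stdout and the env lines are appended to the file named by `$GITHUB_ENV`; in the real workflow the values come from `toJSON(secrets)`, which is why the caller needs `secrets: inherit`.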
## Test plan
- [ ] CI passes — aiservice-test job runs via shared workflow and
secrets are correctly exported
- [ ] Gate job (required-checks-passed) still works with the new job
structure
- [ ] No regression in other jobs (they're unchanged)
## Summary
- Snyk PR #2305 bumped `diff` from 8.0.2 to 8.0.3 in
`js/VSC-Extension/package.json` without regenerating the lockfile
- This causes `npm ci` to fail with a "package.json and
package-lock.json are in sync" error
- Ran `npm install` to regenerate `package-lock.json` (resolves `diff`
to 8.0.4, the latest matching `^8.0.3`)
## Test plan
- [x] Verified `npm ci` succeeds with the updated lockfile
- [x] Diff is minimal: only the `diff` package version change (4
insertions, 4 deletions)
Delete 7 separate workflow files now replaced by the unified ci.yaml:
aiservice-ci.yml, cf-api-tests.yaml, cf-webapp-quality-gates.yml,
end-to-end-tests.yaml, nextjs-build.yaml, prek.yaml,
vscode-extension-build.yml
Replace 7 separate CI workflow files with a unified ci.yaml that uses
shared workflows from codeflash-ai/github-workflows:
- determine-changes: reusable workflow for path-based change detection
- prek-lint: reusable workflow for pre-commit checks
- ci-python-uv: reusable workflow for Python typecheck
- required-checks-gate: composite action for gate job
All downstream jobs use fromJSON(needs.determine-changes.outputs.flags)
for conditional execution. A single required-checks-passed gate job
replaces per-workflow required checks.
Private repos need explicit permissions on reusable workflow calls
(contents:write for prek) since they don't inherit permissive defaults.
The Python client sends raw source code, not markdown-wrapped blocks.
split_markdown_code() returned {} for raw input, making SearchAndReplaceDiff
have nothing to patch, so repairs always returned empty string.
Now falls back to {"file.py": raw_code} when markdown parsing yields nothing,
and is_valid() handles raw code blocks instead of only markdown-wrapped ones.
System prompt now focuses on repair strategy (identify pattern, compare
code, minimal fix) instead of spending most tokens on SEARCH/REPLACE
format spec. User prompt explicitly frames the task and asks for root
cause analysis. build_test_details() reformatted for clarity: grouped
by test source with clear Expected/Got lines separated by --- dividers.
## Summary
- The Monaco diff editor on `/trace/[id]` pages was not loading because
`@monaco-editor/react` fetches JS, CSS, and font assets from
`cdn.jsdelivr.net` by default
- The Content Security Policy in `next.config.mjs` blocked those
requests (missing from `script-src`, `style-src`, `font-src`)
- Added `https://cdn.jsdelivr.net` to the three relevant CSP directives
## Test plan
- [ ] Open a trace page (e.g.
`/trace/c0668bd3-9321-4082-9c43-3e41bdd9b1c5`) and verify the code diff
renders
- [ ] Check browser console for no remaining CSP violations
- [ ] Verify no regressions on other pages
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Sarthak Agarwal <sarthak.saga@gmail.com>
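To show why exactly `script-src`, `style-src` and `font-src` had to change, here is an added, simplified CSP source matcher (not the app's `next.config.mjs`): it parses a policy string and reports under which of the directives an asset would be blocked, falling back to `default-src` when a directive is absent. The before/after policies, the site origin and the Monaco asset path are constructed samples, and only `'self'`, scheme sources, exact hosts and `*.` wildcards are handled.

```typescript
// Added illustration (not project code): simplified CSP matching for the
// cdn.jsdelivr.net case; nonces, hashes and 'unsafe-*' keywords never match a host.
function parseCsp(policy: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceAllows(source: string, url: URL, self: URL): boolean {
  if (source === "'self'") return url.origin === self.origin;
  if (source.startsWith("'")) return false; // quoted keywords, nonces, hashes
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  let scheme: string | null = null;
  let host = source;
  const idx = source.indexOf("://");
  if (idx !== -1) {
    scheme = source.slice(0, idx + 1).toLowerCase();
    host = source.slice(idx + 3);
  }
  host = host.replace(/[/:].*$/, "").toLowerCase(); // drop path and port
  if (scheme !== null && scheme !== url.protocol) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return host === url.hostname;
}

// Directives from `needed` under which `assetUrl` is blocked; a missing
// directive falls back to default-src, as browsers do.
function blockedDirectives(policy: string, assetUrl: string, siteOrigin: string, needed: string[]): string[] {
  const csp = parseCsp(policy);
  const url = new URL(assetUrl);
  const self = new URL(siteOrigin);
  return needed.filter((d) => {
    const sources = csp.get(d) ?? csp.get("default-src") ?? [];
    return !sources.some((s) => sourceAllows(s, url, self));
  });
}

// Constructed samples: the policy shape before and after the fix, one Monaco asset path.
const CSP_BEFORE = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'";
const CSP_AFTER = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
  + "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; font-src 'self' https://cdn.jsdelivr.net";
const MONACO_LOADER = "https://cdn.jsdelivr.net/npm/monaco-editor/min/vs/loader.js";
const MONACO_DIRECTIVES = ["script-src", "style-src", "font-src"];
```

Running `blockedDirectives(CSP_BEFORE, MONACO_LOADER, "https://app.example", MONACO_DIRECTIVES)` names all three directives, and the same call with `CSP_AFTER` returns an empty list.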
Reworded to highlight that hand-written unit tests encode the developer's
explicit behavioral expectations and that optimizations must produce
identical results for all test cases.
Accept baseline_runtime_ns, loop_count, line_profiler_results, and
test_input_examples on the optimize endpoint. Pass runtime context
and test examples to the user prompt so the LLM can generate
better-informed candidates. Alternate line profiler data across
parallel calls for diversity (odd calls get LP, even calls don't).
When Azure OpenAI or Anthropic returns null/empty content (content
filter, truncation, transient failure), call_openai/call_anthropic now
raise LLMOutputUnparseable instead of returning an empty string that
silently flows through the pipeline and produces 422 "Could not
generate any optimizations." All optimizer callers catch
LLMOutputUnparseable to preserve cost tracking while returning None.
node-linker=hoisted triggers an Invalid Version bug in pnpm 10 bin
linking. The standalone output with zip -y (symlink preservation) is
sufficient — Azure SquashFS supports symlinks natively.
Use zip -y to preserve symlinks in the standalone output. Azure Linux
App Service mounts the zip via SquashFS which supports symlinks. This
keeps the pnpm .pnpm/ structure intact so next can resolve peer deps
like @swc/helpers and @next/env from their co-located positions.
Also re-add node-linker=hoisted to .npmrc per pnpm docs recommendation
for environments that need standard node_modules resolution.
Switch from zipping cf-webapp/node_modules to Next.js standalone output
mode. This traces only required runtime deps into .next/standalone/ and
resolves the pnpm symlink issues that caused MODULE_NOT_FOUND crashes on
Azure (missing @next/env, @swc/helpers).
- Add output: "standalone" and outputFileTracingRoot to next.config.mjs
- Update CI to cp -rL (dereference symlinks) the standalone output
- Revert node-linker=hoisted from .npmrc (no longer needed)
- Deploy to codeflash-webapp-main (set in previous commit)
Add node-linker=hoisted to .npmrc so pnpm hoists all dependencies like
npm. Update CI to rsync workspace-root node_modules into cf-webapp
before zipping, ensuring @next/env, @swc/helpers, and other peer deps
are included. Retarget deployment to the new codeflash-webapp-main app.
pnpm doesn't hoist @swc/helpers to cf-webapp/node_modules/ by default,
so it's missing from the deploy zip. Azure runs npm start which can't
resolve it through pnpm's virtual store. Adding it as a direct dep
ensures it's included in the zip.
The page-level isTeamMember() check breaks PPR (Partial Prerendering):
at build time there's no session, so the prerender resolves as a
redirect/404 and the static shell poisons all runtime responses with 404.
Team member gating is already handled by proxy.ts middleware (lines 50-58),
matching how /observability and other team-gated routes work.
## Summary
- Add `aiservice-ci.yml` using the shared reusable workflow from
`codeflash-ai/github-workflows`
- Remove old `django-unit-tests.yaml` and `mypy_aiservice.yml` (both
replaced by the new unified workflow)
- **Typecheck job**: uses the shared workflow
(`codeflash-ai/github-workflows/.github/workflows/uv-mypy.yml`)
- **Test job**: defined locally in `aiservice-ci.yml` (needs repository
secrets that can't be passed to reusable workflows in other repos)
## What changed
| Before | After |
|---|---|
| `django-unit-tests.yaml` (standalone) | `aiservice-ci.yml` — test job |
| `mypy_aiservice.yml` (standalone) | `aiservice-ci.yml` — typecheck job (shared workflow) |
## Summary
- Replace hardcoded `"codeflash-edit-2025"` string authentication in the
`save-modified-code` API route with Auth0 session check
- Remove the secret prompt modal from the Monaco diff viewer — editing
is now gated by the user's existing login session
- Remove unused `Lock` import, dead `console.log`, and unused `result`
variable
## Test plan
- [ ] Verify the edit code button works without prompting for a secret
- [ ] Verify saving modified code succeeds for logged-in users
- [ ] Verify unauthenticated requests to
`/api/traces/:id/save-modified-code` return 401
## Summary
- Reverts lazy JWT_SECRET initialization — keeps eager fail-fast at
module load
- Adds `JWT_SECRET` secret to both `deploy_cfwebapp_to_azure.yml` and
`nextjs-build.yaml` CI workflows so `next build` page data collection
succeeds for the `/codeflash/auth/oauth/token` route
## Context
The deploy workflow ([run
#24425211765](https://github.com/codeflash-ai/codeflash-internal/actions/runs/24425211765/job/71357530269))
was failing because `JWT_SECRET` isn't available during CI build,
causing an eager throw at module load time. The secret already exists as
a GitHub repo secret.
Security (critical):
- Scope member lookups to parent resource (repository_id / organization_id)
in updateRepositoryMemberRole, removeRepositoryMember,
updateOrganizationMemberRole, and removeOrganizationMember to prevent
cross-tenant escalation via crafted memberId
- Replace unvalidated currentOrganizationId cookie reads with
getAccountContext() (validates org membership) in review page and
repo detail data loaders
Bugs:
- Add missing string-UUID branch in repository_id filter (raw SQL paths)
- Pass actual username to RepoDetailClient instead of empty string
- Remove misleading React.cache() on getAllOptimizationEventsImpl (object
arg means reference equality never hits)
- Use create() result directly in addOrganizationMember to avoid NPE
from unnecessary re-fetch
- Separate null-session redirect from null-event 404 in profiler page
Tests:
- Rewrite action.test.ts: org payload for Prisma findMany path, proper
$queryRaw tagged-template mock for raw SQL path, verify repository_id
filter is actually applied
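The scoping defect in the Security section above, as an added example that is not the project's code: an in-memory array stands in for the Prisma member table, `updateRoleUnscoped` has the shape of the bug (the lookup keys on `memberId` alone, although authorization was decided for `repoId`), and `updateRoleScoped` / `removeMemberScoped` show the fix of making the parent resource part of the lookup. The function names, field names and sample rows are constructed.

```typescript
// Added example (not project code): why member lookups must be scoped to the parent.
interface RepositoryMember { id: string; repositoryId: string; userId: string; role: string }

// Constructed sample: two tenants, one admin each.
function sampleMembers(): RepositoryMember[] {
  return [
    { id: "m-1", repositoryId: "repo-A", userId: "alice", role: "admin" },
    { id: "m-2", repositoryId: "repo-B", userId: "bob", role: "admin" },
  ];
}

// Defective shape: the caller was authorized for repoId, but the lookup keys
// on memberId alone, so a memberId from another repository is still matched.
function updateRoleUnscoped(store: RepositoryMember[], repoId: string, memberId: string, role: string): RepositoryMember | null {
  void repoId; // authorization happened against repoId; the query ignores it
  const m = store.find((x) => x.id === memberId);
  if (m === undefined) return null;
  m.role = role;
  return m;
}

// Fixed shape: the parent resource is part of the lookup, the equivalent of
// `where: { id: memberId, repository_id: repoId }` in the Prisma query.
function updateRoleScoped(store: RepositoryMember[], repoId: string, memberId: string, role: string): RepositoryMember | null {
  const m = store.find((x) => x.id === memberId && x.repositoryId === repoId);
  if (m === undefined) return null; // a foreign memberId looks exactly like a missing one
  m.role = role;
  return m;
}

// Same rule for removal: never delete by memberId alone.
function removeMemberScoped(store: RepositoryMember[], repoId: string, memberId: string): boolean {
  const idx = store.findIndex((x) => x.id === memberId && x.repositoryId === repoId);
  if (idx === -1) return false;
  store.splice(idx, 1);
  return true;
}
```

The same pattern applies to the organization variants, with `organization_id` as the scoping column.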
getUserIdAndUsername() and getAccountContext() also threw generic
errors when no session exists. Same fix as apikeys: use redirect()
which Next.js handles as a prerender bailout signal.
Pages that throw Error("Authentication required") crash the Next.js
build during static prerendering (no auth session at build time).
redirect("/login") is a proper Next.js bailout signal that skips
prerendering and marks the route as dynamic.
Root cause: cf-webapp used typescript@~5.4.5 while common used
typescript@^5.9.3. Since @prisma/client has typescript as a peer
dep, pnpm created two separate instances. prisma generate wrote to
one, but Next.js resolved the other — causing "Cannot find module
'.prisma/client/default'" at build time.
Fix: upgrade cf-webapp to typescript@^5.9.3 to match common. This
deduplicates @prisma/client to a single pnpm instance.
Also fixes cf-api deploy: exclude node_modules from copyfiles glob
and use cp -rL to dereference pnpm symlinks.
Both deploy workflows (cf-webapp and cf-api) fail with
"Can't resolve '@codeflash-ai/common'" because the workspace
dependency isn't built before the app build. Same fix already
applied to the CI quality-gate workflows.