phoenixvc · JustAGhosT · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -8,18 +8,18 @@ The monorepo uses a combination of engine-specific workflows, path-aware compone
 
 ### Workflow Overview
 
-| Workflow | Purpose | Triggers |
-| --- | --- | --- |
-| `ci.yml` | Engine test and build validation | Push, PR, manual |
-| `lint.yml` | Engine lint and type checks | Push, PR |
-| `security.yml` | Engine dependency and filesystem security checks | Push, PR, schedule |
-| `monorepo-ci.yml` | Path-aware builds for engine, desktop, website, orchestration utils, and VS Code extension | Push, PR, manual |
-| `release.yml` | Engine package release | Tags, manual |
-| `release-desktop.yml` | Desktop release build | Tags, manual |
-| `release-website.yml` | Website release build | Tags, manual |
-| `release-vscode-extension.yml` | VS Code extension release packaging | Tags, manual |
-| `release-orchestration-utils.yml` | Shared utility package release build | Tags, manual |
-| `deploy-autopr-engine.yml` | Engine container build and Azure deployment | Push to `master`, PR, manual |
+| Workflow                          | Purpose                                                                                    | Triggers                     |
+| --------------------------------- | ------------------------------------------------------------------------------------------ | ---------------------------- |
+| `ci.yml`                          | Engine test and build validation                                                           | Push, PR, manual             |
+| `lint.yml`                        | Engine lint and type checks                                                                | Push, PR                     |
+| `security.yml`                    | Engine dependency and filesystem security checks                                           | Push, PR, schedule           |
+| `monorepo-ci.yml`                 | Path-aware builds for engine, desktop, website, orchestration utils, and VS Code extension | Push, PR, manual             |
+| `release.yml`                     | Engine package release                                                                     | Tags, manual                 |
+| `release-desktop.yml`             | Desktop release build                                                                      | Tags, manual                 |
+| `release-website.yml`             | Website release build                                                                      | Tags, manual                 |
+| `release-vscode-extension.yml`    | VS Code extension release packaging                                                        | Tags, manual                 |
+| `release-orchestration-utils.yml` | Shared utility package release build                                                       | Tags, manual                 |
+| `deploy-autopr-engine.yml`        | Engine container build and Azure deployment                                                | Push to `master`, PR, manual |
 
 ## Workflow Details
 
@@ -143,17 +143,17 @@ env:
 
 Set these in GitHub repository settings:
 
-| Variable                | Description              | Default |
-| ----------------------- | ------------------------ | ------- |
+| Variable                  | Description              | Default |
+| ------------------------- | ------------------------ | ------- |
 | `CODEFLOW_VOLUME_PR`      | Volume for pull requests | 100     |
 | `CODEFLOW_VOLUME_CHECKIN` | Volume for pushes        | 50      |
 | `CODEFLOW_VOLUME_DEV`     | Volume for development   | 200     |
 
 ### Environment Variables
 
-| Variable                  | Description               | Default |
-| ------------------------- | ------------------------- | ------- |
-| `PYTHON_VERSION`          | Python version to use     | 3.13    |
+| Variable                    | Description               | Default |
+| --------------------------- | ------------------------- | ------- |
+| `PYTHON_VERSION`            | Python version to use     | 3.13    |
 | `CODEFLOW_PRECOMMIT_VOLUME` | Pre-commit volume         | 100     |
 | `CODEFLOW_BG_BATCH`         | Background fix batch size | 30      |
 

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,17 +1,17 @@
 name: CI

 on:
   workflow_dispatch:
   push:
-    branches: [ master, develop ]
+    branches: [master, develop]
     paths:
-      - 'engine/**'
-      - '.github/workflows/ci.yml'
+      - "engine/**"
+      - ".github/workflows/ci.yml"
   pull_request:
-    branches: [ master, develop ]
+    branches: [master, develop]
     paths:
-      - 'engine/**'
-      - '.github/workflows/ci.yml'
+      - "engine/**"
+      - ".github/workflows/ci.yml"
 
 jobs:
   test:
@@ -21,92 +21,91 @@
         working-directory: engine
     strategy:
       matrix:
-        python-version: ['3.12', '3.13']
-    
+        python-version: ["3.12", "3.13"]
+
     steps:
-    - uses: actions/checkout@v4
-    
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
-      with:
-        python-version: ${{ matrix.python-version }}
-        cache: 'pip'
-    
-    - name: Install Poetry
-      uses: snok/install-poetry@v1
-      with:
-        version: latest
-        virtualenvs-create: true
-        virtualenvs-in-project: true
-    
-    - name: Install dependencies
-      run: |
-        poetry install --with dev --no-root
-    
-    - name: Install package
-      run: poetry install --no-dev
-    
-    - name: Run tests with coverage
-      run: |
-        poetry run pytest --cov=codeflow_engine --cov-report=xml --cov-report=term --cov-report=html
-    
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v4
-      with:
-        file: ./engine/coverage.xml
-        flags: unittests
-        name: codecov-umbrella
-        fail_ci_if_error: false
-        token: ${{ secrets.CODECOV_TOKEN }}
-    
-    - name: Check coverage threshold
-      run: |
-        poetry run coverage report --fail-under=70 || echo "Coverage below 70% - this is a warning, not a failure"
-    
-    - name: Upload coverage HTML report
-      uses: actions/upload-artifact@v4
-      if: always()
-      with:
-        name: coverage-report-${{ matrix.python-version }}
-        path: engine/htmlcov/
-    
-    - name: Run linting
-      run: |
-        poetry run ruff check .
-        poetry run mypy codeflow_engine
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          version: latest
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Install dependencies
+        run: |
+          poetry install --with dev --no-root
+
+      - name: Install package
+        run: poetry install --no-dev
+
+      - name: Run tests with coverage
+        run: |
+          poetry run pytest --cov=codeflow_engine --cov-report=xml --cov-report=term --cov-report=html
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./engine/coverage.xml
+          flags: unittests
+          name: codecov-umbrella
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Check coverage threshold
+        run: |
+          poetry run coverage report --fail-under=70 || echo "Coverage below 70% - this is a warning, not a failure"
+
+      - name: Upload coverage HTML report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: coverage-report-${{ matrix.python-version }}
+          path: engine/htmlcov/
+
+      - name: Run linting
+        run: |
+          poetry run ruff check .
+          poetry run mypy codeflow_engine
 
   build:
     runs-on: ubuntu-latest
     needs: test
     defaults:
       run:
         working-directory: engine
-    
+
     steps:
-    - uses: actions/checkout@v4
-
-    - name: Set up Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: '3.12'
-        cache: 'pip'
-
-    - name: Install Poetry
-      uses: snok/install-poetry@v1
-      with:
-        version: latest
-        virtualenvs-create: true
-        virtualenvs-in-project: true
-
-    - name: Build package
-      run: poetry build
-
-    - name: Check package
-      run: poetry check
-
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v4
-      with:
-        name: engine-dist
-        path: engine/dist/*
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: "pip"
+
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          version: latest
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Build package
+        run: poetry build
+
+      - name: Check package
+        run: poetry check
 
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: engine-dist
+          path: engine/dist/*
diff --git a/.github/workflows/deploy-autopr-engine.yml b/.github/workflows/deploy-autopr-engine.yml
@@ -1,19 +1,19 @@
 name: Build and Deploy CodeFlow Engine

 on:
  push:
     branches:
       - master
     paths:
-      - 'engine/**'
-      - '.github/workflows/deploy-autopr-engine.yml'
-      - '.github/app-manifest.yml'
+      - "engine/**"
+      - ".github/workflows/deploy-autopr-engine.yml"
+      - ".github/app-manifest.yml"
   pull_request:
     paths:
-      - 'engine/**'
-      - '.github/workflows/deploy-autopr-engine.yml'
-      - '.github/app-manifest.yml'
-      - '.codeflow.yml'
+      - "engine/**"
+      - ".github/workflows/deploy-autopr-engine.yml"
+      - ".github/app-manifest.yml"
+      - ".codeflow.yml"
   workflow_dispatch:
 
 env:
@@ -151,7 +151,7 @@
              echo "Using existing postgres password from secrets"
              echo "postgres_password=${{ secrets.CODEFLOW_POSTGRES_PASSWORD }}" >> $GITHUB_OUTPUT
            else
              echo "::warning::CODEFLOW_POSTGRES_PASSWORD secret not set. Using generated password (may break existing DB)."
              echo "postgres_password=$(openssl rand -base64 32)" >> $GITHUB_OUTPUT
            fi

@@ -160,7 +160,7 @@
              echo "redis_password=${{ secrets.CODEFLOW_REDIS_PASSWORD }}" >> $GITHUB_OUTPUT
            else
              # Redis password can be retrieved from Azure
              REDIS_KEY=$(az redis list-keys -n prod-codeflow-san-redis -g $RESOURCE_GROUP --query primaryKey -o tsv 2>/dev/null || echo "")
              if [ -n "$REDIS_KEY" ]; then
                echo "Retrieved redis password from Azure"
                echo "redis_password=$REDIS_KEY" >> $GITHUB_OUTPUT
@@ -181,7 +181,7 @@
            REDIS_PWD=$(openssl rand -base64 32)
            echo "postgres_password=$POSTGRES_PWD" >> $GITHUB_OUTPUT
            echo "redis_password=$REDIS_PWD" >> $GITHUB_OUTPUT
            echo "::notice::Save these credentials to GitHub secrets for future deployments: CODEFLOW_POSTGRES_LOGIN, CODEFLOW_POSTGRES_PASSWORD, CODEFLOW_REDIS_PASSWORD"
          fi

      - name: Cleanup duplicate managed certificates
@@ -189,29 +189,29 @@
           RESOURCE_GROUP="prod-rg-san-codeflow"
           ENV_NAME="prod-codeflow-san-env"
           CUSTOM_DOMAIN="app.codeflow.io"
-          
+
           echo "[*] Checking for existing managed certificates for domain: $CUSTOM_DOMAIN"
-          
+
           # Check if environment exists
           if az containerapp env show -n $ENV_NAME -g $RESOURCE_GROUP &>/dev/null; then
             echo "Environment exists, checking for duplicate certificates..."

            # List all managed certificates and find duplicates for our domain
            CERTS=$(az containerapp env certificate list \
              --name $ENV_NAME \
              --resource-group $RESOURCE_GROUP \
              --output json 2>/dev/null || echo "[]")

            # Check if any certificates match our domain
            DUPLICATE_CERTS=$(echo "$CERTS" | jq -r --arg domain "$CUSTOM_DOMAIN" \
              '.[] | select(.properties.subjectName == $domain and .type == "Microsoft.App/managedEnvironments/managedCertificates") | .name')

            if [ -n "$DUPLICATE_CERTS" ]; then
              echo "[!] Found duplicate managed certificate(s) for domain $CUSTOM_DOMAIN:"
              echo "$DUPLICATE_CERTS"
              echo ""
              echo "[*] Removing duplicate certificates to prevent deployment conflicts..."

              while IFS= read -r cert_name; do
                if [ -n "$cert_name" ]; then
                  echo "Deleting certificate: $cert_name"
@@ -259,7 +259,7 @@
             --name codeflow-engine \
             --query properties.outputs \
             --output json)
-          
+
           echo "container_app_url=$(echo $OUTPUTS | jq -r '.containerAppUrl.value')" >> $GITHUB_OUTPUT
           echo "custom_domain=$(echo $OUTPUTS | jq -r '.customDomain.value')" >> $GITHUB_OUTPUT
           echo "postgres_fqdn=$(echo $OUTPUTS | jq -r '.postgresFqdn.value')" >> $GITHUB_OUTPUT
@@ -281,4 +281,3 @@
           echo "3. Azure will automatically provision and bind the SSL certificate (5-15 minutes)"
           echo ""
           echo "[*] For troubleshooting, see: infrastructure/bicep/FAQ.md"
-
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,16 +1,16 @@
 name: Lint
 
 on:
   push:
-    branches: [ master, develop ]
+    branches: [master, develop]
     paths:
-      - 'engine/**'
-      - '.github/workflows/lint.yml'
+      - "engine/**"
+      - ".github/workflows/lint.yml"
   pull_request:
-    branches: [ master, develop ]
+    branches: [master, develop]
     paths:
-      - 'engine/**'
-      - '.github/workflows/lint.yml'
+      - "engine/**"
+      - ".github/workflows/lint.yml"
 
 jobs:
   ruff:
@@ -21,26 +21,26 @@
         working-directory: engine
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
-          cache: 'pip'
-      
+          python-version: "3.12"
+          cache: "pip"
+
       - name: Install Poetry
         uses: snok/install-poetry@v1
         with:
           version: latest
           virtualenvs-create: true
           virtualenvs-in-project: true
-      
+
       - name: Install dependencies
         run: poetry install --with dev --no-root
-      
+
       - name: Run Ruff
         run: poetry run ruff check .
-      
+
       - name: Run Ruff format check
         run: poetry run ruff format --check .
 
@@ -52,23 +52,22 @@
         working-directory: engine
     steps:
       - uses: actions/checkout@v4
-      
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
-          cache: 'pip'
-      
+          python-version: "3.12"
+          cache: "pip"
+
       - name: Install Poetry
         uses: snok/install-poetry@v1
         with:
           version: latest
           virtualenvs-create: true
           virtualenvs-in-project: true
-      
+
       - name: Install dependencies
         run: poetry install --with dev --no-root
-      
+
       - name: Run MyPy
         run: poetry run mypy codeflow_engine --ignore-missing-imports
-