Walkthrough

Adds execution tracing and replay capabilities: a new replay module and ExecutionRecorder, DB schema additions, ReactAgent integration to record traces, CLI commands for replay/diff/export/rerun, and comprehensive unit and integration tests.

Changes

Sequence Diagram(s)

sequenceDiagram
    participant Agent as ReactAgent
    participant Recorder as ExecutionRecorder
    participant DB as Workspace (SQLite)
    participant CLI as Replay CLI

    Agent->>Recorder: record_iteration(step_number, tools, summary)
    Note over Recorder: Buffer ExecutionStep
    Agent->>Recorder: record_llm_call(step_id, prompt, response, model, tokens)
    Note over Recorder: Buffer LLMInteraction
    Agent->>Recorder: record_file_operation(step_id, op_type, path, before, after)
    Note over Recorder: Buffer FileOperation
    Agent->>Recorder: flush()
    Recorder->>DB: save_execution_step(step)
    Recorder->>DB: save_llm_interaction(interaction)
    Recorder->>DB: save_file_operation(operation)

    CLI->>DB: load_execution_trace(run_id)
    DB-->>CLI: ExecutionTrace
    CLI->>CLI: ReplaySession.navigate(step)
    CLI->>DB: get_step_snapshot(run_id, step_number)
    DB-->>CLI: file_state

sequenceDiagram
    participant CLI as Replay Commands
    participant Session as ReplaySession
    participant DB as Trace Data
    participant Formatter as Export/Display

    CLI->>DB: load_execution_trace(run_id)
    DB-->>Session: ExecutionTrace

    alt work_replay
        Session->>Formatter: Format step with LLM/files
        Formatter-->>CLI: Display output
    else work_diff
        CLI->>DB: compare_steps(from_step, to_step)
        DB-->>CLI: Changes dict
        Formatter->>CLI: Unified diff
    else work_export_trace
        Formatter->>Formatter: export_trace_json() / export_trace_markdown()
        Formatter-->>CLI: JSON/Markdown output
    else work_rerun
        CLI->>DB: prepare_rerun(run_id, from_step)
        DB-->>CLI: File state + metadata
        Formatter->>CLI: Render checkpoint state
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through traces, prompt and file,

Saved each step and paused to smile,
Replay the tale, diff every line,
Rerun from checkpoints, past to refine,
Crunching traces, carrot in paw — what a find!

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Review: feat(replay): debug and replay mode (PR 315)

Good feature addition overall - the architecture is clean and follows the repo headless core pattern. Here are my findings:

Bugs

1. Data loss in ExecutionRecorder.flush() - critical

In codeframe/core/replay.py, the flush() method clears the buffers in a finally block, which runs even when the DB write fails. The try/except/finally structure means if save_execution_step raises, the exception is caught and logged at DEBUG, then finally clears all three buffers - permanently losing data. The clear should be inside the try block so it only runs on success.

2. Incorrect file state reconstruction for edit_file operations

In codeframe/core/react_agent.py, the recorder captures new_text as content_after for edit_file operations. But new_text in the search-replace editor is the replacement snippet, not the full file content. get_step_snapshot() replays file operations by setting file_state[path] = op.content_after, so it reconstructs the file as just the replaced fragment. This means cf work diff and cf work rerun will produce incorrect file states for any run that used edit_file. The fix is to read the actual file content from disk after the edit completes, rather than capturing the tool input argument.

Code Issues

3. format parameter shadows Python builtin

In work_export_trace (cli/app.py), the parameter format: str = typer.Option(...) shadows the Python builtin. Rename to output_format or fmt.

4. cf work rerun is misleadingly named

The command prepares a rerun (shows file state and remaining steps) but does not actually execute anything. Given cf work start starts execution, users will expect cf work rerun to do the same. Either rename to something like cf work inspect-step, or add a --execute flag consistent with the cf work start UX.

5. Silent trace degradation on flush failure

Flush failures in react_agent.py are logged at DEBUG. If tracing silently fails, cf work replay will show an empty/partial trace with no user-visible explanation. Raise this to WARNING level.

Performance Consideration

6. Full file content stored in SQLite TEXT columns

For large source files, storing full before/after content in file_operations could bloat the database significantly over time. Consider adding a size cap (e.g., skip content capture if file exceeds 100KB) or tracking this as a follow-up issue.

Minor Observations

• ReplaySession is well-designed and testable, but none of the CLI commands currently use it - they build their own step lookups inline. Fine for now since the interactive REPL loop is deferred, but worth noting for when that mode is added.
• The load_execution_trace fallback returning task_id=unknown is useful for tests but could surface confusingly in production if a run record is missing.
• Test coverage looks solid - 78 new tests across unit, integration, and CLI layers is the right approach for a new feature of this scope.

Summary

The architecture is sound and the core pattern (headless module, thin CLI adapter, buffered recorder) is well-executed. Two items should be addressed before merging:

1. flush() data loss bug - buffer cleared in finally, so failures silently drop trace data
2. edit_file state reconstruction bug - new_text is a snippet, not the full post-edit file content; cf work diff and cf work rerun will reconstruct wrong state

TEST

CodeFRAME Development Guidelines

Last updated: 2026-03-09

Product Vision

CodeFrame is a project delivery system: Think → Build → Prove → Ship.

It owns the edges of the AI coding pipeline — everything BEFORE code gets written (PRD, specification, task decomposition) and everything AFTER (verification gates, quality memory, deployment). The actual code writing is delegated to frontier coding agents (Claude Code, Codex, OpenCode) that are better at it than any custom agent.

CodeFrame does not compete with coding agents. It orchestrates them.

THINK:  cf prd generate → cf prd stress-test → cf tasks generate
BUILD:  cf work start --engine claude-code  (or codex, opencode, built-in)
PROVE:  cf proof run  (9-gate evidence-based quality system)
SHIP:   cf pr create → cf pr merge
LOOP:   Glitch → cf proof capture → New REQ → Enforced forever

Status: Phase 1 ✅ | Phase 2 ✅ | Phase 2.5 ✅ — CLI workflow, server layer, and ReAct agent complete. Agent adapter architecture (#408) and PROOF9 quality system (#422) are next priorities. See docs/V2_STRATEGIC_ROADMAP.md for the full plan.

If you are an agent working in this repo: do not improvise architecture. Follow the documents listed below.

Primary Contract (MUST FOLLOW)

1. Golden Path: docs/GOLDEN_PATH.md
   The only workflow we build until it works end-to-end.

2. Refactor Plan: docs/REFACTOR_PLAN_FOR_AGENT.md
   Step-by-step refactor instructions.

3. Command Tree + Module Mapping: docs/CLI_WIREFRAME.md
   The authoritative map from CLI commands → core modules/functions.

4. Agent Implementation: docs/AGENT_IMPLEMENTATION_TASKS.md
   Tracks the agent system components (all complete).

5. Strategic Roadmap: docs/V2_STRATEGIC_ROADMAP.md
   5-phase plan from CLI to multi-agent.

Rule 0: If a change does not directly support the Think → Build → Prove → Ship pipeline, do not implement it.

Strategic Priority (Phase 4)

The next major architectural work is the Agent Adapter Architecture (#408):

• Define AgentAdapter protocol so any coding agent can be an execution engine
• CodeFrame's built-in ReactAgent becomes the fallback, not the primary
• Verification gates and self-correction wrap ALL engines uniformly
• See issues [Phase 4] Agent Adapter Architecture: Delegate to Frontier Coding Agents #408-[Phase 4] Kilocode Engine Adapter (VS Code Extension Protocol) #417 for the full breakdown

Current Reality (Phase 1, 2 & 2.5 Complete)

What's Working Now

• Full agent execution: cf work start <task-id> --execute (uses ReAct engine by default)
• Engine selection: --engine react (default) or --engine plan (legacy)
• Verbose mode: cf work start <task-id> --execute --verbose shows detailed progress
• Dry run mode: cf work start <task-id> --execute --dry-run
• Self-correction loop: Agent automatically fixes failing verification gates (up to 5 attempts with ReAct)
• FAILED task status: Tasks can transition to FAILED for proper error visibility
• Tech stack configuration: cf init . --detect auto-detects tech stack from project files
• Project preferences: Agent loads AGENTS.md or CLAUDE.md for per-project configuration
• Stall detection: Thread-based monitor with configurable recovery (--stall-action blocker|retry|fail)
• Blocker detection: Agent creates blockers when stuck
• Verification gates: Ruff/pytest checks after file changes
• State persistence: Pause/resume across sessions
• Batch execution: cf work batch run with serial/parallel/auto strategies
• Task dependencies: depends_on field with dependency graph analysis
• LLM dependency inference: --strategy auto analyzes task descriptions
• Automatic retry: --retry N for failed task recovery
• Batch resume: Re-run failed/blocked tasks from previous batches
• Task scheduling: cf schedule show/predict/bottlenecks with CPM-based scheduling
• Task templates: cf templates list/show/apply with 7 builtin templates
• Effort estimation: Tasks support estimated_hours field for scheduling
• Environment validation: cf env check/install/doctor validates tools and dependencies
• GitHub PR workflow: cf pr create/status/checks/merge for PR management
• Task self-diagnosis: cf work diagnose <task-id> analyzes failed tasks
• 70+ integration tests: Comprehensive CLI test coverage
• REST API: Full v2 API with 15 router modules (see Phase 2 below)
• API authentication: API key auth with scopes (read/write/admin)
• Rate limiting: Configurable per-endpoint rate limits
• Real-time streaming: SSE for task execution events
• OpenAPI documentation: Full Swagger/ReDoc at /docs and /redoc

v2 Architecture (current)

• Core-first: Domain logic lives in codeframe/core/ (headless, no FastAPI imports)
• CLI-first: Golden Path works without any running FastAPI server
• Adapters: LLM providers in codeframe/adapters/llm/
• Server/UI optional: FastAPI and UI are thin adapters over core

v1 Legacy

• FastAPI server + WebSockets + React/Next.js dashboard retained for reference
• Do not build toward v1 patterns during Golden Path work

Repository Structure

codeframe/
├── core/                    # Headless domain + orchestration (NO FastAPI imports)
│   ├── react_agent.py      # ReAct agent (default engine) - observe-think-act loop
│   ├── tools.py            # Tool definitions for ReAct agent (7 tools)
│   ├── editor.py           # Search-replace file editor with fuzzy matching
│   ├── agent.py            # Legacy plan-based agent (--engine plan)
│   ├── planner.py          # LLM-powered implementation planning (plan engine)
│   ├── executor.py         # Code execution engine with rollback (plan engine)
│   ├── context.py          # Task context loader with relevance scoring
│   ├── tasks.py            # Task management with depends_on field
│   ├── blockers.py         # Human-in-the-loop blocker system
│   ├── runtime.py          # Run lifecycle management
│   ├── conductor.py        # Batch orchestration with worker pool
│   ├── dependency_graph.py # DAG operations and execution planning
│   ├── dependency_analyzer.py # LLM-based dependency inference
│   ├── gates.py            # Verification gates (ruff, pytest, BUILD)
│   ├── fix_tracker.py      # Fix attempt tracking for loop prevention
│   ├── quick_fixes.py      # Pattern-based fixes without LLM
│   ├── agents_config.py    # AGENTS.md/CLAUDE.md preference loading
│   ├── workspace.py        # Workspace initialization
│   ├── prd.py              # PRD management
│   ├── events.py           # Event emission
│   ├── state_machine.py    # Task status transitions
│   ├── environment.py      # Environment validation and tool detection
│   ├── installer.py        # Automatic tool installation
│   ├── diagnostics.py      # Failed task analysis
│   ├── diagnostic_agent.py # AI-powered task diagnosis
│   ├── credentials.py      # API key and credential management
│   ├── stall_detector.py   # Synchronous stall detector + StallAction enum + StallDetectedError
│   ├── stall_monitor.py    # Thread-based stall watchdog with callback
│   ├── streaming.py        # Real-time output streaming for cf work follow
│   └── ...
├── adapters/
│   └── llm/                # LLM provider adapters
│       ├── base.py         # Protocol + ModelSelector + Purpose enum
│       ├── anthropic.py    # Anthropic Claude provider
│       └── mock.py         # Mock provider for testing
├── cli/
│   └── app.py              # Typer CLI entry + subcommands
├── ui/                     # FastAPI server (Phase 2 - thin adapter over core)
│   ├── server.py           # FastAPI app with OpenAPI configuration
│   ├── models.py           # Pydantic request/response models
│   ├── dependencies.py     # Shared dependencies (workspace, auth)
│   └── routers/            # API route handlers
│       ├── blockers_v2.py  # Blocker CRUD
│       ├── tasks_v2.py     # Task management + streaming
│       ├── prd_v2.py       # PRD management + versioning
│       ├── workspace_v2.py # Workspace init and status
│       ├── batches_v2.py   # Batch execution
│       ├── streaming_v2.py # SSE event streaming
│       ├── api_key_v2.py   # API key management
│       └── ...             # 15 router modules total
├── lib/                    # Shared utilities
│   ├── rate_limiter.py     # SlowAPI rate limiting
│   └── audit_logger.py     # Request audit logging
├── auth/                   # Authentication
│   ├── api_key_service.py  # API key creation/validation
│   └── dependencies.py     # Auth dependencies
├── config/
│   └── rate_limits.py      # Rate limit configuration
└── server/                 # Legacy server code (reference only)

web-ui/                     # Frontend (legacy, reference only)
tests/
├── core/                   # Core module tests
│   ├── test_agent.py
│   ├── test_executor.py
│   ├── test_planner.py
│   ├── test_context.py
│   ├── test_conductor.py
│   ├── test_dependency_graph.py
│   ├── test_dependency_analyzer.py
│   ├── test_task_dependencies.py
│   └── ...
└── adapters/
    └── test_llm.py

Architecture Rules (non-negotiable)

1) Core must be headless

codeframe/core/** must NOT import:

• FastAPI
• WebSocket frameworks
• HTTP request/response objects
• UI modules

Core is allowed to:

• read/write durable state (SQLite/filesystem)
• run orchestration/worker loops
• emit events to an append-only event log
• call adapters via interfaces (LLM, git, fs)

2) CLI must not require a server

Golden Path commands must work from the CLI with no server running.

FastAPI is optional and must be started explicitly (e.g., codeframe serve) and must wrap core.

3) Agent state transitions flow through runtime

Critical pattern discovered during implementation:

• Agent (agent.py) manages its own AgentState (IDLE, PLANNING, EXECUTING, BLOCKED, COMPLETED, FAILED)
• Runtime (runtime.py) handles all TaskStatus transitions (BACKLOG, READY, IN_PROGRESS, DONE, BLOCKED)
• Agent does NOT call tasks.update_status() - runtime does this based on agent state

This separation prevents duplicate state transitions (e.g., DONE→DONE, BLOCKED→BLOCKED errors).

4) Legacy can be read, not depended on

Legacy code is reference material.

• Copy/simplify logic into core when useful
• Do NOT import legacy UI/server modules into core
• Do NOT "fix the UI" during Golden Path work

5) Keep commits runnable

At all times:

• codeframe --help works
• Golden Path command stubs can run
• Avoid breaking the repo with large renames/moves

Agent System Architecture

Components

Model Selection Strategy

Task-based heuristic via Purpose enum:

• PLANNING → claude-sonnet-4-20250514 (complex reasoning)
• EXECUTION → claude-sonnet-4-20250514 (balanced)
• GENERATION → claude-haiku-4-20250514 (fast/cheap)

Future: cf tasks set provider <id> <provider> for per-task override.

Engine Selection

CodeFRAME supports two execution engines, selected via --engine:

Execution Flow (ReAct — default)

cf work start <id> --execute [--verbose]
    │
    ├── runtime.start_task_run()      # Creates run, transitions task→IN_PROGRESS
    │
    └── runtime.execute_agent(engine="react")
            │
            └── ReactAgent.run(task_id)
                ├── Load context (PRD, codebase, blockers, AGENTS.md, tech_stack)
                ├── Build layered system prompt
                │
                └── Tool-use loop (until complete/blocked/failed):
                    ├── Check stall detector (configurable: retry/blocker/fail)
                    ├── LLM decides next action (tool call)
                    ├── Execute tool: read_file, edit_file, create_file,
                    │   run_command, run_tests, search_codebase, list_files
                    ├── Observe result → feed back to LLM
                    ├── Record activity (resets stall timer)
                    ├── Incremental verification (ruff after file changes)
                    └── Token budget management (3-tier compaction)
                │
                └── Final verification with self-correction (up to 5 retries)
                │
                └── Update run/task status based on agent result
                    ├── COMPLETED → complete_run() → task→DONE
                    ├── BLOCKED → block_run() → task→BLOCKED
                    └── FAILED → fail_run() → task→FAILED

Execution Flow (Plan — legacy, --engine plan)

cf work start <id> --execute --engine plan
    │
    ├── runtime.start_task_run()
    │
    └── runtime.execute_agent(engine="plan")
            │
            ├── agent.run(task_id)
            │   ├── Load context (PRD, codebase, blockers, AGENTS.md)
            │   ├── Create plan via LLM
            │   ├── Execute steps (file create/edit, shell commands)
            │   ├── Run incremental verification (ruff)
            │   ├── Detect blockers (consecutive failures, missing files)
            │   └── Run final verification with SELF-CORRECTION LOOP:
            │       ├── Run all gates (pytest, ruff)
            │       ├── If failed: _attempt_verification_fix()
            │       │   ├── Try ruff --fix for quick lint fixes
            │       │   ├── Use LLM to generate fix plan from errors
            │       │   └── Execute fix steps
            │       └── Retry up to max_attempts (default: 3)
            │
            └── Update run/task status based on agent result
                ├── COMPLETED → complete_run() → task→DONE
                ├── BLOCKED → block_run() → task→BLOCKED
                └── FAILED → fail_run() → task→FAILED

Commands (v2 CLI)

Python (preferred)

Use uv for Python tasks:

uv run pytest
uv run pytest tests/core/  # Core module tests only
uv run ruff check .

CLI (Golden Path)

# Workspace
cf init <repo>                                    # Initialize workspace
cf init <repo> --detect                           # Initialize + auto-detect tech stack
cf init <repo> --tech-stack "Python with uv"      # Initialize + explicit tech stack
cf init <repo> --tech-stack-interactive           # Initialize + interactive setup
cf status

# PRD
cf prd add <file.md>
cf prd show

# Tasks
cf tasks generate          # Uses LLM to generate from PRD
cf tasks list
cf tasks list --status READY
cf tasks show <id>

# Work execution (single task)
cf work start <task-id>                    # Creates run record
cf work start <task-id> --execute          # Runs AI agent (ReAct engine, default)
cf work start <task-id> --execute --engine plan  # Use legacy plan engine
cf work start <task-id> --execute --verbose  # With detailed output
cf work start <task-id> --execute --dry-run  # Preview changes
cf work start <task-id> --execute --stall-timeout 120  # Custom stall timeout (0=disabled)
cf work start <task-id> --execute --stall-action retry  # Recovery: blocker|retry|fail
cf work stop <task-id>                     # Cancel stale run
cf work resume <task-id>                   # Resume blocked work
cf work follow <task-id>                   # Stream real-time output
cf work follow <task-id> --tail 50         # Show last 50 lines then stream

# Batch execution (multiple tasks)
cf work batch run <id1> <id2> ...          # Execute multiple tasks (ReAct default)
cf work batch run --all-ready              # All READY tasks
cf work batch run --all-ready --engine plan  # Use legacy plan engine
cf work batch run --strategy serial        # Serial (default)
cf work batch run --strategy parallel      # Parallel execution
cf work batch run --strategy auto          # LLM-inferred dependencies
cf work batch run --max-parallel 4         # Concurrent limit
cf work batch run --retry 3               # Auto-retry failures
cf work batch status [batch_id]            # Show batch status
cf work batch cancel <batch_id>            # Cancel running batch
cf work batch resume <batch_id>            # Re-run failed tasks

# Blockers
cf blocker list
cf blocker show <id>
cf blocker answer <id> "answer"

# Quality
cf review
cf patch export
cf commit

# State
cf checkpoint create "name"
cf checkpoint list
cf checkpoint restore <id>
cf summary

# Environment validation
cf env check                     # Validate tools and dependencies
cf env install                   # Install missing tools
cf env doctor                    # Comprehensive environment health check

# GitHub PR workflow
cf pr create                     # Create PR from current branch
cf pr status                     # Show PR status
cf pr checks                     # Show CI check results
cf pr merge                      # Merge approved PR

# Diagnostics
cf work diagnose <task-id>       # AI-powered analysis of failed tasks

Note: codeframe serve exists but Golden Path does not depend on it.

Frontend (legacy)

cd web-ui && npm test
cd web-ui && npm run build

Do not expand frontend scope during Golden Path work.

Documentation Navigation

Authoritative (v2)

• docs/GOLDEN_PATH.md - CLI-first workflow contract
• docs/REFACTOR_PLAN_FOR_AGENT.md - Step-by-step refactor instructions
• docs/CLI_WIREFRAME.md - Command → module mapping
• docs/AGENT_IMPLEMENTATION_TASKS.md - Agent system components
• docs/V2_STRATEGIC_ROADMAP.md - 5-phase plan from CLI to multi-agent

Agent Architecture (Phase 2.5)

• docs/AGENT_V3_UNIFIED_PLAN.md - ReAct architecture design and rules
• docs/REACT_AGENT_ARCHITECTURE.md - Deep-dive: tools, editor, token management
• docs/REACT_AGENT_ANALYSIS.md - Golden path test run analysis

API Documentation (Phase 2)

• /docs - Swagger UI (interactive API explorer)
• /redoc - ReDoc (readable API documentation)
• /openapi.json - OpenAPI 3.1 specification
• docs/PHASE_2_DEVELOPER_GUIDE.md - Server layer implementation guide
• docs/PHASE_2_CLI_API_MAPPING.md - CLI to API endpoint mapping

Legacy (v1 reference only)

These describe old server/UI-driven architecture:

• SPRINTS.md, sprints/
• specs/
• CODEFRAME_SPEC.md
• v1 feature docs (context/session/auth/UI state management)

What NOT to do (common agent failure modes)

• Don't add new HTTP endpoints to support the CLI
• Don't require codeframe serve for CLI workflows
• Don't implement UI concepts (tabs, panels, progress bars) inside core
• Don't redesign auth, websockets, or UI state management
• Don't add multi-providers/model switching features before Golden Path works
• Don't "clean up the repo" as a goal - only refactor to enable Golden Path
• Don't update task status from agent.py - let runtime handle transitions

Testing / Demoing CodeFRAME on Sample Projects

When running uv run cf commands against a sample project (e.g., cf-test/) to test or demo CodeFRAME's capabilities, you are observing the CodeFRAME agent's work, not doing the work yourself.

Rules for testing/demo mode:

• You are evaluating how well the CodeFRAME agent (ReAct or Plan engine) builds the project
• Do NOT help out, fix errors, or write code on behalf of the CodeFRAME agent
• Do NOT intervene when the agent makes mistakes — that's data
• Your job is to report the process: what worked, what failed, how close the agent got
• Document the agent's output, errors encountered, and final state
• Assess completion against the PRD/acceptance criteria objectively
• If the agent gets stuck or fails, report that as a finding — don't rescue it

This applies when using commands like cf work start <id> --execute, cf work batch run, or any command that triggers the AI agent to do implementation work on a target project.

Practical Working Mode for Agents

When implementing anything, do this loop:

1. Read docs/GOLDEN_PATH.md and confirm the change is required
2. Find the command in docs/CLI_WIREFRAME.md
3. Implement core functionality in codeframe/core/
4. Call it from Typer command in codeframe/cli/
5. Emit events + persist state
6. Keep it runnable. Commit.

If you are unsure which direction to take, default to:

• simpler state
• fewer dependencies
• smaller surface area
• core-first, CLI-first

Recent Updates (2026-03-09)

Stall Detection System (#399, #400, #401)

Complete stall detection and configurable recovery for agent execution:

Components:

• StallMonitor (core/stall_monitor.py) — Thread-based watchdog polling every 5s
• StallDetector (core/stall_detector.py) — Synchronous time-tracking primitive
• StallAction enum — Recovery strategy: RETRY, BLOCKER, FAIL
• StallDetectedError — Exception for RETRY path (propagates to runtime for retry)

CLI flags:

• --stall-timeout N — Seconds without tool activity before stall (default: 300, 0=disabled)
• --stall-action {blocker,retry,fail} — Recovery action (default: blocker)
• Both flags available on cf work start and cf work batch run

Recovery flow:

• BLOCKER (default): Creates informative blocker, task → BLOCKED
• RETRY: Raises StallDetectedError, runtime retries once with fresh agent
• FAIL: Task transitions directly to FAILED

Config: agent_budget.stall_timeout_s in .codeframe/config.yaml (0 = disabled)

Phase 2.5 Complete: ReAct Agent Architecture (#355)

Default execution engine switched from plan-based to ReAct (Reasoning + Acting).

What changed:

• Default engine is now "react" — all cf work start --execute and cf work batch run commands use ReactAgent
• Legacy plan engine available via --engine plan flag
• ReactAgent uses iterative tool-use loop (observe → think → act) instead of plan-all-then-execute
• 7 structured tools: read_file, edit_file, create_file, run_command, run_tests, search_codebase, list_files
• Search-replace editing with 4-level fuzzy matching (exact → whitespace-normalized → indentation-agnostic → fuzzy)
• Token budget management with 3-tier compaction
• Adaptive iteration budget based on task complexity

Phase 2.5 deliverables:

• ✅ ReAct agent implementation (core/react_agent.py, core/tools.py, core/editor.py)
• ✅ CLI --engine flag ([Phase 2.5-F] End-to-end CLI validation with cf-test project #353)
• ✅ API engine parameter ([Phase 2.5-F] Verify ReAct engine works via API routes #354)
• ✅ Default switch to react + documentation ([Phase 2.5-F] Switch default engine to react and update documentation #355)

Phase 2 Complete: Server Layer (2026-02-03)

Phase 2 deliverables completed:

• ✅ Server audit and refactor ([Phase 2] Server audit and refactor - routes delegating to core modules #322) - 15 v2 routers following thin adapter pattern
• ✅ API key authentication (feat(auth): add API key authentication for CLI and REST API #326) - Scopes: read/write/admin
• ✅ Rate limiting (feat(security): add API rate limiting with slowapi #327) - Configurable per-endpoint with Redis support
• ✅ Real-time SSE streaming (feat(streaming): add real-time SSE events for task execution #328) - /api/v2/tasks/{id}/stream
• ✅ OpenAPI documentation ([Phase 2] Complete OpenAPI documentation for all endpoints #119) - Full Swagger/ReDoc with examples

Server Architecture (Phase 2)

Pattern: Thin adapter over core - server routes delegate to core.* modules.

CLI (typer) ─┬── core.* ─── adapters.*
             │
Server (fastapi) ─┘

V2 Router Modules (15 total):

API Authentication:

# Create API key
cf auth api-key-create --name "my-key" --scopes read,write

# Use in requests
curl -H "X-API-Key: cf_..." https://api.example.com/api/v2/tasks

Rate Limiting:

• Default: 100 requests/minute (standard endpoints)
• Auth endpoints: 10/minute
• AI endpoints: 20/minute
• Configurable via RATE_LIMIT_* environment variables

OpenAPI Documentation:

• Swagger UI: /docs
• ReDoc: /redoc
• OpenAPI JSON: /openapi.json

Previous Updates (2026-01-29)

V2 Strategic Roadmap Established

Created comprehensive 5-phase roadmap in docs/V2_STRATEGIC_ROADMAP.md.

Phase 1 Complete: CLI Foundation

All Phase 1 priorities completed:

• ✅ cf prd generate - Socratic PRD discovery ([Phase 1] cf prd generate - Interactive AI PRD creation (Socratic Discovery) #307)
• ✅ cf work follow - Live execution streaming ([Phase 1] cf work follow - Live execution streaming #308)
• ✅ Integration tests for credential/env modules ([Phase 1] Integration tests for credential and environment modules #309)
• ✅ PRD template system ([Phase 1] PRD template system for customizable output formats #316)

Environment Validation (cf env)

New commands for validating development environment:

cf env check              # Validate required tools (git, uv, ruff, pytest)
cf env install            # Install missing tools automatically
cf env doctor             # Comprehensive environment health check

Modules:

• core/environment.py - Tool detection and validation
• core/installer.py - Cross-platform tool installation

GitHub PR Workflow (cf pr)

Streamlined PR management without leaving the CLI:

cf pr create              # Create PR from current branch
cf pr status              # Show PR status and review state
cf pr checks              # Show CI check results
cf pr merge               # Merge approved PR

Task Self-Diagnosis (cf work diagnose)

AI-powered analysis of failed tasks:

cf work diagnose <task-id>   # Analyze why a task failed

Modules:

• core/diagnostics.py - Failed task analysis
• core/diagnostic_agent.py - AI-powered diagnosis

Bug Fixes

• [Phase 1] Backend: NoneType error accessing search_pattern during task execution #265: Fixed NoneType error in codebase_index.search_pattern() - added null check
• [Phase 1] Checkpoint diff API returns 500 - workspace directory missing #253: Fixed checkpoint diff API returning 500 - added workspace existence validation

GitHub Issue Organization

• Created v1-legacy label for 22 v1-specific issues (closed, retained as Phase 3 reference)
• Created phase labels: phase-1, phase-2, phase-4, phase-5
• Created 9 new issues ([Phase 1] cf prd generate - Interactive AI PRD creation (Socratic Discovery) #307-[Phase 5] Debug and replay mode #315) for roadmap features
• Consistent naming: [Phase #] Title format

Previous Updates (2026-01-16)

Phase 3.1: Tech Stack Configuration

Simplified tech stack configuration using natural language descriptions:

1. ✅ tech_stack field on Workspace model - stores natural language description
2. ✅ --detect flag - auto-detects from pyproject.toml, package.json, Cargo.toml, go.mod
3. ✅ --tech-stack flag - explicit tech stack description (e.g., "Rust project with cargo")
4. ✅ --tech-stack-interactive flag - simple prompt for user input (stub for future multi-round)
5. ✅ Agent integration - TaskContext and Planner include tech_stack in LLM prompts
6. ✅ Removed cf config subcommand - tech stack is now part of workspace init

Design philosophy: Instead of structured configuration with specific package managers and frameworks, users describe their stack in natural language. The agent interprets and adapts.

Examples:

cf init . --detect                           # Auto-detect: "Python with uv, pytest, ruff for linting"
cf init . --tech-stack "Rust project using cargo"
cf init . --tech-stack "TypeScript monorepo with pnpm, Next.js, jest"
cf init . --tech-stack-interactive           # Prompts user for description

Future work: Multi-round interactive discovery (bead: codeframe-8d80)

Agent Self-Correction & Observability

Improved agent reliability with automatic error recovery:

1. ✅ Self-correction loop in _run_final_verification() - agent retries up to 3 times
2. ✅ Verbose mode (--verbose / -v) - shows detailed verification/self-correction progress
3. ✅ FAILED task status - tasks transition to FAILED for proper error visibility
4. ✅ Project preferences - agent loads AGENTS.md/CLAUDE.md for per-project config
5. ✅ Fixed fail_run() - now properly transitions task status (was leaving tasks stuck)

Enhanced Self-Correction (Phase 3.4)

Advanced error recovery with loop prevention and smart escalation:

1. ✅ Fix Attempt Tracker (core/fix_tracker.py) - prevents repeating failed fixes

   • Normalizes errors for comparison (removes line numbers, memory addresses)
   • Tracks (error_signature, fix_description) pairs with outcomes
   • Detects escalation patterns (same error 3+ times, same file 3+ times)

2. ✅ Pattern-Based Quick Fixes (core/quick_fixes.py) - fixes common errors without LLM

   • ModuleNotFoundError → auto-install package (detects package manager)
   • ImportError → add missing import statement
   • NameError → add common imports (Optional, dataclass, Path, etc.)
   • SyntaxError → fix missing colons, f-string prefixes
   • IndentationError → normalize mixed tabs/spaces

3. ✅ Escalation to Blocker - creates informative blockers when stuck

   • Triggered after MAX_SAME_ERROR_ATTEMPTS (3) failures on same error
   • Triggered after MAX_SAME_FILE_ATTEMPTS (3) failures on same file
   • Triggered after MAX_TOTAL_FAILURES (5) in a run
   • Blocker includes error type, attempted fixes, and guidance questions

Self-Correction Flow

Error occurs
    │
    ├── Try ruff --fix (auto-lint)
    │
    ├── Try pattern-based quick fix (no LLM)
    │   ├── Check if fix already attempted → skip
    │   ├── Apply fix
    │   └── Record outcome in tracker
    │
    ├── Check escalation threshold
    │   └── If exceeded → create escalation blocker
    │
    └── Use LLM to generate fix plan
        ├── Include already-tried fixes to avoid repetition
        ├── Execute fix steps with tracking
        └── Re-verify

Key Self-Correction Methods

• _run_final_verification(): While loop that re-runs gates after self-correction
• _attempt_verification_fix(): Orchestrates quick fixes, escalation check, LLM fixes
• _create_escalation_blocker(): Creates detailed blocker with context
• _verbose_print(): Conditional stdout output for observability

Phase 2 Complete (2026-01-15): Parallel Batch Execution

All 6 Phase 2 items from CLI_WIREFRAME.md are done:

1. ✅ work batch resume <batch-id> - re-run failed/blocked tasks
2. ✅ depends_on field on Task model
3. ✅ Dependency graph analysis (DAG, cycle detection, topological sort)
4. ✅ True parallel execution with ThreadPoolExecutor worker pool
5. ✅ --strategy auto with LLM-based dependency inference
6. ✅ --retry N automatic retry of failed tasks

Key Phase 2 Modules

• conductor.py: Batch orchestration with serial/parallel/auto strategies
• dependency_graph.py: DAG operations, level-based grouping for parallelization
• dependency_analyzer.py: LLM analyzes task descriptions to infer dependencies

Agent Implementation Complete (2026-01-14)

All 8 implementation tasks from AGENT_IMPLEMENTATION_TASKS.md are done:

1. ✅ LLM Adapter Interface (adapters/llm/)
2. ✅ Task Context Loader (core/context.py)
3. ✅ Agent Planning (core/planner.py)
4. ✅ Code Execution Engine (core/executor.py)
5. ✅ Automatic Blocker Detection (in core/agent.py)
6. ✅ Gate Integration (in core/agent.py)
7. ✅ Agent Orchestrator (core/agent.py)
8. ✅ Wire into Runtime (core/runtime.py)

Bug Fixes During Testing

• GateResult attribute access: Fixed gate_result.status → gate_result.passed
• Duplicate task transitions: Removed task status updates from agent.py (runtime handles all)
• READY→READY error: Added check in stop_run before transitioning
• Verification step handling: Made _execute_verification smarter about file vs command targets

Key Design Decisions

• State separation: Agent manages AgentState, Runtime manages TaskStatus
• Model selection: Task-based heuristic via Purpose enum
• Blocker creation: Agent creates blockers, Runtime updates task status
• Verification: Incremental (ruff after each file change) + final (all gates)

Testing

Run all tests

uv run pytest

Run v2 tests only

uv run pytest -m v2           # All v2 tests (~411 tests)
uv run pytest -m v2 -q        # Quiet mode

The v2 marker identifies tests for CLI-first, headless functionality:

• All tests in tests/core/ are automatically marked v2 (via conftest.py)
• v2 CLI tests have pytestmark = pytest.mark.v2 at the top

Convention: When adding new v2 functionality, mark tests with @pytest.mark.v2 or add pytestmark = pytest.mark.v2 at module level for CLI tests that use codeframe.cli.app.

Run core module tests

uv run pytest tests/core/
uv run pytest tests/core/test_agent.py -v
uv run pytest tests/adapters/test_llm.py -v

Test coverage

uv run pytest --cov=codeframe --cov-report=html

Environment Variables

# Required for agent execution
ANTHROPIC_API_KEY=sk-ant-...

# Optional - Database
DATABASE_PATH=./codeframe.db

# Optional - Rate Limiting (Phase 2)
RATE_LIMIT_ENABLED=true                    # Enable/disable rate limiting
RATE_LIMIT_DEFAULT=100/minute              # Default limit
RATE_LIMIT_AUTH=10/minute                  # Auth endpoints
RATE_LIMIT_AI=20/minute                    # AI/LLM endpoints
RATE_LIMIT_WEBSOCKET=50/minute             # WebSocket connections
REDIS_URL=redis://localhost:6379           # Redis for distributed rate limiting (optional)

# Optional - API Server
CODEFRAME_API_KEY_SECRET=<random-secret>   # Secret for API key hashing

Legacy sections removed on purpose

This file previously contained extensive v1 details (auth, websocket, UI template, sprint history).
Those are still in git history and legacy docs, but they are not the current contract.

The current contract is Golden Path + Refactor Plan + Command Tree mapping + Agent Implementation.

CodeFRAME v2 — Golden Path Contract (CLI-first)

This document is the contract for CodeFRAME v2 development.

Rule 0 (the only rule that matters):

If a change does not directly support the Golden Path flow below, do not implement it.

This applies to both humans and agentic coding assistants.

Goals

What "done" looks like (Enhanced MVP definition)

CodeFRAME can run a complete end-to-end AI-driven development workflow from the CLI on a target repo:

1. Initialize workspace with project discovery

   • Analyze codebase and detect tech stack
   • Configure environment and tooling automatically
   • Create durable state storage

2. AI-driven PRD generation and refinement

   • Interactive AI session gathers project requirements
   • AI asks follow-up questions about scope, users, constraints
   • Generates comprehensive PRD + technical specs + user stories
   • Iterative refinement based on user feedback

3. Intelligent task generation with dependency analysis

   • Decompose PRD into actionable tasks with dependencies
   • Prioritize tasks and group by functionality
   • Generate implementation strategies per task

4. Batch task execution with orchestration

   • Execute multiple tasks in sequence or parallel
   • Handle inter-task dependencies automatically
   • Main agent coordinates entire batch workflow
   • Real-time progress monitoring and event streaming

5. Human-in-the-loop blocker resolution

   • Interactive blocker handling with contextual AI suggestions
   • Resume execution after blocker resolution
   • Learning from blocker patterns

6. Integrated Git workflow and PR management

   • Automatic branch creation per task/batch
   • AI-generated commit messages and PR descriptions
   • Automated verification gate execution
   • PR creation, review, and merging workflows

7. Comprehensive checkpointing and state management

   • Snapshots of workspace state with git refs
   • Resume interrupted workflows from checkpoints
   • Multi-environment state isolation

No UI is required.
A FastAPI server is not required for the Golden Path to work.
All Git operations are integrated into the CLI workflow.

Non-Goals (explicitly forbidden until Golden Path works)

Do not build or refactor:

• Web UI / dashboard features
• Settings pages, preferences, themes
• Multi-provider/model switching UI or complex provider management
• Advanced metrics dashboards or timeseries endpoints
• Auth / sessions for remote users
• Electron desktop app
• Plugin marketplace / extensibility frameworks
• “Perfect” project structure, monorepo tooling, or build system redesign
• Large migrations or renames that aren’t required by Golden Path

These may be revisited only after Golden Path is working and stable.

Golden Path CLI Flow (the only flow that matters)

0) Preconditions

• A target repo exists (any small test repo is fine).
• CodeFRAME runs locally and can store durable state (SQLite or filesystem).
• The CLI can be run from anywhere.

1) Initialize a workspace

Command:

• codeframe init <path-to-repo>

Required behavior:

• Registers the repo as a workspace.
• Creates/updates durable state storage.
• Prints a short workspace summary (repo path, workspace id, state location).

Artifacts:

• Local state created (DB/file), e.g. .codeframe/ and/or codeframe.db.

2) AI-driven PRD generation and refinement

Commands:

• codeframe prd generate (primary - interactive AI session)
• codeframe prd add <file.md> (secondary - existing file support)
• codeframe prd refine (iterative improvement)

Required behavior for prd generate:

• AI conducts interactive discovery session asking:
  • Project scope, objectives, and success criteria
  • Target users, use cases, and user stories
  • Technical constraints, preferences, and requirements
  • Timeline, priorities, and MVP boundaries
• Generates comprehensive PRD with:
  • Executive summary and problem statement
  • Functional requirements with acceptance criteria
  • Technical specifications and architecture guidance
  • User stories with priority ranking
  • Success metrics and validation criteria
• Provides iterative refinement based on user feedback
• Stores PRD in durable state with versioning
• Supports multiple PRD versions with change tracking

3) Intelligent task generation with dependency analysis

Commands:

• codeframe tasks generate (enhanced with dependencies)
• codeframe tasks analyze (dependency graph analysis)

Required behavior:

• Decomposes PRD into granular, actionable tasks
• Automatically detects and assigns task dependencies
• Estimates effort and complexity for each task
• Groups related tasks into logical workstreams
• Prioritizes tasks based on dependencies and value delivery
• Supports task templates for common patterns (setup, implementation, testing, deployment)
• Generates implementation strategy per task (files to modify, approaches to consider)
• Creates task dependency graph with critical path identification

4) Batch task execution with orchestration

Commands:

• codeframe work batch run (primary - main execution pathway)
• codeframe work start <task-id> (secondary - single task fallback)
• codeframe work batch status <batch-id> (monitoring)
• codeframe work batch follow <batch-id> (real-time streaming)

Required behavior for batch execution:

• Executes multiple tasks with intelligent scheduling:
  • Serial execution for dependent tasks
  • Parallel execution for independent tasks
  • Auto-strategy using dependency graph analysis
• Main orchestrator agent coordinates entire batch:
  • Resource allocation and task scheduling
  • Inter-task communication and data sharing
  • Failure handling and retry logic
  • Progress tracking and milestone reporting
• Real-time event streaming with:
  • Task start/completion events
  • Progress indicators and ETAs
  • Blocker detection and notification
  • Dependency resolution updates
• Supports execution strategies:
  • --strategy serial: Linear execution
  • --strategy parallel: Max parallelization
  • --strategy auto: AI-optimized based on dependencies

5) Enhanced human-in-loop blocker resolution

Commands:

• codeframe blockers list (enhanced with context)
• codeframe blocker answer <blocker-id> "<text>" (with AI suggestions)
• codeframe blocker resolve <blocker-id> (automated resolution options)

Required behavior:

• AI provides contextual blocker resolution suggestions:
  • Similar past blockers and their solutions
  • Multiple solution approaches with trade-offs
  • Impact analysis of resolution choices
• Interactive blocker handling with:
  • Rich context display (related code, PRD sections, task dependencies)
  • Suggested responses ranked by confidence
  • Impact on task timeline and dependencies
• Learning system that:
  • Records blocker patterns and resolutions
  • Improves future blocker handling suggestions
  • Reduces human intervention over time

6) Integrated Git workflow and PR management

Commands:

• codeframe work start <task-id> --create-branch (branch management)
• codeframe pr create (PR creation with AI descriptions)
• codeframe pr list (PR status monitoring)
• codeframe pr merge <pr-id> (PR merging with verification)

Required behavior:

• Branch Management:
  • Automatic feature branch creation per task/batch
  • Branch naming conventions with task/batch IDs
  • Branch cleanup and organization utilities
  • Conflict detection and resolution assistance
• PR Creation:
  • AI generates comprehensive PR descriptions:
    • Summary of changes and business impact
    • Technical implementation details
    • Testing performed and results
    • Breaking changes and migration notes
  • Automated PR labeling and categorization
  • Reviewer assignment based on code expertise
• PR Workflow:
  • Automated gate execution before merge (tests, lint, security scans)
  • Integration with CI/CD pipelines
  • Merge strategies (squash, merge, rebase) based on team preferences
  • Post-merge cleanup and notification

7) Enhanced verification and quality gates

Commands:

• codeframe review (comprehensive code review)
• codeframe gates run (automated quality checks)
• codeframe quality report (quality metrics and trends)

Required behavior:

• Comprehensive Gate Suite:
  • Unit tests with coverage reporting
  • Integration and end-to-end tests
  • Static code analysis (lint, security, complexity)
  • Performance regression tests
  • Documentation and API specification validation
• AI-Assisted Code Review:
  • Automated code quality assessment
  • Best practices compliance checking
  • Potential bug detection and suggestions
  • Code style and maintainability analysis
• Quality Tracking:
  • Trend analysis of code quality metrics
  • Technical debt accumulation tracking
  • Gate failure pattern identification

8) Integrated artifact and commit management

Commands:

• codeframe commit create -m "<message>" (AI-generated commits)
• codeframe patch export (safe patch generation)
• codeframe artifacts list (artifact tracking)

Required behavior:

• Smart Commits:
  • AI generates meaningful commit messages:
    • Conventional commit format compliance
    • Contextual change descriptions
    • References to tasks/PRDs/issues
    • Breaking change highlights
  • Atomic commit boundaries and logical grouping
• Artifact Management:
  • Automatic patch generation for safety
  • Commit linking to tasks and batches
  • Rollback points and recovery procedures
  • Integration with external artifact repositories

9) Comprehensive checkpointing and state management

Commands:

• codeframe checkpoint create "<name>" (enhanced snapshots)
• codeframe checkpoint restore <checkpoint-id> (workflow resume)
• codeframe summary (comprehensive reporting)

Required behavior:

• Rich Checkpoints:
  • Complete workspace state capture:
    • Task statuses and progress
    • Git refs and working directory state
    • PRD versions and requirements
    • Configuration and environment settings
  • Incremental checkpoint optimization
  • Cross-environment checkpoint portability
• Workflow Resume:
  • Seamless resumption from any checkpoint
  • Context restoration for active agents
  • Branch and working directory restoration
  • Event log continuity and replay
• Comprehensive Reporting:
  • Executive summaries with progress metrics
  • Detailed task completion reports
  • Quality gate performance tracking
  • Resource utilization and timing analysis
  • Risk assessment and mitigation recommendations

State Machine (authoritative)

Statuses:

• BACKLOG - Task identified but not ready for execution
• READY - Task prepared and ready to start
• IN_PROGRESS - Task actively being worked on
• BLOCKED - Task waiting for human input or external dependency
• DONE - Task completed locally, ready for review/integration
• IN_REVIEW - Task changes in PR review process
• MERGED - Task changes integrated into main branch
• FAILED - Task execution failed (can be retried)

Allowed transitions (comprehensive):

• BACKLOG -> READY (task preparation complete)
• READY -> IN_PROGRESS (work started)
• IN_PROGRESS -> BLOCKED (awaiting input/dependency)
• BLOCKED -> IN_PROGRESS (blocker resolved)
• BLOCKED -> READY (returned to queue)
• IN_PROGRESS -> DONE (local completion)
• IN_PROGRESS -> FAILED (execution failure)
• DONE -> IN_REVIEW (PR created/under review)
• IN_REVIEW -> DONE (PR rejected, needs work)
• IN_REVIEW -> MERGED (PR approved and merged)
• DONE -> READY (reopened for additional work)
• FAILED -> READY (retry after failure)
• MERGED -> BACKLOG (reopened for enhancement)

The CLI is the authority for transitions.
UIs (web/electron) are views over this state machine, not the source of truth.

PR Workflow Integration:

• Tasks automatically transition to IN_REVIEW when codeframe pr create is run
• PR status changes trigger corresponding task state updates
• Merge actions transition tasks to MERGED status
• Failed or rejected PRs return tasks to DONE for additional work

Implementation Principles

Core-first (no FastAPI in the core)

• Domain logic must live in a reusable core module/package.
• Core must not import FastAPI, websockets, or HTTP request objects.
• FastAPI server (if used) must be a thin adapter over core.

CLI-first (server optional)

• Golden Path commands must work without any running backend server.
• If a server exists, it may be started separately (codeframe serve) and must wrap core.

Salvage safely

• Legacy code can be read and copied from.
• Core must not take dependencies on legacy UI-driven modules.
• Prefer copying useful functions into core and simplifying interfaces.

Keep it runnable

• Every commit should keep codeframe --help working.
• The Golden Path commands should remain executable even if stubs at first.

Acceptance Checklist (Enhanced MVP - must pass)

Status: 🔄 Enhanced MVP Partially Complete

📊 Current Implementation Status

Overall Assessment: Enhanced MVP is ~60% complete with solid foundation but critical gaps remaining.

✅ Fully Implemented Phases:

• Phase 1: Basic PRD functionality (prd add) - Enhanced PRD generation missing
• Phase 2: Core task generation with LLM support - Advanced dependency analysis incomplete
• Phase 3: Complete batch execution framework - Orchestrator integration complete
• Phase 4: Basic blocker management system - AI-powered suggestions missing
• Phase 6: Basic verification gates (codeframe review) - AI-assisted review missing
• Phase 7: Comprehensive checkpointing system - Incremental/batch features missing

⚠️ Critical Missing Components:

• AI-driven PRD generation: No codeframe prd generate command
• Credential management: No codeframe auth system - CRITICAL BLOCKER
• Git/PR workflow: GitHub integration exists but no CLI commands
• Environment validation: No pre-flight validation system
• Advanced recovery: Limited rollback beyond full checkpoints
• Enhanced monitoring: Basic event streaming, no rich debugging

🎯 Key Finding:

The single most critical issue is missing credential management - users cannot reliably use the enhanced workflow without it.

Foundation is solid - Core CLI functionality, batch execution, and basic Git integration work reliably.

Next priority: Implement credential management system as outlined in gap analysis documents.

Phase 1: AI-Driven Project Discovery & PRD Generation

• codeframe init with auto tech stack detection and environment setup
  • ✅ Implementation: Auto tech stack detection with --detect flag
  • ✅ Implementation: Interactive tech stack configuration with --tech-stack-interactive
  • ✅ Note: Basic init works, enhanced features not yet integrated
• codeframe prd generate conducts interactive AI discovery session
  • ⚠️ Status: Command not implemented - only codeframe prd add <file.md> exists
  • Note: Discovery exists in legacy codebase but not integrated into CLI
• AI asks contextual follow-up questions about requirements and constraints
• Generates comprehensive PRD with technical specs and user stories
• Supports iterative PRD refinement based on user feedback
• PRD versioning and change tracking

Phase 2: Intelligent Task Generation & Dependency Management

• codeframe tasks generate creates dependency-aware task graphs
  • ✅ Implementation: Uses LLM for task generation with dependency analysis
  • ✅ Implementation: Supports both LLM and simple extraction modes
  • ⚠️ Status: Limited dependency graph functionality
  • Note: Basic task generation works, advanced dependency analysis incomplete
• Automatic task prioritization and workstream grouping
• Effort estimation and complexity analysis
• Critical path identification and scheduling
• Task template system for common implementation patterns

Phase 3: Batch Execution & Orchestration

• codeframe work batch run as primary execution pathway
  • ✅ Implementation: Comprehensive batch execution with multiple strategies
  • ✅ Implementation: Serial, parallel, and auto-strategy execution modes
  • ✅ Implementation: Event streaming and progress monitoring
  • ✅ Implementation: Failure handling and retry logic
  • ✅ Implementation: Real-time status and batch monitoring commands
  • Note: Main batch functionality works, orchestrator integration complete
• Serial, parallel, and auto-strategy execution modes
• Real-time progress monitoring with event streaming
• Inter-task dependency management and coordination
• Main orchestrator agent manages entire batch workflow
• Failure handling and automatic retry logic

Phase 4: Enhanced Human-in-the-Loop Blocker Resolution

• Contextual blocker display with rich background information
  • ✅ Implementation: Comprehensive blocker management system
  • ✅ Implementation: Rich context display with codebase references
  • ⚠️ Status: AI-powered suggestions not yet implemented
  • Note: Basic blocker listing and answering works, AI suggestions missing
• AI-powered blocker resolution suggestions
• Learning system for blocker pattern recognition
• Similar past blocker solutions and recommendations
• Impact analysis for different resolution approaches

Phase 5: Integrated Git Workflow & PR Management

• Automatic branch creation per task/batch with naming conventions
• AI-generated comprehensive PR descriptions with business impact
• Automated PR labeling and reviewer assignment
• Integration with CI/CD pipelines and gate execution
• Multiple merge strategies (squash, merge, rebase) support
• Post-merge cleanup and notification automation
  • ⚠️ Status: Basic Git integration exists, PR creation incomplete
  • Note: GitHub integration module exists (codeframe/git/github_integration.py)
  • Note: Auth commands exist but credential management missing
  • Note: No CLI commands for PR creation/management yet implemented

Phase 6: Comprehensive Quality Gates & Verification

• Expanded gate suite: unit tests, integration tests, security scans
  • ✅ Implementation: Basic codeframe review command exists
  • ✅ Implementation: Supports multiple gate types (pytest, ruff, mypy, npm)
  • ⚠️ Status: Limited gate functionality - stub implementation
  • Note: Only basic verification works, AI-assisted review not implemented
• AI-assisted code review with best practices checking
• Quality metrics tracking and trend analysis
• Technical debt accumulation monitoring
• Automated regression detection and prevention

Phase 7: Advanced Checkpointing & State Management

• Rich checkpoint snapshots with complete workspace state
  • ✅ Implementation: Comprehensive checkpoint management system
  • ✅ Implementation: Checkpoint create, list, show, and restore commands
  • ✅ Implementation: Git reference integration for state tracking
  • ⚠️ Status: Basic checkpointing works, advanced features missing
  • Note: No incremental checkpointing during batch execution
• Cross-environment checkpoint portability
• Seamless workflow resumption from any checkpoint
• Incremental checkpoint optimization
• Executive reporting with progress and risk metrics

Cross-Cutting Requirements

• All functionality works without FastAPI server running
  • ✅ Implementation: Core functionality works independently of server
  • ✅ Verification: CLI commands work without FastAPI dependency
  • ⚠️ Status: Server wrapper incomplete but not required for CLI workflow
• No UI required at any point in workflow
  • Event logging and streaming for observability
  • ✅ Implementation: Comprehensive event system with rich logging
  • ✅ Implementation: Real-time event streaming during batch execution
  • ⚠️ Status: Advanced monitoring features missing
• Comprehensive error handling and recovery procedures
  • ⚠️ Status: Basic error handling exists, advanced recovery missing
  • Note: No rollback capability beyond full checkpoints
• Performance optimization for large repositories
  • Security best practices and credential management
  • Documentation and help commands for all new features
  • ⚠️ Status: No credential management system implemented
  • ⚠️ Critical Gap: Authentication failures would block entire workflow
  • Note: See gap analysis documents for detailed credential management plan

Definition of Done:

• All acceptance criteria must be satisfied
• End-to-end workflow tested on real project repositories
• Performance benchmarks meet minimum standards
• Security audit passes all compliance checks
• Documentation is complete and accurate
• User feedback collected from beta testing validates approach

Next phase: Production Readiness & Advanced Features (see roadmap planning).

CodeFRAME v2 Strategic Roadmap

Created: 2026-01-29
Updated: 2026-02-15
Status: Active - Phase 2.5 Complete, Phase 3 Next

Executive Summary

CodeFRAME v2 CLI Phase 1 is complete with a production-ready foundation. The path forward involves:

1. Closing the remaining 5-10% CLI gap (mainly prd generate and observability) ✅ DONE
2. Building server layer as thin adapter over core
3. Rebuilding web UI on the v2 foundation
4. Evolving toward the multi-agent "FRAME" vision

Current State Assessment

What's Working (Phase 1 Complete)

• Full agent execution: cf work start <task-id> --execute
• Batch orchestration: serial, parallel, auto (LLM-inferred dependencies)
• Self-correction loop with up to 3 retry attempts
• Blocker system for human-in-the-loop decisions
• Verification gates (ruff, pytest, BUILD)
• State persistence and checkpoint/restore
• Tech stack auto-detection
• 76+ integration tests, all passing
• GitHub PR workflow commands
• Interactive PRD generation (cf prd generate) ✅
• Live execution streaming (cf work follow) ✅
• PRD template system for customizable output ✅
• Integration tests for credentials/environment modules ✅

Phase 1 Gaps - ALL CLOSED

Phase 1: CLI Foundation Completion ✅ COMPLETE

Goal: Make CLI fully production-ready for headless agent workflows.
Status: ✅ ALL DELIVERABLES COMPLETE (2026-02-01)

Deliverables

1. cf prd generate command ([Phase 1] cf prd generate - Interactive AI PRD creation (Socratic Discovery) #307) - ✅ COMPLETE

   • Interactive AI-driven requirements discovery
   • Multi-turn Socratic questioning (5+ turns minimum)
   • Progressive refinement: broad vision → specific requirements → acceptance criteria
   • Outputs structured PRD document
   • Template support for customizable output formats

2. Live execution streaming ([Phase 1] cf work follow - Live execution streaming #308) - ✅ COMPLETE

   • cf work follow <task-id> for real-time output
   • File-based streaming with tail support

3. PRD template system ([Phase 1] PRD template system for customizable output formats #316) - ✅ COMPLETE (BONUS)

   • 5 built-in templates: standard, lean, enterprise, technical, user-story
   • Export/import for customization
   • cf prd templates list/show/export/import commands

4. Integration test expansion ([Phase 1] Integration tests for credential and environment modules #309) - ✅ COMPLETE

   • Test credential manager with keyring
   • Test environment validator with tool detection
   • 76+ integration tests (exceeded target)

Success Criteria - ALL MET

• ✅ New user completes full workflow without hitting credential/env failures
• ✅ cf prd generate conducts 5+ turn discovery session
• ✅ All v2 integration tests pass (4285 total tests)

Phase 2: Server Layer as Thin Adapter

Goal: FastAPI server exposing core functionality via REST + real-time events.
Status: ✅ COMPLETE

Deliverables

1. Server audit and refactor ([Phase 2] Server audit and refactor - routes delegating to core modules #322) - ✅ COMPLETE

   • ✅ Business logic audit completed (see docs/PHASE_2_BUSINESS_LOGIC_AUDIT.md)
   • ✅ CLI-to-API route mapping (see docs/PHASE_2_CLI_API_MAPPING.md)
   • ✅ V2 routers created following thin adapter pattern:
     • blockers_v2.py - Full CRUD delegating to core.blockers
     • prd_v2.py - Full CRUD + versioning delegating to core.prd
     • tasks_v2.py - Enhanced with PATCH/DELETE/streaming/run status
     • workspace_v2.py - Init, status, tech stack detection
     • batches_v2.py - Batch execution with strategies
     • diagnose_v2.py - Failed task analysis
     • pr_v2.py - GitHub PR workflow
     • environment_v2.py - Tool detection and validation
     • gates_v2.py - Verification gate execution
   • ✅ Integration tests: 130+ tests for v2 routers

2. Real-time events ([Phase 2] Real-time events via SSE/WebSocket for task execution #323) - 🔄 PARTIAL

   • ✅ SSE streaming via /api/v2/tasks/{id}/stream
   • ⚠️ WebSocket for bidirectional events still needed

3. Authentication & Security

   • ✅ API key authentication (feat(auth): add API key authentication for CLI and REST API #326) - COMPLETE
     • Scope-based permissions (read/write/admin)
     • CLI commands: cf auth api-key-create/list/revoke/rotate
     • REST header: X-API-Key
   • ✅ Rate limiting (feat(security): add API rate limiting with slowapi #327) - COMPLETE
     • Configurable limits per endpoint type (auth/standard/AI/websocket)
     • Redis backend support for distributed deployments
     • SlowAPI integration
   • API pagination ([Phase 2] Add API pagination support for large datasets #118) - Open

Phase 2 Progress Summary

All Phase 2 Issues

Architecture Principle: Thin Adapter Pattern

CLI (typer) ─┬── core.* ─── adapters.*
             │
Server (fastapi) ─┘

Server and CLI are siblings, both calling core.

Key Pattern: V2 routers follow the thin adapter pattern:

1. Parse HTTP request parameters
2. Call core module function with workspace
3. Transform result to HTTP response
4. Handle errors with standard format

See docs/PHASE_2_DEVELOPER_GUIDE.md for implementation guide.

Phase 2.5: ReAct Agent Architecture ✅ COMPLETE

Goal: Replace plan-then-execute agent with iterative ReAct (Reasoning + Acting) loop as the default engine.
Status: ✅ COMPLETE (2026-02-15)

Motivation

The plan-based agent had several failure modes discovered during testing:

• Config file overwrites (whole-file generation ignores existing content)
• Cross-file naming inconsistency (each file generated in isolation)
• Accumulated lint errors (no incremental verification)
• Ineffective self-correction (empty error context)

Deliverables

1. ReAct Agent Implementation - ✅ COMPLETE

   • core/react_agent.py - Observe-Think-Act loop with tool use
   • core/tools.py - 7 structured tools (read/edit/create file, run command/tests, search, list)
   • core/editor.py - Search-replace editor with 4-level fuzzy matching

2. Engine Selection - ✅ COMPLETE

   • --engine react (default) or --engine plan (legacy) on all work commands
   • Runtime routes to ReactAgent or Agent based on engine parameter
   • API endpoints support engine parameter with validation

3. CLI Validation ([Phase 2.5-F] End-to-end CLI validation with cf-test project #353) - ✅ COMPLETE

   • --engine flag on cf work start and cf work batch run
   • Default switched to "react"

4. API Validation ([Phase 2.5-F] Verify ReAct engine works via API routes #354) - ✅ COMPLETE

   • Engine parameter on execute, approve, and stream endpoints
   • Backward compatible — omitting engine uses "react" default

5. Default Switch + Documentation ([Phase 2.5-F] Switch default engine to react and update documentation #355) - ✅ COMPLETE

   • Default engine changed from "plan" to "react" across CLI, API, and runtime
   • CLAUDE.md updated with ReAct architecture documentation

Key Architecture Decisions

• Search-replace editing: ~98% accuracy vs ~70-80% for whole-file regeneration
• Read before write: Agent always sees actual file state before editing
• Lint after every change: Catch errors immediately, not after they accumulate
• 7 focused tools: Fewer tools = higher accuracy
• Token budget management: 3-tier compaction prevents context window overflow
• Adaptive iteration budget: Task complexity scoring adjusts iteration limits

Reference Documentation

• docs/AGENT_V3_UNIFIED_PLAN.md - Architecture design and rules
• docs/REACT_AGENT_ARCHITECTURE.md - Deep-dive on tools, editor, token management
• docs/PHASE_25_VALIDATION_REPORT.md - End-to-end validation results

Phase 3: Web UI Rebuild

Goal: Modern dashboard consuming REST/WebSocket API.

Deliverables

1. Project management - Workspace list, creation, configuration
2. PRD interface - Visual editor with AI assistance
3. Task board - Drag-and-drop with dependency visualization
4. Execution monitor - Live dashboard showing agent progress
5. Blocker resolution - Interactive Q&A interface
6. Onboarding flow - First-time user experience

Tech Stack

• Next.js with App Router
• Shadcn/UI + Tailwind (Nova template)
• Hugeicons
• Real-time via WebSocket/SSE

Note: v1-legacy issues (labeled and closed) serve as reference for this phase.

Phase 4: Multi-Agent Coordination

Goal: Realize the "FRAME" vision - specialist agents working together.

Deliverables

1. Agent roles ([Phase 4] Agent role system with specialized prompts #310)

   • Backend Agent, Frontend Agent, Test Agent, Review Agent
   • Role-specific system prompts and tool access
   • Automatic task-to-agent matching

2. Parallel multi-agent execution

   • Multiple agents on independent tasks
   • Worker pool management

3. Conflict detection & resolution ([Phase 4] Multi-agent conflict detection and resolution #311)

   • Identify concurrent modifications to same files
   • Strategies: serialize, merge, escalate to blocker
   • 90%+ automatic resolution target

4. Handoff protocols ([Phase 4] Agent handoff protocols #312)

   • Context passing between roles
   • Implementation → Test → Review pipeline

Related Issues

• [Future] Evaluate Subagent Context Isolation per Task #68: Subagent context isolation
• [Future] Evaluate Task-Scoped Context vs. Agent-Level Context Tiers #72: Task-scoped vs agent-level context
• [Phase 4] Replace Fixed Self-Correction Cap with Adaptive Failure Handling #71: Adaptive failure handling
• [Future] Implement Procedural Memory for Agent Learning #73: Procedural memory for learning
• [Future] Implement Goal Recitation for Long-Running Tasks #70, [Future] Implement Memory Eviction Strategy for COLD Tier #67, [Future] Optimize Context Assembly Order for LLM Cache Hits #63: Context engineering

Phase 5: Advanced Features & Polish

Goal: Power user features and production hardening.

Deliverables

1. TUI Dashboard ([Phase 5] TUI Dashboard with Rich/Textual #313) - Rich/Textual terminal interface
2. Token/cost tracking ([Phase 5] Token and cost tracking per task #314) - Usage metrics per task/batch
3. Debug/replay mode ([Phase 5] Debug and replay mode #315) - Step through past executions
4. Performance benchmarks ([Phase 5] Add performance and load testing benchmarks #115) - Baseline metrics
5. Context optimization ([Future] Optimize Context Assembly Order for LLM Cache Hits #63, [Future] Implement Memory Eviction Strategy for COLD Tier #67) - Assembly order, eviction strategy

Execution Timeline

Phase 1 (CLI) ──────────────────────────────────►
                  │
                  ├── Phase 2 (Server) ────────────────►
                  │                     │
                  │                     ├── Phase 3 (UI) ──────►
                  │
                  └── Phase 4 (Multi-Agent) ────────────────────►
                                                          │
                                                          └── Phase 5 (Advanced) ──►

• Phase 1 is prerequisite for everything
• Phases 2-3 (server/UI) can run in parallel with Phase 4 (multi-agent)
• Phase 5 depends on earlier phases but can start partially

GitHub Issue Organization

Labels

• phase-1: CLI Foundation (7 issues - ALL CLOSED)
• phase-2: Server Layer (6 issues - ALL OPEN)
• phase-4: Multi-Agent (10 issues)
• phase-5: Advanced Features (5 issues)
• v1-legacy: V1-specific issues, closed but retained as Phase 3 reference (22 issues)

Phase 1 Issues - ALL COMPLETE

Phase 2 Issues - MOSTLY COMPLETE

Architecture Decisions

1. Core-first pattern maintained

Core remains headless. Server and CLI are equal adapters.

2. Integration tests as guardrail

The existing 130+ v2 router tests ensure "always working codebase" through all phases.

3. No big-bang UI rewrite

Web UI is built incrementally on v2 server, not by fixing v1.

4. Agent swarms are Phase 4, not Phase 1

Focus on single-agent excellence first, then parallelize.

Verification Plan

After each phase:

1. Run full integration test suite: uv run pytest tests/cli/test_v2_cli_integration.py
2. Manual smoke test of Golden Path
3. Confirm no regressions in existing functionality

Summary

Current focus: Phase 3 - Web UI rebuild on v2 foundation.

Code Review Report: PRD View - Document Creation & Discovery

Date: 2026-02-05
Reviewer: Code Review Agent
Component: PRD View (PR #337, Issue #330)
Files Reviewed: 34 files (20 source, 8 test, 1 mock, 1 docs, 4 config)
Ready for Production: Yes, with 2 major issues recommended for near-term fix

Executive Summary

This PR implements the full PRD View for Phase 3 UI — a well-structured, component-driven implementation across 9 incremental commits. The code follows established project patterns (Shadcn/UI Nova template, Hugeicons, SWR, axios namespace pattern) and includes 64 new tests. Two major reliability issues were found (missing error handling in page.tsx handlers and a misused React hook in DiscoveryPanel), plus a few minor improvements. No critical security vulnerabilities.

Critical Issues: 0
Major Issues: 2
Minor Issues: 4
Positive Findings: 7

Review Context

Code Type: Frontend (Next.js React components, hooks, API client)
Risk Level: Medium (user input handling, file upload, SSE connections, AI chat rendering)
Business Constraints: Phase 3 UI rebuild — first user-facing view beyond workspace

Review Focus Areas

• ✅ A03 - Injection/XSS — User markdown rendered via react-markdown, file upload content
• ✅ Reliability — Error handling in async handlers, resource cleanup in SSE hooks
• ✅ Resource Management — EventSource lifecycle, FileReader cleanup, SWR cache management
• ✅ A06 - Vulnerable Components — Dependency audit
• ❌ OWASP LLM Top 10 — Skipped (frontend doesn't interact with LLM directly)
• ❌ Zero Trust / Auth — Skipped (auth is backend concern; API client already has withCredentials: true)
• ❌ Performance — Skipped (not performance-critical UI code)

Priority 1 Issues - Critical ⛔

None found.

Priority 2 Issues - Major ⚠️

1. Missing error handling in handleSavePrd and handleGenerateTasks

Location: web-ui/src/app/prd/page.tsx:89-103 and web-ui/src/app/prd/page.tsx:118-127
Severity: Major
Category: Reliability

Problem:
Both handleSavePrd and handleGenerateTasks use try...finally without a catch block. If the API call fails, the error propagates as an unhandled rejection. Unlike DiscoveryPanel and UploadPRDModal (which properly catch and display errors), these handlers silently fail — the user sees the spinner stop but gets no feedback about what went wrong.

Current Code:

const handleSavePrd = async (content: string, changeSummary: string) => {
  if (!prd || !workspacePath) return;
  setIsSaving(true);
  try {
    const updated = await prdApi.createVersion(...);
    mutatePrd(updated, false);
  } finally {
    setIsSaving(false);
  }
};

Recommended Fix:

const handleSavePrd = async (content: string, changeSummary: string) => {
  if (!prd || !workspacePath) return;
  setIsSaving(true);
  try {
    const updated = await prdApi.createVersion(...);
    mutatePrd(updated, false);
  } catch (err) {
    const apiError = err as ApiError;
    console.error('[PRD] Save failed:', apiError.detail);
    // TODO: Show error toast/banner to user
  } finally {
    setIsSaving(false);
  }
};

Why This Fix Works:
Prevents unhandled promise rejections and gives the user feedback. A toast/notification system would be the ideal UX, but at minimum logging prevents silent failures.

2. Misuse of useState as initializer in DiscoveryPanel

Location: web-ui/src/components/prd/DiscoveryPanel.tsx:68-70
Severity: Major
Category: Reliability / Correctness

Problem:
useState is being used with a callback to auto-start the discovery session on mount. This is an unconventional pattern — useState's initializer runs during the first render (synchronously), but here it triggers an async side effect (startSession()). This works coincidentally because React state initializers run once, but:

1. It violates React's rules — side effects should use useEffect
2. The async call fires during render, not after mount
3. React StrictMode in development will call it twice

Current Code:

useState(() => {
  if (!sessionId) startSession();
});

Recommended Fix:

useEffect(() => {
  if (!sessionId) startSession();
  // eslint-disable-next-line react-hooks/exhaustive-deps
}, []);

Why This Fix Works:
useEffect with [] runs after the component mounts, which is the correct lifecycle for firing API calls. The eslint-disable is needed because startSession and sessionId are intentionally excluded (we only want to run on mount).

Priority 3 Issues - Minor 📝

1. sessionId interpolated directly into URL path

Location: web-ui/src/lib/api.ts:258, 270
Severity: Minor
Category: A03 - Injection (Defense in depth)

Recommendation:
sessionId is interpolated into the URL path via template literal: `/api/v2/discovery/${sessionId}/answer`. While sessionId comes from the server (not user input), encoding it would add defense-in-depth against future misuse.

Suggested Approach:

`/api/v2/discovery/${encodeURIComponent(sessionId)}/answer`

This is a nitpick — the backend validates the session ID format, and the value originates from the server. No immediate risk.

2. No file size limit on upload

Location: web-ui/src/components/prd/UploadPRDModal.tsx:45-67
Severity: Minor
Category: Reliability

Recommendation:
The file upload handler reads the entire file into memory via FileReader.readAsText() without checking file size. A user could accidentally select a very large file (e.g., a binary misnamed .md), causing browser memory issues.

Suggested Approach:
Add a size check before reading:

const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5 MB
if (file.size > MAX_FILE_SIZE) {
  setError('File too large (max 5 MB)');
  return;
}

3. genResp variable unused in handleGeneratePrd

Location: web-ui/src/components/prd/DiscoveryPanel.tsx:124
Severity: Minor
Category: Code Quality

Recommendation:
The response from discoveryApi.generatePrd() is assigned to genResp but never used — the function immediately fetches the full PRD via prdApi.getLatest(). This is correct behavior (the generate endpoint returns a preview, not the full PRD), but the unused variable should be removed for clarity.

Suggested Approach:

await discoveryApi.generatePrd(sessionId, workspacePath);
const fullPrd = await prdApi.getLatest(workspacePath);

4. DiscoveryPanel and PRDView lack test coverage

Location: web-ui/src/components/prd/DiscoveryPanel.tsx, PRDView.tsx
Severity: Minor
Category: Test Coverage

Recommendation:
DiscoveryPanel (0% coverage) and PRDView (0% coverage) are the two orchestrator components that tie everything together. While their child components are well-tested (93-100%), the orchestrators contain the async API flow logic (session start, answer submission, PRD generation) that is most likely to break in production.

Suggested Approach:
Add tests that mock @/lib/api and SWR, then verify:

• DiscoveryPanel: session auto-start, answer submission flow, error display
• PRDView: loading/empty/content state rendering, discovery toggle

Positive Findings ✨

Excellent Practices

• Consistent error pattern: All API-facing components (DiscoveryPanel, UploadPRDModal, DiscoveryInput) use try/catch/finally with typed ApiError extraction — follows the project's established normalizeErrorDetail pattern.
• SWR optimistic updates: mutatePrd(newPrd, false) correctly uses false for revalidate to avoid redundant refetches after mutations.
• Proper React patterns: Stable callback refs in useEventSource prevent unnecessary effect re-runs. useCallback used consistently for handlers passed to children.

Good Architectural Decisions

• Incremental commits: Each of the 9 commits is independently reviewable and represents a testable increment — excellent for bisecting bugs.
• Component separation: Clear responsibility split (PRDView = layout, PRDHeader = actions, MarkdownEditor = content, DiscoveryPanel = chat lifecycle). Each component is independently testable.
• Generic + specific hook pattern: useEventSource (generic SSE) wrapping into useTaskStream (typed for task events) is a clean, reusable pattern.

Security Wins

• react-markdown 10.1.0: Uses micromark parser which does not support raw HTML by default — safe against XSS in markdown content without needing rehype-raw or rehype-sanitize.
• accept attribute on file input: Limits file picker to .md,.markdown,.txt — client-side defense against wrong file types.
• API client withCredentials: true: Already configured in the existing axios instance — cookies sent with cross-origin requests, matching backend auth pattern.
• Zero npm audit vulnerabilities: npm audit --production shows 0 vulnerabilities.

Team Collaboration Needed

Handoffs to Other Agents

Architecture Agent:

• The AppSidebar reads workspace state from localStorage independently of the workspace page's own state management. If the workspace is deselected on the home page, the sidebar relies on a storage event listener to update. Consider a shared React context for workspace state to ensure consistency.

UX Designer Agent:

• Error feedback for handleSavePrd and handleGenerateTasks failures currently has no visual indicator — user sees spinner stop but no message. A toast/notification system should be prioritized.
• Disabled nav items in the sidebar show as dimmed text with no tooltip on mobile (icon-only mode). Consider adding title tooltips on the icon-only view.

Testing Recommendations

Unit Tests Needed

• PRDHeader (10 tests) ✅
• AssociatedTasksSummary (4 tests) ✅
• MarkdownEditor (8 tests) ✅
• DiscoveryTranscript (6 tests) ✅
• DiscoveryInput (9 tests) ✅
• AppSidebar (7 tests) ✅
• useEventSource (9 tests) ✅
• useTaskStream (9 tests) ✅
• DiscoveryPanel (mock API, test session lifecycle)
• PRDView (test state-driven rendering)
• UploadPRDModal (mock prdApi.create, test submit flow)

Integration Tests

• Full discovery flow: mount → auto-start → answer questions → generate PRD
• Upload PRD via paste → verify editor populated
• Task generation → verify AssociatedTasksSummary updates

Future Considerations

Patterns for Project Evolution

• Toast/notification system: Multiple components need user-facing error feedback. Consider adding a lightweight toast (e.g., Sonner or Shadcn Toast) before building more views.
• Workspace context: As more pages are added (Tasks, Execution, Blockers, Review), workspace state should move from localStorage + per-page hooks to a shared React context.

Technical Debt Items

• useState misuse in DiscoveryPanel (issue Brainstorming: Integrate remaining general concepts into specification #2 above) — should be fixed before more components copy this pattern
• Unused genResp variable (issue feat(sprint-4): Multi-Agent Coordination System - P0 & P1 Complete #3 above)

Compliance & Best Practices

Security Standards Met

• ✅ No raw HTML rendering in markdown (react-markdown default config)
• ✅ File upload restricted by accept attribute
• ✅ API client uses withCredentials for cookie-based auth
• ✅ No secrets or credentials in frontend code
• ✅ Zero npm audit vulnerabilities
• ✅ User input sent to API via POST body (not URL path), except workspace_path which is from localStorage

Enterprise Best Practices

• ✅ TypeScript strict types for all API responses
• ✅ Consistent error handling pattern across components
• ✅ 64 tests with 93-100% coverage on tested components
• ⚠️ Two orchestrator components (DiscoveryPanel, PRDView) at 0% coverage

Action Items Summary

Immediate (Before Merge - Recommended)

1. Add catch blocks to handleSavePrd and handleGenerateTasks in page.tsx
2. Replace useState() with useEffect() for auto-start in DiscoveryPanel.tsx

Short-term (Next Sprint)

1. Add toast/notification system for error feedback
2. Add tests for DiscoveryPanel and PRDView orchestrator components
3. Add file size validation to UploadPRDModal

Long-term (Backlog)

1. Workspace state context (replace localStorage reads per-component)
2. encodeURIComponent for path-interpolated IDs in API client
3. Remove unused genResp variable

Conclusion

This is a well-executed PR that delivers a complete PRD View with strong component architecture, comprehensive tests for leaf components, and proper security defaults. The two major issues (missing error handling and misused useState) are straightforward fixes that don't require architectural changes. The codebase follows established patterns consistently across all 20 source files.

Recommendation: Fix the 2 major issues, then merge. Short-term items can be addressed in follow-up.

Appendix

Tools Used for Review

• Manual code review of all 34 changed files
• npm audit --production — 0 vulnerabilities
• npx tsc --noEmit — 0 new type errors
• npx jest — 152/152 tests passing
• react-markdown version check (v10.1.0 — safe defaults)

References

• OWASP Top 10 Web Application Security (A03, A06, A07)
• React Rules of Hooks documentation
• react-markdown security model (micromark parser, no raw HTML by default)

Metrics

• Lines of Code Reviewed: ~2,400 (source), ~880 (tests)
• Components Reviewed: 10 new components, 2 hooks, 1 API client extension
• Security Patterns Checked: 6 (XSS, injection, file upload, auth headers, dependency audit, resource cleanup)

Code Review: feat(replay): debug and replay mode

CodeFRAME

The IDE of the future is not a better text editor with AI autocomplete. It is a project delivery system where writing code is a subprocess.

The Problem

Coding agents are getting remarkably good at writing code. But shipping software is not the same as writing code.

Before code gets written, someone has to figure out what to build, decompose it into tasks that an agent can execute, and resolve ambiguities. After code gets written, someone has to verify it actually works, catch regressions, and deploy with confidence. Today, that "someone" is still you.

CodeFRAME owns the edges of the pipeline -- everything that happens before and after the code gets written. The actual coding is delegated to frontier agents (Claude Code, Codex, OpenCode, or CodeFRAME's built-in ReAct agent) that are better at it than any custom agent could be.

Think. Build. Prove. Ship.

THINK    What are you building? How should it be broken down?
           cf prd generate         Socratic requirements gathering
           cf prd stress-test      Recursive decomposition, surface ambiguities  [planned]
           cf tasks generate       Atomic tasks with dependency graphs

BUILD    Delegate to the best coding agent for the job
           cf work start --engine  Claude Code, Codex, OpenCode, or built-in
           CodeFRAME owns: verification gates, self-correction, stall detection

PROVE    Is the output any good?
           cf proof run            9-gate evidence-based quality system           [planned]
           cf proof capture        Glitch becomes a permanent requirement         [planned]

SHIP     Deploy with confidence
           cf pr create            PR with proof report attached
           cf pr merge             Only merges if proof passes

THE CLOSED LOOP
  Glitch in production
    -> cf proof capture
    -> New requirement
    -> Enforced on every future build
    = Quality compounding interest

Why CodeFRAME

Nobody else does the full upstream pipeline. Most orchestrators assume issues and specs already exist. CodeFRAME generates them through AI-guided Socratic discovery and recursive decomposition.

Agent-agnostic execution. CodeFRAME does not compete with Claude Code or Codex. It orchestrates them. The built-in ReAct agent is a capable fallback, not the point.

Quality memory (PROOF9). Every failure becomes a permanent proof obligation across 9 verification gates. Not just test coverage -- evidence-based verification that compounds over time. The closed loop is what turns a project into a learning system.

Radical simplicity. Single CLI binary, SQLite, no daemons, no infrastructure. Install and start building in under a minute.

Quick Start

# Install
git clone https://github.com/frankbria/codeframe.git
cd codeframe
curl -LsSf https://astral.sh/uv/install.sh | sh
uv venv && source .venv/bin/activate && uv sync
export ANTHROPIC_API_KEY="your-key"

# Initialize a project
cd /path/to/your/project
cf init . --detect

# Generate requirements through AI-guided discovery
cf prd generate

# Decompose into atomic tasks
cf tasks generate

# Execute (delegates to the agent engine)
cf work start <task-id> --execute

# Ship
cf pr create

That is the entire workflow. Everything else is optional.

Architecture

    YOU
     |
     v
  +-THINK---------------------------------------------+
  |  cf prd generate    Socratic requirements          |
  |  cf tasks generate  Atomic decomposition           |
  +----------------------------+-----------------------+
                               |
                               v
  +-BUILD---------------------------------------------+
  |  cf work start --engine <agent>                    |
  |                                                    |
  |  +-- Claude Code / Codex / OpenCode / ReactAgent   |
  |  |                                                 |
  |  +-- Verification gates (ruff, pytest, BUILD)      |
  |  +-- Self-correction loop (up to 5 retries)        |
  |  +-- Stall detection -> retry / blocker / fail       |
  +----------------------------+-----------------------+
                               |
                               v
  +-PROVE---------------------------------------------+
  |  cf proof run       9-gate quality system [planned]|
  |  cf review          Verification gates             |
  +----------------------------+-----------------------+
                               |
                               v
  +-SHIP----------------------------------------------+
  |  cf pr create       PR with proof report           |
  |  cf pr merge        Merge if proof passes          |
  +---------------------------------------------------+
                               |
            Glitch in production?
                               |
                               v
            cf proof capture -> new requirement
            -> enforced forever (closed loop)

The core domain is headless and runs entirely from the CLI. The FastAPI server and web UI are optional adapters for teams that want a dashboard.

CLI Reference

THINK -- Requirements and Planning

# Workspace
cf init <path>                        # Initialize workspace
cf init <path> --detect               # Auto-detect tech stack
cf status                             # Workspace status

# Requirements
cf prd generate                       # AI-guided Socratic PRD creation
cf prd generate --template lean       # Use a specific template
cf prd add <file.md>                  # Import existing PRD
cf prd show                           # Display current PRD

# Task decomposition
cf tasks generate                     # Generate tasks from PRD (LLM-powered)
cf tasks list                         # List all tasks
cf tasks list --status READY          # Filter by status
cf tasks show <id>                    # Task details with dependencies

# Scheduling
cf schedule show                      # Task schedule with dependencies
cf schedule predict                   # Completion date estimates
cf schedule bottlenecks               # Identify blocking tasks

BUILD -- Execution

# Single task
cf work start <id> --execute          # Execute with default engine (ReAct)
cf work start <id> --execute --engine plan   # Use legacy plan engine
cf work start <id> --execute --verbose       # Detailed progress output
cf work start <id> --execute --dry-run       # Preview without applying
cf work start <id> --execute --stall-timeout 120   # Custom stall timeout (seconds)
cf work start <id> --execute --stall-action retry  # Auto-retry on stall (blocker|retry|fail)
cf work follow <id>                   # Stream live output
cf work stop <id>                     # Cancel a run
cf work resume <id>                   # Resume after answering blockers

# Batch execution
cf work batch run --all-ready                # All READY tasks
cf work batch run --strategy parallel        # Parallel execution
cf work batch run --strategy auto            # LLM-inferred dependencies
cf work batch run --retry 3                  # Auto-retry failures
cf work batch status [batch_id]              # Batch progress
cf work batch resume <batch_id>              # Re-run failed tasks

# Blockers (human-in-the-loop)
cf blocker list                       # Questions the agent needs answered
cf blocker show <id>                  # Blocker details
cf blocker answer <id> "answer"       # Unblock the agent

# Diagnostics
cf work diagnose <id>                 # AI-powered failure analysis
cf env check                          # Validate environment
cf env doctor                         # Comprehensive health check