Skip to content

feat(web): implement seamless workflows, local optimizer fallback, and benchmark UX enhancements#605

Merged
madara88645 merged 6 commits into
mainfrom
chore/jules-instructions-guardrails
May 20, 2026
Merged

feat(web): implement seamless workflows, local optimizer fallback, and benchmark UX enhancements#605
madara88645 merged 6 commits into
mainfrom
chore/jules-instructions-guardrails

Conversation

@madara88645
Copy link
Copy Markdown
Owner

@madara88645 madara88645 commented May 20, 2026

This PR resolves 3 key UX and workflow challenges identified in the first-time user experience walkthrough across the Web Compiler, Token Optimizer, and Benchmark pages.

Copilot AI review requested due to automatic review settings May 20, 2026 10:58
@vercel
Copy link
Copy Markdown

vercel Bot commented May 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
compiler Ready Ready Preview, Comment May 20, 2026 3:53pm

Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves first-time UX and cross-page workflow continuity in the Next.js web app by persisting user prompts, adding clearer “offline/local” fallbacks in the optimizer, and enhancing benchmark status/error UI.

Changes:

  • Persist the last prompt via localStorage and surface RAG context activity status in the compiler UI.
  • Add a local/offline optimizer mode plus “send to compiler” workflow and improved cloud-key error recovery UI.
  • Improve benchmark page UX with demo-mode badging and more actionable API-key error messaging; introduce .jules/ guidance docs.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
web/app/page.tsx Loads/saves last prompt and displays a “RAG Context Active” indicator in the compiler UI.
web/app/optimizer/page.tsx Adds optimizer engine selection (cloud vs local), offline compression fallback, and “Send to Compiler”.
web/app/components/ContextManager.tsx Enhances ingestion status panel with clearer structure and tips.
web/app/benchmark/page.tsx Loads last prompt and improves demo-mode and API key error UX.
CLAUDE.md Adds .jules/ guidance and removes the server-side env-var table section.
.jules/sentinel.md Adds “read first” notice and trims older journal entries.
.jules/palette.md Adds “read first” notice and trims older journal entries.
.jules/instructions.md Introduces authoritative Jules instructions and verification commands.
.jules/bolt.md Adds “read first” notice and trims older journal entries.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread web/app/page.tsx
Comment on lines 148 to +151
} = useCompiler();

const { indexStats } = useContextManager();

Comment thread web/app/page.tsx
const { indexStats } = useContextManager();

useEffect(() => {
window.localStorage.setItem("promptc_last_prompt", prompt);
Comment thread web/app/optimizer/page.tsx
Comment on lines +352 to +355
// Queue the optimize operation instantly
setTimeout(() => {
void handleOptimize();
}, 50);
Comment thread web/app/benchmark/page.tsx
Comment on lines 44 to +48
export default function BenchmarkPage() {
const [prompt, setPrompt] = useState("");
const [prompt, setPrompt] = useState(() => {
if (typeof window === "undefined") return "";
return window.localStorage.getItem("promptc_last_prompt") || "";
});
Comment thread web/app/components/ContextManager.tsx
Comment on lines +98 to +100
<><span>⚠️</span> Ingestion Alert</>
) : (
<><span>ℹ️</span> Status</>
Comment thread CLAUDE.md
Comment on lines 19 to 33
## Runbook
- Backend dev server: `python -m uvicorn api.main:app --reload --port 8080`
- Frontend dev server: `cd web && npm run dev`
- Backend tests: `python -m pytest tests/ -q`
- Focused export tests: `python -m pytest tests/test_export_adapters.py tests/test_llm_providers.py -q`
- MCP tests: `python -m pytest integrations/mcp-server/test_server.py -q`
- Frontend tests: `cd web && npm run test`
- Frontend build: `cd web && npm run build`

## Server-side environment variables
The Next-side proxy and the backend each need their own keys; keep them out of the bundled JS.

| Env var | Side | Purpose |
| --- | --- | --- |
| `PROMPTC_SERVER_API_KEY` | Next.js | Forwarded as `x-api-key` to protected backend routes (generators, analyze). Without it, protected proxy routes return 500. |
| `PROMPTC_PROXY_UPSTREAM_TIMEOUT_MS` | Next.js | Hard upstream-fetch timeout for the proxy (default 25000). Aborts a stuck backend connection with a 504 instead of hanging the route forever. |
| `PROMPTC_GITHUB_TOKEN` (or `GITHUB_TOKEN`) | Backend | Optional. When set, the public-repo analyzer adds `Authorization: Bearer <token>` to GitHub requests, raising the rate limit from 60 req/h (anonymous) to 5000 req/h. |
| `PROMPTC_REPO_CONTEXT_CACHE_TTL` | Backend | Repo-brief cache TTL in seconds (default 600). Set to `0` to disable the in-memory cache. |

## Domain Concepts
- Conservative mode should avoid hallucinated requirements and fake APIs.
- Export surfaces should feel executable, not just prompt-pretty.
- Agent packs can map policy into `CLAUDE.md`, `.claude/settings.json`, `.claude/agents/`, and GitHub workflow assets.
- MCP integration is a first-class bridge for Claude Code, Cursor, and other clients.

@madara88645
Copy link
Copy Markdown
Owner Author

madara88645 commented May 20, 2026

This PR is larger than it may look at first glance, so here is the intended merge context and why it matters.

What this PR is doing

The main purpose of this PR is to remove end-user Prompt Compiler API key requirements from the public/open-source product experience.

In practice, that means:

  • Public-facing app flows should not ask visitors for internal Prompt Compiler keys such as x-api-key, PROMPTC_SERVER_API_KEY, or similar custom auth values.
  • The app should behave like an open-source product that people can open and use, not like a private developer API that expects undocumented internal credentials.
  • Provider credentials such as OPENAI_API_KEY / GROQ_API_KEY remain a server/operator concern, not something the end user is expected to know or supply in the UI.

Key changes included here

  • Removed custom Prompt Compiler API-key gating from the intended public routes and flows.
  • Updated frontend messaging so users are no longer told to provide undocumented internal keys.
  • Updated repository instructions/docs/agent guidance so future agents do not silently reintroduce this requirement.
  • Fixed related CI/smoke/lint issues uncovered while making the auth surface consistent.
  • Added an offline fallback for /validate so public validation does not crash in environments where no upstream LLM key is present.
  • Resolved merge conflicts with main while preserving newer safety/error-handling improvements from upstream.

Why this PR is important

This is not just a small auth tweak. It corrects a product-level mismatch.

Before this change, the repo had multiple places where the system behaved as if a random visitor should already know:

  • what x-api-key is,
  • what PROMPTC_SERVER_API_KEY is,
  • where such a key would come from,
  • and why they would need it in the first place.

For an open-source/publicly usable product, that is a major UX and adoption problem.

The previous behavior created confusion because the application exposed internal protection concepts to end users without giving them any realistic path to succeed. In other words, people could reach the product, try it, and then get blocked by a requirement that was neither documented for them nor appropriate for them.

This PR intentionally removes that mismatch.

Why this should be reviewed carefully before merge

This PR changes an important boundary: who authentication is for.

The explicit decision behind this branch is:

  • Do not use custom Prompt Compiler API keys as a requirement for normal public product usage.
  • If stronger protection is needed later, it should be added through the appropriate mechanisms for the deployment model (for example: rate limits, quotas, login, admin-only controls, infrastructure-level protections, or other operator-owned safeguards).
  • Do not push that burden onto anonymous users through undocumented key prompts.

So if anyone reviewing this PR expected some of these routes to remain protected by end-user-entered Prompt Compiler keys, that would be a product-direction disagreement, not just an implementation detail.

Merge intent

Please merge this PR with the following intent in mind:

  1. Public/open-source users should be able to use the product without learning internal Prompt Compiler auth knobs.
  2. Internal/server/provider credentials should stay internal.
  3. Future agents and contributors should treat reintroducing browser-side Prompt Compiler key prompts as a regression unless there is an explicit product decision to change direction.

Verification notes

The branch was updated to keep smoke/lint/test expectations aligned with this behavior, including the /validate offline fallback so CI does not fail just because provider credentials are absent.

If you are merging this with an AI agent later, the most important thing for the agent to preserve is the policy intent above, not just the literal code diff.

@madara88645
Copy link
Copy Markdown
Owner Author

madara88645 commented May 20, 2026

Deferring this PR for human review rather than auto-merging in the current batch session. CI is green and the PR is MERGEABLE, but the diff bundles three concerns (seamless workflows, local optimizer fallback, benchmark UX) across 34 files and includes a 246-line deletion of web/lib/server/backendProxy.ts + its test file. The branch name (chore/jules-instructions-guardrails) also doesn't match the current title (feat(web): …), suggesting the branch was repurposed. Could you split this into ≤3 focused PRs (one per concern), or post a brief justification for the backendProxy removal so it can be reviewed on its own merits?

@madara88645 madara88645 force-pushed the chore/jules-instructions-guardrails branch from c252121 to 8bb8437 Compare May 20, 2026 15:48
@madara88645 madara88645 force-pushed the chore/jules-instructions-guardrails branch from 8bb8437 to 4e24ecd Compare May 20, 2026 15:52
@madara88645 madara88645 merged commit 039c797 into main May 20, 2026
10 checks passed
This was referenced May 20, 2026
Closed
Merged
madara88645 added a commit that referenced this pull request May 21, 2026
@madara88645 @cursoragent
feat(api): add IP-based rate-limit on public routes (closes #607) (#608)
2ddd34f 
* feat(api): add IP-based rate-limit on public routes (closes #607)

Restore sliding-window limits on the public API surface after #605 removed
verify_api_key. Public buckets use ip:{client_ip}:{route_group} at 20/min
(heavy) and 60/min (default); API-key limits for Jules/admin paths unchanged.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(auth): rate limit repo-context as heavy public route

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
This was referenced May 31, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@madara88645