• Introduction
• AI as a Thinking Companion
• The Human-in-the-Loop Principle
  • Critical Thinking
  • Disruption in the job market
• Centaur vs Cyborg approaches
• Resources
• Conclusion

Introduction

We recently finished reading Co-Intelligence: Living and Working with AI by Ethan Mollick in our company’s book club. The book shares four core principles for AI collaboration and outlines various practical applications. Some really stuck with me, and I’ve tried to incorporate them in my work. Reading the author’s perspective and learning his way of thinking definitely improved how I look at these tools. But if you know me, you know how skeptical I am. There are some chapters and opinions that I don’t agree with.

So in this post, I’ll share the key insights from our book club in the context of software development, plus some personal opinions as always 🙂.

AI as a Thinking Companion

One of the most practical takeaways for me was viewing AI as a co-worker and thinking companion. When done right, this can be incredibly useful. Some people use it heavily for deep research, not so much to delegate tasks for it to do. André Santos gave some examples on the tasks it has been useful, like Terraform code or generating bash scripts. On those tasks, we can write a detailed prompt, alongside proper documentation (e.g. Context7 MCP), and ask it to write Terraform since it’s simpler and faster.

Even just making a POC, or demo, turning an idea you have into working software to see how viable the idea is. That is a perfect use case for delegating the front-end and back-end to AI. It’s not code that will ship to production, it’s a way to make prototypes or quick demo apps that otherwise you’d never spend the time to build.

I’ve enjoyed using models like Claude to help me around my tasks at work because they often uncover possibilities I haven’t thought about. The conversational style of going back and forth helps me fine-tune my own solution. It’s not just “give me code,” it’s “let’s discuss this architecture”. At the end of the conversation, we can generate a good draft of a PRD (Product Requirements Document). Notice I don’t delegate my thinking to it, it’s a tool that helps me think of solutions or just interview me sometimes.

However, it can be annoying. I’d like to minimize the number of times I have to tell it “no, you’re wrong. The Microsoft documentation for Azure Container Apps does not state X as you said” 😅. To fix this, I’ve tried giving an explicit instruction in my system prompts:

"It's also very important for you to verify if there is official documentation that supports your claims and statements. Please find official documentation supporting your claims before responding to a user. If there isn't documentation confirming your statement, don't include it in the response."

I have had better results with this, still not perfect. In a longer conversation, I think it doesn’t always verify the docs (memory limits, perhaps), but sometimes I get the response: “(…) Based on my search through the official documentation, I need to be honest with you (…)”.

I really find it funny that Claude “needs” to be honest with me 😄. Sycophancy is truly annoying, especially since we are talking about AI as a thinking companion. If your AI partner always agrees with you, how useful is it really as a thinking companion?

The Human-in-the-Loop Principle

While Mollick’s vision of a collaborative future with AI is profoundly optimistic, he is also a realist. One of the most important principles, and a recurring theme in the book, is the absolute necessity of human oversight – the “human-in-the-loop” principle. This is a key quote from the book:

For now, AI works best with human help, and you want to be that helpful human. As AI gets more capable and requires less human help — you still want to be that human. So the second principle is to learn to be the human in the loop.

One of Mollick’s key warnings is about falling asleep at the wheel. When AI performs well, humans stop paying attention. This has been referenced by Simon Willison as well, in his recent insightful post 2025: The year in LLMs. All I’m saying is I understand --dangerously-skip-permissions is useful as a tool when used in a secure sandbox environment. But we should verify our confidence level on the AI’s output and the autonomy + tools we give it. If we don’t, we risk using AI on tasks that fall outside the Jagged Frontier, which can lead to security issues, nasty bugs, and hurt our ability to learn.

I say this knowing full well that I trust Claude Opus 4.5 more on any task I give it. So I have to actively force myself to verify its suggestions just as rigorously, verify which tools I gave it access to, and which are denied. For example, I use Claude Code hooks to prevent any appsettings, .env, or similar files from being accessed. I still try to read the LLM reasoning/thinking text, so that I understand better, and simply out of curiosity as well.

I simply can’t forget when I saw the Claude Sonnet 4 and Opus 4 System Card, the “High-agency behavior” Anthropic examined. Whistleblowing and other misalignment problems are possible, for example, this is a quote from the Opus 4.6 System card:

In our whistleblowing and morally-motivated sabotage evaluations, we observed a low but persistent rate of the model acting against its operator’s interests in unanticipated ways. Overall, Opus 4.6 was slightly more inclined to this behavior than Opus 4.5.

All I’m saying is let’s be conscious of these behaviors and results on the evals.

In my opinion, the human-in-the-loop principle is crucial. Don’t just copy/paste or try to vibe your way into production. Engineers are the ones responsible for software systems, not tools or alien minds. If there are users who depend on your software, and your AI code causes an incident in production, you are responsible. Claude or Copilot won’t wake up at 3 AM if prod is on fire (or maybe Azure SRE agent will if you pay for it 🤔…). Having an engineering mindset and being in the driver’s seat is what I expect from myself and anyone I work with.

Critical Thinking

Within this principle, we have a topic I have a lot of strong opinions on. This quote says it all:

LLMs are not generally optimized to say "I don’t know" when they don't have enough information. Instead, they will give you an answer, expressing confidence.

Basically, to be the human in the loop, we really must have good critical thinking skills. This ability plus our experience, brings something very valuable to this AI collaboration – detect the “I don’t know”. It may help to know some ways we can reduce hallucinations in our prompts. But still, we can’t blindly believe AI output is correct based on its confidence that the proposed solution works. Now more than ever, we need to continue developing critical thinking skills and apply them when working with AI, so that in the scenarios where it should have responded “I don’t know”, you rely more on your own abilities.

Sure, there are tasks we are more confident delegating for AI to work on, but the ones we know fall outside the Jagged Frontier, we must proceed with caution and care. We discussed our confidence level with AI output a lot. For example, André Santos said it depends on the task we give it, but André Oliveira also argues that we can only validate the output in the topics we know. It serves as an amplifier because it’s only a tool. If the wielder of the tool doesn’t fact-check the output, we risk believing the hallucinations and false statements/claims. Pedro Vala also talked about a really good quote from the Agentic Design Patterns book that is super relevant to this topic:

An AI trained on "garbage" data doesn’t just produce garbage-out; it produces plausible, confident garbage that can poison an entire process - Marco Argenti, CIO, Goldman Sachs

Now imagine, if we read the AI output, and at first glance it looks okay, but it’s only plausible garbage. Which is a real risk, especially on the AI-generated content that is already available in the internet. Again, I hope developers continue to develop their critical thinking skills and don’t delegate their thinking to tools. Right now, the only process I have of filtering out garbage on the internet is consuming most content from authors I respect, and I know for a fact are real people 😅.

Disruption in the job market

Mollick also talks about the disruption in the job market, which is a hot topic in our industry. Especially the impact AI has on junior roles. We have debated this in a few sessions of our book club, and again, critical thinking and adaptability are crucial. We simply have to adapt and learn how to use this tool, nothing less, nothing more. How much value we bring to the table when working with AI matters, especially if the value you bring is very tiny. If you don’t bring any value to the table and just copy/paste, you are not a valuable professional in my view.

It’s a good idea to keep developing our skills and expertise. Andrej Karpathy talks about intelligence “brownout” when LLMs go down, this is extremely scary to me, especially if I see this behaviour in junior or college grads. I truly hope we stop delegating so much intelligence to a tool. I don’t want engineers to rely on LLMs when production is down and on fire. It would be sad to see engineers not knowing how to troubleshoot, how to fix these accidents in production… just because AI tools are not available 😐.

Centaur vs Cyborg approaches

The book distinguishes between two ways of working with AI:

1. Centaur: You divide tasks between human and machine. You handle the “Just me” tasks (outside the Jagged Frontier), and delegate specific sub-tasks to the AI that you later verify.
2. Cyborg: You integrate AI so deeply that the workflow becomes a hybrid, often automating entire processes.

For software development, I’m definitely in the Centaur camp right now. We should be careful about what tasks we delegate. Again, remember the “falling asleep at the wheel”. When the AI is very good, humans have no reason to work hard and pay attention. They let the AI take over instead of using it as a tool, which can hurt our learning process and skill development. Or in some scenarios, it can lead to your production database being deleted…

This is just a tool. We are still responsible at work. If the AI pushes a bug to production, you pushed a bug to production!

The author does give some “Cyborg examples” of working with AI, here is a quote from the book:

I would become a Cyborg and tell the AI: I am stuck on a paragraph in a section of a book about how AI can help get you unstuck. Can you help me rewrite the paragraph and finish it by giving me 10 options for the entire paragraph in various professional styles? Make the styles and approaches different from each other, making them extremely well written.

This is that ideation use case that is super useful when you have writer’s block, or just want to brainstorm a bit on a given topic. In our industry, a lot of teams are integrating AI in many phases of the SDLC. I haven’t found many workflows that work well in some parts of the SDLC, since we are focusing on adopting AI for coding and code review. But in most workflows, the cyborg practice is to steer more the AI and manage the tasks where you collaborate with AI as a co-worker.

The risk remains even when someone uses cyborg practices, but then fails to spot hallucinations or false claims. The takeaway is really to be conscious of our AI adoption and usage. The number one cyborg practice I try to do naturally is to push back. If I smell something is off, I will disagree with the output and ask the AI to reconsider. This leads to a far more interesting back-and-forth conversation on a given topic.

Resources

Here are some resources if you want to dive deeper:

• Co-intelligence by Ethan Mollick
• Navigating the Jagged Technological Frontier
• Agentic Design Patterns: A Hands-On Guide to Building Intelligent Systems
• Andrej Karpathy: Software Is Changing (Again)
• Centaurs and Cyborgs on the Jagged Frontier
• Why LLMs Can’t Really Build Software
• Why language models hallucinate | OpenAI

Conclusion

This was a great book, I truly recommend it to anyone who is interested in the slightest by AI. Co-intelligence is something we can strive for, focusing on adopting this new tool that can help us develop ourselves. Our expertise and our skills. When it was written, we had GPT 3.5 and GPT-4 was recent I believe… now we have GPT-5.3-Codex, Opus 4.6, GLM 4.7, and Kimi K2.5. I mean, in 2 years things just keep on changing 😅. The Jagged Frontier will keep changing, so this calls for experimentation. AI pioneers will do most of this experimentation, running evals and whatnot, to understand where each type of task falls in the Jagged Frontier. Pay attention to what they share, what works, and what doesn’t.

AI has augmented my team and me, mostly on “Centaur” tasks while we improve our AI fluency and usage. In my personal opinion, I don’t see us reaching the AGI scenario Ethan talks about in the last chapter. Actually, most of our industry talks and continues to hype AGI… even the exponential growth scenario raises some doubts for me.

But I agree with Ethan when he says: “No one wants to go back to working six days a week (…)” 😅. We should continue to focus on building our own expertise, and not delegating critical thinking to AI. There is a new skill in town, we now have LLM whisperers 😅, and having this skill can indeed augment you even further. Just remember the fundamentals don’t change. Engineers still need to know those! There are hundreds of “Vibe Coding Cleanup Specialist” now 🤣. Let’s remember to be the human in the loop. Apply critical thinking to any AI output, do fact-checking, and take ownership of the final result. Please don’t create AI slop 😅.

Hope you enjoyed this post! My next blog post will be about how we are using agentic coding tools, so stay tuned! Feel free to share in the comments your opinion too, or reach out and we can have a chat 🙂.

If you’re interested, check out my latest blog posts about AI:

• Lessons learned improving code reviews with AI
• Becoming augmented by AI

The post Book Review: Co-Intelligence by Ethan Mollick appeared first on Blog IT.

• Introduction
• Why we started experimenting
• Our AI code review journey
  • Claude Code
  • Saving learnings in memory
  • GitHub Copilot
  • CodeRabbit and Qodo
• Tool of choice
  • Improving multi-agent collaboration
• Resources
• Conclusion

Introduction

I have loved code reviews for years now, and still to this day, I love seeing good open source PRs! When I say good, I mean really great! We have access to tons of open source code, and the greatest PRs are the ones where you can learn a lot from on how to do it right. In a sense, this blog post is about just that. This blog post is part of a series where I share how AI is augmenting my work, and what I’m learning from it. If you’re interested, you can read the first post here: Becoming augmented by AI. In that post, I reference how AI has augmented me with an “initial code review”, but now I’ll go deeper into this topic. I’ll share our hands-on experience: what works, what doesn’t, and a healthy dose of my opinions along the way 😄.

Quick disclaimer: what works for us might not work for you. Your team and coding guidelines are different, and that’s fine. These are just our honest experiences.

With that said, let’s dive into why we started incorporating AI tools in our code review process.

Why we started experimenting

I recently watched this amazing video by CodeRabbit. In our team, code review isn’t really the bottleneck (yet), but it’s funny because we are also using AI heavily for feature development and trying to improve… hummm “velocity” 🤣.

Anyway, I understand many teams nowadays have increased the number of PRs created. That some PRs simply get a blind LGTM.

Maybe some PRs just have increasingly more AI slop… which wears down senior engineers tasked to do code review 😅. Not all professionals would want to do it right or maybe they just want to ship because their company’s “productivity metrics” incentivize merging more and more PRs 😅. Honestly, it’s our job to deliver code we have proven to work, I fully agree with Simon Willison. Throwing slop over to the engineers that do code review is unprofessional, just as much as throwing untested features over to QA 😐. In our case, we changed to having a dedicated dev responsible for all code reviews, and we don’t have that many per day. We simply wanted to improve code quality and reduce bugs, while keeping code review as an educational process for junior engineers.

About five months ago, our team started experimenting with AI tools, GitHub Copilot, Claude Code, Codacy, Qodo, and CodeRabbit to see how they could help us improve our review process without adding a ton of noise. There are more tools we didn’t try, like Augment Code and Greptile (has some cool benchmarks), but hopefully the lessons we learned will be useful to you either way.

Our AI code review journey

We already talked in the last post about our custom instructions, to some extent. Specifically for code review we took a phased approach and started comparing different tools:

1. Started with GitHub Copilot Code Review
2. Integrated Claude Code with GitHub and started comparing code reviews from both tools
3. Added CodeRabbit, Qodo and Codacy to spot differences between them
4. Refined prompts/instructions/configs for some tools

We didn’t invest equal time in all of them, though. Copilot and Claude ended up getting most of our attention, especially since we started using Copilot Code Review (CCR) when it was in public preview. Overall, we experimented with these tools in 30+ PRs, and made 20+ PRs to refine our prompts/instructions/agents.

Claude Code

Let’s go through Claude Code first. Here is a snippet of our code-review Claude Code custom slash command:

---
allowed-tools: Bash(dotnet test), Read, Glob, Grep, LS, Task, Explore, mcp.....
description: Perform a comprehensive code review of the requested PR or code changes, taking into consideration code standards
---

## Role

You are a world-class autonomous code review agent. You operate within a secure GitHub Actions environment.
Your analysis is precise, your feedback is constructive, and your adherence to instructions is absolute.
You do not deviate from your programming. You are tasked with reviewing a GitHub Pull Request.

## Primary Directive

Your sole purpose is to perform a comprehensive and constructive code review of this PR, and post all feedback and suggestions using the **GitHub review system** and provided tools.
All output must be directed through these tools. Any analysis not submitted as a review comment or summary is lost and constitutes a task failure.

## Input data
PR NUMBER: $ARGUMENTS

You MUST follow these steps to review the PR:
1. **Start a review**: Use `mcp__github__create_pending_pull_request_review` to begin a pending review
2. **Get diff information**: Use `mcp__github__get_pull_request_diff` to understand the code changes and line numbers
3. **Get list of files**: If you can't get diff information, use `mcp__github__get_pull_request_files` to get the list of files that were added, removed, and changed in the pull request
4. **Add comments**: Use `mcp__github__add_comment_to_pending_review` for each specific piece of feedback on particular lines
5. **Submit the review**: Use `mcp__github__submit_pending_pull_request_review` with event type "COMMENT" (not "REQUEST_CHANGES") to publish all comments as a non-blocking review

You can find all the code review standards and guidelines that you MUST follow here: `.github/instructions/code-review.instructions.md`

## Output format

**CRITICAL RULE** - DO NOT include compliments, positive notes, or praise in your review comments.
Be thorough but filter your comments aggressively - quality over quantity. Focus ONLY on issues, improvements, and actionable feedback.

**Output Violation Examples** (DO NOT DO THIS):
`The code follows best practices by...`
`Positive changes/notes`

**Important**: Submit as "COMMENT" type so the review doesn't block the PR.

Yes, some wording might be weird like praising the AI with “You are a world-class” or “your adherence to instructions is absolute”. Like we mentioned about using uppercase “DO NOT” or “IMPORTANT”, and others, I can’t explain some of this stuff or find enough research that claims this affects how the LLM pays attention to instructions. I just experiment and learn, and Gemini likes to use this phrase for code reviews as well 😄 (as well has 115 other devs on GitHub 😅).

To be honest, we still have too much noise in AI PR comments, or just tons of fluff. The bright side is, at least the compliments have kind of disappeared 😅 . You might enjoy getting this:

I don’t 🤣, especially when 1 PR has 5 of these. I do praise comments for my team yes, because positive comments are good… when it comes from a human who knows the other person, IMO. Also, there are many comments that don’t belong in a PR, they belong in a linter or other tools. We have CSharpier and .NET analyzers for that.

It also doesn’t have the best GitHub integration for now, at least we’ve had some problems (400 errors, branch 404 errors) with the GitHub action. Like not having access to GitHub mcp tools, even though we set it in allowed-tools option.

Anyway, we iterated a lot on instructions and prompts so far, since we use them for both Claude and Copilot. Here is a quick recap of what features we use from Claude Code:

• Sub-agents (custom and built-in)
• Built-in /review and security review commands
• Custom slash commands (code-review.md)
• Plugins, specifically code-review plugin authored by Boris Cherny

We leverage those 2 built-in commands, in parallel, but it’s just to see if we get any good feedback. Our custom code review slash command already does a good review following our guidelines, plus the “code-review” plugin from Boris is works very well with parallel agents. We basically went through the famous spiral:

Write CLAUDE.md -> Ask for code review -> Find bad comments and noise we don't want -> Re-write CLAUDE.md and other files -> Do some meta-prompting -> Repeat

Like I said, our custom code review prompt/command has evolved through time, and was refined when we learned something new. We started with this incredible suggestion to use the GitHub MCP. We also searched for other GitHub repos, mostly .NET related to see how they set up their instructions. In case they have anything particular around code review (e.g. for GitHub Copilot). I find .NET Aspire to be a super cool real-life example 🙂 . I think a lot of their AI adoption is lead by David Fowler. So I often check their PRs to see what we can learn from them, e.g. this one.

Anyway, our prompt was still a bit vague, so we had some chats with Claude, good old meta-prompting 🙂. After a while, Claude suggested a new file that has all the coding standards and bad smells we want to avoid – code-review.instructions.md. It does live under .github/instructions but it doesn’t matter, Claude can use it. The bad smells are specific and we see them referenced quite often in our PRs now. Still, we don’t have a perfect solution for overly large PRs. We simply communicate more often or have more than one dev working in the PR for those cases. When a feature genuinely requires lots of new code, the best forum to debate and provide actionable feedback is by talking. Sure, this isn’t always possible, people are busy or prefer async work. In our team going on call, or during the demo of the PR, helps make large PRs way more digestible. Draft PRs also work somewhat, to get some feedback early on.

Avoiding noise comments

Our biggest lesson learned here is running locally our custom slash command for code review and using sug-agents. Locally, we can try to provide the proper context for the review, the rest is the agent using tools and doing reasoning. No noise gets sent to GitHub comments because all the back-and-forth is done in the chat, plus right now Claude Code works better locally, not on GitHub Actions. Having sub-agents has been amazing since the main reason Claude Code uses it is for context management. Since we now have a built-in Explore sub-agent, our code review command uses that in order to have Explore sub-agents run in parallel (with Haiku 4.5) and not clog up the main context window.

I’ve learned recently of other devs using a different workflow, basically leveraging the Task tool for the main agent to spawn sub-agents. Whichever way you want to do it, using a sub-agent that is focused on exploring the codebase and potential impacts of this PR is something I recommend.

Saving learnings in memory

Every once in a while, once we’ve merged a few PRs. We use Claude to improve itself again based on these PRs. This is our prompt:

Please look at the 5 most recent PRs in our GitHub repository, and check for learnings in order to improve the code review workflow. Please ultrathink on this task, so that all necessary memory files are updated taking into account these learnings, like @CLAUDE.md and @.github\instructions\ Focus on seeing code review comments that were good and made it into the codebase afterwards (e.g. coding standards violations). Ignore bad comments that were resolved with a "negative comment" or thumbs down emoji. Ask me clarifying questions before you begin. YOU MUST create a changelog file explaining why you made these edits to instruction files. Each learning must reference a PR that exists. The best is for you to link the exact comment that you used for a given learning

At the end of the session, we usually have a few items that are good enough to add. Mostly are learnings around bugs we can catch earlier, some are coding standards. Honestly, a lot of suggestions aren’t what I want or I just think they won’t be useful in future code reviews. But doing this has been important for me to also take a step back and think about what we can learn from the work we’ve already merged. I reflect on it and then discuss with my team. I’ve seen others also talk about this idea and have a learnings.md, e.g. this repo. At least this process seems better for us than simply using emojis to give feedback that CodeRabbit blog also eludes to 😅.

GitHub Copilot

Copilot’s code review features were super basic in the beginning. We tried and experimented with it a lot when it came out. It only caught nitpicks, console.log and typos, really not helpful on any other area. Sure catching this is good, but a human reviewer catches that in the first pass too. It didn’t support all languages so we often got 0 comments or feedback. Then in the last months, completely different, night and day.

If you have seen GitHub Universe, you know what’s new. But in case you don’t know, the GitHub team has invested heavily in Copilot code review and coding agent, and it shows. The code review agent is often right in every comment, it makes suggestions that are actually based on our instructions and memory files, meaning our PRs follow consistent code style and team conventions (with a link to these docs).

And the agent session is somewhat transparent, since you can view it in GitHub actions now:

I mean “somewhat” because there are things I can’t configure, just like Claude Code and most tools, I guess 😅. In the logs I can see the option UseGPT5Model=false, and that it’s using Sonnet 4.5. There is also this “MoreSeniorReviews” flag that I couldn’t find any info on, and believe me… I wanted to because it was set to false 🤣 – the logs show ccr[MoreSeniorReviews=false;EnableAgenticTools=true;EnableMemoryUsage=false...

Are you telling me there could be a hidden way to get a more senior review… sign me up! Jokes aside, I couldn’t find much info on the endpoint api.githubcopilot.com/agents/swe of CAPI (presumably Copilot API) the Autofind agent was calling, and the contents of the ccr/callback saved in results-agent.json. I can only hope some of these options are configurable in the future.

I checked the MCP docs, hoping to find details about these options, but no luck.

Anyway, it also now has access to CodeQL and some linters, which is amazing because we didn’t have this before. It’s the way we are able to leverage CodeQL analysis in all our PRs now, we couldn’t do this in any other AI code review tool. We also see that it calls the tool “store_comment” during its session, and only submits the comments to GitHub in the end. This is useful since sometimes it stores a comment because it thought something was wrong in the implementation, and afterwards it read more code into context that invalidated the stored comment, so it no longer submits that comment in the PR. Much like the CodeRabbit validation agent, reducing the amount of noise we get in PRs.

CodeRabbit and Qodo

Let’s start with the cool features CodeRabbit has:

• Code diagrams in Mermaid
• Generates a poem! Yes, a poem for my PR
• Summary of changes added to the description

Now… I gotta be honest, I don’t care about any of them 😅. They are cool, but I only glance at the poem or ignore it. Never read or care about the summary; I get one from Copilot and edit it myself. All code and sequence diagrams I saw generated in our PRs, were simply not useful, but a lot are from front-end code. I simply don’t look at them later, and if it makes sense, we update our architecture diagrams later once the code is merged. With that said, the code suggestions and feedback it obscene. By far the best code review AI tool when it comes to actionable and valuable feedback/suggestions (by a long shot)! Even if we didn’t configure .coderabbit.yaml or tried to optimize it, CodeRabbit already uses Claude and Copilot instructions so the work we did on those was probably used in CodeRabbit. In some of our PRs it caught some nasty bugs and gave super useful feedback. Our team was impressed!

The insights CodeRabbit adds during code review piqued my interest. I read a few of their blog posts on context engineering like this one, where I found it interesting that there is a separate validation agent before submitting comments. This is probably why they maintain a high signal-to-noise ratio. I also read their open-source version of CodeRabbit, they have some prompts there. I know it’s old, but it’s what I have access to. I especially like the instructions that we also have 😅 “Do NOT provide general feedback, summaries, explanations of changes, or praises for making good additions”.

We basically tried to have Claude and Copilot understand our large codebase, not focusing only on the PR diff. It’s harder, we still have a lot to improve here. CodeRabbit claims it’s known to be great at understanding large codebases. I don’t see any research backing this, just opinions. But yes, we humans don’t like large PRs either:

In my opinion I couldn’t find that many large PRs that were way better reviewed by CodeRabbit, in comparison to Claude Code and Copilot. But one thing we liked a lot is that it uses collapsed sections in markdown very well, for example:

But I mean, we did have cases that we tried to use Claude Code for code review on a PR that was reviewed by CodeRabbit, and like ~60% of the context window was comments made by CodeRabbit. All that markdown ain’t friendly for AI with limited context windows. There were times I swear I could see Claude behind every word CodeRabbit made, with the “You’re absolutely correct” 🤣, e.g.

But it could be GPT models or whatever, we never truly know what is behind these products 🙂.

Qodo

As for Qodo, we liked the fact it checks for compliance and flags violations as non-compliant (no other tool had this built in). This was previously just a bullet point in our markdown file. The code review feedback was good, sometimes we ended up doing the suggested changes Qodo leaves in the comment. After reading more about what compliance checks Qodo does, we improved by adding specific instructions on our code-review.instructions.md for ISO 9001, GDPR and others:

## Regulatory Compliance Checks

### Data Protection (GDPR/HIPAA/PCI-DSS)
- Does this code handle PII (Personally Identifiable Information)?
- Are sensitive fields properly encrypted at rest and in transit?
- Is data retention policy followed (deletion after X days)?
- Are audit logs created for data access?
- Is data anonymization/pseudonymization applied where required?

### Security Standards (SOC 2 / ISO 27001)
- Are all external API calls wrapped with proper error handling?
- Is input validation present for all user inputs?
- Are authentication checks present on all sensitive endpoints?
- Are secrets/credentials stored securely (no hardcoding)?
- Is sensitive data logged or exposed in error messages?

We kept experimenting with Qodo for longer than CodeRabbit, but the insights and feedback never reached the level of CodeRabbit. It was still a good tool that improved our codebase and sparked good discussions.

Tool of choice

Our prompts/instructions can still be improved, of course. We’ve experimented with different prompts, memory and instruction files. We’ve also researched how other teams use AI for code review, and how tools like CodeRabbit do context engineering. All of this is because our goal is to continue to improve our software development process and ensure high quality. Adopting new tools is a way of achieving this goal. Given that most AI code review tools have a price tag, we decided to focus on using only one/two tools and optimizing them. Yes, it’s Claude Code and GitHub Copilot 😄. I basically use 100% of both Copilot and Claude every month, but I get more requests from Claude even though I hit the weekly rate limit every time.

We know CodeRabbit is amazing, and these paid AI tools will continue getting better. There is actually a new tool supporting code review we didn’t use, Augment Code (these AI companies move so fast 😅). No amount of customizing our setup with Claude or Copilot will reach the same output as these specific code review paid tools. But for us, it makes more sense to pay for one tool, for example, and leverage it in multiple steps of our software development lifecycle.

Improving multi-agent collaboration

Claude and Copilot are working very well for our code review process. But like I’ve been saying, there is work to do. We learned a lot from using each tool, but there are more areas to improve, at least in Claude Code since we have more flexibility there. I’m currently looking at implementing the “Debate and Consensus” multi-agent design pattern (Google DeepMind paper and Free-MAD), basically a group chat orchestration. I just want to try it out, I’m not sure I’ll have better code reviews by having different agents (e.g. Security, Quality and Performance) debate and review the code through different perspectives. If they run sequentially, the quality agent can have questions for the performance agent, and each can agree or disagree with the reported issues. We can try out the LLM-as-a-Judge as well, to focus on reducing noise and following code quality standards.

Anyway, we’ll continue learning, optimizing, and improving the way we work 🙂.

Resources

• Why AI will never replace human code review
• AI Code Reviews with CodeRabbit’s Howon Lee
• CodeRabbit report: AI code creates 1.7x more problems
• Awesome reviewers GH repo
• Anthropic’s NEW Claude Code Review Agent (Full Open Source Workflow)
• How I Use Every Claude Code Feature

Conclusion

The number one thing we learned is: experimentation is king. Like we talked before, the Jagged Frontier changes with every model release. Claude Opus 4.5 behaves a bit differently, for example, on tool triggering… maybe we can stop shouting and being aggressive 🤣. We must experiment and keep learning. We can’t calibrate the prompt once and expect the best result.

For now we are quite happy, the human reviewer has more time to focus on design decisions and discuss trade-offs with the author of the PR. I don’t envision a future where AI does 100% of the code review.

If you’re considering AI for code reviews, my advice is simple: just try it. Pick one tool, run a one-month pilot, and see what happens. The worst case is you turn it off. The best case is that your team becomes augmented and probably improves code quality.

My next blog post in this series will be about how we are using agentic coding tools! Are you using AI code review tools? I’d love to hear from you what your experience has been. Leave a comment and let’s chat 🙂 .

The post Lessons learned improving code reviews with AI appeared first on Blog IT.

• Introduction
• The “Jagged Frontier” concept
• Becoming augmented by AI
  • AI as a co-worker
  • AI as a co-teacher
• My augmentation list
  • Custom instructions
  • Meta-prompting
• Resources
• Conclusion

Introduction

We’re deep into Co-Intelligence in Create IT’s book club — definitely worth your time! Between that and the endless stream of LLM content online, I’ve been in full research mode. Still, I can’t just watch and hear others talk about these tools, I must experiment myself and learn how to use them for my use cases.

Software development is complex. My job isn’t just churning out code, but there are many concepts in this book that we’ve internalized and started adopting. In this post, I’ll share my opinions and some of the practical guidelines our team has been following to be augmented by AI.

The “Jagged Frontier” concept

The Jagged Frontier described by the author Ethan Mollick is an amazing concept in my opinion. It’s where tasks that appear to be of similar difficulty may either be performed better or worse by humans using AI. Due to the “jagged” nature of the frontier, the same knowledge workflow of tasks can have tasks on both sides of the frontier according to a publication where the author took part.

This leads to the Centaur vs. Cyborg distinction which is really interesting. Using both approaches (deeply integrated collaboration and separation of tasks) seems to be the goal to achieve co-intelligence. One very important Cyborg practice seen in that publication is “push-back” and “demanding logic explanation”, meaning we disagree with the AI output, give it feedback, and ask it to reconsider and explain better. Or as I often do, ask it to double-check with official documentation that what it’s telling me is correct. It’s also important to understand that this frontier can change as these models improve. Hence, the focus on experimentation to understand where the Jagged Frontier lies in each LLM. It’s definitely knowledge that everyone in the industry right now wants to acquire (maybe share it afterwards 😅).

Becoming augmented by AI

I’m aware of the marketed productivity gains, where GitHub Copilot usage makes devs 55% faster, and other studies that have been posted about GenAI increasing productivity. I’m also aware of the studies claiming the opposite 😄 like the METR study showing AI makes devs 19% slower. However, I don’t see 55% productivity gains for myself, and I don’t think it makes me slower either.

In my opinion, productivity gains aren’t measured by producing more code. Number of PRs? Nope. Acceptance rate for AI suggestions? Definitely not! I firmly believe the less code, the better. The less slop the better too 😄. I’m currently focused on assessing DORA metrics and others for my team, because we want to measure how AI-assisted coding and the other ways we use it as an augmentation tool, actually improves those metrics, or make them worse. The rest of marketing and hype doesn’t matter.

Ethan Mollick provides numerous examples and research on how professionals across industries are already leveraging AI tools, like the Cyborg approach. But if we focus on our software industry, what does it mean for a tech lead to be augmented by AI? What tasks would be good to involve an AI in without compromising quality?

AI as a co-worker

For a tech lead that works with Azure services, an important skill is to know how to leverage the correct Azure services to build, deploy, and manage a scalable solution. So it becomes very useful to have an AI partner that can have a conversation about this, for example about Azure Durable Functions. This conversation can be shallow, and not get all the implementation details 100% correct. That’s okay, because the tech lead (and any dev 😅) also needs to exhibit critical thinking and evaluate the AI responses. This is not a skill we want to delegate to these models, at least in my opinion and in the author’s opinion. There is a relevant research paper about this by Microsoft as well.

The goal can simply be to have a conversation with a co-worker to spark some new ideas or possible solutions that we haven’t thought of. Using AI for ideation is a great use case, not just for engineering, but for product features too like UI/UX, important metrics to capture, etc. If it generates 20 ideas, there is a higher chance you find the bad ones, filter them out, and clear your mind or steer it into better ideas. Here is an example to get some ideas on fixing a recurring exception:

It asks clarifying questions so that I can give it more useful context. Then I can see the response, iterate, or ask for more ideas, etc. I usually always set these instructions for any LLM:

Ask clarifying questions before giving an answer. Keep explanations not too long. Try to be as insightful as possible, and remember to verify if a solution can be implemented when answering about Azure and architecture in general.
It's also very important for you to verify if there is official documentation that supports your claims and statements. Please find official documentation supporting your claims, before responding to a user. If there isn't documentation confirming your statement, don't include it in the response.

That is also why it searches for docs. I’ve gotten way too many statements in the LLM’s response that when I follow-up on, it realizes it made an error, or assumption, etc. When I ask it further about that sentence that it just gave me, I just get “You’re right – I was wrong about that”… Don’t become too over-reliant on these tools 😅.

AI as a co-teacher

With that said, the tech lead and senior devs are also responsible for upskilling their team by sharing knowledge, best practices, challenging juniors with more complex tasks, etc. And this part of the job isn’t that simple; it’s hard to be a force multiplier that improves everyone around you. So, what if the tech lead could use AI in this way, by creating reusable prompts, documentation, and custom agents? How about the tech lead uses AI as a co-teacher, and then shares how to do it with the rest of the team? All of these are then able to help juniors be onboarded, help them understand our codebase and our domain. Claude Code Best practices post also reference onboarding as a good use case that helps Anthropic engineers:

“At Anthropic, using Claude Code in this way has become our core onboarding workflow, significantly improving ramp-up time and reducing load on other engineers.”

A lot of onboarding time is spent on understanding the business logic and then how it’s implemented. For juniors, it’s also about the design patterns or codebase structure. So I really think this is a net-positive for the whole team.

My augmentation list

It might not be much, but these are essentially the tasks I’m augmented by AI:

Technical:

• Initial code review (e.g. nitpicks, typos), some stuff I should really just automate 😅
• Generate summaries for the PR description
• Architectural discussions, including trade-off and risk analysis
  • Draft an ADR (Architecture decision record) based on my analysis and arguments
• Co-Teacher and Co-Worker
  • “Deep Research” and discussion about possible solutions
  • Learn new tech with analogies or specific Azure features
  • Find new sources of information (e.g. blog posts, official docs, conference talks)
• Troubleshooting for specific infrastructure problems
  • Generating KQL queries (e.g. rendering charts, analyzing traces & exceptions & dependencies)
• Refactoring and documentation suggestions
• Generation of new unit tests given X scenarios

Non-technical

• Summarizing book chapters/blog posts or videos (e.g. NotebookLM)
• Role play in various scenarios (e.g. book discussions)

Of course, we also need to talk about the tasks that fall outside the Jagged Frontier. Again, these can vary from person to person. From my usage and experiments so far, these are the tasks that currently fall outside the frontier:

• Being responsible for technical support tickets, where a customer encountered an error or has a question about our product. This involves answering the ticket, asking clarifying questions when necessary, opening up tickets on a 3rd party that are related to this issue, and then resolving the issue.
• Deep valuable code review. This includes good insights, suggestions, and knowledge sharing to improve the PR author’s skills. CodeRabbit does often give valuable code reviews, way better than any other solution. Still not the same as human review 🙂
• Development of a v0 (or draft) for new complex features
• Fixing bugs that require business domain knowledge

Delegating some of those tasks would be cool, at least 50% 😄, while our engineering team focuses on other tasks. But oh well, maybe that day will come.

AI-assisted coding

AI-assisted coding can be very helpful on some tasks, and lately my goal is to increase the number of tasks AI can assist me. In our team, we’ve read Claude Code Best practices in order to learn and see what fits best for our use case. Then we dive deeper in some topics that post references, for example these docs were very useful to learn about Claude’s extended thinking feature, complementing the usage of “think” < “think hard” < “think harder” < “ultrathink”. We also found this post by Simon about this entire feature that was interesting. In most tasks, using an iterative approach, just like normal software development, is indeed way better than one-shot with the perfect prompt. Still, if it takes too many iterations, like some bugfixes were too complex because it’s hard to pinpoint the location of the bug, then it loses performance and overall becomes bad (infinite load spinner of death 🤣).

Before we can use AI-assisted coding on more complex tasks, we need to improve the output quality. So we’ve invested a lot of time in fine-tuning custom instructions and meta-prompting. Let’s talk about these two.

Custom Instructions

According to Copilot docs, instructions should be short, self-contained statements. Most principles in prompt engineering are about being short, specific, and making sure our critical instructions is something the model takes special attention to. Like everyone talks about, the context window is very important, so it’s really good if we can just have an instruction file of 200 lines. The longer our instructions are, the greater the risk that the LLM won’t follow them, since it can pay more attention to other tokens or forget relevant instructions. With that said, keeping instructions short is also a challenge when we use the few-shot prompting technique and add more examples.

To build our custom instructions, we used C# and Blazor files from the awesome-copilot repo and other sources of inspiration like parahelp prompt design to get a first version. We wanted to know what techniques other teams use. Then we made specific edits to follow our own guidelines and removed rules specific to explaining concepts, etc. We also added some capitalized words that are common in system prompts or commands, like IMPORTANT, NEVER, ALWAYS, MUST. The IMPORTANT word is also at the end of the instruction, to try and refocus the attention to coding standards:

IMPORTANT: Follow our coding standards when implementing features or fixing bugs. If you are unsure about a specific coding standard, ask for clarification.

I’m not 100% sure how this capitalization works, or why it works… and I have not found docs/evidence/research on this. All I know is that capitalized words have different tokens than lowercase. It’s probably something the model pays more attention to, since in the training data, when we use these words, it means it’s important. I do wish Microsoft, OpenAI, and Anthropic included this topic on capitalization in their prompt engineering docs/tutorials.

It’s at the end of our file since it’s also being researched that the beginning and end of a prompt are what the LLM pays more attention to and finds more relevant. Some middle parts are “meh” and can be forgotten. Microsoft docs say the same essentially, it’s known as “recency bias“. In most prompts we see, this section exists at the end to refocus the LLM’s attention.

Meta-prompting

Our goal also isn’t to have the perfect custom instructions and prompt, since refining it later with an iterative/conversational approach works well. But we came across the concept of meta-prompting, a term that is becoming more popular. Basically, we asked Claude how to improve our prompt, and it gave us some cool ideas to improve our instructions/reusable prompts.

But don’t forget to use LLMs with caution… I keep getting “You’re absolutely right…” and it’s annoying how sycophantic it is oftentimes 😅

The quality of the output is most likely affected by the complexity of the task I’m working on too. Prompting skills only go so far, from what I’ve researched and learned so far, I can say there is a learning curve for understanding LLMs. So we need to continue experimenting and learning the layers between our prompt and the output we see.

Resources

This is not an exhaustive list by any means, just some resources I find very useful:

• Andrej Karpathy – How I use LLMs
• Andrej Karpathy: Software Is Changing (Again)
  • Related to this is this post from Nate Jones
• Does AI Actually Boost Developer Productivity? (100k Devs Study) – Yegor Denisov-Blanch, Stanford
• Claude Code: Best practices for agentic coding
• Why LLMs Can’t Really Build Software
• Is AI the Future of Software Development, or Just a new Abstraction? Insights from Kelsey Hightower
• GPT-5 prompting guide

Conclusion

I’ve enjoyed learning and improving myself over the years. But with GenAI I now feel like I could learn a lot more and improve myself even further since I’m choosing them as augmentation tools. Hopefully, this article motivates you to pursue AI augmentation for yourself. It’s okay to be skeptical about all the hype you watch and hear around these tools. It’s a good mechanism to not fall for all the sales pitches and fluff CEO’s and others in the industry talk about. Just don’t let your skepticism prevent you from learning, experimenting, building your own opinion, and finding ways of improving your work 🙂.

Still… I can’t deny my curiosity to know more about how these systems work underneath. How is fine-tuning done exactly? How does post-training work? Can these models emit telemetry (logs, traces, metrics) that we can observe? Why does capitalization (e.g. IMPORTANT, MUST) or setting a role/persona improve prompts? Can we really not have access to a high-level tree with the weights the LLM uses to correlate tokens, and use it to justify why a given output was produced? Or why an instruction given as input was not followed? It’s okay to just have a basic understanding and know about the new abstractions we have with these LLMs. But knowing how that abstraction works leads to knowing how to transition to automation.

I will keep searching and learning more in order to answer these questions or find engineers in the industry who have answered them. Especially around interpretability research, which is amazing!!! I recommend reading this research, for example – Tracing the thoughts of a large language model. Hope you enjoyed reading, feel free to share in the comments below how you use AI to augment yourself 🙂.

The post Becoming augmented by AI appeared first on Blog IT.

• Introduction
• Get Started
• Logs
  • Canonical logs
• Traces
• Metrics
• General Best Practices
• Resources
  • GitHub demo repo
• Conclusion

Introduction

In this small post, I’ll share some resources, notes I’ve taken while learning, and best practices for making our systems observable. I’ve always had a knowledge gap regarding observability, and recently I’ve truly enjoyed learning more about this area in our software industry.

Quick note: In this post I’ll only share about 3 telemetry signals. Profile is another signal that I will research in the future.

Get Started

Follow these steps to get started with auto-instrumentation in your application using OpenTelemetry: https://opentelemetry.io/docs/languages/net/getting-started/#instrumentation

For OpenTelemetry in a front-end app you can check these useful resources:

• Grafana faro
• Next.js
• Guide for OpenTelemetry in Next.js
• Browser OpenTelemetry getting started

Client-side instrumentation in OpenTelemetry is part of their roadmap which is great to see, since I’ve only seen vendor-specific solutions and products for front-end apps (e.g. New Relic, Datadog). For browser instrumentation otel doesn’t seem to be super mature yet, but a lot of effort is being put into this area by the OpenTelemetry team.

Logs

We all know about logs 😄. It’s data that we all need in order to troubleshoot and know what is happening in our applications. We shouldn’t overdo it, creating tons and tons of logs since that will probably create noise and make it harder to troubleshoot problems.

For logs, we can use these best practices. From this list, these are an absolute must to follow:

• Avoid string interpolation
• Use structured logging
• Log redaction for sensitive information

In addition to the list above, we should also include the TraceId and SpanId in our log records, to correlate logs with traces. If you are using the Serilog console sink, by default the message template won’t have those fields so if you want them, consider using JsonFormatter or CompactJsonFormatter. Here is an example Serilog configuration in appsettings.json (setup to remove unnecessary/noisy logs):

"Serilog": {
    "Using": [
      "Serilog.Sinks.Console"
    ],
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft.AspNetCore": "Warning",
        "Microsoft.Extensions.Diagnostics.HealthChecks": "Warning"
      }
    },
    "WriteTo": [
      {
        "Name": "Console",
        "Args": {
          "formatter": {
            "type": "Serilog.Formatting.Json.JsonFormatter, Serilog",
            "renderMessage": true
          }
        }
      }
    ],
    "Enrich": [
      "FromLogContext",
      "WithMachineName",
      "WithThreadId",
      "WithProcessId",
      "WithProcessName",
      "WithExceptionDetails",
      "WithExceptionStackTraceHash",
      "WithEnvironmentName"
    ],
    "Properties": {
      "Application": "GrafanaDemoOtelApp"
    }
  }

Below are some documentation links for logging in .NET. The ILogger extension methods are not always the best choice (e.g. logger.LogInformation), especially in high-performance scenarios or if your logs are in a hot path:

• High-performance logging in .NET
• Compile-time logging source generation

Canonical logs

There is also a different way of logging, based on having more attributes in one single log line. I’ve seen this in Stripe where they call it canonical log lines. Charity Majors also references this canonical logs term in her blog post about Observability 2.0 (that I reference in the Resources section).

This idea is very interesting, but might lack awareness. At least in .NET land, I didn’t find many references to this style of logging or example code that we could follow when there are many ILogger instances involved.

Traces

For traces in .NET we have these best practices. So far I’ve seen four common solutions for adding correlation ids in traces (not all are standards):

• W3C trace context – current standard in the HTTP protocol for tracing
• X-Correlation-Id – a non-standard HTTP header for RESTful APIs (also known as X-Request-Id). I thought this was a standard since it’s widely used, but I didn’t find a RFC from IETF or any other organization.
• Request-Id – this is a known header in the .NET ecosystem
• B3 Zipkin propagation – Zipkin format standard
• AWS X-Ray Trace Id – proprietary solution for AWS that adds headers for tracing

Not every company/project uses W3C trace context, you have some options above to pick from. I prefer the standard W3C trace context 😄 (maybe the industry will widely adopt this in the future) and using OpenTelemetry to manage these headers (HTTP, AMQP, etc) and correlation with logs automatically. The code you don’t write can’t have bugs 😆.

With that said, in some situations, you might have integrations with 3rd party software and need to use their custom headers or project limitations and need to use a particular format. At the end of the day what’s important is that you have distributed tracing working E2E.

There is also a relevant spec for distributed tracing called Baggage which OpenTelemetry implements and we can use in our apps. The most important part here is trace propagation to get the full trace from the publisher to the consumer.

Metrics

For metrics, it’s important to follow naming conventions for custom metrics. Especially if your organization has a platform team, setting conventions helps everyone. I do know some otel semantic conventions aren’t stable, and that also leads to some nuget packages being pre-release.

But anyhow, set conventions for your team or read and follow OpenTelemetry semantic conventions.
An important resource I found is the comments on Prometheus best practices related to high cardinality metrics.

When I started trying out custom metrics instrumentation I discovered that OpenTelemetry is not always used (the SDK + OTLP). We have the Prometheus SDK which is mature and widely used. Then for Java there are other solutions like Micrometer and others that integrate very well with Spring. In regards to the Java ecosystem, I read this otel Java benchmarks and this Spring post just because I was interested in knowing what the industry is adopting and why.

General Best Practices

There is a ton to be learned with SRE principles and practices. But one in particular was very useful for me and my team: always categorize our custom metrics according to the 4 Golden Signals. Any metric we can’t categorize is probably not useful for us.

Source of Denise Yu’s art.

Google’s SRE book is amazing to learn more about the 4 Golden signals and creating SLO-based alerts. All our alerts should be actionable (or the support team will not be happy), so it helps if they are based on SLOs that are defined as a team.

They also have some best practices for production services.

Resources

• Glossary of many observability terms in case you’re not familiar with them: https://github.com/prathamesh-sonpatki/o11y-wiki
• Awesome Observability GitHub repo
• If dashboards make you happy check the Grafana observability report dashboard
• AWS observability best practices guide
• About RED and USE method
• Traces Instrumentation best practices in .NET
• What are the Limitations of Prometheus Labels?
• CNCF OpenTelemetry certification
• TAG Observability whitepaper – this is an amazing resource with tons of information! I also recommend checking out the other resources they have in the tag-observability repo and community
• Resources specifically about Observability 2.0:
  • Observability 2.0 by Charity Majors
  • Re-Redefining Observability
  • Is It Time To Version Observability? (Signs Point To Yes) – Charity Majors
• Talks
  • How Prometheus Revolutionized Monitoring at SoundCloud – Björn Rabenstein
  • How to Include Latency in SLO-based Alerting – Björn Rabenstein, Grafana Labs
  • Myths and Historical Accidents: OpenTelemetry and the Future of Observability Part 1
  • Modern Platform Engineering: 9 Secrets of Generative Teams – Liz Fong-Jones
  • Context Propagation makes OpenTelemetry awesome

GitHub demo repo

I’ve been developing a demo app (it has fewer features than the otel demo) to demonstrate how to build an app with OpenTelemetry, Grafana and Prometheus. It’s primarily focused on a small app I can showcase in my talks.

If you’re interested take a look: https://github.com/BOLT04/grafana-observability-demo

Conclusion

Hopefully, some of these resources I’ve shared are useful to you 😄. I still have a ton to learn and explore, but I’m happy with the knowledge I’ve acquired so far.

There are some specific standards + projects that I’ll dive in and explore more, like: eBPF; OpenMetrics. OpenMetrics is something I’d like to spend some quality time reading about, but I know it’s archived and reddit says the same. Just want to read and watch some talks about it to feed my curiosity 😃.

Last but not least, I want to follow the work that some industry leaders are doing like Charity Majors, specifically about Observability 2.0 😄. I discovered this term in the Thouthworks tech radar, and the part “high-cardinality event data in a single data store” caught my interest.
I’m still learning, researching, and listening to the opinions of industry leaders about this term to then develop my own opinions. Maybe I’ll make a blog post about this in the future 😁.

If you’re interested, check out my other blog posts:

• Dreamforce 2023 Highlights
• Getting Started with CloudEvents and AsyncAPI

The post Learning: Observability appeared first on Blog IT.

In this blog post we are going to be showing you can configure Azure Application Insights to send your logs, exceptions and performance metrics from a .NET 6 API.

Installation
Start by installing the Microsoft.ApplicationInsights.AspNetCore nugget package.

Now in your startup class you will need to configure some options for the telemetry collection.
You can use the AddApplicationInsightsTelemetry extension method on the IServiceCollection and pass your options as so:

public class Startup
{
    public virtual void ConfigureServices(IServiceCollection services)
    {
        services.AddApplicationInsightsTelemetry(GetApplicationInsightsServiceOptions());    
    }

    private static ApplicationInsightsServiceOptions GetApplicationInsightsServiceOptions()
    {
        return new ApplicationInsightsServiceOptions
        {
            AddAutoCollectedMetricExtractor = false,
            EnableEventCounterCollectionModule = false,
            EnableDiagnosticsTelemetryModule = false,
            EnablePerformanceCounterCollectionModule = true,
            EnableDependencyTrackingTelemetryModule = true,
            EnableRequestTrackingTelemetryModule = false,
            ConnectionString = Configuration[ConfigurationConstants.ApplicationInsightsConnectionString],
        };
    }
}

This is where we define the types of telemetry we want to collect.
The documention of the options are here: https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core?tabs=netcorenew#use-applicationinsightsserviceoptions
We are also getting the connection string of the application insights resource from our appsettings.

Telemetry modules
Now if we want to go further, we can even specify what metrics to collect for each module.
For instance, let’s say we want to indicate which performance metrics to collect. Then you can do the following:

        services.ConfigureTelemetryModule<PerformanceCollectorModule>((module, applicationInsightsServiceOptions) =>
        {
            module.DefaultCounters.Add(new PerformanceCounterCollectionRequest(@"\Process(??APP_WIN32_PROC??)\Private Bytes", @"\Process(??APP_WIN32_PROC??)\Private Bytes"));
            module.DefaultCounters.Add(new PerformanceCounterCollectionRequest(@"\Process(??APP_WIN32_PROC??)\% Processor Time", @"\Process(??APP_WIN32_PROC??)\% Processor Time"));
        });

You can view the documentation on configuring telemetry modules here: https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core?tabs=netcorenew#configure-or-remove-default-telemetrymodules

Extensibility
To add or remove properties from collected telemetry (before it gets sent to Azure) you can create classes that implement the ITelemetryInitializer class from the Azure Application Insights SDK (https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core?tabs=netcorenew#add-telemetryinitializers).

A classic example for a telemetry initializer is a correlation id initializer. You would get a correlation id from your http request and pass it to all telemetry so that you can have a nice trace of everything that went through your system:

public class CorrelationIdInitializer : ITelemetryInitializer
{
    private readonly IHttpContextAccessor _httpContextAccessor;
    private const string CorrelationIdProperty = "CorrelationId";

    public CorrelationIdInitializer(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public void Initialize(ITelemetry telemetry)
    {
        ISupportProperties telemetryProperties = (ISupportProperties)telemetry;

        // This is just an extension method where you would extract the correlation id from the request headers according to your header name.
        string correlationId = _httpContextAccessor.HttpContext.GetCorrelationId();

        if (!string.IsNullOrWhiteSpace(correlationId) && !telemetryProperties.Properties.ContainsKey(CorrelationIdProperty))
        {
            telemetryProperties.Properties.Add(CorrelationIdProperty, correlationId);
        }
    }

To register the telemetry initializer, simply register the class and its respective interface (always ITelemetryInitializer) on your service collection: services.AddSingleton<ITelemetryInitializer, CorrelationIdInitializer>();

Filtering
Additionally, you also have the ability to filter out telemetry from being collected. This is a great feature that allows you to focus only storing what you really care about and will save you a LOT of costs.
Do keep in mind that filtering out telemetry does mean that you won’t be able to query it and therefore can make your tracing a bit difficult.
This is all related to telemetry processors (https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core?tabs=netcorenew#add-telemetry-processors).

Imagine you have thousands of fast dependencies (see the list of automatically tracked dependencies https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-dependencies#automatically-tracked-dependencies) that are being stored by your system but you come to a conclusion that they only make it hard to monitor your system and you don’t really need them.
Filtering them out is the way to go OR you could consider sampling instead https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core?tabs=netcorenew#sampling.
Lets create a processor that filters out successful dependencies that had a duration under 500 milliseconds:

public class FastDependencyProcessor : ITelemetryProcessor
{
    private ITelemetryProcessor Next { get; set; }

    public FastDependencyProcessor(ITelemetryProcessor next)
    {
        Next = next;
    }

    public void Process(ITelemetry item)
    {
        if (!ShouldFilterTelemetry(item))
        {
            Next.Process(item);
        }
    }

    public bool ShouldFilterTelemetry(ITelemetry item)
    {
        bool shouldFilterTelemetry = false;

        DependencyTelemetry dependency = item as DependencyTelemetry;

        if (dependency != null
            && dependency.Duration.TotalMilliseconds < 500
            && dependency.Success.HasValue && dependency.Success.Value)
        {
            shouldFilterTelemetry = true;
        }

        return shouldFilterTelemetry;
    }
}

After creating the class, you have to register the telemetry processor as part of your service collection like so:
services.AddApplicationInsightsTelemetryProcessor<FastDependencyProcessor>();

Keep in mind that if your telemetry processors will be executed in the order in which you’ve called them in your register process.

Final notes

– Azure Application Insights is a great tool that gives you visibility on how your application is doing.
You can use the SDK to collect most telemetry automatically or you could even instrument specific scenarios manually by making use of the TelemetryClient instance (https://learn.microsoft.com/en-us/azure/azure-monitor/app/asp-net-core?tabs=netcorenew#how-can-i-track-telemetry-thats-not-automatically-collected).
– It is important to monitor your costs as it is easy to end up storing everything and not only what you need. So start by defining what you need to collect and what metrics will be relevant for you.
Then you can filter out the irrelevant data and from there on you could even create alerts from the data you collect, using Azure Monitor.
If you are trying out Application Insights on a test environment, you can even set a daily cap of X GB so that you control your spending. Simply navigate to the Azure Application Insights resource through the Azure Portal and click “Usage and estimated Costs” on the sidebar:

– From what I’ve seen so far, the collection of dependencies/exceptions can represent the majority of costs as you may have a lot of dependencies flowing through your system and because exceptions are a type of telemetry that occupies a lot of space. Filtering out irrelevant dependencies will definitely help.
As for exceptions, you may consider using the Result pattern instead of using exceptions for the normal control flow of your code. This also has the advantage of decreasing the impact on performance lead by exceptions to your application since you reduce the amount of exceptions thrown.

The post Configuring Azure Application Insights on a .NET 6 API appeared first on Blog IT.

Tuples have support for deconstruction which lets you unpackage all their items in a single operation.
Here is an example with and without deconstruction:

public static void Main()
{
    var result = QueryCityData("New York City");

    // Without deconstruction:
    var city = result.Item1;
    var pop = result.Item2;
    var size = result.Item3;

    // With deconstruction:
   (string city, int population, double area) = QueryCityData("New York City");
}

private static (string city, int population, double area) QueryCityData(string name)
{
    return (name, 8175133, 468.48);
}

You may be interested in the values of only some elements.
You can take advantage of C#’s support for discards, which are variables whose values you ignore by using the underscore character.
Using the previous example:

public static void Main ()
{
    // city and population were discarded.
    (, , double area) = QueryCityData("Portugal");
}

Other system types and deconstruction

Here are some system types that implement deconstruction, such as dictionary entries:

Dictionary<string,int> customerToTaxMapping = new Dictionary<string, int>();

foreach ((string key, int taxId) in customerToTaxMapping)
{
     // Do something with key and taxId
}

You can deconstruct KeyValuePair instances (depending on your C# version, was introduced in .NET Core 2.0):

(string id, string taxId) = new KeyValuePair("id", "taxId");

If you are on C# 12 (.NET 8), then you can make use of the Deconstruct methods for DateTime, DateOnly and DateTimeOffset:

(DateOnly date, TimeOnly time) = new DateTime(2023, 1, 2, 4, 5, 59, 999);

(int year, int month, int day) = new DateTime(2023, 1, 2);

(int year, int month, int day) = new DateOnly(2023, 5, 1);

// Instantiate date and time using years, months, days,
// hours, minutes, seconds and a time span.
(DateOnly date, TimeOnly time, TimeSpan offset) = new DateTimeOffset(2008, 5, 1, 8, 6, 32, new TimeSpan(1, 0, 0));

Deconstruct user-defined types:

You can add public methods named Deconstruct and specify the out parameters that will define the parameters you want when applying deconstruction.

public class Person
{
    public string Id { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }

    public void Deconstruct(out string firstName, out string lastName)
    {
        firstName = FirstName;
        lastName = LastName;
    }

    public void Deconstruct(out string id, out string firstName, out string lastName)
    {
        id = Id;
        firstName = FirstName;
        lastName = LastName;
    }
}

If you don’t have control over the types that you want to provide deconstruction support for, then you can create a static class with a Deconstruct extension method with the same signature as displayed previously, for that given type.

Additionally, when you declare a record type by using two or more positional parameters, the compiler creates a Deconstruct method within the record declaration.

Note: You can’t deconstruct dynamic objects.

References:
https://learn.microsoft.com/en-us/dotnet/csharp/fundamentals/functional/deconstruct
https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/expressions#127-deconstruction

The post Deconstruct types in C# appeared first on Blog IT.

You can also watch Salesforce Keynote highlights of the event.

Einstein 1 Platform

Salesforce announced the Einstein Trust Layer which seems to be their focus of what’s behind the Einstein 1 Platform. This makes sense since Salesforce’s core value is trust, this product might be the core that separates Salesforce AI functionality from other solutions. I’m very interested in learning more about each specific part they announced, like data masking, zero retention, and dynamic grounding. We should know what prompt is sent to the LLMs, how the CRM and other enterprise data are used in prompts (for dynamic grounding), and how exactly zero retention is implemented in each LLM provider (e.g. OpenAI). It’s great seeing a slide explaining Einstein Trust Layer makes sure the prompt is not used by the LLMs to train their model, but I think it’s important to challenge these claims and ask questions 🙂.

It would also be interesting to try and connect external models or cloud services, like LAMA, Amazon SageMaker or Azure OpenAI service. This way we take advantage of the middleware inside the Trust Layer that guarantees security and input moderation. As partners, we have access to some Salesforce events and I definitely recommend attending “AI & Einstein Office Hours” on Tuesdays. Claudio Moraes from Salesforce is sharing extremely useful information about Einstein GPT, the details of the Trust Layer, and more AI topics!

Here are some interesting videos that Salesforce has already done, explaining further the Einstein Trust layer and Einstein GPT:

• Build The Future of Business with Einstein GPT
• Salesforce AI day: Calling All Trailblazers

Einstein Copilot

Well… as you know, 2023 was the year of copilots. Salesforce is also taking advantage of that wave and has introduced Einstein Copilot and Einstein Copilot Studio. This looks a lot like what they announced some time ago, Einstein GPT.

I think it’s great that Einstein is more integrated across various products, especially Commerce and Service Cloud. Facilitating the manual work that the business has to do in various merchandising operations only brings benefits.

Generative AI in SFCC Page Designer

About generative Page Designer that they announced, we could simply say “yup, LGTM” and simply use it… but I do have some questions that need answering 😅. The demo they showed looks good and it’s probably a feature that brings tons of value to a lot of customers. But watching it made my mind go through endless questions. At first glance it’s amazing, we could really speed up the development of new components. UI/UX designers, merchandisers, and other business profiles can ask an AI to generate a component without a dev.

Still, I think as a developer we need to understand what is happening underneath, where is the generated code saved, what is the prompt used to generate the component, does it have context of the whole codebase, etc. This might have been the most interesting announcement and something to watch out for. However, we must also criticize and understand the limitations of this technology. In the demo they created, the user enters a brief description of the layout and content they want in the component, then the code is generated in React (it also supports ISML). I don’t believe React is actually used in SFRA, only in the Headless architecture, so their demo raises some questions about how it works underneath.

But anyway, I look at this as if it were v0.dev, that is, the 1st version or v0 of a component. The business or UI designers can experiment and generate several iterations of a component with this functionality, and then paste the generated code into a user story in a scrum board for a developer to retrieve. But it would just be a v0, something to be iterated over before going to production. I don’t think we’re ready yet for generative AI to know the website’s design system, know what caching considerations to apply to the component, have context about the logic behind add to cart if it’s integrated with a 3rd party vendor, etc. But we could also be optimistic and in all the use cases where gen AI struggles, it’s only going to improve.

Note: Page Designer’s Generative AI is expected to launch in beta in February 2024.

Commerce Concierge

Salesforce also announced a new product that is in beta called Commerce Concierge. Basically, the product is centered on the concept of Conversational Commerce. We can integrate our e-commerce website into WhatsApp as if it were one of those ChatGPT plugins that allow you to make purchases on a website.

For example, a customer takes a photo of a product and asks if there is a store with stock so they can make the purchase. If the customer happens to make a purchase on WhatsApp, the bot can respond with new product suggestions trying to effectively cross-sell. Technically, Commerce Concierge uses APIs from Commerce Cloud, Service Cloud, Data Cloud, and the AI ​​layer with Einstein GPT. At the moment I think it will only be launched for Commerce B2B and not B2C. This makes sense to me since it is easier to integrate Clouds that are already within the Salesforce Core Platform… but I hope we have this for SFCC in the future 🙂. I also think it will be possible to expand to more touchpoints, not just WhatsApp.

It’s also important to be aware of new attack vectors. Innovation is awesome and we should strive for more and tinker with these new capabilities. However, innovation can bring new security concerns. In these apps that will be available straight from WhatsApp or our storefront, we should be aware of Prompt injection, Jailbreaking, etc.

Conclusion

It was a great event and I can’t wait to get my hands on some Einstein GPT features for B2C! Hopefully, there will be more features on SFCC that are only available for customers of B2B and D2C 🙏. For example generating product descriptions or commerce intelligence 🙂.

Generating product descriptions with Einstein seems to be really useful if we have a batch of new products that we want to launch. It would be great to have this available in an HTTP API, so that we could integrate this functionality in use cases where our PIM (Product Information Management) is a custom system, or just use them in SFCC. Again… for now some features are only on B2B and D2C side of the commerce products (the ones integrated in Salesforce Core Platform).

If you’re interested in learning about session management in SFCC read this blog post.

The post Dreamforce 2023 Highlights appeared first on Blog IT.

We have a great feature available to us in Salesforce Commerce Cloud (SFCC) called SEO meta tag rules. This is a module inside SEO in Business Manager (BM). However, currently there is only support for PDP/PLP pages made in page designer that support these meta tag rules.

In this blog post we’ll see how to support SEO meta tag rules for all pages made in page designer.

The problem

Before going any further, I want to mention some disclaimers. At the time of writing this, not all pages in page designer support this. This could be added to SFCC and be directly supported without custom development. I posted this idea as a feature enhancement for Salesforce in IdeaExchange.

With that said, let’s take a step back and understand the problem.

The SEO experts on a business operate mostly on the SEO meta tag rules BM module. If they need a more granular level of SEO customization, most System Objects (e.g. Products, Content Assets, Categories) of SFCC support SEO fields like pageUrl, pageTitle, pageDescription. SEO experts can define rules that act as fallbacks, and then if some merchants don’t define these fields for particular categories or pieces of content. You still have some meta tags being added to the page by these rules.

Now, even though this feature supports many types of pages, like home page, product pages or product listing pages. It doesn’t support all types of Page Designer (PD) pages. You can also take a look at the Page class, and check that it doesn’t have the pageMetaTags field like the Content class does. Page Designer pages are very similar to Content Assets, in the sense that underneath, these pages are persisted as the same content objects on the SFCC’s database. But there are still differences, the support for meta tag rules is one of them.

Ultimately, these differences makes it harder for merchants or SEO experts that want to leverage the same functionality available on the rest of the site.

Now that you have a better understanding about the problem, let’s shift our focus into a solution.

The solution

Content Assets

The whole premise of this solution is that it’s supported by the SEO meta tag rules module of BM. In this module we have support for the following:

• Homepage
• Product pages
• Content Detail pages
• Content Listing pages

The only one that fits well with a page designer page is Content Detail page. Meaning we’ll create content assets as a way to support these SEO rules for Page Designer. Each page can have it’s corresponding content asset, where the content ID follows a naming convention like “-seo”. This way in Page.js you can get the meta tags for that page, through that content asset. Here is an example of the Page-Show extension:

server.prepend("Show", function (req, res, next) {
   var PageMgr = require('dw/experience/PageMgr')
   var ContentModel = require('*/cartridge/models/content')
   var pageMetaHelper = require("*/cartridge/scripts/helpers/pageMetaHelper")

    var page = PageMgr.getPage(req.querystring.cid);
    if (page != null && page.isVisible()) {
        var pageContent = ContentMgr.getContent(page.ID + "-seo")
        if (pageContent) {
            var content = new ContentModel(pageContent, "content/content")

            pageMetaHelper.setPageMetaData(req.pageMetaData, content)
            pageMetaHelper.setPageMetaTags(req.pageMetaData, content)
        }
    }
    next()
})

Now you don’t need to create a content asset for every since page from PD. For example, if you business doesn’t use the syntax ${Content.pageTitle} in your meta tag rules, or any expression regarding the object Content. Then in that case you could simply create one content asset for each folder the business wants to have. You might be wondering why I’m mentioning folders and how they fit in the solution, so let’s take a deeper look.

Folders

Folders are the way you can group multiple pages, and make all of them inherit the same meta tag rules. Once a folder is created, the business can use it in the SEO meta tag rules module inside BM. Imagine you have a group of pages that are part of the same marketing campaign. As an SEO expert, of course you’d like to have page titles, descriptions, open graph and other meta tags for all of them. But maybe the content team hasn’t reached the maturity level to configure this for every since page. So you create a meta tag rule, acting as a fallback in case the content team doesn’t configure some pages.

So far the solution revolves around the business creating manually: folders, assigning them to pages and creating content assets for every page (in case they want to leverage page properties) or every folder. I believe we can improve on this solution, so let’s jump in to some automation!

Automation

This is a critical step, since having all this manual work doesn’t make sense for business people. As engineers we can do better and automate the creation of these content assets. We can develop two different pieces that play together:

• A job to ensure every page from Page Designer, has it’s associated content asset and all the rest
• A new BM module to automate folder creation, specifically creating multiple folders

Let’s go through the job first, its responsible to update the content assets associated with each page. This means creating that content asset if it doesn’t already exist, then assign it to the same folders as the page. To implement this job you need:

1. Get the list of all Page Designer pages
2. Iterate through all pages
3. For each page, create the content asset and assign the appropriate folders

Here is a code snippet (in ES6) representing a possible implementation:

const libraryGateway = require("*/cartridge/scripts/gateways/libraryGateway")
const pagesList = getAllPageDesignerPages()

pagesList.forEach(page => {
    const contentId = `${page.ID}-seo`
    const result = libraryGateway.createContentAsset({
        id: contentId,
        pageTitle: page.pageTitle
    })
    if (result.error) {
        throw new Error("Error creating content asset")
    }
    
    page.folders.forEach(folder => {
        const result = libraryGateway.assignContentAssetToFolder(contentId, folder.ID)
    })
})

function getAllPageDesignerPages() {
    const ContentSearchModel = require("dw/content/ContentSearchModel")
    const apiContentSearchModel = new ContentSearchModel()
    const libraryID = "someId"
    
    apiContentSearchModel.setRecursiveFolderSearch(true)
    apiContentSearchModel.setFilteredByFolder(false)
    apiContentSearchModel.setFolderID(libraryID)
    
    apiContentSearchModel.search()
    const contentSearchResultIterator = apiContentSearchModel.getContent()
    const count = Number(apiContentSearchModel.getCount())
    
    const pages = []
    if (contentSearchResultIterator && count > 0) {
        while (contentSearchResultIterator.hasNext()) {
            const contentResult = contentSearchResultIterator.next()
            if (contentResult?.page) {
                // transform some contentResult fields to other types...
                pages.push(contentResult)
            }
        }
    }
    
    return pages
}

In the implementation above, getting all pages from page designer is done through the ContentSearchModel API. Although this works, it’s not ideal in my opinion since these pages are required to be searchable (a setting on all pages) and online. If they aren’t, they won’t be on the Content index. Which seems to be the only way to get all PD pages on the site. To create content assets and assigning them to folders, we delegate that responsibility to the libraryGateway module. To implement this module we need to use OCAPI.

OCAPI

We can use OCAPI Data APIs to create content assets/folders and assign content assets to folders. While researching I tried finding another way, but I didn’t find anything easier. The Salesforce Commerce API (dw library accessible server-side) doesn’t seem to have APIs for these operations. I didn’t find any pipelets or jobs steps that do this either… perhaps by exporting the content library, then creating a custom job that reads that file, edits it with the new content objects, and finally runs a job step to import that edited file.

Interacting with OCAPI is not an expensive development effort, so you can develop a custom cartridge for this. We won’t go through the details about that cartridge, perhaps on a separate blog post.

OCAPI endpoints

All the operations we want to do can be found on the Libraries resource from the Data API. To create a content asset we can use this endpoint, to assign it to a folder we can use this endpoint. One thing to keep in mind, creating a content asset is an idempotent operation. This means it creates the object if it doesn’t already exist, but if it does it ignores the existing object and writes a new one on top.

In practice, this means if someone edits these content assets (e.g. through BM, locking the resource and updating the description field), that modification will be lost. If you don’t want to lose those edits, you should consider using the endpoint to get the content asset, and use that data on your PUT request payload. In my case, these content assets are supposed to be “hidden”, so no one should need to edit them.

BM extension to create folders

Now let’s discuss the custom BM module to create folders. If business people want to create multiple filters in one go, instead of doing it through the BM UI and then going to Page Designer to assign pages to folders, they input the filter names in an input box and click a button. We can simply develop a web page that has this input box and a button (and some instructions on how to use it). This is possible by extending BM and building a custom cartridge, with this UI and the controller that executes the creation of folders. We won’t go to much into detail about this custom cartridge, I’ve added additional links at the bottom to help you building this cartridge.

Alternative solutions to SEO meta tag rules

In the case where the content object quotas are hit, we can consider building something entirely custom. What I mean is we would not use the SEO meta tag rules module from BM anymore. We would build our piece of software to handle this scenario – all page designer page types. Of course that means building software that does the same as Salesforce’s built-in module of BM, considering: Storage to store these rules, meta tag definitions, and others; an API that at least exposes a way to get meta tags for a given page, taking into account API design, SLA (important if you’ll call this in a middleware of the Page.js controller), etc.

This is a discussion you must have with your business/client, explaining the trade-offs of each scenario.

In my opinion, it’s generally often better to reuse existing functionality or an off-the-shelf solution like a plugin cartridge. Something that either is standardized and known in the community, instead of your own solution… but as always, this depends on the context we’re in. For SEO meta tag rules of SFCC in particular, we can’t extend this module. So if we really needed to support this feature and we hit the API quotas of the SFCC platform, we would consider building a cost-effective solution outside SFCC, considering the need of a custom parser for if statements, context variables… again a discussion to be made with the business and architects.

Improvements to this solution

One important note about this solution is that pages would only inherit meta tags assigned to the default folder (primary folder). From my research, a content asset can only have one default folder, and that is the folder the meta tags come from. In my use case the ideal was to setup some hierarchy, where a page could have 3 folders, and you could get all meta tags assigned to those folders. Now you kind of have this hierarchy (primary folder, then parent folders, up to root), but it’s not the exact behavior I needed.

Conclusion

In conclusion, you can develop a custom cartridge with this functionality, and support this for your business or clients. In the future, this could be supported out of the box by SFCC. The greatest challenges were: analyzing ways to extend the SEO meta tag rules module; an API to get all page designer pages and understanding the limitations of our solution. Let us know in the comments if this feature is something you’d like to have, or vote and comment on the IdeaExchange’s post. I hope this has been helpful.

Check out my other blog post on session management for SFCC.

Additional links

Here are some links to documentation and other resources, that can help you in building this feature for your business:

• IdeaExchange’s post
• How to get a list of pages of Page Designer using code?
• OCAPI Data Libraries resource
• Configuring the Business Manager Site

The post How to use SEO meta tag rules for Page Designer in SFCC appeared first on Blog IT.

In this post I’ll reference what I consider to be the most interesting and hot topics on the React community… and try to make it short.

If you haven’t seen the conference, you can take a look at this YT playlist for all sessions.

The state of React 2022

So first of all, what is the state of React currently? With React 18, what was once called concurrent mode is now concurrent features. This changes the approach into an incremental adoption, so that you could use concurrent features in specific places of your React app.

In this talk, Lee also announces Next.js new routing system which resembles Remix a lot. They want to take advantage of nested routes which is great! This allows us to provide a better user experience on pages that have one component that blocks rendering.

Last but not least, there are new developments when it comes to server-side rendering, and new client-side rendering APIs.

Edge computing

If you are unaware of this type of compute, Edge computing allows a better user experience, because it reduces the time you get a response with the content you want to visualize. The time is reduced because to process your request you don’t need to “talk” to a distant server on the oasis.

CDN providers like Cloudflare, are building new runtimes to allow you to run code closer to your customers – on the edge. Cloudflare workers for example, don’t use Node.js or Deno under the hood, it’s their own JS runtime. Of course, an effort is being done to standardize these runtimes.

In this talk, Kent talks about how Remix improves the developer experience for edge computing. First they use the Web Fetch API, and depending on where you want to deploy your function. Remix then translates the request/response objects to the respective platform’s API. They also support streaming in the edge, in order to send some content to the user quickly, and then send the rest.

With that said, this is all in JS/TS or WASM land. At least I haven’t seen a lot of support for other languages and runtimes (e.g. C#) on services that provide edge computing.

Streaming server components

With React 18 it’s now possible to stream changes to the browser, with new APIs like Suspense that allows for asynchronous processing.

Why is this cool? Because we don’t want to block rendering with data fetching. When our component needs to fetch data before rendering what the user wants to see, we need to render a loading spinner… which ain’t cool.

How about we initiate fetches before we render. This way the requests are in parallel and don’t block rendering. Using streaming server rendering fixes this, which is why it’s so awesome! Ryan Florence goes more in detail how this is done in this talk: When to fetch: Remixing React Router.

Bear in mind, this is just one way of rendering. Last year at React Conf 2021 there was an intro session about this topic as well: Streaming Server Rendering with Suspense. Another great session that talks about the different rendering patterns: Advanced Rendering Patterns: Lydia Hallie. It’s an amazing session to help you visualize the impacts on performance, and what are the trade-offs of each pattern.

The post Reactathon 2022 – A Short Summary appeared first on Blog IT.

Recently, I had a challenge in our production system that was a bit annoying to figure out how to solve. Who knew that code can be deployed on a production environment and not work, even though it works on all other environments…

I did some digging and asked in forums what was the difference between session management on different environments on Salesforce Commerce Cloud (SFCC). Unfortunately I didn’t find anything, only limits and good practices that didn’t help in this case.

Well that’s life right? What do you do?? You decide to be pragmatic because a feature that works and is on the hands of real people, is far better than dreams of a perfect world.

The session problem

All you know is that attributes that you are saving on the SFCC platform’s session object, are not available where you need them. For the sake of this example, let’s say we are talking about a flow between the SFCC site and an API.

The code at the moment is something like this:

// apiGateway.js script
const apiResponse = { data: "something" };
session.privacy.myCustomField = JSON.stringify(apiResponse);

The flow starts by the site calling this API, and some time later receiving a callback from the API on a specific endpoint of SomeEndpoint.js controller. Then the site makes an API call to get data (specific to a given user) for further processing. Some of it is saved in the privacy field of the session object. As stated in SFCC docs, this field is a dictionary where we can store custom properties. The next step on the flow is to redirect to an action on the Login controller, and inside that action retrieve the information that was stored.

// SomeEndpoint.js controller
res.redirect(URLUtils.https("Login-Show"));

// Login-Show action
var apiResponse = session.privacy.myCustomField ? JSON.parse(session.privacy.myCustomField) : "";
// use apiResponse for further processing

The problem happens when running the Login-Show action, session.privacy.myCustomField is equal to null so we can’t retrieve the information that was saved in the previous controller, before the redirect.

Thinking about solutions

First you try to keep using the session object provided by SFCC, but saving the data on another field called custom. The difference between custom and privacy is that data inside custom won’t be deleted when the user logs out.

Then we try to think of another approach because storing in any field of the session might not work. So we try to store this information in Custom Objects (CO). It’s important to note a very important security detail with the custom objects approach. Creating and retrieving these custom objects happen in different controller actions. So in order for the second action to know how to retrieve the correct custom object that holds the API response data, it needs the ID for the CO.

Since moving from one action to the other happens through a redirect, we can only use query parameters. On top of that, the second action is Login-Show which renders HTML to the client in the end. Which means this custom object ID is publicly available in the user’s address bar… not good! This of course means you could simply type an ID in the URL and try to find a valid custom object containing some user’s data. Of course in the Login-Show action we can retrieve the custom object and delete it afterwards. But there is still a window where this data is accessible.

In order to prevent this exploit, we add code on the Login-Show action to validate the user accessing the login page is on the same session that initiated the login flow… but wait, did I just say “same session”. If we are having problems with this session not being the same, how can we guarantee validating this sessionID will work?? We have no guarantees basically.

After a lot of thinking, experimenting and reading docs, we decide to contact Salesforce by opening a support ticket. After that we were able to schedule a meeting and showed our problem. They investigated and got back to us with feedback on what was happening to the session, during the flow described earlier.

Final solution

The final solutions is… to not change any code. The problem was the hostname that was configured in the API that called the site. We simply configured it with the correct URL, which is the same domain in which the site uses when calling this API. In order to keep the correct session in the login page after the redirect, we made these changes:

BEFORE: https://production-zone-digitmarket.demandware.net/on/demandware.store/Sites-Awesome-Site/pt_PT/SomeEndpoint-Action

AFTER: https://awesome-domain.com/on/demandware.store/Sites-Awesome-Site/pt_PT/SomeEndpoint-Action

Conclusion

Hopefully this post helped you know how session management works in Salesforce B2C Commerce Cloud. The moral of the story is: when code works everywhere except on one environment, it’s generally an environment configuration problem.

If you enjoyed this post or learned something from it, leave a comment with your thoughts.

The post Session management in Salesforce B2C Commerce Cloud appeared first on Blog IT.