AI Fixes & Caching
CodeStax generates remediation guidance for security and code-quality findings using AI. Each fix includes a direct patch, an optional CLI command, and a one-line explanation. To keep AI quota usage predictable, fixes are cached per finding — clicking “Get Fix” on the same finding twice does not consume your AI quota a second time.
How AI Fixes Are Generated
Fix generation runs in two paths:
- Scan-time generation (default) — when a scan completes, the AI triage pipeline generates a fix for high-confidence findings as part of the scan. The fix is stored on the finding row alongside other AI metadata (severity reasoning, exploitability, business impact).
- On-demand generation — when you click “Get Fix” on a finding that doesn’t yet have one (older scan, lower-confidence finding), the platform generates one immediately and caches it for future clicks.
When Cached, When Fresh
| Action | Cache Behavior | AI Quota Used |
|---|---|---|
| Click “Get Fix” on a finding with a stored fix | Returns instantly from cache | None |
| Click “Get Fix” on a finding without a stored fix | Calls AI, stores result, returns | One remediation call |
| Click “Regenerate Fix” | Bypasses cache, generates fresh fix, overwrites stored | One remediation call |
| Run a new scan on changed code | New finding rows = new cache (old cache unaffected) | One per finding (scan-time) |
The cache is stable for the lifetime of a finding row. CodeStax never invalidates a cached fix in-place — when code changes, a new scan creates new finding rows, naturally regenerating fixes.
How to Tell if a Fix Was Cached
After clicking “Get Fix”:
- “Cached fix loaded — no AI quota used” — instant return, free
- “Fix generated successfully!” — AI call made, stored for next time
- “Fresh fix generated” — explicit regenerate, AI call made
Regenerating a Fix
Sometimes the cached fix isn’t right — maybe you’ve refactored adjacent code, or the AI’s first attempt missed nuance. Use the Regenerate button (circular arrow icon next to the fix button) to force a fresh AI call.
Quota note: Regenerate counts against your monthly AI remediation quota. Use it deliberately. The standard “Get Fix” click is free after the first generation.
Quota Limits
Each plan has a monthly AI remediation budget:
| Plan | AI Remediations / Month |
|---|---|
| Free | 7 |
| Growth | Unlimited (per seat) |
| Pro | Unlimited |
| Enterprise | Unlimited |
When the quota is exhausted, the platform returns HTTP 402 (Payment Required) and surfaces an upgrade prompt. Cached fixes are not subject to quota limits — even on the Free plan, viewing previously generated fixes never costs anything.
Multi-Tenant Safety
Cached fixes are scoped per-organization. Two organizations scanning identical code would each generate and cache their own fix — there is no cross-tenant sharing of AI output. This is enforced at the database level via the org-id check on every fix lookup.
API Reference
POST /api/quality/fix
Content-Type: application/json

Request:

```json
{
  "code": "<code snippet>",
  "issue": "<issue description>",
  "issue_id": 12345,
  "force_refresh": false
}
```

| Field | Type | Description |
|---|---|---|
| code | string | The code containing the issue |
| issue | string | Description of the issue to fix |
| issue_id | integer | Optional. When supplied, looks up the corresponding ScanIssue row to read/write the cached fix (enables caching) |
| force_refresh | boolean | Optional. When true, bypasses the cache and regenerates |
Response:

```json
{
  "patch": "<the fix>",
  "cached": true,
  "source": "scan_cache",
  "direct_fix": "<one-line fix instruction (when cached)>",
  "cli_command": "<shell command, if applicable>"
}
```

| Field | Type | Description |
|---|---|---|
| patch | string | The fix content (always present) |
| cached | boolean | True when the fix came from cache (no AI call made) |
| source | string | scan_cache (cached at scan time), fresh (just generated), force_refresh (regenerated) |
| direct_fix | string or null | One-line fix instruction (only when cached, populated at scan time) |
| cli_command | string or null | Shell command to apply the fix, if applicable |
If you omit issue_id, the endpoint behaves like a stateless code-fix tool — generates a fix from raw code without caching. Useful for ad-hoc analysis but consumes AI quota on every call. Always pass issue_id when fixing a real finding.
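To see how the cache, quota and tenant rules above combine, here is an added example (not CodeStax's own code or SDK): a small client helper for POST /api/quality/fix plus an offline stand-in for the endpoint that models the documented behaviour. The 402 error payload, the Free-plan budget of 7 as the default, and keying the store by (organization, issue_id) are assumptions drawn from this page, not details of the real backend.

```python
"""Model of the documented cache/quota semantics of POST /api/quality/fix.
Constructed example: FakeFixServer stands in for the platform offline."""


class QuotaExhausted(Exception):
    """Raised when the platform answers 402 (monthly AI remediation quota used up)."""


class FakeFixServer:
    """Offline stand-in for the endpoint; fixes are stored per (org_id, issue_id)."""

    def __init__(self, monthly_quota=7):           # 7 = documented Free-plan budget
        self.store = {}                            # (org_id, issue_id) -> stored fix
        self.calls = 0                             # AI remediation calls this month
        self.quota = monthly_quota

    def post(self, org_id, body):
        key = (org_id, body.get("issue_id"))
        if key[1] is not None and not body.get("force_refresh") and key in self.store:
            # Cache hit: served before any quota check, so it is always free.
            return 200, dict(self.store[key], cached=True, source="scan_cache")
        if self.calls >= self.quota:               # assumed error payload on 402
            return 402, {"error": "AI remediation quota exhausted"}
        self.calls += 1                            # every AI call counts against quota
        fix = {"patch": f"fix for: {body['issue']}", "cached": False,
               "source": "force_refresh" if body.get("force_refresh") else "fresh",
               "direct_fix": None, "cli_command": None}
        if key[1] is not None:                     # only cache when issue_id was supplied
            self.store[key] = {"patch": fix["patch"], "direct_fix": fix["patch"],
                               "cli_command": None}
        return 200, fix


def build_request(code, issue, issue_id=None, force_refresh=False):
    """Body for POST /api/quality/fix; pass issue_id for real findings so caching applies."""
    body = {"code": code, "issue": issue}
    if issue_id is not None:
        body["issue_id"] = issue_id
    if force_refresh:
        body["force_refresh"] = True
    return body


def get_fix(server, org_id, code, issue, issue_id=None, force_refresh=False):
    """Return (response, quota_cost): 0 for a cache hit, 1 for any AI call."""
    status, payload = server.post(org_id, build_request(code, issue, issue_id, force_refresh))
    if status == 402:
        raise QuotaExhausted(payload["error"])
    return payload, 0 if payload["cached"] else 1
```

Against the real service, replace FakeFixServer.post with an authenticated HTTP POST and keep the same quota accounting from the cached field.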
Audit Trail
Every fix-generation call is logged to your audit trail with token usage:
- Action: ai_fix.cache_hit (no quota used), ai_fix.cache_miss (one call) or ai_fix.cache_store (cached for future)
- Includes: user, organization, finding ID, model used, token counts
View at /dashboard/audit-logs filtered by category “AI” or via the /api/audit/logs endpoint.
Related
- Triage Vulnerabilities
- Compliance Dashboard
- Plans & Billing — AI remediation quota per plan