fix: harden b7 packaging and extension toolchain (#25)

Constrain the MCP extra away from incompatible httpx prereleases, refresh the VS Code extension packaging toolchain to remove the vulnerable uuid chain, and keep mypy/pre-commit stable when build artifacts exist.

Author: orenlab

.pre-commit-config.yaml

@@ -31,7 +31,7 @@ repos:
 
       - id: mypy
         name: Mypy
-        entry: mypy .
+        entry: mypy
         language: system
         pass_filenames: false
         types: [ python ]

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [2.0.0b7] - 2026-04-28
+
+`2.0.0b7` is a beta hotfix for packaging-only issues found after the `2.0.0b6` publish.
+
+### Packaging
+
+- Constrain the optional MCP extra to `httpx>=0.27.1,<1` so prerelease install flows such as
+  `uv tool install --pre "codeclone[mcp]"` do not resolve incompatible `httpx 1.0.dev*` builds through the upstream MCP
+  dependency graph.
+- Pin the preview VS Code extension packaging tool to `@vscode/vsce@2.25.0`, removing the vulnerable transitive
+  `uuid<14` chain from `package-lock.json` while preserving `.vsix` packaging.
+- Keep local pre-commit runs stable after package builds by letting mypy use the configured source roots and ignoring
+  generated `build/` and `site/` artifacts.
+
 ## [2.0.0b6] - 2026-04-28
 
 The global package refactor lands here: the entire runtime moves onto the

extensions/vscode-codeclone/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 0.2.5
+
+- pin the packaging toolchain to `@vscode/vsce@2.25.0` to remove the vulnerable transitive `uuid<14` chain from the
+  extension lockfile
+- keep the generated `.vsix` package behavior unchanged after the packaging dependency refresh
+
 ## 0.2.4
 
 - restore repo-local `uv run codeclone-mcp` fallback for the refactored MCP server layout