feat(core): slim MCP payloads, fix stale analysis drift, and relicense code to MPL-2.0

- slim MCP summary and finding payloads: summary inventory now returns counts, `metrics` is summary-only, `metrics_detail` exposes the full dump, list/check envelopes expose `base_uri`, and summary/normal finding views drop repeated location `uri` and `priority_factors`
- fix stale analysis drift by bumping cache schema to `2.3`, invalidating stale per-file cache entries after semantic analysis changes, and documenting the new cache compatibility rule
- fix AST normalization side effects that corrupted downstream cohesion metrics and remove duplicated branch logic without changing canonical report schema
- refresh the repository baseline and health snapshot after the analysis fix (`81 -> 85`) and update MCP/docs/tests to lock the new behavior
- relicense repository code to `MPL-2.0`, keep documentation under `MIT`, update package metadata and user-facing license notes, add Mozilla file notices to Python sources, and add directory-level MPL notices for golden fixtures without changing fixture contents

Author: orenlab

.github/actions/codeclone/_action_impl.py

@@ -1,4 +1,8 @@
-# SPDX-License-Identifier: MIT
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+# SPDX-License-Identifier: MPL-2.0
+# Copyright (c) 2026 Den Rozhnovskiy
 
 from __future__ import annotations
 

.github/actions/codeclone/render_pr_comment.py

@@ -1,4 +1,8 @@
-# SPDX-License-Identifier: MIT
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+# SPDX-License-Identifier: MPL-2.0
+# Copyright (c) 2026 Den Rozhnovskiy
 
 from __future__ import annotations
 

.github/actions/codeclone/run_codeclone.py

@@ -1,4 +1,8 @@
-# SPDX-License-Identifier: MIT
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+# SPDX-License-Identifier: MPL-2.0
+# Copyright (c) 2026 Den Rozhnovskiy
 
 from __future__ import annotations
 

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [Unreleased]
+
+### Licensing
+
+- Re-license repository code to MPL-2.0 and keep documentation under MIT.
+
+### Packaging
+
+- Ship both `LICENSE` and `LICENSE-docs`, update package metadata, and sync file-level SPDX headers.
+
 ## [2.0.0b3]
 
 ### MCP server
@@ -11,6 +21,18 @@
 - Require explicit `--allow-remote` for non-loopback `streamable-http` binds; reject `cache_policy=refresh` to preserve
   read-only semantics.
 - Defer MCP process-count policy to the core runtime when `processes` is not explicitly overridden.
+- Slim MCP summary payloads for agent usage: `get_run_summary`, summary resources, and `analyze_changed_paths` now
+  replace `inventory.file_registry.items` with `{encoding, count}` while `analyze_repository` keeps the full registry.
+- Split `get_report_section(section="metrics")` into a summary-only projection and add `metrics_detail` for the full
+  metrics payload, without changing canonical report schema `2.1`.
+- Slim `health.dimensions` in granular `check_*` responses to the single dimension relevant to each tool.
+- Keep hotspot `source_kind` aligned with canonical finding payloads, including fixture-scoped findings.
+- Add envelope-level `base_uri` to `list_findings`, `list_hotspots`, and `check_*`, while removing repeated per-location
+  `uri` values from summary/normal finding payloads.
+- Slim finding list payloads further: summary responses drop `priority_factors` and keep only `file` + `line` in
+  locations; normal responses keep `symbol` but still omit `uri` and `priority_factors`; `get_finding` remains full.
+- Bump cache schema to `2.3` so stale per-file analysis entries from older metric semantics are ignored and rebuilt
+  instead of being treated as reusable cache hits.
 
 ### CLI
 

CONTRIBUTING.md

@@ -3,7 +3,7 @@
 Thank you for your interest in contributing to **CodeClone**.
 
 CodeClone provides **structural code quality analysis** for Python, including clone detection,
-quality metrics, and baseline-aware CI governance.
+quality metrics, baseline-aware CI governance, and an optional MCP agent interface.
 
 Contributions are welcome — especially those that improve **signal quality**, **CFG semantics**,
 and **real-world CI usability**.
@@ -31,8 +31,11 @@ We especially welcome contributions in the following areas:
 - Control Flow Graph (CFG) construction and semantics
 - AST normalization improvements
 - Segment-level clone detection and reporting
+- Quality metrics (complexity, coupling, cohesion, dead-code, dependencies)
 - False-positive reduction
 - HTML report UX improvements
+- MCP server tools and agent workflows
+- GitHub Action improvements
 - Performance optimizations
 - Documentation and real-world examples
 
@@ -51,6 +54,8 @@ When reporting issues related to clone detection, include:
     - AST-related,
     - CFG-related,
     - normalization-related,
+    - metrics-related,
+    - MCP-related,
     - reporting / UI-related.
 
 Screenshots alone are usually insufficient for analysis.
@@ -73,8 +78,6 @@ Well-argued false-positive reports are valuable and appreciated.
 
 ## CFG Semantics Discussions
 
-CFG behavior in CodeClone is intentionally conservative in the 1.x series.
-
 If proposing changes to CFG semantics, include:
 
 - a description of the current behavior;
@@ -98,15 +101,13 @@ Such changes often require design-level discussion and may be staged across vers
 
 ## Baseline & CI
 
-### Baseline contract (v1)
+### Baseline contract (v2)
 
-- The baseline schema is versioned (`meta.schema_version`).
+- The baseline schema is versioned (`meta.schema_version`, currently `2.0`).
 - Compatibility/trust gates include `schema_version`, `fingerprint_version`, `python_tag`,
   and `meta.generator.name`.
-- Integrity is tamper-evident via `meta.payload_sha256` over canonical payload:
-  `clones.functions`, `clones.blocks`, `meta.fingerprint_version`, `meta.python_tag`.
-  `meta.schema_version`, `meta.generator.name`, `meta.generator.version`, and `created_at`
-  are excluded from payload hashing.
+- Integrity is tamper-evident via `meta.payload_sha256` over canonical payload.
+- The baseline may embed a `metrics` section for metrics-baseline-aware CI gating.
 
 ### When baseline regeneration is required
 
@@ -131,12 +132,55 @@ Such changes often require design-level discussion and may be staged across vers
 
 ---
 
+## Versioned schemas
+
+CodeClone maintains several versioned schema contracts:
+
+| Schema           | Current version | Owner                               |
+|------------------|-----------------|-------------------------------------|
+| Baseline         | `2.0`           | `codeclone/baseline.py`             |
+| Report           | `2.1`           | `codeclone/report/json_contract.py` |
+| Cache            | `2.2`           | `codeclone/cache.py`                |
+| Metrics baseline | `1.0`           | `codeclone/metrics_baseline.py`     |
+
+Any change to schema shape or semantics requires version review, documentation, and tests.
+
+---
+
+## MCP Interface
+
+CodeClone includes an optional **read-only MCP server** (`codeclone[mcp]`) for AI agents.
+
+When contributing to MCP:
+
+- MCP must remain **read-only** — it must never mutate baselines, source files, or repo state.
+- Session-local review markers are the only allowed mutable state (in-memory, ephemeral).
+- MCP reuses pipeline/report contracts — do not create a second analysis truth path.
+- Tool names, resource URIs, and response shapes are public surfaces — changes require tests and docs.
+
+See `docs/mcp.md` and `docs/book/20-mcp-interface.md` for details.
+
+---
+
+## GitHub Action
+
+CodeClone ships a composite GitHub Action (`.github/actions/codeclone/`).
+
+When contributing to the Action:
+
+- Never inline `${{ inputs.* }}` in shell scripts — pass through `env:` variables.
+- Prefer major-tag pinning for actions (e.g., `actions/setup-python@v5`).
+- Add timeouts to all `subprocess.run` calls.
+
+---
+
 ## Development Setup
 
 ```bash
 git clone https://github.com/orenlab/codeclone.git
 cd codeclone
 uv sync --all-extras --dev
+uv run pre-commit install
 ```
 
 Run tests:
@@ -148,16 +192,26 @@ uv run pytest
 Static checks:
 
 ```bash
-uv run mypy .
-uv run ruff check .
-uv run ruff format .
+uv run pre-commit run --all-files
+```
+
+Build documentation (if you touched `docs/` or `mkdocs.yml`):
+
+```bash
+uv run --with mkdocs --with mkdocs-material mkdocs build --strict
+```
+
+Run MCP tests (if you touched `mcp_service.py` or `mcp_server.py`):
+
+```bash
+uv run pytest -q tests/test_mcp_service.py tests/test_mcp_server.py
 ```
 
 ---
 
 ## Code Style
 
-- Python **3.10–3.14**
+- Python **3.10 – 3.14**
 - Type annotations are required
 - `Any` should be minimized; prefer precise types and small typed helpers
 - `mypy` must pass
@@ -182,5 +236,7 @@ and may require a `fingerprint_version` bump (and thus baseline regeneration).
 
 ## License
 
-By contributing to CodeClone, you agree that your contributions will be licensed
-under the **MIT License**.
+By contributing code to CodeClone, you agree that your contributions will be
+licensed under **MPL-2.0**.
+
+Documentation contributions are licensed under **MIT**.