
CodeClone 2.0.0b6: land the architecture split, adaptive dependency profiling, and security review surfaces

Pre-release


@orenlab orenlab released this 28 Apr 15:29
5f6f0fc

The global package refactor lands here: the entire runtime moves onto the canonical module layout and legacy shims are removed for good. On top of that, dependency-depth scoring is replaced with an adaptive project-relative model, and the report/cache contracts advance to surface the new depth profile and the report-only security_surfaces layer.

Package layout and contracts

  • Move the runtime fully onto the canonical package layout: main + surfaces/cli, surfaces/mcp, core, analysis, baseline, cache, contracts, report/document, report/renderers, and report/html.
  • Remove remaining legacy root shims and stale compatibility modules in favor of direct canonical imports.
  • Remove stale deleted-file cache entries and trim post-refactor import tails that were inflating dependency depth and clone pressure.
  • Bump report schema to 2.10 and cache schema to 2.6 for additive dependency depth profile fields and security_surfaces facts; keep clone baseline schema 2.1 and metrics-baseline schema 1.2 unchanged.
  • Preserve deterministic contracts and read-only MCP semantics across the new layout.

Dependency depth scoring

  • Replace the old fixed dependency-depth penalty (max_depth > 8) with an adaptive internal-graph profile based on avg_depth, p95_depth, and max_depth.
  • Keep dependency cycles as the hard signal; treat acyclic depth as adaptive pressure relative to the project's own dependency profile.
  • Limit dependency-depth scoring to the internal module graph instead of external imports such as typing or argparse.
  • Surface the dependency depth profile in the canonical report, HTML Dependencies tab, and CLI/CI summaries.
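As an added illustration (not CodeClone's own code), the Python sketch below shows the shape of the profile these notes describe: restrict the import graph to internal modules, report any cycle as the hard signal, and otherwise summarise longest-chain depth as avg/p95/max. The module names and import edges are constructed, and how CodeClone converts the profile into a pressure score is not shown.

```python
import math

# Constructed sample import graph (not CodeClone's real module graph):
# module -> imported names. External imports (typing, argparse) are present
# so the filtering step can be seen excluding them from depth scoring.
SAMPLE_IMPORTS = {
    "pkg.main": ["pkg.core", "pkg.report", "argparse"],
    "pkg.core": ["pkg.analysis", "typing"],
    "pkg.analysis": ["pkg.cache", "typing"],
    "pkg.cache": [],
    "pkg.report": ["pkg.core", "pkg.cache"],
    "pkg.baseline": ["pkg.cache"],
}

def internal_graph(imports):
    """Keep only edges to modules that belong to the project itself."""
    return {m: [d for d in deps if d in imports] for m, deps in imports.items()}

def find_cycle(graph):
    """Return one import cycle as a closed module list, or None if acyclic."""
    state = dict.fromkeys(graph, 0)  # 0 = unvisited, 1 = on DFS stack, 2 = done
    stack = []

    def visit(m):
        state[m] = 1
        stack.append(m)
        for d in graph[m]:
            if state[d] == 1:  # back edge: d is still on the stack
                return stack[stack.index(d):] + [d]
            if state[d] == 0 and (cyc := visit(d)):
                return cyc
        stack.pop()
        state[m] = 2

    for m in graph:
        if state[m] == 0 and (cyc := visit(m)):
            return cyc
    return None

def depth_profile(graph):
    """avg/p95/max of the longest import chain below each module; graph must be acyclic."""
    memo = {}

    def depth(m):  # leaf modules have depth 0
        if m not in memo:
            memo[m] = 1 + max((depth(d) for d in graph[m]), default=-1)
        return memo[m]

    depths = sorted(depth(m) for m in graph)
    p95_rank = max(0, math.ceil(0.95 * len(depths)) - 1)  # nearest-rank percentile
    return {"avg_depth": sum(depths) / len(depths), "p95_depth": depths[p95_rank], "max_depth": depths[-1]}
```

Run find_cycle before depth_profile: a cycle is reported on its own, and only an acyclic internal graph is summarised into the depth profile.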

Security surfaces

  • Add metrics.families.security_surfaces: a report-only exact inventory of security-relevant capability surfaces and trust-boundary code.
  • Surface compact security_surfaces facts in canonical report JSON, CLI Metrics, HTML Quality, text/markdown projections, and MCP summaries / metrics_detail.
  • Keep the layer honest: no vulnerability claims, no score impact, no gates, no SARIF security findings, and no baseline truth.

Tooling, docs, and UX

  • Refresh AGENTS, docs/book, and changelog content for the b6 package layout and report schema 2.10.
  • Tighten preview client metadata and install guidance for VS Code, Claude Desktop, and Codex.
  • Replace the Codex plugin shell snippet with a repo-local shell-free launcher, and parallelize VS Code post-run MCP artifact hydration.
  • Add a quiet one-time VS Code extension hint in interactive VS Code terminals, tracked per CodeClone version next to the resolved project cache path.