2.0.0b6: land the architecture split, adaptive dependency profiling, and security review surfaces

.github/actions/codeclone/README.md

@@ -73,7 +73,7 @@ jobs:
 
 | Input                   | Default                         | Purpose                                                                                                           |
 |-------------------------|---------------------------------|-------------------------------------------------------------------------------------------------------------------|
-| `python-version`        | `3.13`                          | Python version used to run the action                                                                             |
+| `python-version`        | `3.14`                          | Python version used to run the action                                                                             |
 | `package-version`       | `""`                            | CodeClone version from PyPI for remote installs; ignored when the action runs from the checked-out CodeClone repo |
 | `path`                  | `.`                             | Project root to analyze                                                                                           |
 | `json-path`             | `.cache/codeclone/report.json`  | JSON report output path                                                                                           |

.github/actions/codeclone/action.yml

@@ -13,7 +13,7 @@ inputs:
   python-version:
     description: "Python version"
     required: false
-    default: "3.13"
+    default: "3.14"
 
   package-version:
     description: "CodeClone version from PyPI for remote installs (ignored when the action runs from the checked-out CodeClone repo)"

.github/workflows/benchmark.yml

@@ -87,7 +87,7 @@ jobs:
         if: env.BENCH_ENABLED == '1' && runner.os == 'macOS'
         uses: actions/setup-python@v6.2.0
         with:
-          python-version: "3.13"
+          python-version: "3.14"
           allow-prereleases: true
 
       - name: Set up uv (macOS local benchmark)
@@ -98,7 +98,7 @@ jobs:
 
       - name: Install dependencies (macOS local benchmark)
         if: env.BENCH_ENABLED == '1' && runner.os == 'macOS'
-        run: uv sync --all-extras --dev
+        run: uv sync --extra dev
 
       - name: Set benchmark output path
         if: env.BENCH_ENABLED == '1'

.github/workflows/codeclone.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Run CodeClone
         uses: ./.github/actions/codeclone
         with:
-          python-version: "3.13"
+          python-version: "3.14"
           fail-on-new: "true"
           fail-health: "60"
           sarif: "true"

.github/workflows/docs.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v6.2.0
         with:
-          python-version: "3.13"
+          python-version: "3.14"
           allow-prereleases: true
 
       - name: Set up uv
@@ -33,7 +33,7 @@ jobs:
           enable-cache: true
 
       - name: Install project dependencies
-        run: uv sync --dev
+        run: uv sync --extra dev
 
       - name: Configure GitHub Pages
         uses: actions/configure-pages@v5

.github/workflows/publish.yml

@@ -0,0 +1,116 @@
+name: publish
+run-name: >-
+  publish • ${{ github.event_name }} •
+  ${{ github.event.release.tag_name || inputs.repository || github.ref_name }}
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      repository:
+        description: Target package index
+        required: true
+        default: testpypi
+        type: choice
+        options:
+          - testpypi
+          - pypi
+
+permissions:
+  contents: read
+
+concurrency:
+  group: publish-${{ github.event.release.tag_name || github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@v6.2.0
+        with:
+          python-version: "3.14"
+          allow-prereleases: true
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Verify release tag matches project version
+        if: ${{ github.event_name == 'release' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          project_version="$(python - <<'PY'
+          import pathlib, tomllib
+          payload = tomllib.loads(pathlib.Path("pyproject.toml").read_text(encoding="utf-8"))
+          print(payload["project"]["version"])
+          PY
+          )"
+          release_tag="${{ github.event.release.tag_name }}"
+          normalized_tag="${release_tag#v}"
+          if [ "$normalized_tag" != "$project_version" ]; then
+            echo "release tag $release_tag does not match project version $project_version" >&2
+            exit 1
+          fi
+
+      - name: Build distributions
+        run: uv run --with build python -m build --sdist --wheel
+
+      - name: Validate distributions
+        run: uv run --with twine twine check dist/*
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+          if-no-files-found: error
+
+  publish-testpypi:
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.repository == 'testpypi' }}
+    needs: build
+    runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@v5
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+  publish-pypi:
+    if: >-
+      ${{
+        github.event_name == 'release' ||
+        (github.event_name == 'workflow_dispatch' && inputs.repository == 'pypi')
+      }}
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@v5
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/tests.yml

@@ -35,19 +35,19 @@ jobs:
           enable-cache: true
 
       - name: Install dependencies
-        run: uv sync --all-extras --dev
+        run: uv sync --extra dev --extra mcp
 
       - name: Run tests
         # Smoke CLI tests intentionally disable subprocess coverage collection
         # to avoid runner-specific flakiness while keeping parent-process coverage strict.
         run: uv run pytest --cov=codeclone --cov-report=term-missing --cov-fail-under=99
 
       - name: Verify baseline exists
-        if: ${{ matrix.python-version == '3.13' }}
+        if: ${{ matrix.python-version == '3.14' }}
         run: test -f codeclone.baseline.json
 
       - name: Check for new clones vs baseline
-        if: ${{ matrix.python-version == '3.13' }}
+        if: ${{ matrix.python-version == '3.14' }}
         run: uv run codeclone . --ci
 
   lint:
@@ -59,15 +59,15 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v6.2.0
         with:
-          python-version: "3.13"
+          python-version: "3.14"
 
       - name: Set up uv
         uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
 
       - name: Install dependencies
-        run: uv sync --all-extras --dev
+        run: uv sync --extra dev --extra mcp
 
       - name: Ruff
         run: uv run ruff check .

.gitignore

@@ -40,3 +40,8 @@ site/
 /package-lock.json
 extensions/vscode-codeclone/node_modules
 /coverage.xml
+/.cgcignore
+/mcp.json
+/scripts/refactor_guard.sh
+/docs/refactoring-spec.md
+/smoke_cli.sh