feat(core): optimize MCP payloads, harden MCP safety semantics, and streamline report/html internals

Author: orenlab

CHANGELOG.md

@@ -17,13 +17,15 @@ sync SPDX headers.
   remediation, granular checks, gate preview, PR summary, and session review markers.
 - Bounded run retention (`--history-limit`), `--allow-remote` guard, `cache_policy=refresh` rejected to preserve
   read-only semantics.
-- Agent-optimised payloads: slim inventory counts in summaries, `base_uri` envelope with relative locations,
-  single-dimension `health` in `check_*`, three-tier `detail_level` on finding cards, and `metrics` / `metrics_detail`
-  split — all without changing canonical report schema until the later `2.2` report-threshold update below.
-- `cache.effective_freshness` marker and `get_production_triage` / `codeclone://latest/triage` for compact
-  production-first overview.
+- Agent-optimised payloads: short MCP run/finding ids, slim summary inventory, compact summary/default finding cards,
+  single-dimension `health` in `check_*`, bounded `metrics_detail`, and compact changed-files / compare-runs responses
+  — all without changing the canonical report contract.
+- `cache.freshness` marker and `get_production_triage` / `codeclone://latest/triage` for compact production-first
+  overview.
 - Honest run comparison: `compare_runs` reports `mixed` / `incomparable` instead of misleading single verdicts;
   `clones_only` runs surface `health: unavailable` instead of zeroed placeholders.
+- Safety hardening: MCP analysis now requires an absolute repository root and rejects relative roots like `.`, so the
+  server cannot silently analyze the wrong directory when its cwd differs from the client workspace.
 - Fix hotlist key resolution for `production_hotspots` and `test_fixture_hotspots`.
 - Bump cache schema to `2.3` (stale metric entries rebuilt, not reused).
 

codeclone/_html_report/_assemble.py

@@ -163,7 +163,7 @@ def _tab_badge(count: int) -> str:
         tab_icon = section_icon_html(
             tab_icon_keys.get(tab_id, ""),
             class_name="main-tab-icon",
-            size=14,
+            size=15,
         )
         tab_buttons.append(
             f'<button class="main-tab" role="tab" data-tab="{tab_id}" '

codeclone/_html_report/_components.py

@@ -11,14 +11,11 @@
 from collections.abc import Mapping
 from typing import Literal
 
-from .. import _coerce
+from .._coerce import as_int as _as_int
 from .._html_badges import _source_kind_badge_html
 from .._html_escape import _escape_attr, _escape_html
 from ._icons import section_icon_html
 
-_as_int = _coerce.as_int
-_as_mapping = _coerce.as_mapping
-
 Tone = Literal["ok", "warn", "risk", "info"]
 
 _EMPTY_ICON = (

codeclone/_html_report/_context.py

@@ -12,7 +12,7 @@
 from dataclasses import dataclass
 from typing import TYPE_CHECKING
 
-from .. import _coerce
+from .._coerce import as_mapping as _as_mapping
 from ..contracts import REPORT_SCHEMA_VERSION
 from ..report.overview import build_report_overview, materialize_report_overview
 
@@ -26,9 +26,6 @@
         Suggestion,
     )
 
-_as_mapping = _coerce.as_mapping
-_as_sequence = _coerce.as_sequence
-
 
 @dataclass(frozen=True, slots=True)
 class ReportContext:

codeclone/_html_report/_icons.py

@@ -94,16 +94,16 @@ def _svg_with_class(size: int, sw: str, body: str, *, class_name: str = "") -> s
 
 _SECTION_ICON_BODIES: dict[str, tuple[str, str]] = {
     "overview": (
-        "2",
-        '<rect x="3" y="4" width="8" height="7" rx="1.5"/>'
-        '<rect x="13" y="4" width="8" height="7" rx="1.5"/>'
-        '<rect x="3" y="13" width="8" height="7" rx="1.5"/>'
-        '<rect x="13" y="13" width="8" height="7" rx="1.5"/>',
+        "1.8",
+        '<rect x="3" y="3" width="7.5" height="7.5" rx="1.5"/>'
+        '<rect x="13.5" y="3" width="7.5" height="7.5" rx="1.5"/>'
+        '<rect x="3" y="13.5" width="7.5" height="7.5" rx="1.5"/>'
+        '<rect x="13.5" y="13.5" width="7.5" height="7.5" rx="1.5"/>',
     ),
     "clones": (
         "2",
-        '<rect x="9" y="9" width="10" height="10" rx="2"/>'
-        '<rect x="5" y="5" width="10" height="10" rx="2"/>',
+        '<rect x="9" y="9" width="11" height="11" rx="2"/>'
+        '<rect x="4" y="4" width="11" height="11" rx="2"/>',
     ),
     "quality": (
         "2",
@@ -113,9 +113,9 @@ def _svg_with_class(size: int, sw: str, body: str, *, class_name: str = "") -> s
     ),
     "dependencies": (
         "2",
-        '<circle cx="6" cy="6" r="2"/><circle cx="18" cy="6" r="2"/>'
-        '<circle cx="12" cy="18" r="2"/><path d="M8 7.5l2.5 6.5"/>'
-        '<path d="M16 7.5l-2.5 6.5"/>',
+        '<circle cx="6" cy="6" r="2.5"/><circle cx="18" cy="6" r="2.5"/>'
+        '<circle cx="12" cy="18" r="2.5"/><path d="M8 7.8l2.7 6.4"/>'
+        '<path d="M16 7.8l-2.7 6.4"/>',
     ),
     "dead-code": (
         "2",
@@ -124,14 +124,14 @@ def _svg_with_class(size: int, sw: str, body: str, *, class_name: str = "") -> s
     ),
     "suggestions": (
         "2",
-        '<path d="M12 3l1.8 4.7L18.5 9.5l-4.7 1.8L12 16l-1.8-4.7L5.5 9.5l4.7-1.8Z"/>'
-        '<path d="M19 16l.8 2.2L22 19l-2.2.8L19 22l-.8-2.2L16 19l2.2-.8Z"/>',
+        '<path d="M11.5 3l1.9 5 5 1.9-5 1.9L11.5 17l-1.9-5-5-1.9 5-1.9Z"/>'
+        '<path d="M19.5 16l.8 2 2 .8-2 .8-.8 2-.8-2-2-.8 2-.8Z"/>',
     ),
     "structural-findings": (
         "2",
-        '<circle cx="6" cy="6" r="2"/><circle cx="18" cy="18" r="2"/>'
-        '<circle cx="18" cy="6" r="2"/><path d="M8 6h8"/>'
-        '<path d="M6 8v8a2 2 0 0 0 2 2h8"/>',
+        '<circle cx="6" cy="6" r="2.5"/><circle cx="18" cy="18" r="2.5"/>'
+        '<circle cx="18" cy="6" r="2.5"/><path d="M8.5 6h7"/>'
+        '<path d="M6 8.5v7a2 2 0 0 0 2 2h7"/>',
     ),
     "top-risks": (
         "2",
@@ -164,8 +164,8 @@ def _svg_with_class(size: int, sw: str, body: str, *, class_name: str = "") -> s
     ),
     "clone-groups": (
         "2",
-        '<rect x="9" y="9" width="10" height="10" rx="2"/>'
-        '<rect x="5" y="5" width="10" height="10" rx="2"/>',
+        '<rect x="9" y="9" width="11" height="11" rx="2"/>'
+        '<rect x="4" y="4" width="11" height="11" rx="2"/>',
     ),
     "low-cohesion": (
         "2",

codeclone/blockhash.py

@@ -8,9 +8,9 @@
 
 from typing import TYPE_CHECKING
 
-from .blockhash import stmt_hashes
 from .fingerprint import sha1
 from .models import BlockUnit, SegmentUnit
+from .normalize import stmt_hashes
 
 if TYPE_CHECKING:
     import ast

codeclone/blocks.py

@@ -18,7 +18,6 @@
 from typing import TYPE_CHECKING, Literal, NamedTuple
 
 from . import qualnames as _qualnames
-from .blockhash import stmt_hashes
 from .blocks import extract_blocks, extract_segments
 from .cfg import CFGBuilder
 from .errors import ParseError
@@ -46,6 +45,7 @@
     AstNormalizer,
     NormalizationConfig,
     normalized_ast_dump_from_list,
+    stmt_hashes,
 )
 from .paths import is_test_filepath
 from .structural_findings import scan_function_structure