feat: v8.1 refactoring tools improvements

[SimplyLiz]

Summary

• Function-level complexity in auditRisk: Wire tree-sitter complexity analyzer to produce per-function cyclomatic/cognitive scores instead of file-level only
• Graceful degradation messaging: Compound tools now warn when SCIP is missing/stale or git is unavailable, with capability percentages and fix commands
• Test gap analysis: New analyzeTestGaps tool identifies untested functions using SCIP references or heuristic name matching, sorted by complexity
• Richer prepareChange for rename/extract: Rename returns classified call sites, type refs, and import paths; extract returns boundary analysis with parameter/return detection
• Unified planRefactor compound tool: Single tool that combines impact analysis, risk assessment, test gaps, and generates ordered refactoring steps

Test plan

• go build ./cmd/ckb compiles
• go test ./internal/... — all 52 packages pass
• go install ./cmd/ckb — binary installs
• Manual MCP test: auditRisk response includes functionComplexity[]
• Manual MCP test: explore with stale index returns degradation warnings
• Manual MCP test: analyzeTestGaps returns untested functions
• Manual MCP test: prepareChange with changeType: "rename" includes renameDetail
• Manual MCP test: planRefactor returns combined risk + impact + tests + steps

🤖 Generated with Claude Code

[github-actions]

🟡 Change Impact Analysis

Metric	Value
Risk Level	MEDIUM 🟡
Files Changed	17
Symbols Changed	409
Directly Affected	1
Transitively Affected	146

Blast Radius: 0 modules, 1 files, 147 unique callers

📝 Changed Symbols (409)

Symbol	File	Type	Confidence
AnalyzeOptions	internal/query/testgap.go	added	100%
AnalyzeOptions#Limit	internal/query/testgap.go	added	100%
AnalyzeOptions#MinLines	internal/query/testgap.go	added	100%
AnalyzeOptions#Target	internal/query/testgap.go	added	100%
AnalyzeTestGapsOptions	internal/mcp/tool_impls_testgap.go	added	100%
AnalyzeTestGapsOptions#Limit	internal/mcp/tool_impls_testgap.go	added	100%
AnalyzeTestGapsOptions#MinLines	internal/mcp/tool_impls_testgap.go	added	100%
AnalyzeTestGapsOptions#Target	internal/mcp/tool_impls_testgap.go	added	100%
Analyzer	internal/testgap/analyzer.go	added	100%
Analyzer#Analyze	internal/query/testgap.go	added	100%
Analyzer#checkTestedViaHeuristic	internal/testgap/analyzer.go	added	100%
Analyzer#checkTestedViaSCIP	internal/testgap/analyzer.go	added	100%
Analyzer#collectFiles	internal/testgap/analyzer.go	added	100%
Analyzer#complexityAnalyzer	internal/audit/analyzer.go	modified	100%
Analyzer#complexityAnalyzer	internal/testgap/analyzer.go	added	100%
…	+394 more

🎯 Affected Downstream (20)

Symbol	Module	Distance	Kind
unknown	``	1	type-dependency
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/cmd/ckb/runAudit().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/api/Server#handleAudit().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/Analyzer#analyzeFile().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestComputeSummary().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestDetectSecurityKeywords().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestDetectSecurityKeywordsNonexistent().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestFindQuickWins().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestFindSourceFiles().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestGenerateRecommendation().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestGetComplexity().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestGetComplexityNonexistent().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestHasTestFile().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestNewAnalyzer().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/mcp/MCPServer#RegisterTools().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/mcp/MCPServer#toolAnalyzeTestGaps().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/mcp/MCPServer#toolAuditRisk().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/mcp/MCPServer#toolPlanRefactor().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/query/Engine#AnalyzeTestGaps().	``	2	transitive-caller
scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/query/Engine#PlanRefactor().	``	2	transitive-caller

Recommendations

• ⚠️ test: Significant transitive impact (146 symbols). Run comprehensive test suite.
  • Action: Run full test suite before merging

⚠️ Index is 0 commit(s) behind HEAD. Results may be incomplete.

---

_{Generated by CKB}

[github-actions]

🔐 Security Audit Results

⚠️ Security gate passed with warnings - 7 issue(s) found (review recommended)

Category	Findings
🔑 Secrets	✅ 0
🛡️ SAST	✅ 0
📦 Dependencies	⚠️ 7
📜 Licenses	⚠️ 144 non-permissive

📦 Dependency Vulnerabilities

Found 7 vulnerability(ies) across 2 scanner(s)

Details

Trivy (4 findings)

• CVE-2026-22036 (MEDIUM): undici - undici: Undici: Denial of Service via excessive de...
• CVE-2025-54410 (LOW): github.com/docker/docker - github.com/moby/moby: Moby's Firewalld reload remo...
• GHSA-vrw8-fxc6-2r93 (MEDIUM): github.com/go-chi/chi/v5 - chi Allows Host Header Injection which Leads to Op...
• CVE-2025-47908 (MEDIUM): github.com/rs/cors - github.com/rs/cors: Denial of service via maliciou...

OSV-Scanner (3 findings)

• github.com/docker/docker: 2 vulnerabilities
• github.com/go-chi/chi/v5: 1 vulnerabilities
• github.com/rs/cors: 2 vulnerabilities

📜 License Issues

Found 144 non-permissive license(s)

Details

• github.com/BurntSushi/toml: MIT (notice)
• github.com/google/uuid: BSD-3-Clause (notice)
• github.com/klauspost/compress: Apache-2.0 (notice)
• github.com/klauspost/compress: BSD-3-Clause (notice)
• github.com/klauspost/compress: MIT (notice)
• github.com/pelletier/go-toml/v2: MIT (notice)
• github.com/smacker/go-tree-sitter: MIT (notice)
• github.com/sourcegraph/go-diff: MIT (notice)
• github.com/sourcegraph/scip: Apache-2.0 (notice)
• github.com/spf13/cobra: Apache-2.0 (notice)
• ... and 134 more

---

_{Generated by CKB Security Audit | View Details | Security Tab}

[codecov]

Codecov Report

❌ Patch coverage is 11.75617% with 608 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/query/compound_refactor.go	0.0%	180 Missing ⚠️
internal/testgap/analyzer.go	0.0%	162 Missing ⚠️
internal/query/prepare_rename.go	0.0%	70 Missing ⚠️
internal/mcp/tool_impls_compound.go	0.0%	41 Missing ⚠️
internal/query/prepare_extract.go	0.0%	41 Missing ⚠️
internal/audit/analyzer.go	21.0%	30 Missing ⚠️
internal/mcp/tool_impls_testgap.go	0.0%	25 Missing ⚠️
internal/query/compound.go	28.0%	16 Missing and 2 partials ⚠️
internal/mcp/tool_impls_v65.go	0.0%	14 Missing ⚠️
internal/query/degradation.go	64.7%	10 Missing and 2 partials ⚠️
... and 2 more

❌ Your patch status has failed because the patch coverage (11.7%) is below the target coverage (30.0%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff            @@
##           develop    #127     +/-   ##
=========================================
- Coverage     44.9%   44.6%   -0.4%     
=========================================
  Files          350     357      +7     
  Lines        60028   60687    +659     
=========================================
+ Hits         27004   27077     +73     
- Misses       31188   31769    +581     
- Partials      1836    1841      +5     

Flag	Coverage Δ
unit	44.6% <11.7%> (-0.4%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

CKB Analysis

🎯 409 changed → 146 affected · 🔥 5 hotspots · 📊 7 complex · 💣 2 blast · 📚 143 stale

Risk factors: Medium-sized PR with 17 files • High churn: 1396 lines changed • Touches 5 hotspot(s)

Metric	Value
Impact Analysis	409 symbols → 146 affected	🟡
Doc Coverage	9.090909090909092%	⚠️
Complexity	7 violations	⚠️
Coupling	0 gaps	✅
Blast Radius	0 modules, 1 files	✅
Index	indexed (7s)	💾

🎯 Change Impact Analysis · 🟡 MEDIUM · 409 changed → 20 affected

Metric	Value
Symbols Changed	409
Directly Affected	1
Transitively Affected	146
Modules in Blast Radius	0
Files in Blast Radius	1

Symbols changed in this PR:

• AnalyzeOptions [added] (100%) — internal/query/testgap.go
• AnalyzeOptions#Limit [added] (100%) — internal/query/testgap.go
• AnalyzeOptions#MinLines [added] (100%) — internal/query/testgap.go
• AnalyzeOptions#Target [added] (100%) — internal/query/testgap.go
• AnalyzeTestGapsOptions [added] (100%) — internal/mcp/tool_impls_testgap.go
• AnalyzeTestGapsOptions#Limit [added] (100%) — internal/mcp/tool_impls_testgap.go
• AnalyzeTestGapsOptions#MinLines [added] (100%) — internal/mcp/tool_impls_testgap.go
• AnalyzeTestGapsOptions#Target [added] (100%) — internal/mcp/tool_impls_testgap.go
• Analyzer [added] (100%) — internal/testgap/analyzer.go
• Analyzer#Analyze [added] (100%) — internal/query/testgap.go
• … and 399 more

Downstream symbols affected:
Direct callers (1):

• unknown
  Transitive callers (19):
• scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/cmd/ckb/runAudit(). (depth 2)
• scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/api/Server#handleAudit(). (depth 2)
• scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/Analyzer#analyzeFile(). (depth 2)
• scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestComputeSummary(). (depth 2)
• scip-go gomod github.com/SimplyLiz/CodeMCP 556b2151da40 github.com/SimplyLiz/CodeMCP/internal/audit/TestDetectSecurityKeywords(). (depth 2)
• … and 14 more transitive callers

Recommendations:

• ⚠️ Significant transitive impact (146 symbols). Run comprehensive test suite.
  • Action: Run full test suite before merging

⚠️ Index is undefined commit(s) behind HEAD. Results may be incomplete. Run ckb index to refresh.

💣 Blast radius · 0 symbols · 2 tests · 0 consumers

Tests that may break:

• internal/audit/audit_test.go
• internal/mcp/presets_test.go

🔥 Hotspots · 5 volatile files

File	Churn Score
internal/mcp/presets.go	8.51
internal/mcp/tool_impls_compound.go	9.32
internal/mcp/tool_impls_deadcode.go	7.76
internal/mcp/tools.go	12.03
internal/query/compound.go	11.65

📦 Modules · 2 at risk

	Module	Files
🟡	internal/mcp	7
🟡	internal/query	6

📊 Complexity · 7 violations

File	Cyclomatic	Cognitive
internal/audit/analyzer.go	⚠️ 19	⚠️ 49
internal/mcp/presets_test.go	⚠️ 21	⚠️ 35
internal/mcp/tool_impls_compound.go	15	⚠️ 28
internal/mcp/tool_impls_deadcode.go	⚠️ 19	⚠️ 32
internal/query/compound.go	⚠️ 31	⚠️ 52
internal/query/compound_refactor.go	⚠️ 29	⚠️ 62
internal/testgap/analyzer.go	⚠️ 16	⚠️ 27

💡 Quick wins · 10 suggestions

• 🟡 Add tests → internal/query/engine_test.go
• 🟡 Add tests → internal/api/index_processor.go
• 🟡 Add tests → internal/incremental/store_test.go
• 🟡 Add tests → internal/identity/identity_test.go
• 🟡 Add tests → internal/backends/scip/references.go
• 🟢 Assign backup owner → internal/query/engine_test.go
• 🟢 Assign backup owner → internal/api/index_processor.go
• 🟢 Assign backup owner → internal/incremental/store_test.go

📚 Stale docs · 143 broken references

• docs/CONTRIBUTING.md:108 → errors.New
• docs/CONTRIBUTING.md:108 → errors.SYMBOL_NOT_FOUND
• docs/CONTRIBUTING.md:111 → errors.Wrap
• docs/backlog/index-refresh-improvements.md:36 → watcher.Add
• docs/backlog/index-refresh-improvements.md:36 → filepath.Join
• docs/backlog/index-refresh-improvements.md:97 → time.Second
• docs/featureplans/change-impact-analysis-checklist.md:208 → coverage.out
• docs/featureplans/change-impact-analysis-checklist.md:214 → lcov.info
• docs/featureplans/change-impact-analysis-checklist.md:309 → coverage.out
• docs/featureplans/change-impact-analysis.md:448 → scip.SCIPIndex
• docs/featureplans/change-impact-analysis.md:478 → context.Context
• docs/featureplans/change-impact-analysis.md:669 → coverage.out
• docs/ideas.md:16 → provenance.backends
• docs/ideas.md:21 → queryPolicy.coalesceWindowMs
• docs/ideas.md:302 → confidence.factors

---

_{Generated by CKB · Run details}

[SimplyLiz]

Superseded by #128 which includes both batch 1 and batch 2 of the v8.1 refactoring tools.