@opencodehub/cli 0.2.2 → 0.2.3

package/dist/plugin-assets/skills/opencodehub-impact-analysis/SKILL.md

@@ -0,0 +1,151 @@
+---
+name: opencodehub-impact-analysis
+description: "Use when the user wants to know what will break if they change something, or needs safety analysis before editing or merging code. Examples: \"Is it safe to change X?\", \"What depends on this?\", \"What will break?\", \"Blast radius for this change\"."
+---
+
+# Impact Analysis with OpenCodeHub
+
+## When to Use
+
+- "Is it safe to change this function?"
+- "What will break if I modify X?"
+- "Show me the blast radius."
+- "Who uses this code?"
+- Before committing or merging a non-trivial change.
+
+## Decision Tree
+
+```
+Is the target a symbol (function, class, method, property)?
+  └─ yes → mcp__opencodehub__impact
+Is the target an HTTP route or API endpoint?
+  └─ yes → mcp__opencodehub__api_impact + mcp__opencodehub__route_map
+Is the change a response-shape edit on a route?
+  └─ yes → mcp__opencodehub__shape_check (find consumer key-access mismatches)
+Is the target a dependency version bump?
+  └─ yes → mcp__opencodehub__dependencies + mcp__opencodehub__license_audit
+Want to see what the working tree currently touches?
+  └─ yes → mcp__opencodehub__detect_changes
+```
+
+## Workflow
+
+```
+1. mcp__opencodehub__impact({ name, direction: "upstream", repo })  → Dependents of the target
+2. Read confidenceBreakdown                                          → Trust the confirmed count
+3. If HTTP-adjacent: mcp__opencodehub__api_impact + shape_check      → Route + shape mismatches
+4. mcp__opencodehub__detect_changes                                  → Map the current diff to flows
+5. Assess risk tier and write the summary
+```
+
+> If the context envelope warns the index is stale, run `codehub analyze` first — stale impact results are worse than no impact results.
+
+## Checklist
+
+```
+- [ ] mcp__opencodehub__impact({ name, direction: "upstream", repo })
+- [ ] Review byDepth.d1 first — these WILL BREAK
+- [ ] Read confidenceBreakdown; demand confirmed >= heuristic for destructive calls
+- [ ] Filter to confidence >= 0.9 if the target is load-bearing (auth, payments, data integrity)
+- [ ] If target is a Route: mcp__opencodehub__api_impact + mcp__opencodehub__shape_check
+- [ ] mcp__opencodehub__detect_changes to map the current diff to affected processes
+- [ ] Produce a risk tier and a one-paragraph summary
+```
+
+## Understanding impact output
+
+Risk levels map to blast-radius tiers:
+
+| Depth | Risk Level       | Meaning                                |
+| ----- | ---------------- | -------------------------------------- |
+| d=1   | WILL BREAK       | Direct callers / importers / overrides |
+| d=2   | LIKELY AFFECTED  | One hop through d=1                    |
+| d=3   | MAY NEED TESTING | Two hops — transitive effects          |
+
+`confidenceBreakdown` on the impact response categorises the edges the tool actually traversed:
+
+- `confirmed` — a SCIP indexer (scip-typescript, scip-python, scip-go, rust-analyzer, scip-java) confirmed the edge at confidence ≥ 0.95. Trust these for refactor/impact decisions.
+- `heuristic` — tree-sitter or tier-1/tier-2 inference; no SCIP indexer covers this triple. Treat as a signal, not a ground truth.
+- `unknown` — confidence ≤ 0.2. The demote phase flagged the edge (`+scip-unconfirmed`). Do not act on these alone.
+
+## Risk Tier Guide
+
+| Signal                                         | Risk     |
+| ---------------------------------------------- | -------- |
+| < 5 symbols, ≤ 1 process, all confirmed        | LOW      |
+| 5–15 symbols, 2–5 processes                    | MEDIUM   |
+| > 15 symbols OR many processes OR many heuristic edges | HIGH |
+| Critical path (auth, payments, data integrity) | CRITICAL |
+
+## Tools
+
+### `mcp__opencodehub__impact` — symbol blast radius
+
+```
+mcp__opencodehub__impact({
+  name: "validateUser",
+  direction: "upstream",
+  depth: 3,
+  repo: "my-app"
+})
+
+→ target: {uid, kind, filePath}
+→ byDepth: {d1: [...], d2: [...], d3: [...]}
+→ affected_processes: [CheckoutFlow, LoginFlow]
+→ confidenceBreakdown: {confirmed, heuristic, unknown}
+→ risk: LOW | MEDIUM | HIGH | CRITICAL
+```
+
+Disambiguation: if the name is ambiguous, `impact` returns a ranked candidate list; pass `uid` (preferred) or `{name, file_path, kind}` to pick one.
+
+### `mcp__opencodehub__api_impact` — route blast radius
+
+```
+mcp__opencodehub__api_impact({ method: "POST", path: "/api/payments", repo })
+
+→ consumers: FETCHES callers across this repo (and across repos when a group is defined)
+→ middleware: applied handlers
+→ mismatches: producer/consumer shape mismatches
+→ affected_processes: flows that pass through this route
+```
+
+### `mcp__opencodehub__shape_check` — response-shape sanity
+
+```
+mcp__opencodehub__shape_check({ repo })
+
+→ mismatches: [{route, producer_keys, consumer_access, consumer_file}]
+```
+
+Run it when a PR changes a response payload. Any new entry in `mismatches` is a bug surface.
+
+### `mcp__opencodehub__detect_changes` — map the current diff to flows
+
+```
+mcp__opencodehub__detect_changes({ scope: "staged", repo })
+
+→ changed_symbols: [{uid, name, kind, filePath, change}]
+→ affected_processes: [...]
+→ risk_level: LOW | MEDIUM | HIGH | CRITICAL
+```
+
+Scopes: `unstaged`, `staged`, `all`, `compare` (requires `base_ref`).
+
+## Example: "What breaks if I change `validateUser`?"
+
+```
+1. mcp__opencodehub__impact({ name: "validateUser", direction: "upstream", depth: 3, repo: "my-app" })
+   → byDepth.d1: loginHandler, apiMiddleware (WILL BREAK)
+   → byDepth.d2: authRouter, sessionManager (LIKELY AFFECTED)
+   → affected_processes: [LoginFlow, TokenRefresh]
+   → confidenceBreakdown: {confirmed: 4, heuristic: 0, unknown: 0}
+   → risk: MEDIUM
+
+2. Every d=1 edge is LSP-confirmed — high trust. Two processes touch the target.
+
+3. mcp__opencodehub__detect_changes({ scope: "unstaged", repo: "my-app" })
+   → changed_symbols: [validateUser]
+   → affected_processes: [LoginFlow, TokenRefresh]
+
+4. Verdict: MEDIUM risk. LoginFlow and TokenRefresh need regression tests before merging.
+```

package/dist/plugin-assets/skills/opencodehub-pr-review/SKILL.md

@@ -0,0 +1,246 @@
+---
+name: opencodehub-pr-review
+description: "Use when the user wants to review a pull request, understand what a PR changes, assess risk of merging, or check missing test coverage. Examples: \"Review this PR\", \"What does PR #42 change?\", \"Is this PR safe to merge?\", \"Audit the dependencies in this PR\"."
+---
+
+# PR Review with OpenCodeHub
+
+## When to Use
+
+- "Review this PR."
+- "What does PR #42 change?"
+- "Is this safe to merge?"
+- "What's the blast radius of this PR?"
+- "Are there missing tests for this PR?"
+- "Did this PR introduce a copyleft / unknown license?"
+- Reviewing someone else's code changes before merge.
+
+## The Golden Workflow
+
+```
+1. mcp__opencodehub__verdict({ base, head })                      → 5-tier merge decision
+2. mcp__opencodehub__list_findings_delta({ base })                → New / fixed / unchanged / updated findings
+3. mcp__opencodehub__detect_changes({ scope: "compare", base_ref }) → Changed symbols + affected flows
+4. For each non-trivial changed symbol:
+   mcp__opencodehub__impact({ name, direction: "upstream" })     → Blast radius + confidenceBreakdown
+5. mcp__opencodehub__license_audit                                → Copyleft / unknown / proprietary tiers
+6. mcp__opencodehub__scan (opt-in)                                → Fresh scanner run — spawns processes
+7. Write the review using the output template below
+```
+
+> If the context envelope warns the index is stale, run `codehub analyze` before starting — stale graphs produce stale verdicts.
+
+## Checklist
+
+```
+- [ ] Fetch the PR diff (gh pr diff <n> or git diff <base>...<head>)
+- [ ] mcp__opencodehub__verdict — start here; it aggregates the review signal
+- [ ] Capture the verdict tier, top drivers, and blockers
+- [ ] mcp__opencodehub__list_findings_delta — new findings since the baseline
+- [ ] mcp__opencodehub__detect_changes — map the diff to affected processes
+- [ ] mcp__opencodehub__impact on each non-trivial changed symbol
+- [ ] Inspect confidenceBreakdown per impact — prefer confirmed edges for breakage claims
+- [ ] mcp__opencodehub__license_audit — flag copyleft or unknown license changes
+- [ ] (optional) mcp__opencodehub__scan to re-run scanners if the baseline is stale
+- [ ] Write the review in the output template below
+```
+
+## Tools
+
+### `mcp__opencodehub__verdict` — the starting point
+
+```
+mcp__opencodehub__verdict({ base: "main", head: "HEAD", repo: "my-app" })
+
+→ tier: "auto_merge" | "single_review" | "dual_review" | "expert_review" | "block"
+→ drivers: [{ signal, weight, evidence }]  // top reasons the tier was chosen
+→ blockers: [...]                          // non-empty only for tier=block
+→ next_action: "merge" | "request review from X" | "add tests for Y" | "fix finding Z"
+→ exit_code: 0 | 1 | 2
+```
+
+Always lead your review with the tier. If it is `block`, do not recommend merge. If it is `auto_merge`, the rest of the review is confirmation, not discovery.
+
+### `mcp__opencodehub__list_findings_delta` — what changed since baseline
+
+```
+mcp__opencodehub__list_findings_delta({
+  repo: "my-app",
+  base: "main"      // compare current scan output to the baseline frozen at base
+})
+
+→ new: [{rule, severity, file, line, message}]        // introduced by this PR — the scariest bucket
+→ fixed: [...]                                        // removed by this PR — give credit
+→ unchanged: [...]                                    // still present, not touched
+→ updated: [...]                                      // same rule hit at a shifted location
+```
+
+The `new` bucket is the first thing to surface — it is the PR author's new debt.
+
+### `mcp__opencodehub__detect_changes` — diff → flows
+
+```
+mcp__opencodehub__detect_changes({ scope: "compare", base_ref: "main", repo: "my-app" })
+
+→ changed_symbols: [{uid, name, kind, filePath, change}]
+→ affected_processes: [CheckoutFlow, RefundFlow]
+→ risk_level: LOW | MEDIUM | HIGH | CRITICAL
+```
+
+### `mcp__opencodehub__impact` — blast radius per changed symbol
+
+```
+mcp__opencodehub__impact({
+  name: "validatePayment",
+  direction: "upstream",
+  depth: 2,
+  repo: "my-app"
+})
+
+→ byDepth.d1: processCheckout, webhookHandler        // WILL BREAK if signature changed
+→ byDepth.d2: checkoutRouter                         // LIKELY AFFECTED
+→ affected_processes: [CheckoutFlow]
+→ confidenceBreakdown: {confirmed, heuristic, unknown}
+→ risk: MEDIUM
+```
+
+If any d=1 caller is NOT in the PR diff, flag it as a potential breakage in your review.
+
+### `mcp__opencodehub__license_audit` — dependency license tiers
+
+```
+mcp__opencodehub__license_audit({ repo: "my-app" })
+
+→ by_tier: {
+    copyleft: [{ name, ecosystem, version, license, manifest }],
+    unknown:  [...],
+    proprietary: [...],
+    permissive: [...]
+  }
+→ warnings: [...]   // e.g. "package `foo` has no license field in manifest"
+```
+
+If the PR diff touches `package.json`, `pyproject.toml`, `go.mod`, or `Cargo.toml`, run this and compare tiers against the pre-PR baseline. A new `copyleft` or `unknown` entry is a review finding.
+
+### `mcp__opencodehub__scan` — re-run scanners
+
+Only run this when the baseline is obviously stale. `scan` has `openWorldHint: true` and spawns child processes, so use it deliberately.
+
+```
+mcp__opencodehub__scan({ repo: "my-app" })
+```
+
+### `mcp__opencodehub__risk_trends` — context on the area being changed
+
+```
+mcp__opencodehub__risk_trends({ repo: "my-app" })
+
+→ communities: [{ name, risk_score, trend, projection_30d }]
+```
+
+Useful when a PR lands inside a community whose risk is already trending up — call that out in the review.
+
+### `mcp__opencodehub__owners` — who should review?
+
+```
+mcp__opencodehub__owners({ repo: "my-app", path: "src/payments" })
+
+→ [{ owner, source: "codeowners" | "git-blame", files, recent_edits }]
+```
+
+## Review Dimensions
+
+| Dimension            | OpenCodeHub surface                                                       |
+| -------------------- | ------------------------------------------------------------------------- |
+| **Correctness**      | `context` shows callers — are they all compatible with the change?        |
+| **Blast radius**     | `impact.byDepth` — anything at d=1 not in the diff is a potential miss    |
+| **Completeness**     | `detect_changes.affected_processes` — are they all handled?               |
+| **Confidence**       | `confidenceBreakdown.confirmed` vs `heuristic` — LSP-backed claims win    |
+| **Net new bugs**     | `list_findings_delta.new` — introduced by this PR                         |
+| **Tests**            | `impact` filtered to `kind = 'Function'` inside test files                |
+| **License hygiene**  | `license_audit` before/after diff                                         |
+| **Ownership**        | `owners` — right reviewers requested?                                     |
+| **Trend**            | `risk_trends` — is this area already hot?                                 |
+
+## Risk Tier Guide
+
+| Signal                                                  | Risk     |
+| ------------------------------------------------------- | -------- |
+| < 3 symbols touched, 0–1 processes, no new findings     | LOW      |
+| 3–10 symbols, 2–5 processes, ≤ 1 new finding            | MEDIUM   |
+| > 10 symbols OR many processes OR several new findings  | HIGH     |
+| Touches auth, payments, data integrity, or new copyleft | CRITICAL |
+| d=1 callers exist outside the PR diff                   | Flag it  |
+
+## Example: "Review PR #42"
+
+```
+1. gh pr diff 42 > /tmp/pr42.diff
+   → 4 files changed: payments.ts, checkout.ts, types.ts, utils.ts
+
+2. mcp__opencodehub__verdict({ base: "main", head: "HEAD", repo: "my-app" })
+   → tier: "dual_review"
+   → drivers: [
+       {signal: "high-impact symbol changed", weight: 0.4, evidence: "validatePayment"},
+       {signal: "new scanner finding", weight: 0.3, evidence: "security/no-eval"},
+       {signal: "missing test coverage on CheckoutFlow", weight: 0.3}
+     ]
+   → next_action: "request review from @payments-team"
+
+3. mcp__opencodehub__list_findings_delta({ repo: "my-app", base: "main" })
+   → new: [{rule: "security/no-eval", severity: "error", file: "src/utils/format.ts", line: 44}]
+   → fixed: []
+
+4. mcp__opencodehub__detect_changes({ scope: "compare", base_ref: "main", repo: "my-app" })
+   → changed_symbols: [validatePayment, PaymentInput, formatAmount]
+   → affected_processes: [CheckoutFlow, RefundFlow]
+   → risk_level: MEDIUM
+
+5. mcp__opencodehub__impact({ name: "validatePayment", direction: "upstream", repo: "my-app" })
+   → byDepth.d1: processCheckout, webhookHandler
+   → webhookHandler is NOT in the PR diff — flag as potential breakage.
+   → confidenceBreakdown: {confirmed: 2, heuristic: 0, unknown: 0}
+
+6. mcp__opencodehub__impact({ name: "PaymentInput", direction: "upstream", repo: "my-app" })
+   → byDepth.d1: validatePayment (in PR), createPayment (NOT in PR)
+   → createPayment uses the old PaymentInput shape — breaking change.
+
+7. mcp__opencodehub__license_audit({ repo: "my-app" })
+   → No tier changes vs. main — clean.
+
+8. Compose the review (template below).
+```
+
+## Review Output Template
+
+```markdown
+## PR Review: <title>
+
+**Tier: dual_review**   **Risk: MEDIUM**
+
+### Verdict drivers
+- validatePayment blast radius crosses the PR boundary
+- 1 new scanner finding: security/no-eval at src/utils/format.ts:44
+- CheckoutFlow has no test coverage for the new branch
+
+### Changes
+- 3 symbols changed across 4 files
+- 2 execution flows affected: CheckoutFlow, RefundFlow
+
+### Findings
+1. **[blocker]** `webhookHandler` (src/webhooks.ts:15) calls `validatePayment`
+   but is NOT updated in this PR. New signature will throw at runtime.
+2. **[blocker]** `createPayment` (src/payments/create.ts:22) uses the old
+   `PaymentInput` shape. This change is breaking.
+3. **[error]** New scanner finding: security/no-eval at src/utils/format.ts:44.
+   `eval(userInput)` is unsafe.
+4. **[ok]** `formatAmount` added optional param — backwards compatible.
+
+### Missing coverage
+- CheckoutFlow has no integration test for the new branch.
+- No webhook test exercises validatePayment.
+
+### Recommendation
+REQUEST CHANGES — resolve the three blockers and add a CheckoutFlow
+integration test before re-review.
+```

package/dist/plugin-assets/skills/opencodehub-refactoring/SKILL.md

@@ -0,0 +1,180 @@
+---
+name: opencodehub-refactoring
+description: "Use when the user wants to rename, extract, split, move, or restructure code safely. Examples: \"Rename this function\", \"Extract this into a module\", \"Refactor this class\", \"Move this to a separate file\"."
+---
+
+# Refactoring with OpenCodeHub
+
+## When to Use
+
+- "Rename this function safely."
+- "Extract this into a module."
+- "Split this service."
+- "Move this to a new file."
+- Any task involving renaming, extracting, splitting, or restructuring code.
+
+## Workflow
+
+```
+1. mcp__opencodehub__impact({ name: target, direction: "upstream" })   → All dependents
+2. mcp__opencodehub__context({ name: target })                         → Incoming / outgoing / processes
+3. mcp__opencodehub__rename({ ..., dry_run: true })                    → Preview every edit
+4. Review confidence tags on each edit (graph vs. text-search)
+5. mcp__opencodehub__rename({ ..., dry_run: false })                   → Apply
+6. mcp__opencodehub__detect_changes                                    → Verify the diff matches the plan
+7. Run tests for the affected processes
+```
+
+> If the context envelope warns the index is stale, run `codehub analyze` first — a stale graph produces incomplete rename plans.
+
+## Checklists
+
+### Rename a symbol
+
+```
+- [ ] mcp__opencodehub__impact({ name, direction: "upstream" }) — enumerate all dependents
+- [ ] mcp__opencodehub__rename({ name, new_name, dry_run: true })
+      (pass `file_path` and/or `kind` to disambiguate when the name is ambiguous)
+- [ ] Review edits: graph edges (high confidence, LSP-backed where available)
+      vs. text_search edits (review line-by-line — config files, docs, tests)
+- [ ] Cross-check the dry-run edit count against impact's d=1 count —
+      gaps mean a dynamic reference the rename missed
+- [ ] mcp__opencodehub__rename({ ..., dry_run: false }) — apply
+- [ ] mcp__opencodehub__detect_changes({ scope: "unstaged" }) — confirm scope
+- [ ] Run tests for every affected process
+```
+
+### Extract a module
+
+```
+- [ ] mcp__opencodehub__context({ name: target }) — see every external ref
+- [ ] mcp__opencodehub__impact({ name: target, direction: "upstream" }) — callers outside the new module
+- [ ] Define the new public surface (exports only what external callers use)
+- [ ] Move code; update imports
+- [ ] mcp__opencodehub__detect_changes — verify scope
+- [ ] Run tests for the affected processes
+- [ ] Re-run codehub analyze so the next agent sees the new module boundary
+```
+
+### Split a function or service
+
+```
+- [ ] mcp__opencodehub__context({ name: target }) — understand outgoing calls
+- [ ] Group outgoing calls by responsibility (the seams for the split)
+- [ ] mcp__opencodehub__impact({ name: target, direction: "upstream" }) — map callers to update
+- [ ] Create the new functions / services
+- [ ] Update callers
+- [ ] mcp__opencodehub__detect_changes — verify scope
+- [ ] Run tests
+```
+
+## Tools
+
+### `mcp__opencodehub__rename` — multi-file coordinated rename
+
+```
+mcp__opencodehub__rename({
+  name: "validateUser",
+  new_name: "authenticateUser",
+  repo: "my-app",
+  dry_run: true                 // default: true
+})
+
+→ edits: [{
+    file_path,
+    line,
+    old_text,
+    new_text,
+    confidence,       // 0.95+ = graph-backed (ideally LSP-confirmed); lower = text_search
+    source            // "graph" | "text_search"
+  }]
+→ summary: {total, by_source: {graph, text_search}}
+```
+
+**Rule**: always review `text_search` edits line-by-line. They are the ones that hit dynamic references (config JSON, doc comments, test fixtures) where a rename may or may not be correct. Graph-backed edits on LSP-confirmed edges are safe to apply in bulk.
+
+Disambiguation: when `name` matches more than one symbol, pass `file_path` and optionally `kind` to pick the target. A future wave will add `symbol_uid` for a direct UID-only path.
+
+### `mcp__opencodehub__impact` — enumerate dependents before renaming
+
+```
+mcp__opencodehub__impact({
+  name: "validateUser",
+  direction: "upstream",
+  depth: 2,
+  repo: "my-app"
+})
+
+→ byDepth.d1: direct callers — every one needs updating
+→ confidenceBreakdown: {confirmed, heuristic, unknown}
+```
+
+If `unknown > 0`, the demote phase contradicted a heuristic edge. That edge may not be a real call — inspect before updating.
+
+### `mcp__opencodehub__detect_changes` — verify the post-refactor diff
+
+```
+mcp__opencodehub__detect_changes({ scope: "unstaged", repo: "my-app" })
+
+→ changed_symbols: [...]
+→ affected_processes: [...]
+→ risk_level: LOW | MEDIUM | HIGH | CRITICAL
+```
+
+Always run this **after** applying the rename. Any symbol you did not expect to change is a miss.
+
+### `mcp__opencodehub__sql` — custom reference query
+
+All files referencing a symbol (useful when rename misses dynamic refs):
+
+```sql
+SELECT DISTINCT caller.file_path
+FROM relations r
+JOIN nodes caller ON caller.id = r.from_id
+JOIN nodes target ON target.id = r.to_id
+WHERE r.type IN ('CALLS', 'REFERENCES', 'IMPORTS')
+  AND target.name = 'validateUser'
+ORDER BY caller.file_path;
+```
+
+## Risk Rules
+
+| Risk factor                       | Mitigation                                                              |
+| --------------------------------- | ----------------------------------------------------------------------- |
+| Many callers (> 5)                | Let `rename` do the mechanical work — do not hand-edit                  |
+| Cross-module references           | Run `detect_changes` after applying; watch for missed imports           |
+| String / dynamic references       | Use `sql` with `type = 'REFERENCES'` + text_search edits                |
+| Public / exported API             | Version and deprecate; mirror symbol names in a transition layer        |
+| Heuristic edges (confirmed = 0)   | Cross-check by reading source; LSP did not weigh in                     |
+
+## Example: Rename `validateUser` to `authenticateUser`
+
+```
+1. mcp__opencodehub__impact({ name: "validateUser", direction: "upstream", repo: "my-app" })
+   → d=1: loginHandler, apiMiddleware, tests/auth.test.ts
+   → affected_processes: [LoginFlow, TokenRefresh]
+   → confidenceBreakdown: {confirmed: 3, heuristic: 0, unknown: 0}
+
+2. mcp__opencodehub__rename({
+     name: "validateUser", new_name: "authenticateUser",
+     repo: "my-app", dry_run: true
+   })
+   → 12 edits across 8 files
+   → summary: {graph: 10, text_search: 2}
+   → text_search edits: config/routes.json (line 14), docs/auth.md (line 33)
+
+3. Review text_search edits: config/routes.json references validateUser by
+   string name — apply the rename manually, the JSON schema allows it.
+   docs/auth.md is prose, safe to rewrite.
+
+4. mcp__opencodehub__rename({ ..., dry_run: false })
+   → Applied 12 edits across 8 files.
+
+5. mcp__opencodehub__detect_changes({ scope: "unstaged", repo: "my-app" })
+   → changed_symbols: [authenticateUser, loginHandler, apiMiddleware, ...]
+   → affected_processes: [LoginFlow, TokenRefresh]
+   → risk_level: MEDIUM
+
+6. Run LoginFlow + TokenRefresh integration tests. Re-run codehub analyze
+   so the graph picks up the new name.
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencodehub/cli",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "OpenCodeHub — codehub CLI (analyze, setup, mcp, list, status, clean, query, context, impact, sql)",
   "license": "Apache-2.0",
   "repository": {
@@ -26,7 +26,9 @@
     "dist/**/*.js.map",
     "!dist/**/*.test.js.map",
     "dist/**/*.d.ts.map",
-    "!dist/**/*.test.d.ts.map"
+    "!dist/**/*.test.d.ts.map",
+    "dist/plugin-assets/**",
+    "dist/commands/ci-templates/**"
   ],
   "dependencies": {
     "@iarna/toml": "2.2.5",
@@ -37,17 +39,17 @@
     "write-file-atomic": "8.0.0",
     "yaml": "2.8.4",
     "@opencodehub/analysis": "0.1.2",
-    "@opencodehub/ingestion": "0.3.1",
-    "@opencodehub/embedder": "0.1.2",
-    "@opencodehub/mcp": "0.3.0",
-    "@opencodehub/pack": "0.1.2",
     "@opencodehub/core-types": "0.3.0",
-    "@opencodehub/scanners": "0.1.2",
+    "@opencodehub/embedder": "0.1.2",
+    "@opencodehub/policy": "0.1.1",
+    "@opencodehub/pack": "0.1.3",
     "@opencodehub/sarif": "0.1.2",
+    "@opencodehub/mcp": "0.3.1",
+    "@opencodehub/scanners": "0.1.2",
     "@opencodehub/search": "0.1.2",
-    "@opencodehub/storage": "0.1.2",
+    "@opencodehub/ingestion": "0.3.2",
     "@opencodehub/wiki": "0.1.1",
-    "@opencodehub/policy": "0.1.1"
+    "@opencodehub/storage": "0.1.2"
   },
   "devDependencies": {
     "@types/node": "25.6.2",