refactor: make MCP and API strictly read-only — no data manipulation

Removed analyze_codebase from MCP tools and POST /api/analyze from REST API.
The serving layer (MCP + API + UI) is read-only — it queries the pre-built
graph, never modifies it.

Architecture:
  Local machine:  code-iq analyze/index → H2 cache + bundle
  Remote server:  code-iq serve (auto-enrich from H2 → Neo4j) → read-only API/MCP

The remote server may not have source code access (bundle deployment model),
so triggering analysis from MCP/API was broken by design.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aksOps

src/main/java/io/github/randomcodespace/iq/api/GraphController.java

@@ -1,7 +1,5 @@
 package io.github.randomcodespace.iq.api;
 
-import io.github.randomcodespace.iq.analyzer.AnalysisResult;
-import io.github.randomcodespace.iq.analyzer.Analyzer;
 import io.github.randomcodespace.iq.config.CodeIqConfig;
 import io.github.randomcodespace.iq.query.QueryService;
 import org.springframework.http.HttpStatus;
@@ -10,7 +8,6 @@
 import org.springframework.context.annotation.Profile;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
@@ -20,13 +17,8 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-import io.github.randomcodespace.iq.graph.GraphStore;
-import org.springframework.cache.CacheManager;
 
 /**
  * REST API controller matching the Python OSSCodeIQ API paths.
@@ -37,22 +29,12 @@
 public class GraphController {
 
     private final QueryService queryService;
-    private final Analyzer analyzer;
     private final CodeIqConfig config;
-    private final CacheManager cacheManager;
-    private final GraphStore graphStore;
-    private final AtomicBoolean analysisRunning = new AtomicBoolean(false);
 
     public GraphController(@org.springframework.beans.factory.annotation.Autowired(required = false) QueryService queryService,
-                           Analyzer analyzer,
-                           CodeIqConfig config,
-                           @org.springframework.beans.factory.annotation.Autowired(required = false) CacheManager cacheManager,
-                           @org.springframework.beans.factory.annotation.Autowired(required = false) GraphStore graphStore) {
+                           CodeIqConfig config) {
         this.queryService = queryService;
-        this.analyzer = analyzer;
         this.config = config;
-        this.cacheManager = cacheManager;
-        this.graphStore = graphStore;
     }
 
     @GetMapping("/stats")
@@ -268,39 +250,7 @@ public ResponseEntity<String> readFile(
         }
     }
 
-    @PostMapping("/analyze")
-    public ResponseEntity<?> triggerAnalysis(
-            @RequestParam(defaultValue = "false") boolean incremental) {
-        if (!analysisRunning.compareAndSet(false, true)) {
-            return ResponseEntity.status(HttpStatus.CONFLICT)
-                    .body(Map.of("error", "Analysis already in progress"));
-        }
-        try {
-            AnalysisResult result = analyzer.run(Path.of(config.getRootPath()), null);
-
-            // Persist to Neo4j if GraphStore is available
-            if (graphStore != null && result.nodes() != null && !result.nodes().isEmpty()) {
-                graphStore.bulkSave(result.nodes());
-            }
-
-            // Evict all Spring caches so queries pick up new data
-            if (cacheManager != null) {
-                cacheManager.getCacheNames().forEach(name -> {
-                    var cache = cacheManager.getCache(name);
-                    if (cache != null) cache.clear();
-                });
-            }
-
-            Map<String, Object> response = new LinkedHashMap<>();
-            response.put("status", "complete");
-            response.put("total_files", result.totalFiles());
-            response.put("files_analyzed", result.filesAnalyzed());
-            response.put("node_count", result.nodeCount());
-            response.put("edge_count", result.edgeCount());
-            response.put("elapsed_ms", result.elapsed().toMillis());
-            return ResponseEntity.ok(response);
-        } finally {
-            analysisRunning.set(false);
-        }
-    }
+    // POST /api/analyze removed — API/MCP server is read-only.
+    // Analysis is done locally via CLI: code-iq analyze / code-iq index
+    // Data is loaded into Neo4j on serve startup (auto-enrich).
 }

src/main/java/io/github/randomcodespace/iq/mcp/McpTools.java

@@ -2,10 +2,9 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import io.github.randomcodespace.iq.analyzer.AnalysisResult;
-import io.github.randomcodespace.iq.analyzer.Analyzer;
 import io.github.randomcodespace.iq.config.CodeIqConfig;
 import io.github.randomcodespace.iq.flow.FlowEngine;
+// Note: No Analyzer import — MCP server is read-only. Analysis is done via CLI only.
 import io.github.randomcodespace.iq.flow.FlowModels.FlowDiagram;
 import io.github.randomcodespace.iq.graph.GraphStore;
 import io.github.randomcodespace.iq.model.CodeEdge;
@@ -38,7 +37,6 @@
 public class McpTools {
 
     private final QueryService queryService;
-    private final Analyzer analyzer;
     private final CodeIqConfig config;
     private final ObjectMapper objectMapper;
     private final FlowEngine flowEngine;
@@ -47,13 +45,12 @@ public class McpTools {
     private final TopologyService topologyService;
     private final GraphStore graphStore;
 
-    public McpTools(QueryService queryService, Analyzer analyzer,
+    public McpTools(QueryService queryService,
                     CodeIqConfig config, ObjectMapper objectMapper,
                     Optional<FlowEngine> flowEngine, GraphDatabaseService graphDb,
                     StatsService statsService, TopologyService topologyService,
                     GraphStore graphStore) {
         this.queryService = queryService;
-        this.analyzer = analyzer;
         this.config = config;
         this.objectMapper = objectMapper;
         this.flowEngine = flowEngine.orElse(null);
@@ -252,30 +249,9 @@ public String generateFlow(
         }
     }
 
-    @McpTool(name = "analyze_codebase", description = "Trigger codebase analysis. Scans files, runs detectors, builds the code graph.")
-    public String analyzeCodebase(
-            @McpToolParam(description = "Use incremental analysis", required = false) Boolean incremental) {
-        try {
-            boolean useIncremental = incremental != null ? incremental : true;
-            AnalysisResult result = analyzer.run(Path.of(config.getRootPath()), null, useIncremental, null);
-
-            // Persist to Neo4j
-            if (graphStore != null && result.nodes() != null && !result.nodes().isEmpty()) {
-                graphStore.bulkSave(result.nodes());
-            }
-
-            Map<String, Object> response = new LinkedHashMap<>();
-            response.put("status", "complete");
-            response.put("total_files", result.totalFiles());
-            response.put("files_analyzed", result.filesAnalyzed());
-            response.put("node_count", result.nodeCount());
-            response.put("edge_count", result.edgeCount());
-            response.put("elapsed_ms", result.elapsed().toMillis());
-            return toJson(response);
-        } catch (Exception e) {
-            return toJson(Map.of("error", e.getMessage()));
-        }
-    }
+    // analyze_codebase removed — MCP server runs on remote hosts where
+    // source code is not available (only the bundled graph). Analysis is
+    // done locally via CLI: code-iq analyze / code-iq index
 
     @McpTool(name = "run_cypher", description = "Execute a read-only Cypher query against the Neo4j graph database.")
     public String runCypher(

src/test/java/io/github/randomcodespace/iq/api/GraphControllerTest.java

@@ -1,7 +1,5 @@
 package io.github.randomcodespace.iq.api;
 
-import io.github.randomcodespace.iq.analyzer.AnalysisResult;
-import io.github.randomcodespace.iq.analyzer.Analyzer;
 import io.github.randomcodespace.iq.config.CodeIqConfig;
 import io.github.randomcodespace.iq.query.QueryService;
 import org.junit.jupiter.api.BeforeEach;
@@ -18,7 +16,6 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.time.Duration;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -27,7 +24,6 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 
 /**
@@ -41,9 +37,6 @@ class GraphControllerTest {
     @Mock
     private QueryService queryService;
 
-    @Mock
-    private Analyzer analyzer;
-
     private CodeIqConfig config;
 
     @BeforeEach
@@ -52,7 +45,7 @@ void setUp() {
         config.setMaxDepth(10);
         config.setMaxRadius(10);
         config.setRootPath(".");
-        var controller = new GraphController(queryService, analyzer, config, null, null);
+        var controller = new GraphController(queryService, config);
         mockMvc = MockMvcBuilders.standaloneSetup(controller).build();
     }
 
@@ -423,7 +416,7 @@ void searchGraphShouldReturnResults() throws Exception {
     void readFileShouldReturnContent(@TempDir Path tempDir) throws Exception {
         Files.writeString(tempDir.resolve("hello.txt"), "Hello World", StandardCharsets.UTF_8);
         config.setRootPath(tempDir.toAbsolutePath().toString());
-        var controller = new GraphController(queryService, analyzer, config, null, null);
+        var controller = new GraphController(queryService, config);
         var fileMvc = MockMvcBuilders.standaloneSetup(controller).build();
 
         fileMvc.perform(get("/api/file").param("path", "hello.txt"))
@@ -434,7 +427,7 @@ void readFileShouldReturnContent(@TempDir Path tempDir) throws Exception {
     @Test
     void readFileShouldReturn404ForMissing(@TempDir Path tempDir) throws Exception {
         config.setRootPath(tempDir.toAbsolutePath().toString());
-        var controller = new GraphController(queryService, analyzer, config, null, null);
+        var controller = new GraphController(queryService, config);
         var fileMvc = MockMvcBuilders.standaloneSetup(controller).build();
 
         fileMvc.perform(get("/api/file").param("path", "nonexistent.txt"))
@@ -444,7 +437,7 @@ void readFileShouldReturn404ForMissing(@TempDir Path tempDir) throws Exception {
     @Test
     void readFileShouldBlockPathTraversal(@TempDir Path tempDir) throws Exception {
         config.setRootPath(tempDir.toAbsolutePath().toString());
-        var controller = new GraphController(queryService, analyzer, config, null, null);
+        var controller = new GraphController(queryService, config);
         var fileMvc = MockMvcBuilders.standaloneSetup(controller).build();
 
         fileMvc.perform(get("/api/file").param("path", "../../../etc/passwd"))
@@ -457,7 +450,7 @@ void readFileShouldReturnLineRange(@TempDir Path tempDir) throws Exception {
         Files.writeString(tempDir.resolve("multi.txt"), "line1\nline2\nline3\nline4\nline5",
                 StandardCharsets.UTF_8);
         config.setRootPath(tempDir.toAbsolutePath().toString());
-        var controller = new GraphController(queryService, analyzer, config, null, null);
+        var controller = new GraphController(queryService, config);
         var fileMvc = MockMvcBuilders.standaloneSetup(controller).build();
 
         fileMvc.perform(get("/api/file")
@@ -472,27 +465,13 @@ void readFileShouldReturnLineRange(@TempDir Path tempDir) throws Exception {
     void readFileShouldReturnFullContentWithoutLineParams(@TempDir Path tempDir) throws Exception {
         Files.writeString(tempDir.resolve("full.txt"), "aaa\nbbb\nccc", StandardCharsets.UTF_8);
         config.setRootPath(tempDir.toAbsolutePath().toString());
-        var controller = new GraphController(queryService, analyzer, config, null, null);
+        var controller = new GraphController(queryService, config);
         var fileMvc = MockMvcBuilders.standaloneSetup(controller).build();
 
         fileMvc.perform(get("/api/file").param("path", "full.txt"))
                 .andExpect(status().isOk())
                 .andExpect(content().string("aaa\nbbb\nccc"));
     }
 
-    // --- /api/analyze ---
-
-    @Test
-    void triggerAnalysisShouldReturnResult() throws Exception {
-        var analysisResult = new AnalysisResult(
-                100, 80, 500, 200, Map.of(), Map.of(), Map.of(), Map.of(), Duration.ofMillis(1500)
-        );
-        when(analyzer.run(any(), any())).thenReturn(analysisResult);
-
-        mockMvc.perform(post("/api/analyze"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.status").value("complete"))
-                .andExpect(jsonPath("$.total_files").value(100))
-                .andExpect(jsonPath("$.node_count").value(500));
-    }
+    // POST /api/analyze removed — API is read-only
 }

src/test/java/io/github/randomcodespace/iq/api/TopologyEndpointTest.java

@@ -74,7 +74,7 @@ void setUp() {
         var topologyController = new TopologyController(topologyService, graphStore, config);
         mockMvc = MockMvcBuilders.standaloneSetup(topologyController).build();
 
-        mcpTools = new McpTools(queryService, analyzer, config, objectMapper,
+        mcpTools = new McpTools(queryService, config, objectMapper,
                 Optional.empty(), graphDb, new StatsService(),
                 new TopologyService(), graphStore);
     }

src/test/java/io/github/randomcodespace/iq/mcp/McpToolsTest.java

@@ -2,8 +2,6 @@
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import io.github.randomcodespace.iq.analyzer.AnalysisResult;
-import io.github.randomcodespace.iq.analyzer.Analyzer;
 import io.github.randomcodespace.iq.config.CodeIqConfig;
 import io.github.randomcodespace.iq.flow.FlowEngine;
 import io.github.randomcodespace.iq.flow.FlowModels.FlowDiagram;
@@ -42,9 +40,6 @@ class McpToolsTest {
     @Mock
     private QueryService queryService;
 
-    @Mock
-    private Analyzer analyzer;
-
     @Mock
     private FlowEngine flowEngine;
 
@@ -66,7 +61,7 @@ void setUp() {
         config = new CodeIqConfig();
         config.setRootPath(".");
         objectMapper = new ObjectMapper();
-        mcpTools = new McpTools(queryService, analyzer, config, objectMapper, java.util.Optional.ofNullable(flowEngine), graphDb, statsService, new io.github.randomcodespace.iq.query.TopologyService(), graphStore);
+        mcpTools = new McpTools(queryService, config, objectMapper, java.util.Optional.ofNullable(flowEngine), graphDb, statsService, new io.github.randomcodespace.iq.query.TopologyService(), graphStore);
     }
 
     private Map<String, Object> parseJson(String json) throws IOException {
@@ -340,31 +335,7 @@ void generateFlowShouldHandleInvalidView() throws IOException {
         assertTrue(parsed.get("error").toString().contains("Unknown view"));
     }
 
-    // --- analyze_codebase ---
-
-    @Test
-    void analyzeCodebaseShouldReturnResult() throws IOException {
-        var analysisResult = new AnalysisResult(
-                100, 80, 500, 200, Map.of(), Map.of(), Map.of(), Map.of(), Duration.ofMillis(1500)
-        );
-        when(analyzer.run(any(), any(), anyBoolean(), any())).thenReturn(analysisResult);
-
-        String result = mcpTools.analyzeCodebase(false);
-        Map<String, Object> parsed = parseJson(result);
-
-        assertEquals("complete", parsed.get("status"));
-        assertEquals(500, parsed.get("node_count"));
-    }
-
-    @Test
-    void analyzeCodebaseShouldHandleError() throws IOException {
-        when(analyzer.run(any(), any(), anyBoolean(), any())).thenThrow(new RuntimeException("Analysis failed"));
-
-        String result = mcpTools.analyzeCodebase(false);
-        Map<String, Object> parsed = parseJson(result);
-
-        assertNotNull(parsed.get("error"));
-    }
+    // analyze_codebase removed — MCP is read-only
 
     // --- run_cypher ---