chore(deps): bump esbuild and vite in /server/dashboard

.cixignore

@@ -0,0 +1,27 @@
+# Files / dirs the cix indexer skips for this repo.
+# Pattern syntax mirrors .gitignore.
+
+# Frontend toolchain noise — don't index 50k+ files of node_modules / build output
+server/dashboard/node_modules/
+server/internal/httpapi/dashboard/dist/
+
+# Build artefacts
+server/dist/
+cli/build/
+cli/dist/
+
+# Generated code (regenerate with `npm run gen:api`)
+server/dashboard/src/api/generated.ts
+
+# Embedded vendored bundles already covered by the linked sources elsewhere
+server/internal/httpapi/docs/swagger-ui/
+
+# Local data / runtime state
+data/
+.local-data/
+*.db
+*.db-wal
+*.db-shm
+
+# Legacy archived tree (see commit 063a14e)
+legacy/python-api/

.claude-plugin/marketplace.json

@@ -0,0 +1,25 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-marketplace.json",
+  "name": "code-index",
+  "owner": {
+    "name": "dvcdsys",
+    "email": "dvcdsys@gmail.com"
+  },
+  "description": "Marketplace for cix — semantic code search and navigation tooling for Claude Code",
+  "plugins": [
+    {
+      "name": "cix",
+      "source": "./plugins/cix",
+      "description": "Semantic code search and navigation. Bundles the cix CLI and nudges Claude to prefer cix over Grep for semantic queries.",
+      "author": {
+        "name": "dvcdsys"
+      },
+      "homepage": "https://github.com/dvcdsys/code-index",
+      "repository": "https://github.com/dvcdsys/code-index",
+      "license": "MIT",
+      "keywords": ["search", "code-search", "semantic", "navigation", "indexing", "embeddings"],
+      "category": "developer-tools",
+      "tags": ["search", "indexing", "ai", "embeddings"]
+    }
+  ]
+}

.env.example

@@ -1,12 +1,46 @@
+# cix-server environment template. Copy to .env and fill in real values.
+
+# ── Auth ──────────────────────────────────────────────────────────────────
+# Header API key for direct CLI / CI traffic. Generate with:
+#   openssl rand -hex 32 | sed 's/^/cix_/'
 CIX_API_KEY=cix_<generated-64-hex>
+
+# First-boot admin seed (REQUIRED when the DB has no users yet — the server
+# refuses to start otherwise). The user is flagged must_change_password=true,
+# so the temporary password only works for the first login. Generate with:
+#   openssl rand -base64 18 | tr -d '/+=' | cut -c1-20
+CIX_BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+CIX_BOOTSTRAP_ADMIN_PASSWORD=change-me-on-first-login
+
+# ── Networking + storage ──────────────────────────────────────────────────
 CIX_PORT=21847
-CIX_EMBEDDING_MODEL=awhiteside/CodeRankEmbed-Q8_0-GGUF
-CIX_MAX_FILE_SIZE=524288
-CIX_EXCLUDED_DIRS=node_modules,.git,.venv,__pycache__,dist,build,.next,.cache,.DS_Store
 CIX_CHROMA_PERSIST_DIR=~/.cix/data/chroma
 CIX_SQLITE_PATH=~/.cix/data/sqlite/projects.db
 CIX_GGUF_CACHE_DIR=~/.cix/data/models
+
+# ── Indexing ──────────────────────────────────────────────────────────────
+CIX_EMBEDDING_MODEL=awhiteside/CodeRankEmbed-Q8_0-GGUF
+CIX_MAX_FILE_SIZE=524288
+CIX_EXCLUDED_DIRS=node_modules,.git,.venv,__pycache__,dist,build,.next,.cache,.DS_Store
+
+# ── llama-server sidecar ──────────────────────────────────────────────────
 CIX_LLAMA_BIN_DIR=/app
+# 99 = offload all layers (CUDA / Metal). 0 = CPU only.
 CIX_N_GPU_LAYERS=0
 CIX_LLAMA_STARTUP_TIMEOUT=60
 CIX_EMBEDDINGS_ENABLED=true
+
+# ── PR-E runtime tunables (also editable from /dashboard/server) ──────────
+# 0 = auto. Threads → runtime.NumCPU()/2; batch → match n_ctx.
+CIX_LLAMA_THREADS=0
+CIX_LLAMA_BATCH=0
+# Embedding queue parallelism. 5 is the new default — pipelines host-side
+# prep with device inference. Drop to 1 if you observe contention.
+CIX_MAX_EMBEDDING_CONCURRENCY=5
+CIX_EMBEDDING_QUEUE_TIMEOUT=300
+
+# ── Optional: bootstrap the GGUF cache from a host-side file ──────────────
+# Paired with the bind-mount example in docker-compose.{yml,cuda.yml}.
+# Uncomment + set after wiring the bind, then drop both once the cache
+# is seeded.
+# CIX_BOOTSTRAP_GGUF_PATH=/bootstrap/model.gguf

.github/workflows/ci-cli.yml

@@ -0,0 +1,46 @@
+name: "CI: CLI"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "cli/**"
+      - ".github/workflows/ci-cli.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "cli/**"
+      - ".github/workflows/ci-cli.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    defaults:
+      run:
+        working-directory: cli
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: cli/go.mod
+          cache-dependency-path: cli/go.sum
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test
+        run: go test -race ./...
+
+      - name: Build
+        run: go build ./...

.github/workflows/ci-plugin.yml

@@ -0,0 +1,75 @@
+name: Plugin Tests
+
+# Trigger only when plugin files change — server/CLI/dashboard work
+# is unaffected and shouldn't run plugin tests.
+on:
+  push:
+    branches: [main, 'feat/*', 'fix/*']
+    paths:
+      - 'plugins/cix/**'
+      - '.claude-plugin/**'
+      - '.github/workflows/ci-plugin.yml'
+  pull_request:
+    paths:
+      - 'plugins/cix/**'
+      - '.claude-plugin/**'
+      - '.github/workflows/ci-plugin.yml'
+
+# Minimum permissions required by the workflow (CodeQL workflow-permissions advisory).
+# Read-only on repo contents is enough — we don't push code, comments, or releases.
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: bats + shellcheck on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install bats, jq, shellcheck (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y bats jq shellcheck
+
+      - name: Install bats, jq, shellcheck (macOS)
+        if: runner.os == 'macOS'
+        run: |
+          brew install bats-core jq shellcheck
+
+      - name: Verify bats version
+        run: bats --version
+
+      - name: Run bats test suites
+        run: bats --tap plugins/cix/tests/*.bats
+
+      - name: ShellCheck on hook scripts
+        run: |
+          # `--severity=warning` filters out style nags; `-x` follows
+          # sourced files (we don't source any in v0.1, but defensive).
+          shellcheck --severity=warning plugins/cix/scripts/*.sh
+
+      - name: Validate JSON manifests with jq
+        run: |
+          jq . .claude-plugin/marketplace.json
+          jq . plugins/cix/.claude-plugin/plugin.json
+          jq . plugins/cix/hooks/hooks.json
+
+      - name: Verify symlink integrity
+        run: |
+          # The bin/cix symlink MUST point at scripts/cix-wrapper.sh.
+          if [[ ! -L plugins/cix/bin/cix ]]; then
+            echo "::error::plugins/cix/bin/cix is not a symlink"
+            exit 1
+          fi
+          target=$(readlink plugins/cix/bin/cix)
+          if [[ "$target" != "../scripts/cix-wrapper.sh" ]]; then
+            echo "::error::bin/cix points to '$target' (expected '../scripts/cix-wrapper.sh')"
+            exit 1
+          fi

.github/workflows/ci-go.yml → .github/workflows/ci-server.yml

@@ -1,37 +1,43 @@
-name: CI — Go server
+name: "CI: Server"
 
 on:
   push:
     branches: [main]
     paths:
       - "server/**"
-      - ".github/workflows/ci-go.yml"
+      - ".github/workflows/ci-server.yml"
   pull_request:
     branches: [main]
     paths:
       - "server/**"
-      - ".github/workflows/ci-go.yml"
+      - ".github/workflows/ci-server.yml"
+
+# Read-only: vet/test/build only. CodeQL flagged the implicit block as
+# go/missing-permissions, hence the explicit declaration.
+permissions:
+  contents: read
 
 jobs:
   test:
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: server
-
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      - uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version-file: server/go.mod
           cache-dependency-path: server/go.sum
 
-      - name: go vet
+      - name: Vet
         run: go vet ./...
 
-      - name: go test
+      - name: Test
         run: go test -race ./...
 
-      - name: go build
+      - name: Build
         run: go build ./...

.github/workflows/codeql.yml

@@ -0,0 +1,55 @@
+name: "CodeQL"
+
+# Advanced setup. Replaces GitHub's "default setup" which auto-detects
+# and scans every language it finds — that included java-kotlin, ruby,
+# rust, javascript-typescript, and c-cpp false-positives from vendored
+# CGO deps.
+#
+# To stop the duplicate runs you also need to disable the default
+# setup once: GitHub repo → Settings → Code security → Code scanning
+# → "CodeQL analysis" → Switch to advanced (or Disable).
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"  # Mondays at 06:00 UTC, mirrors security.yml
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Keep tightly scoped: only languages that actually ship code.
+        # `actions` lints workflow YAML; `go` covers server + CLI.
+        # Do NOT add c-cpp (only transitive CGO deps, no first-party C).
+        language: [actions, go]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # security-extended adds rules beyond the default set; matches
+          # what the default setup runs.
+          queries: security-extended
+
+      - name: Autobuild
+        if: matrix.language == 'go'
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"