Release server/v0.6.0 + cli/v0.6.0 — workspaces, hybrid search, auth model, managed tunnels

.claude-plugin/marketplace.json

@@ -0,0 +1,25 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-marketplace.json",
+  "name": "code-index",
+  "owner": {
+    "name": "dvcdsys",
+    "email": "dvcdsys@gmail.com"
+  },
+  "description": "Marketplace for cix — semantic code search and navigation tooling for Claude Code",
+  "plugins": [
+    {
+      "name": "cix",
+      "source": "./plugins/cix",
+      "description": "Semantic code search and navigation. Bundles the cix CLI, slash commands, behavioral hooks, and the experimental cix-workspace skill + cix-workspace-investigator sub-agent for cross-project research across cix workspaces.",
+      "author": {
+        "name": "dvcdsys"
+      },
+      "homepage": "https://github.com/dvcdsys/code-index",
+      "repository": "https://github.com/dvcdsys/code-index",
+      "license": "MIT",
+      "keywords": ["search", "code-search", "semantic", "navigation", "indexing", "embeddings", "workspace", "cross-project", "sub-agent"],
+      "category": "developer-tools",
+      "tags": ["search", "indexing", "ai", "embeddings", "workspace", "cross-project"]
+    }
+  ]
+}

.env.example

@@ -17,6 +17,10 @@ CIX_PORT=21847
 CIX_CHROMA_PERSIST_DIR=~/.cix/data/chroma
 CIX_SQLITE_PATH=~/.cix/data/sqlite/projects.db
 CIX_GGUF_CACHE_DIR=~/.cix/data/models
+# Base dir for cloned GitHub repos (each clone lives at <dir>/repos/<hash>/).
+# Defaults to <CIX_SQLITE_PATH parent>/repos. Point at a dedicated volume —
+# cloned repos can be large. (Legacy alias: CIX_WORKSPACES_DATA_DIR.)
+# CIX_REPOS_DIR=/data/cix-repos
 
 # ── Indexing ──────────────────────────────────────────────────────────────
 CIX_EMBEDDING_MODEL=awhiteside/CodeRankEmbed-Q8_0-GGUF

.github/workflows/ci-cli.yml

@@ -2,12 +2,12 @@ name: "CI: CLI"
 
 on:
   push:
-    branches: [main]
+    branches: [main, develop]
     paths:
       - "cli/**"
       - ".github/workflows/ci-cli.yml"
   pull_request:
-    branches: [main]
+    branches: [main, develop]
     paths:
       - "cli/**"
       - ".github/workflows/ci-cli.yml"

.github/workflows/ci-plugin.yml

@@ -0,0 +1,78 @@
+name: Plugin Tests
+
+# Trigger only when plugin files change — server/CLI/dashboard work
+# is unaffected and shouldn't run plugin tests. Branch list matches
+# ci-cli.yml / ci-server.yml so plugin work lands on equal footing
+# (the integration branch is `develop`, not feature branches).
+on:
+  push:
+    branches: [main, develop]
+    paths:
+      - 'plugins/cix/**'
+      - '.claude-plugin/**'
+      - '.github/workflows/ci-plugin.yml'
+  pull_request:
+    branches: [main, develop]
+    paths:
+      - 'plugins/cix/**'
+      - '.claude-plugin/**'
+      - '.github/workflows/ci-plugin.yml'
+
+# Minimum permissions required by the workflow (CodeQL workflow-permissions advisory).
+# Read-only on repo contents is enough — we don't push code, comments, or releases.
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: bats + shellcheck on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install bats, jq, shellcheck (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y bats jq shellcheck
+
+      - name: Install bats, jq, shellcheck (macOS)
+        if: runner.os == 'macOS'
+        run: |
+          brew install bats-core jq shellcheck
+
+      - name: Verify bats version
+        run: bats --version
+
+      - name: Run bats test suites
+        run: bats --tap plugins/cix/tests/*.bats
+
+      - name: ShellCheck on hook scripts
+        run: |
+          # `--severity=warning` filters out style nags; `-x` follows
+          # sourced files (we don't source any in v0.1, but defensive).
+          shellcheck --severity=warning plugins/cix/scripts/*.sh
+
+      - name: Validate JSON manifests with jq
+        run: |
+          jq . .claude-plugin/marketplace.json
+          jq . plugins/cix/.claude-plugin/plugin.json
+          jq . plugins/cix/hooks/hooks.json
+
+      - name: Verify symlink integrity
+        run: |
+          # The bin/cix symlink MUST point at scripts/cix-wrapper.sh.
+          if [[ ! -L plugins/cix/bin/cix ]]; then
+            echo "::error::plugins/cix/bin/cix is not a symlink"
+            exit 1
+          fi
+          target=$(readlink plugins/cix/bin/cix)
+          if [[ "$target" != "../scripts/cix-wrapper.sh" ]]; then
+            echo "::error::bin/cix points to '$target' (expected '../scripts/cix-wrapper.sh')"
+            exit 1
+          fi

.github/workflows/ci-server.yml

@@ -2,12 +2,12 @@ name: "CI: Server"
 
 on:
   push:
-    branches: [main]
+    branches: [main, develop]
     paths:
       - "server/**"
       - ".github/workflows/ci-server.yml"
   pull_request:
-    branches: [main]
+    branches: [main, develop]
     paths:
       - "server/**"
       - ".github/workflows/ci-server.yml"

.github/workflows/llama-pin-check.yml

@@ -0,0 +1,65 @@
+name: "llama.cpp pin freshness"
+
+# The CUDA image pins ghcr.io/ggml-org/llama.cpp:server-cuda by digest for
+# reproducible builds (see server/Dockerfile.cuda). That pin would otherwise
+# rot silently. This job checks weekly whether upstream has shipped a newer
+# build and, if so, opens (or updates) a tracking issue so the bump doesn't
+# get forgotten. The same check also runs on every CUDA image build as a
+# build-log annotation — this workflow is the persistent, can't-miss reminder.
+on:
+  schedule:
+    - cron: "0 8 * * 1" # Mondays 08:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  check:
+    name: Check pinned llama.cpp digest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Compare pinned vs upstream digest
+        id: check
+        run: server/scripts/check-llama-pin.sh server/Dockerfile.cuda
+
+      - name: Open or update reminder issue
+        if: steps.check.outputs.stale == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PINNED: ${{ steps.check.outputs.pinned }}
+          CURRENT: ${{ steps.check.outputs.current }}
+        run: |
+          set -euo pipefail
+          title="chore(server/cuda): bump pinned llama.cpp digest"
+          body="$(cat <<EOF
+          Upstream \`ghcr.io/ggml-org/llama.cpp:server-cuda\` has moved past the digest pinned in \`server/Dockerfile.cuda\`.
+
+          | | digest |
+          |---|---|
+          | pinned | \`${PINNED}\` |
+          | current | \`${CURRENT}\` |
+
+          ### To update
+          1. Bump the \`FROM ghcr.io/ggml-org/llama.cpp:server-cuda@sha256:…\` digest in \`server/Dockerfile.cuda\` to \`${CURRENT}\`.
+          2. \`cd server && make scout-cuda\` to rebuild + scan (the shared-lib layout may have changed — the Dockerfile copies all \`/app/*.so*\` to stay robust).
+          3. Confirm \`/app/llama-server\` still resolves all libs, then promote.
+
+          _Auto-filed by the weekly \`llama.cpp pin freshness\` workflow._
+          EOF
+          )"
+          existing="$(gh issue list --state open --search "$title in:title" --json number --jq '.[0].number // empty')"
+          if [ -n "$existing" ]; then
+            echo "Updating existing issue #$existing"
+            gh issue comment "$existing" --body "$body"
+          else
+            echo "Opening new reminder issue"
+            gh issue create --title "$title" --body "$body"
+          fi

.github/workflows/prerelease-cli.yml

@@ -0,0 +1,136 @@
+name: "Pre-release: CLI (develop)"
+
+# Triggered on push to `develop` (i.e. PR merges; direct pushes are blocked
+# by branch protection) with CLI-touching changes. Force-updates the floating
+# `cli/develop` GitHub release with fresh artifacts for all four platforms so
+# `install-develop.sh` always pulls the latest develop build.
+#
+# Stable releases live under `cli/v*` and are handled by release-cli.yml —
+# this workflow never touches those tags. The floating tag has no leading
+# `v`, so install.sh's `^cli/v` filter naturally ignores it.
+on:
+  push:
+    branches: [develop]
+    paths:
+      - "cli/**"
+      - ".github/workflows/prerelease-cli.yml"
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build (${{ matrix.target }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: linux-amd64
+            runner: ubuntu-latest
+            goos: linux
+            goarch: amd64
+            cgo: "0"
+          - target: linux-arm64
+            runner: ubuntu-latest
+            goos: linux
+            goarch: arm64
+            cgo: "0"
+          - target: darwin-amd64
+            runner: macos-latest
+            goos: darwin
+            goarch: amd64
+            cgo: "1"
+          - target: darwin-arm64
+            runner: macos-latest
+            goos: darwin
+            goarch: arm64
+            cgo: "1"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: cli/go.mod
+          cache-dependency-path: cli/go.sum
+
+      - name: Build
+        working-directory: cli
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: ${{ matrix.cgo }}
+        run: |
+          # Stamp short SHA so `cix --version` distinguishes one dev build
+          # from another even though the tag is floating.
+          VERSION="develop-${GITHUB_SHA::7}"
+          go build \
+            -ldflags="-s -w -X 'github.com/anthropics/code-index/cli/cmd.Version=${VERSION}'" \
+            -o "dist/cix" .
+
+      - name: Package
+        working-directory: cli/dist
+        run: |
+          tar -czf "cix-${{ matrix.target }}.tar.gz" cix
+          rm cix
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: cix-${{ matrix.target }}
+          path: cli/dist/cix-${{ matrix.target }}.tar.gz
+
+  release:
+    name: Publish develop release
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Compute checksums
+        working-directory: artifacts
+        run: sha256sum * > checksums.txt
+
+      - name: Delete previous develop release + tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # `|| true` because the release/tag may not exist on the first run.
+          gh release delete cli/develop \
+            --cleanup-tag --yes \
+            --repo "${{ github.repository }}" || true
+
+      - name: Create develop release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: cli/develop
+          target_commitish: develop
+          name: "CLI develop (${{ github.sha }})"
+          prerelease: true
+          make_latest: "false"
+          files: |
+            artifacts/*.tar.gz
+            artifacts/checksums.txt
+          body: |
+            **Floating develop release** — force-updated on every merge to
+            `develop` that touches `cli/**`. Not a stable release.
+
+            Built from commit ${{ github.sha }}.
+
+            ## Install
+
+            ```bash
+            curl -fsSL https://raw.githubusercontent.com/dvcdsys/code-index/main/install-develop.sh | bash
+            ```
+
+            Re-run the same command later to pick up the next develop build.
+            For stable, use [`install.sh`](https://github.com/dvcdsys/code-index/blob/main/install.sh) instead.