Promote Go backend to primary (v0.3.0): migration, CLI review, /index/cancel

.env.example

@@ -1,7 +1,12 @@
-API_KEY=cix_<generated-64-hex>
-PORT=21847
-EMBEDDING_MODEL=nomic-ai/CodeRankEmbed
-MAX_FILE_SIZE=524288
-EXCLUDED_DIRS=node_modules,.git,.venv,__pycache__,dist,build,.next,.cache,.DS_Store
-CHROMA_PERSIST_DIR=~/.cix/data/chroma
-SQLITE_PATH=~/.cix/data/sqlite/projects.db
+CIX_API_KEY=cix_<generated-64-hex>
+CIX_PORT=21847
+CIX_EMBEDDING_MODEL=awhiteside/CodeRankEmbed-Q8_0-GGUF
+CIX_MAX_FILE_SIZE=524288
+CIX_EXCLUDED_DIRS=node_modules,.git,.venv,__pycache__,dist,build,.next,.cache,.DS_Store
+CIX_CHROMA_PERSIST_DIR=~/.cix/data/chroma
+CIX_SQLITE_PATH=~/.cix/data/sqlite/projects.db
+CIX_GGUF_CACHE_DIR=~/.cix/data/models
+CIX_LLAMA_BIN_DIR=/app
+CIX_N_GPU_LAYERS=0
+CIX_LLAMA_STARTUP_TIMEOUT=60
+CIX_EMBEDDINGS_ENABLED=true

.github/workflows/ci-go.yml

@@ -0,0 +1,43 @@
+name: CI — Go server
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "server/**"
+      - ".github/workflows/ci-go.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "server/**"
+      - ".github/workflows/ci-go.yml"
+
+# Read-only token: this workflow runs vet/test/build only — no writes to
+# the repo, no SARIF upload, no package publish. CodeQL flagged the
+# missing block (.github/workflows/ci-go.yml:37 — go/missing-permissions).
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: server
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: server/go.mod
+          cache-dependency-path: server/go.sum
+
+      - name: go vet
+        run: go vet ./...
+
+      - name: go test
+        run: go test -race ./...
+
+      - name: go build
+        run: go build ./...

.github/workflows/release-server.yml

@@ -0,0 +1,93 @@
+name: Release Server
+
+on:
+  push:
+    tags:
+      - "server/v*"
+
+permissions:
+  contents: write
+
+jobs:
+  docker-cpu:
+    name: Build + push CPU image (multi-arch)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract version
+        id: ver
+        run: echo "version=${GITHUB_REF_NAME#server/}" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push CPU image
+        uses: docker/build-push-action@v6
+        with:
+          context: server
+          file: server/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: VERSION=${{ steps.ver.outputs.version }}
+          tags: |
+            dvcdsys/code-index:${{ steps.ver.outputs.version }}
+            dvcdsys/code-index:latest
+
+  docker-cuda:
+    name: Build + push CUDA image (amd64)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract version
+        id: ver
+        run: echo "version=${GITHUB_REF_NAME#server/}" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push CUDA image
+        uses: docker/build-push-action@v6
+        with:
+          context: server
+          file: server/Dockerfile.cuda
+          platforms: linux/amd64
+          push: true
+          build-args: VERSION=${{ steps.ver.outputs.version }}
+          tags: |
+            dvcdsys/code-index:${{ steps.ver.outputs.version }}-cu128
+            dvcdsys/code-index:cu128
+
+  release:
+    name: Create GitHub Release
+    needs: [docker-cpu, docker-cuda]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract version
+        id: ver
+        run: echo "version=${GITHUB_REF_NAME#server/}" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          body: |
+            ## Docker Images
+
+            | Tag | Image |
+            |---|---|
+            | CPU (multi-arch) | `dvcdsys/code-index:${{ steps.ver.outputs.version }}` |
+            | CUDA 12.8 | `dvcdsys/code-index:${{ steps.ver.outputs.version }}-cu128` |
+
+            See [doc/MIGRATION_FROM_PYTHON.md](doc/MIGRATION_FROM_PYTHON.md) if upgrading from the Python backend.

.github/workflows/security.yml

@@ -13,33 +13,43 @@ permissions:
   security-events: write  # для завантаження SARIF у GitHub Security tab
 
 jobs:
-  pip-audit:
-    name: pip-audit (Python deps)
+  govulncheck:
+    name: govulncheck (Go server)
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: server
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-go@v5
         with:
-          python-version: "3.12"
+          go-version-file: server/go.mod
+          cache-dependency-path: server/go.sum
 
-      - name: Install pip-audit
-        run: pip install pip-audit
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
-      - name: Audit Python dependencies
-        run: pip-audit -r api/requirements.txt --strict --ignore-vuln CVE-2026-4539  # pygments: no fix yet (2.19.2 is latest)
+      - name: Run govulncheck
+        run: govulncheck ./...
 
   trivy:
     name: trivy (vuln, second opinion)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Run Trivy
         uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: fs
           scan-ref: .
+          # server/bench is a Phase 0 PoC module (chromem + tree-sitter
+          # benchmarks). It pins an old golang.org/x/net via its own
+          # go.mod and replace directive, and is never shipped in the
+          # cix-server binary. Scan it separately if needed, not as part
+          # of the prod CVE gate.
+          skip-dirs: server/bench
           scanners: vuln
           severity: HIGH,CRITICAL
           format: sarif

.gitignore

@@ -40,6 +40,10 @@ data/
 cli/build/
 cli/dist/
 
+# Server build artifacts + runtime logs
+server/dist/
+server/exec.log
+
 # uv
 .python-version
 
@@ -48,3 +52,8 @@ docs/
 
 # Claude Code
 .claude/
+
+# Third-party tooling accidentally dropped in repo root
+portainer_mcp/
+portainer-mcp*
+tools.yaml

CONTRIBUTING.md

@@ -4,44 +4,48 @@
 
 ```
 code-index/
-├── api/              # Python API server (FastAPI + embeddings)
-│   ├── app/
-│   │   ├── routers/  # HTTP endpoints
-│   │   ├── services/ # business logic (indexing, search, embeddings)
-│   │   ├── schemas/  # Pydantic models
-│   │   └── core/     # config, exceptions, language detection
-│   └── Dockerfile
+├── server/           # Go API server (cix-server)
+│   ├── cmd/          # main entrypoint
+│   ├── internal/     # config, db, httpapi, embeddings, indexer, vectorstore, ...
+│   ├── Dockerfile    # CPU multi-arch build
+│   └── Dockerfile.cuda  # CUDA 3-stage build
 ├── cli/              # Go CLI (cix binary)
 │   ├── cmd/          # cobra commands
 │   └── internal/     # client, config, daemon, indexer, watcher
-├── mcp_server/       # MCP server wrapper
-├── tests/            # Python integration tests
+├── legacy/python-api/  # archived Python backend (deprecated, see doc/MIGRATION_FROM_PYTHON.md)
 └── skills/           # Claude Code skill definitions
 ```
 
 ## Prerequisites
 
 | Tool | Version | Purpose |
 |------|---------|---------|
-| Go | 1.21+ | CLI |
-| Python | 3.11+ | API server |
-| uv | latest | Python package manager |
+| Go | 1.24+ | server + CLI |
 | Docker | 24+ | containerized server |
 | make | any | build shortcuts |
 
 ## Local development setup
 
-### API server
+### Server
 
 ```bash
-python3 -m venv .venv && source .venv/bin/activate
-pip install -r api/requirements.txt
+cd server
+go mod download
+
+# Run unit tests
+go test ./...
 
-cp .env.example .env
-# Edit .env — set API_KEY to anything for local dev
+# Build binary
+make build   # → server/dist/cix-darwin-arm64/cix-server (or linux-amd64)
 
-source .env
-cd api && uvicorn app.main:app --host 0.0.0.0 --port 21847 --reload
+# Build + fetch llama-server (for local E2E)
+make bundle
+
+# Run server locally (no embeddings)
+CIX_PORT=21847 CIX_EMBEDDINGS_ENABLED=false \
+  CIX_SQLITE_PATH=/tmp/cix-dev.db \
+  CIX_CHROMA_PERSIST_DIR=/tmp/cix-chroma \
+  ./dist/cix-darwin-arm64/cix-server
 ```
 
 ### CLI
@@ -51,69 +55,68 @@ cd cli
 go mod download
 go build -o cix .
 
-# Run directly without installing
 ./cix config set api.url http://localhost:21847
 ./cix config set api.key <your-api-key>
 ```
 
 Or install globally:
 
 ```bash
-make build && make install   # → /usr/local/bin/cix
+cd cli && make build && make install   # → /usr/local/bin/cix
 ```
 
 ## Running tests
 
 ```bash
-# Python tests (requires running API server)
-source .venv/bin/activate
-pytest tests/ -v
+# Server unit tests
+cd server && go test ./...
+
+# Server parity gate (requires make bundle + a local GGUF)
+cd server && make test-gate
 
-# Go — no tests yet, just build check
+# CLI build check
 cd cli && go build ./...
 ```
 
 ## Making changes
 
-### API (Python)
+### Server (Go)
 
-- Endpoints go in `api/app/routers/`
-- Business logic goes in `api/app/services/`
-- Request/response models go in `api/app/schemas/`
-- After changes: restart uvicorn (auto-reloads with `--reload`)
+- Endpoints: `server/internal/httpapi/`
+- Business logic: `server/internal/indexer/`, `server/internal/embeddings/`
+- Config: `server/internal/config/config.go`
+- After changes: `go build ./...` + `go test ./...`
+- **Do not touch `cli/`** — CLI is a separate module with its own scope.
 
 ### CLI (Go)
 
-- New commands go in `cli/cmd/` as a new `.go` file, registered in `root.go`
-- HTTP client lives in `cli/internal/client/`
+- New commands: `cli/cmd/` as a new `.go` file, registered in `root.go`
+- HTTP client: `cli/internal/client/`
 - After changes: `cd cli && go build -o cix .`
 
 ## Building the Docker image
 
 ```bash
-# Local build (for testing)
-docker compose up -d --build
+# CPU multi-arch (linux/amd64 + linux/arm64)
+# (run via GitHub Actions on server/v* tag — manual push rarely needed)
 
-# Push to Docker Hub (multi-arch)
-make docker-setup                              # once per machine
-make docker-push-all DOCKER_USER=yourname
+# CUDA amd64
+make docker-build-cuda   # from repo root
 ```
 
-See [README — Building and Publishing to Docker Hub](README.md#building-and-publishing-to-docker-hub) for details.
+See [README — Building and Publishing](README.md#building-and-publishing-to-docker-hub) for details.
 
 ## Pull requests
 
-- All changes to `main` must go through a pull request — direct pushes are not allowed
-- At least **1 approval** from a contributor is required before merging
+- All changes to `main` must go through a pull request
+- At least **1 approval** required before merging
 - Keep PRs focused — one feature or fix per PR
-- Test against a running API server before submitting
-- For CLI changes: make sure `go vet ./...` passes
-- For API changes: make sure `pytest tests/` passes
+- For server changes: `go test ./...` must pass in `server/`
+- For CLI changes: `go vet ./...` must pass in `cli/`
 
 ## Reporting issues
 
 Open an issue at https://github.com/dvcdsys/code-index/issues with:
 - OS and architecture
-- Docker or local mode
-- `cix --version` output
+- Docker image tag or binary version (`cix-server -v`)
 - Relevant logs (`docker compose logs` or `~/.cix/logs/watcher.log`)