feat(core): initialize project with access control and AI integration

Remove unused imports and add #[allow(dead_code)] annotations to
intentionally retained fields/methods. Also add deploy/.server.yaml
to .gitignore to prevent accidental credential exposure.

.gitignore

@@ -25,4 +25,5 @@ package-lock.json
 yarn.lock
 .gemini
 .omg
-/.sqry
+/.sqry
+deploy/.server.yaml

apps/gingress/src/controller/reconciler.rs

@@ -111,6 +111,7 @@ impl Reconciler {
     /// The Secret watcher stores the cert at key `tls:<secretName>`.
     /// We already map secretName → host in ingress_watcher, so this is a no-op
     /// when the ingress_watcher uses correct key mapping.
+    #[allow(dead_code)]
     pub fn cross_reference_tls(&self) -> HashMap<String, TlsCert> {
         let mut host_certs: HashMap<String, TlsCert> = HashMap::new();
 

docker/app.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/app /bin
+COPY ./target/release/app /bin
 USER appuser
 EXPOSE 3000
 CMD ["app"]

docker/email.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/email-worker /bin
+COPY ./target/release/email-worker /bin
 USER appuser
 EXPOSE 8084
 CMD ["email-worker"]

docker/gingress.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/gingress /bin
+COPY ./target/release/gingress /bin
 USER appuser
 EXPOSE 80 443 8080
 CMD ["gingress"]

docker/githook.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/git-hook /bin
+COPY ./target/release/git-hook /bin
 USER appuser
 EXPOSE 8083
 CMD ["git-hook"]

docker/gitserver.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/gitserver /bin
+COPY ./target/release/gitserver /bin
 USER appuser
 EXPOSE 8021 2222
 CMD ["gitserver"]

docker/metrics.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/metrics-aggregator /bin
+COPY ./target/release/metrics-aggregator /bin
 USER appuser
 EXPOSE 9090
 CMD ["metrics-aggregator"]

docker/static.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY target/release/static-server /bin
+COPY ./target/release/static-server /bin
 USER appuser
 EXPOSE 8081
 CMD ["static-server"]

libs/api/build.rs

@@ -43,7 +43,6 @@ fn compute_etag(data: &[u8]) -> String {
 // ── Asset collection ─────────────────────────────────────────────────────
 
 struct Asset {
-    path: String,
     data: Vec<u8>,
     etag: String,
     brotli: Option<Vec<u8>>,
@@ -71,7 +70,6 @@ fn collect_assets(dist_dir: &Path) -> BTreeMap<String, Asset> {
         assets.insert(
             path_str.clone(),
             Asset {
-                path: path_str,
                 data,
                 etag,
                 brotli: brotli_data,

libs/api/lib.rs

@@ -17,6 +17,7 @@ pub mod skill;
 pub mod user;
 
 // Auto-generated frontend module (from build.rs) serving embedded dist/ assets
+#[allow(dead_code)]
 mod frontend;
 
 pub use error::{api_success, ApiError, ApiResponse};

libs/gingress-proxy/src/filters/header_inject.rs

@@ -7,7 +7,6 @@
 use super::{FilterContext, PostFilter, PreFilter};
 use crate::config::{ConfigStore, HeaderOp};
 use pingora::proxy::Session;
-use std::sync::Arc;
 
 pub struct HeaderInjectFilter {
     store: ConfigStore,

libs/gingress-proxy/src/filters/mod.rs

@@ -9,7 +9,6 @@ pub mod real_ip;
 pub mod session_sticky;
 pub mod ws_upgrade;
 
-use http::HeaderMap;
 use pingora::proxy::Session;
 
 /// Context passed through the filter chain for a single request.

libs/gingress-proxy/src/filters/real_ip.rs

@@ -8,6 +8,7 @@ use pingora::proxy::Session;
 
 pub struct RealIpFilter {
     /// Whether to trust Proxy Protocol headers (TCP-level).
+    #[allow(dead_code)]
     trust_proxy_protocol: bool,
     /// Maximum number of trusted proxy hops.
     trusted_hops: usize,

libs/gingress-proxy/src/health_checker.rs

@@ -14,8 +14,10 @@ pub struct HealthChecker {
     #[allow(dead_code)]
     interval: std::time::Duration,
     /// Failure threshold for passive health checks.
+    #[allow(dead_code)]
     passive_fail_threshold: u32,
     /// Success threshold for recovery.
+    #[allow(dead_code)]
     passive_success_threshold: u32,
 }
 

libs/gingress-proxy/src/hot_reload.rs

@@ -4,8 +4,6 @@
 //! configuration changes without dropping active connections.
 
 use crate::config::ConfigStore;
-use std::sync::Arc;
-use tokio::sync::watch;
 
 /// Hot-reload watcher that listens for config changes.
 pub struct HotReloadWatcher {

libs/gingress-proxy/src/tls.rs

@@ -5,12 +5,8 @@
 
 use crate::config::ConfigStore;
 use anyhow::Context;
-use rustls::pki_types::CertificateDer;
-use rustls::pki_types::PrivateKeyDer;
-use rustls::pki_types::PrivatePkcs8KeyDer;
 use rustls::server::ResolvesServerCert;
 use rustls::sign::CertifiedKey;
-use rustls::sign::SigningKey;
 use rustls::ServerConfig;
 use std::collections::HashMap;
 use std::fmt;