.gitignore

@@ -25,5 +25,4 @@ package-lock.json
 yarn.lock
 .gemini
 .omg
-/.sqry
-deploy/.server.yaml
+/.sqry

apps/gingress/src/controller/reconciler.rs

@@ -111,7 +111,6 @@ impl Reconciler {
     /// The Secret watcher stores the cert at key `tls:<secretName>`.
     /// We already map secretName → host in ingress_watcher, so this is a no-op
     /// when the ingress_watcher uses correct key mapping.
-    #[allow(dead_code)]
     pub fn cross_reference_tls(&self) -> HashMap<String, TlsCert> {
         let mut host_certs: HashMap<String, TlsCert> = HashMap::new();
 

docker/app.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/app /bin
+COPY target/release/app /bin
 USER appuser
 EXPOSE 3000
 CMD ["app"]

docker/email.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/email-worker /bin
+COPY target/release/email-worker /bin
 USER appuser
 EXPOSE 8084
 CMD ["email-worker"]

docker/gingress.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/gingress /bin
+COPY target/release/gingress /bin
 USER appuser
 EXPOSE 80 443 8080
 CMD ["gingress"]

docker/githook.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/git-hook /bin
+COPY target/release/git-hook /bin
 USER appuser
 EXPOSE 8083
 CMD ["git-hook"]

docker/gitserver.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/gitserver /bin
+COPY target/release/gitserver /bin
 USER appuser
 EXPOSE 8021 2222
 CMD ["gitserver"]

docker/metrics.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/metrics-aggregator /bin
+COPY target/release/metrics-aggregator /bin
 USER appuser
 EXPOSE 9090
 CMD ["metrics-aggregator"]

docker/static.Dockerfile

@@ -4,7 +4,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 RUN useradd --system --create-home appuser
 WORKDIR /home/appuser
-COPY ./target/release/static-server /bin
+COPY target/release/static-server /bin
 USER appuser
 EXPOSE 8081
 CMD ["static-server"]

libs/api/build.rs

@@ -43,6 +43,7 @@ fn compute_etag(data: &[u8]) -> String {
 // ── Asset collection ─────────────────────────────────────────────────────
 
 struct Asset {
+    path: String,
     data: Vec<u8>,
     etag: String,
     brotli: Option<Vec<u8>>,
@@ -70,6 +71,7 @@ fn collect_assets(dist_dir: &Path) -> BTreeMap<String, Asset> {
         assets.insert(
             path_str.clone(),
             Asset {
+                path: path_str,
                 data,
                 etag,
                 brotli: brotli_data,

libs/api/lib.rs

@@ -17,7 +17,6 @@ pub mod skill;
 pub mod user;
 
 // Auto-generated frontend module (from build.rs) serving embedded dist/ assets
-#[allow(dead_code)]
 mod frontend;
 
 pub use error::{api_success, ApiError, ApiResponse};

libs/gingress-proxy/src/filters/header_inject.rs

@@ -7,6 +7,7 @@
 use super::{FilterContext, PostFilter, PreFilter};
 use crate::config::{ConfigStore, HeaderOp};
 use pingora::proxy::Session;
+use std::sync::Arc;
 
 pub struct HeaderInjectFilter {
     store: ConfigStore,

libs/gingress-proxy/src/filters/mod.rs

@@ -9,6 +9,7 @@ pub mod real_ip;
 pub mod session_sticky;
 pub mod ws_upgrade;
 
+use http::HeaderMap;
 use pingora::proxy::Session;
 
 /// Context passed through the filter chain for a single request.

libs/gingress-proxy/src/filters/real_ip.rs

@@ -8,7 +8,6 @@ use pingora::proxy::Session;
 
 pub struct RealIpFilter {
     /// Whether to trust Proxy Protocol headers (TCP-level).
-    #[allow(dead_code)]
     trust_proxy_protocol: bool,
     /// Maximum number of trusted proxy hops.
     trusted_hops: usize,

libs/gingress-proxy/src/health_checker.rs

@@ -14,10 +14,8 @@ pub struct HealthChecker {
     #[allow(dead_code)]
     interval: std::time::Duration,
     /// Failure threshold for passive health checks.
-    #[allow(dead_code)]
     passive_fail_threshold: u32,
     /// Success threshold for recovery.
-    #[allow(dead_code)]
     passive_success_threshold: u32,
 }
 

libs/gingress-proxy/src/hot_reload.rs

@@ -4,6 +4,8 @@
 //! configuration changes without dropping active connections.
 
 use crate::config::ConfigStore;
+use std::sync::Arc;
+use tokio::sync::watch;
 
 /// Hot-reload watcher that listens for config changes.
 pub struct HotReloadWatcher {

libs/gingress-proxy/src/tls.rs

@@ -5,8 +5,12 @@
 
 use crate::config::ConfigStore;
 use anyhow::Context;
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::PrivateKeyDer;
+use rustls::pki_types::PrivatePkcs8KeyDer;
 use rustls::server::ResolvesServerCert;
 use rustls::sign::CertifiedKey;
+use rustls::sign::SigningKey;
 use rustls::ServerConfig;
 use std::collections::HashMap;
 use std::fmt;