# codebeam - Doramagic AI Context Pack

> Positioning: a pre-install experience and judgment asset. It helps the host AI get off to a good start, but it does not mean the project has already been installed, run, or validated.

## Sufficiency Principle

- **Sufficiency over compression**: The AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entrypoints, risks, and evidence sources before starting work; it may be layered, but it does not aim for the shortest possible summary.
- **Compression policy**: Compress only noise and duplication, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for codebeam. Treat it as pre-work context: help the user understand who it fits, what it can do, how to start, what must be verified after install, and where the risks are. Do not claim that you have already installed, run, or executed the target project.

## Claim Consumption Rules

- **Fact source**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: May be used as a project fact, but the answer must cite the claim_id and evidence path.
- `weak`: Usable only as a low-confidence lead; the user must be asked to keep verifying.
- `inferred`: Usable only for risk notes or open questions; must not be packaged as a project fact.
- `unverified`: Must not be used as fact; state clearly that evidence is insufficient.
- `contradicted`: Must show the conflicting sources and must not force a single version on the user's behalf.

## Who It Fits Best

- **Developers already using host AIs such as Claude/Codex/Cursor/Gemini**: The README or plugin config mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0002` supported 0.86

## What It Can Do

- **Command-Line Startup or Install Flow** (Verify after install): The project documentation contains runnable commands; real use requires running them in a local or host environment. Evidence: `README.md` Claim: `clm_0001` supported 0.86

## How to Start

- `curl -fsSL https://raw.githubusercontent.com/clement-tourriere/codebeam/main/install.sh | sh` Evidence: `README.md` Claim: `clm_0003` supported 0.86
- `claude mcp add codebeam -- codebeam mcp` Evidence: `README.md` Claim: `clm_0004` supported 0.86

## Continue-or-Stop Decision Card

- **Current recommendation**: Needs admin / security approval
- **Why**: Continuing may involve secrets, accounts, external services, or sensitive context; get admin or security approval first.

### 30-Second Read

- **What to do now**: Needs admin / security approval
- **Minimum safe next step**: Run Prompt Preview first; if credentials or an enterprise environment are involved, get approval before trialing
- **Do not trust yet**: Tool permission boundaries cannot be trusted before install.
- **Continuing will touch**: Command execution, Local environment or project files, Environment variables / API keys

### What You Can Trust Now

- **Target-audience signal: Developers already using host AIs such as Claude/Codex/Cursor/Gemini** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **Capability exists: Command-Line Startup or Install Flow** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `README.md` Claim: `clm_0001` supported 0.86
- **There are Quick Start / install-command signals** (supported): You can trust that the docs mention a startup or install entrypoint; do not run it directly in your primary environment because of that. Evidence: `README.md` Claim: `clm_0003` supported 0.86

### What You Cannot Trust Yet

- **Tool permission boundaries cannot be trusted before install.** (unverified): MCP/tool projects usually touch files, the network, the browser, or external APIs, so permissions and logs must be checked for real.
- **Real output quality cannot be trusted before install.** (unverified): Prompt Preview can only show how it guides you; it cannot prove result quality in the real project.
- **Host AI version compatibility cannot be trusted before install.** (unverified): Host loading rules and version differences across Claude, Cursor, Codex, Gemini, and others must be verified in a real environment.
- **That it will not pollute your existing host AI's behavior cannot be trusted directly.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior.
- **Safe rollback cannot be assumed by default.** (unverified): Unless the project clearly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): Compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **Do the install commands require network access, permissions, or global writes?** (unverified): This affects install risk in both enterprise and personal environments. Evidence: `README.md`

### What Continuing Will Touch

- **Command execution**: Package managers, network downloads, the local plugin directory, project config, or the user's home directory. Why: Running the very first command can already change your environment; decide whether it is worth running first. Evidence: `README.md`
- **Local environment or project files**: Install results, plugin caches, project config, or local dependency directories. Why: The write scope and rollback path cannot be proven before install and need isolated verification. Evidence: `README.md`
- **Environment variables / API keys**: Project entry docs explicitly showing API key, token, secret, or account credential configuration. Why: If a real install needs credentials, use test credentials first and go through a permission/compliance review. Evidence: `README.md`, `docs/src/content/docs/cli.md`, `docs/src/content/docs/configuration.md`, `docs/src/content/docs/deployment.md` et al.
- **Host AI context**: The AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Why: Importing context affects the host AI's later judgment, so avoid packaging unverified items as facts.

### Minimum Safe Next Steps

- **Run Prompt Preview first**: Use a pre-install interactive trial to judge whether the way of working fits; it needs no authorization or environment change. (applies when: Applies to any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or a test account**: Avoid letting install commands pollute your primary host AI, real projects, or home directory. (applies when: When there are signals of command execution, plugin config, or local writes.)
- **Do not use real production credentials**: Once an environment variable / API key enters the host or toolchain, it can create account and compliance risk. (applies when: When environment signals like API, TOKEN, KEY, or SECRET appear.)
- **After install, verify just one minimal task**: Verify loading, compatibility, output quality, and rollback first, then decide whether to use it deeply. (applies when: When moving from a trial into a real workflow.)

### Exit Plan

- **Preserve the pre-install state**: Record the original host config and project state so you can later judge whether it is recoverable.
- **Record the install commands and written paths**: Without clear uninstall instructions, you at least need to know which directories or configs to clean up manually.
- **Be ready to revoke test API keys or tokens**: If test credentials leak or are misused, you can cut losses quickly.
- **If there is no rollback path, do not enter your primary environment**: No rollback is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project fits and what it can do
- Demonstrate a typical conversation flow based on project docs
- Help the user decide whether it is worth installing or researching further

## What Must Be Verified After Install

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary & Risk Decision Card

- **Mistaking the pre-install preview for a real run**: The user may overestimate how much configuration, permission, and compatibility verification the project has already done. Mitigation: Clearly separate prompt_preview_can_do from runtime_required. Claim: `clm_0005` inferred 0.45
- **Command execution will modify the local environment**: Install commands may write to the user's home directory, the host plugin directory, or project configuration. Mitigation: Run in an isolated environment or a test account first. Evidence: `README.md` Claim: `clm_0006` supported 0.86
- **To confirm**: After a real install, is it compatible with the user's current host AI version?. Why: Compatibility can only be verified in the actual host environment.
- **To confirm**: Does the project's output quality meet the user's specific task?. Why: The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **To confirm**: Do the install commands require network access, permissions, or global writes?. Why: This affects install risk in both enterprise and personal environments.

## Pre-Work Working Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install judgment asset.
- Read claim_graph_summary to confirm facts come from the Claim/Evidence Graph, not the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When you need to carry out a concrete task, check role_skill_index first, then evidence_index.
- For real install, file modification, network access, performance, or compatibility questions, turn to risk_card and boundaries.runtime_required.

### Task Routes

- **Command-Line Startup or Install Flow**: State that this is an after-install capability first, then give a pre-install checklist. Boundary: Must be verified after a real install or run. Evidence: `README.md` Claim: `clm_0001` supported 0.86

### Context Scale

- Total files: 110
- Important-file coverage: 40/110
- Evidence index entries: 68
- Role / Skill entries: 14

### Handling Insufficient Evidence

- **missing_evidence**: State that evidence is insufficient and ask the user for the target file, a README section, or after-install verification records; do not fill in facts.
- **out_of_scope_request**: State that the task is beyond the current AI Context Pack's evidence scope and suggest the user check the Human Manual or verify after a real install.
- **runtime_request**: Provide a pre-install checklist and command sources, but do not run commands for the user or claim they have been run.
- **source_conflict**: Show the conflicting sources side by side, mark them as unverified, and do not force a single version.

## Prompt Recipes

### Fit assessment

- Goal: Judge whether this project fits the user's current task.
- Expected output: A fit conclusion, key reasons, evidence citations, what can be previewed before install, what must be verified after install, and a next-step recommendation.

```text
Based on the AI Context Pack for codebeam, ask me 3 necessary questions first, then judge whether it fits my task. The answer must cover: who it fits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-install experience

- Goal: Let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: An experience script with boundary labels, an after-install verification checklist, and a cautious recommendation; with no real-run promises or strong marketing language.

```text
Treat codebeam as a pre-install experience asset, not an already-installed tool or a real runtime environment.

Output exactly four parts:
1. Ask me 3 necessary questions first.
2. Give an "experience script": use the three labels [Previewable before install], [Must verify after install], and [Insufficient evidence] to show how it might guide the workflow.
3. Give an after-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give a cautious recommendation: only "worth researching/trialing further", "add information before deciding", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim you have installed, run, executed tests, modified files, or produced real results.
- Do not write promise-like phrasing such as "auto-adapts", "guarantees passing", "perfect fit", or "strongly recommend installing".
- If you describe how it works after install, you must use a conditional such as "if installed successfully and the host loads the Skill correctly, it might...".
- The experience script may only be written as "example lines / hypothetical flow": use "might ask / might suggest / might show", not "has written, has generated, has passed, is running, is generating".
- Prompt Preview does not hand out install commands; if the user is ready to trial, only prompt them to read Quick Start and the Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified items can only be risks or open questions.

```

### Role / Skill selection

- Goal: Pick the best-matching asset from the project's roles or Skills.
- Expected output: A list of candidate roles or Skills, each with an applicable scenario, evidence paths, risk boundary, and whether after-install verification is needed.

```text
Read role_skill_index and recommend 3-5 of the most relevant roles or Skills for my target task. For each recommendation, state the applicable scenario, likely output, risk boundary, and evidence_refs.
```

### Risk pre-check

- Goal: Identify environment, permission, rule-conflict, and quality risks before installing or adopting.
- Expected output: A checklist of environment, permission, dependency, license, host-conflict, quality risk, and unknown items.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what impact a failure would have.
```

### Host AI kickoff instruction

- Goal: Turn the project context into a host AI instruction for the start of a conversation.
- Expected output: A pre-work instruction with clear boundaries and clear evidence citations, suitable to copy to a host AI.

```text
Based on the AI Context Pack for codebeam, generate a pre-work instruction I can paste to my host AI. This instruction must obey not_runtime=true and must not claim the project has been installed, run, or produced real results.
```

## Role / Skill Index

- Indexed 14 role / Skill / project-doc entries.

- **Codebeam** (project_doc): Codebeam is a local-first Sourcegraph-style code search prototype backed by Zoekt. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `README.md`
- **Demo Repository** (project_doc): This tiny repository is here so Codebeam can index and search something immediately. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `testdata/repos/demo/README.md`
- **Structural Search with ast-grep — Design & Implementation** (project_doc): Structural Search with ast-grep — Design & Implementation Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/ast-grep-structural-search-plan.md`
- **Install** (project_doc): Search your indexed repositories from any terminal — browser login for humans, a token variable for agents and CI. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/cli.md`
- **Typical configurations** (project_doc): Complete environment-variable reference — server, secrets, paths, code hosts, indexing, and search limits. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/configuration.md`
- **Production checklist** (project_doc): Run Codebeam as a shared service for your team, with Docker or a plain binary behind a reverse proxy. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/deployment.md`
- **1. Install** (project_doc): Install Codebeam, add your first repository, and run your first search in five minutes. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/getting-started.md`
- **MCP server** (project_doc): Connect Claude Code and other MCP clients, pack context with the CLI, or call the JSON API. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/integrations.md`
- **Choosing a method** (project_doc): Sign-in methods, code-host connections, SSO, API tokens, roles, and permission sync. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/oauth.md`
- **Where repositories come from** (project_doc): Add repositories from any source, control which branches are indexed, and let Codebeam keep everything fresh. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/repositories-indexing.md`
- **Writing queries** (project_doc): Query syntax, symbol and structural search, result filters, and the code viewer. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/searching.md`
- **Quick checks** (project_doc): Common setup, sign-in, indexing, search, and deployment problems — and their fixes. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/src/content/docs/troubleshooting.md`
- **v0.2.0 2026-07-07** (project_doc): - cli : add cb, a command-line client for any Codebeam server Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `CHANGELOG.md`
- **Codebeam — Product Vision & Strategy** (project_doc): Codebeam — Product Vision & Strategy Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `VISION.md`

## Evidence Index

- Indexed 68 evidence entries.

- **Codebeam** (documentation): Codebeam is a local-first Sourcegraph-style code search prototype backed by Zoekt. Evidence: `README.md`
- **Demo Repository** (documentation): This tiny repository is here so Codebeam can index and search something immediately. Evidence: `testdata/repos/demo/README.md`
- **Package** (package_manifest): { "name": "codebeam-docs", "private": true, "version": "0.1.0", "type": "module", "scripts": { "dev": "astro dev", "build": "astro build", "preview": "astro preview" }, "dependencies": { "@astrojs/starlight": "^0.41.1", "astro": "^7.0.3" } } Evidence: `docs/package.json`
- **Package** (package_manifest): { "name": "codebeam", "private": true, "version": "0.1.0", "scripts": { "build": "tailwindcss -i ./assets/css/input.css -o ../static/app.css --minify && cp ./node modules/htmx.org/dist/htmx.min.js ../static/htmx.min.js", "watch": "tailwindcss -i ./assets/css/input.css -o ../static/app.css --watch" }, "dependencies": { "@tailwindcss/cli": "^4.1.11", "daisyui": "^5.0.43", "htmx.org": "^2.0.4", "tailwindcss": "^4.1.11" } } Evidence: `frontend/package.json`
- **Package** (package_manifest): { "name": "codebeam-vscode", "displayName": "Codebeam", "description": "Search the selected text in Codebeam.", "version": "0.1.0", "publisher": "codebeam", "engines": { "vscode": "^1.90.0" }, "categories": "Other" , "activationEvents": "onCommand:codebeam.searchSelection" , "main": "./out/extension.js", "contributes": { "commands": { "command": "codebeam.searchSelection", "title": "Codebeam: Search Selection" } , "configuration": { "title": "Codebeam", "properties": { "codebeam.baseUrl": { "type": "string", "default": "http://localhost:8080", "description": "Base URL of the Codebeam instance." } } } }, "scripts": { "compile": "tsc -p ./", "watch": "tsc -watch -p ./" }, "devDependencies": {… Evidence: `extensions/vscode/package.json`
- **License** (source_file): Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files the "Software" , to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Evidence: `LICENSE`
- **Structural Search with ast-grep — Design & Implementation** (documentation): Structural Search with ast-grep — Design & Implementation Evidence: `docs/ast-grep-structural-search-plan.md`
- **Install** (documentation): cb brings Codebeam's index to the command line. It talks to a Codebeam server over the same authenticated /mcp endpoint AI agents use, so it returns the same cited, permission-scoped results — from any machine that can reach the server, with nothing but a single binary. Evidence: `docs/src/content/docs/cli.md`
- **Typical configurations** (documentation): Codebeam is configured entirely through environment variables, read once at process start. Defaults are designed so that a local instance needs no configuration at all — you only set variables when you move data, share the instance, or connect code hosts. Evidence: `docs/src/content/docs/configuration.md`
- **Production checklist** (documentation): A shared Codebeam instance is deliberately boring to run: one process, one data directory, no external services . Deploy the Docker image or the self-contained binary, put a reverse proxy in front for HTTPS, and back up one directory. git must be available at runtime — Codebeam shells out to it to clone and read repositories the Docker image includes it, plus Universal Ctags for symbol search . Evidence: `docs/src/content/docs/deployment.md`
- **1. Install** (documentation): This page takes you from nothing to your first search result. You need a machine with git installed — that's the only hard requirement. Evidence: `docs/src/content/docs/getting-started.md`
- **MCP server** (documentation): Codebeam was built with AI coding agents in mind. An agent that greps a checkout burns context on false positives and can't see repositories it hasn't cloned; Codebeam gives it the opposite — precise, indexed retrieval over everything , with every result carrying a repo:path:line@commit citation the agent can verify. Evidence: `docs/src/content/docs/integrations.md`
- **Choosing a method** (documentation): Codebeam has two related but distinct kinds of authentication: Evidence: `docs/src/content/docs/oauth.md`
- **Where repositories come from** (documentation): Codebeam searches what it has indexed. This page covers the full lifecycle: adding repositories, choosing branches, monitoring index jobs, and the automatic freshness machinery that means you rarely think about any of it. Evidence: `docs/src/content/docs/repositories-indexing.md`
- **Writing queries** (documentation): Everything on this page happens on the Search page /search . The same capabilities are available to scripts and agents through the JSON API and MCP tools /codebeam/integrations/ . Evidence: `docs/src/content/docs/searching.md`
- **Quick checks** (documentation): Before debugging a specific feature: Evidence: `docs/src/content/docs/troubleshooting.md`
- **Embed** (source_file): package codebeam ⋮---- import "embed" ⋮---- //go:embed templates Evidence: `embed.go`
- **Main** (source_file): package main ⋮---- import "context" "os" "os/signal" "syscall" "github.com/ctourriere/codebeam/internal/cli" ⋮---- "context" "os" "os/signal" "syscall" ⋮---- "github.com/ctourriere/codebeam/internal/cli" ⋮---- func main Evidence: `cmd/cb/main.go`
- **Ctx** (source_file): package main ⋮---- import "context" "errors" "flag" "fmt" "io" "strings" "github.com/ctourriere/codebeam/internal/config" codesearch "github.com/ctourriere/codebeam/internal/search" ⋮---- "context" "errors" "flag" "fmt" "io" "strings" ⋮---- "github.com/ctourriere/codebeam/internal/config" codesearch "github.com/ctourriere/codebeam/internal/search" ⋮---- const defaultCtxMaxChars = 12000 ⋮---- func runCtxCommand ctx context.Context, cfg config.Config, args string, stdout, stderr io.Writer error ⋮---- func writeContextBundle w io.Writer, result codesearch.Result, maxChars, maxFiles int ⋮---- func plainSegments segments codesearch.Segment string ⋮---- var b strings.Builder ⋮---- func shortCommi… Evidence: `cmd/codebeam/ctx.go`
- **Main** (source_file): package main ⋮---- import "context" "errors" "fmt" "log/slog" "net/http" "os" "os/signal" "syscall" "time" "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/indexer" "github.com/ctourriere/codebeam/internal/scheduler" "github.com/ctourriere/codebeam/internal/version" "github.com/ctourriere/codebeam/internal/watcher" "github.com/ctourriere/codebeam/internal/web" ⋮---- "context" "errors" "fmt" "log/slog" "net/http" "os" "os/signal" "syscall" "time" ⋮---- "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/indexer" "github.com/ctourriere/codebeam/internal/scheduler" "github.com/ctourriere/codebeam/internal/version" "… Evidence: `cmd/codebeam/main.go`
- **Mcp** (source_file): package main ⋮---- import "context" "flag" "io" "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/indexer" mcpserver "github.com/ctourriere/codebeam/internal/mcp" codesearch "github.com/ctourriere/codebeam/internal/search" "github.com/ctourriere/codebeam/internal/structural" ⋮---- "context" "flag" "io" ⋮---- "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/indexer" mcpserver "github.com/ctourriere/codebeam/internal/mcp" codesearch "github.com/ctourriere/codebeam/internal/search" "github.com/ctourriere/codebeam/internal/structural" ⋮---- func runMCPCommand ctx context.Context, cfg config.Config, args string, std… Evidence: `cmd/codebeam/mcp.go`
- **Store** (source_file): package main ⋮---- import "context" "log/slog" "path/filepath" "strings" "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/secretbox" "github.com/ctourriere/codebeam/internal/store" ⋮---- "context" "log/slog" "path/filepath" "strings" ⋮---- "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/secretbox" "github.com/ctourriere/codebeam/internal/store" ⋮---- func openStore ctx context.Context, cfg config.Config store.Store, error ⋮---- func insideDir path, dir string bool Evidence: `cmd/codebeam/store.go`
- **Cli** (source_file): package cli ⋮---- import "context" "errors" "flag" "fmt" "io" "net/http" "os" "regexp" "strconv" "strings" "time" "github.com/ctourriere/codebeam/internal/version" ⋮---- "context" "errors" "flag" "fmt" "io" "net/http" "os" "regexp" "strconv" "strings" "time" ⋮---- "github.com/ctourriere/codebeam/internal/version" ⋮---- const usage = cb — search your Codebeam-indexed repositories from the command line cb talks to a Codebeam server over the same authenticated endpoint MCP agents use, so results are identical: ranked snippets with repo:path:line citations. Usage: cb flags args Search commands: search Lexical/regex search Zoekt syntax: file:, lang:, sym:, ... ast --lang Structural AST search wi… Evidence: `internal/cli/cli.go`
- **Config** (source_file): package cli ⋮---- import "encoding/json" "errors" "net/url" "os" "path/filepath" "strings" "github.com/ctourriere/codebeam/internal/config" ⋮---- "encoding/json" "errors" "net/url" "os" "path/filepath" "strings" ⋮---- "github.com/ctourriere/codebeam/internal/config" ⋮---- const envToken = "CODEBEAM TOKEN" envServer = "CODEBEAM URL" envConfigPath = "CODEBEAM CLI CONFIG" ⋮---- const defaultServer = "http://localhost:8080" ⋮---- type credentials struct { Kind string json:"kind" Token string json:"token,omitempty" ClientID string json:"client id,omitempty" AccessToken string json:"access token,omitempty" RefreshToken string json:"refresh token,omitempty" ExpiresAt int64 json:"expires at,omitemp… Evidence: `internal/cli/config.go`
- **Oauth** (source_file): package cli ⋮---- import "context" "crypto/rand" "crypto/sha256" "encoding/base64" "encoding/json" "errors" "fmt" "io" "net" "net/http" "net/url" "os/exec" "runtime" "strings" "time" ⋮---- "context" "crypto/rand" "crypto/sha256" "encoding/base64" "encoding/json" "errors" "fmt" "io" "net" "net/http" "net/url" "os/exec" "runtime" "strings" "time" ⋮---- const loginTimeout = 5 time.Minute ⋮---- type authServerMeta struct { AuthorizationEndpoint string json:"authorization endpoint" TokenEndpoint string json:"token endpoint" RegistrationEndpoint string json:"registration endpoint" } ⋮---- func discoverAuthServer ctx context.Context, hc http.Client, server string authServerMeta ⋮---- var meta auth… Evidence: `internal/cli/oauth.go`
- **Config** (source_file): package config ⋮---- import "net" "net/url" "os" "path/filepath" "runtime" "strconv" "strings" "time" ⋮---- "net" "net/url" "os" "path/filepath" "runtime" "strconv" "strings" "time" ⋮---- const DefaultSessionSecret = "dev-secret-change-me" ⋮---- const ZoektMaxBranches = 64 ⋮---- const DefaultMaxIndexedBranches = 20 ⋮---- type Config struct { Addr string BaseURL string DataDir string DBPath string RepoDir string IndexDir string StaticDir string TemplateGlob string SessionSecret string EncryptionKey string EncryptionKeyFile string DevLogin bool WatchLocalRepos bool CTagsPath string IndexConcurrency int IndexFileConcurrency int MaxIndexedBranches int AutoIndexRemote bool RemoteRefreshInterval… Evidence: `internal/config/config.go`
- **Blobs** (source_file): package indexer ⋮---- import "context" "fmt" "strings" "github.com/ctourriere/codebeam/internal/store" ⋮---- "context" "fmt" "strings" ⋮---- "github.com/ctourriere/codebeam/internal/store" ⋮---- type BranchFile struct { Path string Blob string Size int64 } ⋮---- func i Indexer ResolveBranchRef ctx context.Context, repo store.Repo, branch string string, error ⋮---- func i Indexer ListBranchFiles ctx context.Context, repo store.Repo, ref string BranchFile, error ⋮---- type BlobReader struct { batch gitCatFileBatch } ⋮---- func i Indexer OpenBlobReader ctx context.Context, repo store.Repo BlobReader, error ⋮---- func r BlobReader Read ctx context.Context, blob string byte, error ⋮---- func r B… Evidence: `internal/indexer/blobs.go`
- **Indexer** (source_file): package indexer ⋮---- import "bufio" "bytes" "context" "database/sql" "encoding/base64" "encoding/json" "errors" "fmt" "io" "io/fs" "log/slog" "os" "os/exec" "path/filepath" "slices" "sort" "strconv" "strings" "sync" "time" "github.com/ctourriere/codebeam/internal/codehost" "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/store" "github.com/sourcegraph/zoekt" zindex "github.com/sourcegraph/zoekt/index" ⋮---- "bufio" "bytes" "context" "database/sql" "encoding/base64" "encoding/json" "errors" "fmt" "io" "io/fs" "log/slog" "os" "os/exec" "path/filepath" "slices" "sort" "strconv" "strings" "sync" "time" ⋮---- "github.com/ctourriere/codebeam/internal/code… Evidence: `internal/indexer/indexer.go`
- **Mcp** (source_file): package mcp ⋮---- import "bufio" "bytes" "context" "encoding/json" "errors" "fmt" "io" "io/fs" "log/slog" "os" "path/filepath" "regexp" "sort" "strconv" "strings" "time" "github.com/ctourriere/codebeam/internal/codehost" "github.com/ctourriere/codebeam/internal/indexer" codesearch "github.com/ctourriere/codebeam/internal/search" "github.com/ctourriere/codebeam/internal/store" "github.com/ctourriere/codebeam/internal/structural" ⋮---- "bufio" "bytes" "context" "encoding/json" "errors" "fmt" "io" "io/fs" "log/slog" "os" "path/filepath" "regexp" "sort" "strconv" "strings" "time" ⋮---- "github.com/ctourriere/codebeam/internal/codehost" "github.com/ctourriere/codebeam/internal/indexer" codesearc… Evidence: `internal/mcp/mcp.go`
- **Oidc** (source_file): package oidc ⋮---- import "context" "crypto/sha256" "encoding/base64" "encoding/json" "errors" "fmt" "io" "net/http" "net/url" "strings" "sync" "time" ⋮---- "context" "crypto/sha256" "encoding/base64" "encoding/json" "errors" "fmt" "io" "net/http" "net/url" "strings" "sync" "time" ⋮---- type Config struct { Issuer string ClientID string ClientSecret string Scopes string } ⋮---- type Identity struct { Subject string Email string EmailVerified bool Name string Picture string } ⋮---- type Client struct { cfg Config http http.Client mu sync.Mutex disc discovery } ⋮---- type discovery struct { Issuer string json:"issuer" AuthorizationEndpoint string json:"authorization endpoint" TokenEndpoint st… Evidence: `internal/oidc/oidc.go`
- **Normalize** (source_file): package search ⋮---- import "regexp/syntax" "sort" "unicode" "github.com/sourcegraph/zoekt/query" ⋮---- "regexp/syntax" "sort" "unicode" ⋮---- "github.com/sourcegraph/zoekt/query" ⋮---- const normalizedRegexpFlags = syntax.ClassNL syntax.PerlX syntax.UnicodeGroups ⋮---- func normalizeQuery q query.Q query.Q ⋮---- func normalizeSubstring q query.Substring query.Q ⋮---- func normalizeRegexpQuery q query.Regexp query.Q ⋮---- func normalizeRegexp r syntax.Regexp, caseSensitive bool syntax.Regexp, bool ⋮---- var changed bool ⋮---- func normalizeLiteralRunes runes rune, caseSensitive bool syntax.Regexp, bool ⋮---- var sub syntax.Regexp var literal rune ⋮---- func normalizeCharClass ranges rune, c… Evidence: `internal/search/normalize.go`
- **Search** (source_file): package search ⋮---- import "context" "errors" "fmt" "hash/fnv" "os/exec" "path" "regexp" "sort" "strconv" "strings" "time" "github.com/ctourriere/codebeam/internal/store" "github.com/sourcegraph/zoekt" "github.com/sourcegraph/zoekt/query" zsearch "github.com/sourcegraph/zoekt/search" ⋮---- "context" "errors" "fmt" "hash/fnv" "os/exec" "path" "regexp" "sort" "strconv" "strings" "time" ⋮---- "github.com/ctourriere/codebeam/internal/store" "github.com/sourcegraph/zoekt" "github.com/sourcegraph/zoekt/query" zsearch "github.com/sourcegraph/zoekt/search" ⋮---- const facetFileBudget = 20000 facetMatchBudget = 200000 displayFileLimit = 100 topPathRootValue = " root " noExtensionValue = " none " un… Evidence: `internal/search/search.go`
- **Auth** (source_file): package store ⋮---- import "context" "crypto/rand" "crypto/sha256" "crypto/subtle" "database/sql" "encoding/base64" "encoding/hex" "encoding/json" "errors" "fmt" "strings" "time" "unicode/utf8" ⋮---- "context" "crypto/rand" "crypto/sha256" "crypto/subtle" "database/sql" "encoding/base64" "encoding/hex" "encoding/json" "errors" "fmt" "strings" "time" "unicode/utf8" ⋮---- const RoleAdmin = "admin" RoleMember = "member" ⋮---- const patPrefix = "cbp " oauthAccessPrefix = "cbo " oauthRefreshPrefix = "cbr " ⋮---- const OAuthCodeTTL = 10 time.Minute OAuthAccessTokenTTL = time.Hour OAuthRefreshTokenTTL = 30 24 time.Hour ⋮---- type APIToken struct { ID int64 UserID int64 Name string Prefix string Cr… Evidence: `internal/store/auth.go`
- **Store** (source_file): package store ⋮---- import "context" "database/sql" "encoding/json" "errors" "fmt" "os" "path/filepath" "regexp" "sort" "strconv" "strings" "time" "github.com/ctourriere/codebeam/internal/secretbox" "modernc.org/sqlite" ⋮---- "context" "database/sql" "encoding/json" "errors" "fmt" "os" "path/filepath" "regexp" "sort" "strconv" "strings" "time" ⋮---- "github.com/ctourriere/codebeam/internal/secretbox" "modernc.org/sqlite" ⋮---- type Store struct { db sql.DB cipher secretbox.Cipher } ⋮---- type User struct { ID int64 Email string Name string AvatarURL string Role string CreatedAt int64 } ⋮---- type Identity struct { ID int64 UserID int64 Provider string ProviderUserID string Username string U… Evidence: `internal/store/store.go`
- **Engine** (source_file): package structural ⋮---- import "bytes" "context" "errors" "fmt" "io/fs" "os" "path/filepath" "regexp" "sort" "strings" "sync" "time" "unicode/utf8" "github.com/ctourriere/codebeam/internal/indexer" codesearch "github.com/ctourriere/codebeam/internal/search" "github.com/ctourriere/codebeam/internal/store" ⋮---- "bytes" "context" "errors" "fmt" "io/fs" "os" "path/filepath" "regexp" "sort" "strings" "sync" "time" "unicode/utf8" ⋮---- "github.com/ctourriere/codebeam/internal/indexer" codesearch "github.com/ctourriere/codebeam/internal/search" "github.com/ctourriere/codebeam/internal/store" ⋮---- const maxFileSize = 2 << 20 contextLines = 2 maxMatchBodyLines = 8 maxMetaVarText = 200 ⋮---- type… Evidence: `internal/structural/engine.go`
- **Wasm** (source_file): package structural ⋮---- import "context" "embed" "encoding/json" "fmt" "os" "runtime" "sync" "sync/atomic" "github.com/tetratelabs/wazero" wazeroapi "github.com/tetratelabs/wazero/api" "github.com/tetratelabs/wazero/imports/wasi snapshot preview1" ⋮---- "context" "embed" "encoding/json" "fmt" "os" "runtime" "sync" "sync/atomic" ⋮---- "github.com/tetratelabs/wazero" wazeroapi "github.com/tetratelabs/wazero/api" "github.com/tetratelabs/wazero/imports/wasi snapshot preview1" ⋮---- //go:embed astgrep.wasm var astGrepWasm byte ⋮---- type Span struct { Start int json:"start" End int json:"end" } ⋮---- type WasmMatch struct { ByteStart int json:"byteStart" ByteEnd int json:"byteEnd" StartLine int… Evidence: `internal/structural/wasm.go`
- **Mcp** (source_file): package web ⋮---- import "encoding/json" "io" "net/http" mcpserver "github.com/ctourriere/codebeam/internal/mcp" ⋮---- "encoding/json" "io" "net/http" ⋮---- mcpserver "github.com/ctourriere/codebeam/internal/mcp" ⋮---- const maxMCPBody = 4 << 20 ⋮---- func s Server handleMCP w http.ResponseWriter, r http.Request Evidence: `internal/web/mcp.go`
- **Oauth** (source_file): package web ⋮---- import "crypto/sha256" "database/sql" "encoding/base64" "encoding/json" "errors" "net/http" "net/url" "strings" "github.com/ctourriere/codebeam/internal/store" ⋮---- "crypto/sha256" "database/sql" "encoding/base64" "encoding/json" "errors" "net/http" "net/url" "strings" ⋮---- "github.com/ctourriere/codebeam/internal/store" ⋮---- const protectedResourceMetadataPath = "/.well-known/oauth-protected-resource/mcp" oauthScope = "codebeam" ⋮---- func s Server mcpResource string ⋮---- func oauthCORS w http.ResponseWriter, r http.Request handled bool ⋮---- func s Server handleProtectedResourceMetadata w http.ResponseWriter, r http.Request ⋮---- func s Server handleAuthServerMetadat… Evidence: `internal/web/oauth.go`
- **Oidc** (source_file): package web ⋮---- import "errors" "net/http" "strings" "time" ⋮---- "errors" "net/http" "strings" "time" ⋮---- const oidcAuthCookie = "codebeam oidc auth" oidcAuthTTL = 10 time.Minute oidcProvider = "oidc" ⋮---- func s Server handleOIDCStart w http.ResponseWriter, r http.Request ⋮---- func s Server handleOIDCCallback w http.ResponseWriter, r http.Request ⋮---- "", // no provider API token to keep — OIDC is login-only ⋮---- func s Server checkOIDCDomain email string, verified bool error Evidence: `internal/web/oidc.go`
- **Oidc Login Test** (source_file): package web ⋮---- import "context" "encoding/base64" "encoding/json" "net/http" "net/http/httptest" "net/url" "strings" "testing" "time" "github.com/ctourriere/codebeam/internal/codehost" "github.com/ctourriere/codebeam/internal/oidc" "github.com/ctourriere/codebeam/internal/store" ⋮---- "context" "encoding/base64" "encoding/json" "net/http" "net/http/httptest" "net/url" "strings" "testing" "time" ⋮---- "github.com/ctourriere/codebeam/internal/codehost" "github.com/ctourriere/codebeam/internal/oidc" "github.com/ctourriere/codebeam/internal/store" ⋮---- type fakeIdP struct { server httptest.Server clientID string email string emailVerified bool nonce string challenge string badNonce bool t t… Evidence: `internal/web/oidc_login_test.go`
- **Server** (source_file): package web ⋮---- import "context" "crypto/hmac" "crypto/rand" "crypto/sha256" "database/sql" "encoding/base64" "errors" "fmt" "html/template" "io" "io/fs" "log/slog" "net/http" "net/url" "os" "os/exec" "path/filepath" "sort" "strconv" "strings" "time" codebeam "github.com/ctourriere/codebeam" "github.com/ctourriere/codebeam/internal/codehost" "github.com/ctourriere/codebeam/internal/config" "github.com/ctourriere/codebeam/internal/indexer" "github.com/ctourriere/codebeam/internal/oidc" codesearch "github.com/ctourriere/codebeam/internal/search" "github.com/ctourriere/codebeam/internal/store" "github.com/ctourriere/codebeam/internal/structural" ⋮---- "context" "crypto/hmac" "crypto/rand" "c… Evidence: `internal/web/server.go`
- **Main** (source_file): package main ⋮---- import "fmt" ⋮---- func main ⋮---- func searchExample input string bool Evidence: `testdata/repos/demo/main.go`
- **v0.2.0 2026-07-07** (documentation): - cli : add cb, a command-line client for any Codebeam server Evidence: `CHANGELOG.md`
- **Codebeam — Product Vision & Strategy** (documentation): Codebeam — Product Vision & Strategy Evidence: `VISION.md`
- **Tsconfig** (structured_config): { "extends": "astro/tsconfigs/strict" } Evidence: `docs/tsconfig.json`
- **Tsconfig** (structured_config): { "compilerOptions": { "module": "commonjs", "target": "ES2022", "outDir": "out", "lib": "ES2022" , "sourceMap": true, "rootDir": "src", "strict": true }, "exclude": "node modules", ".vscode-test" } Evidence: `extensions/vscode/tsconfig.json`
- **The git tags are the single source of truth for the version; the binary gets** (source_file): tool.commitizen name = "cz conventional commits" The git tags are the single source of truth for the version; the binary gets it injected at build time via -ldflags, so no version file needs bumping. version provider = "scm" tag format = "v$version" Annotated tags carry a message, so signing tag.gpgsign=true works non-interactively instead of hanging on an editor prompt; they are also what git push --follow-tags pushes. annotated tag = true update changelog on bump = true changelog incremental = true Pre-1.0: breaking changes bump the minor version, not the major. major version zero = true Evidence: `.cz.toml`
- **.dockerignore** (source_file): .git bin/ docs/ testdata/ /node modules .env .codebeam/ Dockerfile .dockerignore Evidence: `.dockerignore`
- **Copy this file to .env and fill the values you need.** (source_file): Copy this file to .env and fill the values you need. mise.toml loads .env automatically for mise run dev , mise run build , etc. Evidence: `.env.example`
- **.gitignore** (source_file): .codebeam/ .cache/ .env .env. !.env.example bin/ frontend/node modules/ docs/node modules/ docs/dist/ docs/.astro/ extensions/vscode/node modules/ extensions/vscode/out/ static/app.css static/htmx.min.js .db .db-shm .db-wal wasm/astgrep/target/ Evidence: `.gitignore`
- **syntax=docker/dockerfile:1** (source_file): --- Frontend: Tailwind/DaisyUI CSS + HTMX vendoring writes into static/ --- FROM node:22-alpine AS frontend WORKDIR /src COPY frontend/package.json frontend/package-lock.json frontend/ RUN npm --prefix frontend ci Tailwind v4 auto-detects class usage from the surrounding source tree, so the templates and the rest of the repo must be present when the CSS is built. COPY . . RUN npm --prefix frontend run build Evidence: `Dockerfile`
- **Astro.Config** (source_file): // GitHub Pages project site: served under /codebeam/. Evidence: `docs/astro.config.mjs`
- **Go** (source_file): module github.com/ctourriere/codebeam/frontend Evidence: `frontend/go.mod`
- **Go** (source_file): module github.com/ctourriere/codebeam Evidence: `go.mod`
- **Hk** (source_file): amends "package://github.com/jdx/hk/releases/download/v1.48.0/hk@1.48.0 /Config.pkl" import "package://github.com/jdx/hk/releases/download/v1.48.0/hk@1.48.0 /Builtins.pkl" Evidence: `hk.pkl`
- **cb the CLI ships alongside the server binary since v0.2; older archives** (source_file): set -eu REPO="clement-tourriere/codebeam" err { printf 'error: %s\n' "$1" &2; exit 1; } info { printf '%s\n' "$1"; } command -v curl /dev/null 2 &1 err "curl is required" command -v tar /dev/null 2 &1 err "tar is required" os=$ uname -s tr ' :upper: ' ' :lower: ' case "$os" in linux darwin ;; err "unsupported OS: $os use the Docker image instead: ghcr.io/$REPO " ;; esac arch=$ uname -m case "$arch" in x86 64 amd64 arch=amd64 ;; aarch64 arm64 arch=arm64 ;; err "unsupported architecture: $arch" ;; esac version="${CODEBEAM VERSION:-}" if -z "$version" ; then version=$ curl -fsSL "https://api.github.com/repos/$REPO/releases/latest" \ grep '"tag name"' head -n1 cut -d'"' -f4 -n "$version" err "c… Evidence: `install.sh`
- **Mise** (source_file): tools go = "1.25.11" hk = "latest" node = "22" pkl = "latest" uv = "latest" "pipx:commitizen" = "latest" Evidence: `mise.toml`
- **App** (source_file): function setMatchAll bulk, on ⋮---- function checkVisible bulk, on ⋮---- function refreshBulkState ⋮---- function applyTheme theme ⋮---- function scrollToFocusedLine ⋮---- function syncRepoSearch ⋮---- function normalizeSearchText value ⋮---- function uniqueValues values ⋮---- function initRepoCombobox root ⋮---- function optionValue option ⋮---- function optionLabel option ⋮---- function findByValue value ⋮---- function findExact text ⋮---- function selectedSet ⋮---- function updateClear ⋮---- function visibleOptions ⋮---- function setActive option ⋮---- function renderSelected ⋮---- function filterOptions ⋮---- function openMenu ⋮---- function closeMenu ⋮---- function applyOption option ⋮… Evidence: `static/app.js`
- **Code** (source_file): {{define "partial code"}} {{range .Crumbs}}{{if .Last}} {{.Name}} {{else}} {{.Name}} / {{end}}{{end}} {{len .Lines}} lines {{if .Symbols}} Symbols {{len .Symbols}} {{$repo := .Repo}} {{range .Symbols}} {{.Kind}} {{.Name}} {{if .Scope}} {{.Scope}} {{end}} :{{.Line}} refs {{end}} {{end}} {{range .Lines}} {{.Number}} {{.HTML}} {{else}} Empty file. {{end}} {{end}} Evidence: `templates/code.html`
- **Layout** (source_file): {{define "shell start"}} Codebeam function { try { var t = localStorage.getItem "codebeam-theme" ; // Migrate the pre-rebrand theme names. if t === "winter" { t = "codebeam"; } if t === "dim" { t = "codebeam-dark"; } if !t && window.matchMedia && window.matchMedia " prefers-color-scheme: dark " .matches { t = "codebeam-dark"; } if t { document.documentElement.dataset.theme = t; } } catch e {} } ; {{end}} {{define "nav"}} Codebeam {{if .User}} Search Repositories Navigate Search Repositories Settings Settings &amp; users Sources Manage repositories {{displayUserName .User}} Sign out {{else}} {{end}} {{end}} {{define "shell end"}} {{end}} Evidence: `templates/layout.html`
- The remaining 8 evidence entries are in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only an evidence-backed understanding of the project, not the project's executable state. Evidence: `README.md`, `testdata/repos/demo/README.md`, `docs/package.json`
- **When answering the user, distinguish what can be previewed from what can only be verified after install.**: The consumer value of the pre-install experience comes from reducing bad installs and misjudgments, not from pretending to be a real run. Evidence: `README.md`, `testdata/repos/demo/README.md`, `docs/package.json`

## Questions the User Should Answer First

- Which host AI or local environment do you plan to use it in?
- Do you just want to experience the workflow first, or are you ready to actually install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Checks

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package previews as a real run.
- The user can understand who it fits, what it can do, how to start, and the risk boundaries within 3 minutes.

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **System Architecture and Code Layout**: importance `high`
  - source_paths: cmd/codebeam/main.go, internal/web/server.go, internal/store/store.go, internal/indexer/indexer.go, internal/config/config.go
- **Search Engines and Indexing Pipeline**: importance `high`
  - source_paths: internal/indexer/indexer.go, internal/indexer/blobs.go, internal/search/search.go, internal/search/normalize.go, internal/structural/engine.go
- **MCP Server, CLI, and Agent Integration**: importance `high`
  - source_paths: internal/mcp/mcp.go, internal/web/mcp.go, cmd/codebeam/mcp.go, cmd/codebeam/ctx.go, cmd/cb/main.go
- **Authentication, Authorization, and Deployment**: importance `medium`
  - source_paths: internal/store/auth.go, internal/cli/oauth.go, internal/web/oauth.go, internal/web/oidc.go, internal/web/oidc_login_test.go

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `a9839cc753ce78ffd8287d865ce7ec10e6d41756`
- inspected_files: `Dockerfile`, `README.md`, `docs/ast-grep-structural-search-plan.md`, `docs/package-lock.json`, `docs/package.json`, `docs/src/content/docs/cli.md`, `docs/src/content/docs/configuration.md`, `docs/src/content/docs/deployment.md`, `docs/src/content/docs/getting-started.md`, `docs/src/content/docs/index.mdx`, `docs/src/content/docs/integrations.md`, `docs/src/content/docs/oauth.md`, `docs/src/content/docs/repositories-indexing.md`, `docs/src/content/docs/searching.md`, `docs/src/content/docs/troubleshooting.md`, `docs/src/content.config.ts`, `docs/tsconfig.json`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Capability evidence risk requires verification

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/clement-tourriere/codebeam
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/clement-tourriere/codebeam
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/clement-tourriere/codebeam
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Maintenance risk requires verification

- Trigger: issue_or_pr_quality=unknown。
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/clement-tourriere/codebeam
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Maintenance risk requires verification

- Trigger: release_recency=unknown。
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/clement-tourriere/codebeam
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.
