chore: release 0.7.11

Headline: C, C++, and Markdown language support land via #102 and #104
(both by @szavadsky). Plus the docs-deploy fix (#135) that resolves
the vitepress build break caused by my unbounded vite override in 0.7.10.

Also the live test of npm trusted publishing now that the repo's
trusted-publisher config is verified saved on the npm side.

See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore: release 0.7.10

Ships #133 (security: 11 CodeQL alerts + 4 npm transitives closed) and
#134 (clippy pedantic auto-fix cleanup across 27 files).

After this release: open security alerts = 0 across both Dependabot
and CodeQL surfaces.

Cutting partly so the in-flight community PRs (#102 C/C++ support, #104
markdown support) have a clean current base to rebase on.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore: release 0.7.9

Hotfix for the npm publish failure in 0.7.8. #131 switched npm
publishing to Trusted Publishing (OIDC) — no NPM_TOKEN required,
+ SLSA provenance attestation on the published tarball.

This is the first release where @beaconbay/ck-search will actually
land on npm.

See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore: release 0.7.8

Ships everything merged today on top of 0.7.7:

- #117 npm distribution as @beaconbay/ck-search
- #118 dependabot config + safe cargo bumps (incl. openssl CVE fix)
- #119 tar 6 → 7 + engines.node >= 18
- #120 GitHub Actions: checkout v6, codeql v4
- #121 @types/vscode patch
- #122 vue patch (docs-site)
- #125 cargo-safe 20-pack (anyhow, tokio, clap, fastembed 5.13, uuid, etc.)
- #127 shlex 1.3 → 2.0

First release that also publishes to npm. See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore: release 0.7.7

Hotfix release for #116: pinning ort to =2.0.0-rc.11 so users
running \`cargo install ck-search\` (without --locked) don't
get 36 compile errors from a rc.12 upgrade they didn't ask for.

See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore: release 0.7.6

Ships the bug fixes and security work merged today:

- #111 fix: scoped semantic search returned [] when global top_k
  was consumed by chunks outside the requested path scope
- #112 security: MCP tool handlers were sandbox-escapable via
  any readable host path; added allowed_roots + canonicalize check
- #106 fix: MCP tool schemas now Gemini-API compatible
  (no more union types in JSON Schema)
- #100 fix: oneshot 0.1.13 patches a use-after-free race
- #99 chore: docs-site + ck-vscode dev-dep bumps

See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fix(release): make publish-crates fail loud (pipefail + token check)

Two compounding silent-failure modes in publish_crate:

1. **\`cargo publish | tee\` masked cargo's exit code.** Without
   pipefail the pipeline always returns tee's exit (0), so even an
   auth 403 from crates.io printed "Successfully published" and
   moved on to the verify loop. The verify loop then spent 10 minutes
   polling for a crate that never uploaded. Whole job looked like
   it was working until the timeout.

2. **No explicit check that CARGO_REGISTRY_TOKEN is set.** If the
   repo secret is missing or empty, cargo invocation just fails with
   403 — masked by the pipe issue above — and the operator has no
   signal until the job runs in vain for ages.

Add \`set -euo pipefail\` and an upfront token presence check.
Failures from this point on will exit fast and loud.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fix: Build macOS x86_64 without any embedding features

Both fastembed and mixedbread depend on ort, which doesn't provide
prebuilt binaries for x86_64-apple-darwin. Intel Mac users get
regex/lexical search only (like Windows).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

chore: Bump version to 0.7.3

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ci: Fix crates.io API verification with User-Agent header

- Add User-Agent header to curl requests for crates.io API
- Add missing ck-tui crate to publish list
- Increase wait time between retries to avoid rate limiting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>