Add ast-grep structural search

[dutifulbob]

Summary

• add ast-grep structural search on top of the local git mirror
• expose the new feature through /v1/search/repos/{owner}/{repo}/ast-grep and ghr search ast-grep
• ship the ast-grep binary in the production image and document the new API and CLI surface

Testing

• go test ./...
• go vet ./...
• go build ./cmd/ghreplica && go build ./cmd/ghr
• npm run docs:check

[dutifulbob]

Final report:

Merged and deployed on main commit 979463a0430ca6bf26d22b53e4e1ecf5766d743b.

Validation run:

• go test ./... -> passed
• go vet ./... -> passed
• go build ./cmd/ghreplica && go build ./cmd/ghr -> passed
• npm run docs:check -> passed
• git diff --check -> passed
• docker compose -f deploy/gcp/docker-compose.yml config -> passed
• codex review --base main -> ran on the final branch head; no actionable findings/comments surfaced
• PR CI validate -> passed
• merged main CI -> passed: https://github.com/dutifuldev/ghreplica/actions/runs/24480873280

What could not be tested locally:

• local Docker image build, because this environment cannot access the Docker daemon socket

Production deploy:

• fast-forwarded the VM repo to main
• ran sudo docker compose --env-file deploy/gcp/ghreplica.env -f deploy/gcp/docker-compose.yml --profile ops run --rm ghreplica-migrate
• ran sudo docker compose --env-file deploy/gcp/ghreplica.env -f deploy/gcp/docker-compose.yml up -d --build
• verified deployed VM repo at 979463a0430ca6bf26d22b53e4e1ecf5766d743b
• fixed two VM-level runtime issues exposed by the new Debian-based image:
  • GitHub App private key mount permissions were too restrictive for the container user
  • existing git-mirror data was owned by the old container UID, which caused Git safe.directory failures until the host data directory was re-owned by the current container user

Production verification:

• curl -fsS https://ghreplica.dutiful.dev/healthz -> passed
• curl -fsS https://ghreplica.dutiful.dev/readyz -> passed
• API structural-search matrix -> passed 11/11
• CLI structural-search matrix -> passed 7/7

Representative live checks that passed:

• ref search on dutifuldev/ghreplica for os.MkdirTemp($DIR, $PATTERN)
• ref search on dutifuldev/ghreplica for context.WithTimeout($CTX, $DUR)
• path-filtered ref search on dutifuldev/ghreplica for exec.CommandContext($CTX, $BIN, $$$ARGS)
• exact commit_sha search on dutifuldev/ghreplica
• PR-head + changed_files_only search on openclaw/openclaw PR #59883
• empty-result behavior
• invalid request handling for missing target, multiple targets, changed_files_only without PR, and unknown commit SHA

Production API is now serving:

• POST /v1/search/repos/{owner}/{repo}/ast-grep

Production CLI is now serving:

• ghr search ast-grep