Add cmd/ entrypoints, fix auth, deploy to K8s

- cmd/indexer/main.go: CLI with full/repo/webhook/search subcommands
  Clones repos via Gitea API, walks files, indexes to MeiliSearch.
  Webhook HTTP server on :8080 for real-time push reindexing.
- cmd/mcp-server/main.go: MCP stdio server wiring meili + mcp packages
- internal/gitea/client.go: Use Authorization header instead of ?token=
  query param (required by current Gitea API)
- k8s/indexer-cronjob.yaml: Remove embedded secret (foot-gun),
  pin image to v1.0.1, add imagePullPolicy: IfNotPresent
- .gitignore: Anchor binary patterns to root so cmd/ dirs aren't ignored

Deployed: 1,003 documents from 39 repos indexed in 83s.
Global Gitea webhook configured for real-time reindexing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/gitea/client.go

@@ -45,14 +45,15 @@ func (c *Client) ListAllRepos() ([]Repo, error) {
 	limit := 50
 
 	for {
-		url := fmt.Sprintf("%s/api/v1/repos/search?page=%d&limit=%d&token=%s",
-			c.baseURL, page, limit, c.token)
+		url := fmt.Sprintf("%s/api/v1/repos/search?page=%d&limit=%d",
+			c.baseURL, page, limit)
 
 		req, err := http.NewRequest("GET", url, nil)
 		if err != nil {
 			return nil, fmt.Errorf("creating request: %w", err)
 		}
 		req.Header.Set("Accept", "application/json")
+		req.Header.Set("Authorization", "token "+c.token)
 
 		resp, err := c.httpClient.Do(req)
 		if err != nil {
@@ -99,13 +100,14 @@ func (c *Client) ListAllRepos() ([]Repo, error) {
 
 // GetRepo returns a single repository by owner/name.
 func (c *Client) GetRepo(fullName string) (*Repo, error) {
-	url := fmt.Sprintf("%s/api/v1/repos/%s?token=%s", c.baseURL, fullName, c.token)
+	url := fmt.Sprintf("%s/api/v1/repos/%s", c.baseURL, fullName)
 
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
 		return nil, fmt.Errorf("creating request: %w", err)
 	}
 	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "token "+c.token)
 
 	resp, err := c.httpClient.Do(req)
 	if err != nil {