package search import ( "context" "log/slog" "net/http" "strconv" "strings" "github.com/go-chi/chi/v5" "go.bigb.es/auxilia/culpa" "go.bigb.es/auxilia/scribe" "sourcecraft.dev/bigbes/lethe/internal/domain/session" "sourcecraft.dev/bigbes/lethe/internal/pkg/apierror" "sourcecraft.dev/bigbes/lethe/internal/pkg/httputil" "sourcecraft.dev/bigbes/lethe/internal/server/auth" ) const ( defaultLimit = 50 maxLimit = 200 ) const allOwnersSentinel = "*" // Handler is the steward-managed HTTP boundary for the search read API. // Repo is the injected SQL steward; the Handler holds no other state. type Handler struct { Repo *Repository `inject:""` } // Init satisfies the steward Initer contract. func (h *Handler) Init(_ context.Context) error { return nil } // Mount registers the read route under r. Server.Init mounts this inside // the /api/v1 group, so the effective path is /api/v1/search. func (h *Handler) Mount(r chi.Router) { r.Get("/search", h.List) } // List handles GET /search. It resolves the owner scope, parses query // parameters, clamps pagination, and writes a search.Result. Errors surface // through apierror.Render as RFC 7807. func (h *Handler) List(w http.ResponseWriter, r *http.Request) { scope, err := h.resolveScope(r) if err != nil { apierror.Render(w, r, err) return } q := r.URL.Query() filter := Filter{Owner: scope} filter.Query = strings.TrimSpace(q.Get("q")) if filter.Query == "" { apierror.Render(w, r, culpa.WithCode( culpa.WithPublic(culpa.New("search query is empty"), "q must not be empty"), "INVALID", )) return } if v := q.Get("include_tool_outputs"); v == "1" { filter.IncludeToolOutputs = true } if v := q.Get("tool"); v != "" { filter.Tool = &v } if v := q.Get("host"); v != "" { filter.Host = &v } if v := q.Get("since"); v != "" { n, perr := strconv.ParseInt(v, 10, 64) if perr != nil { apierror.Render(w, r, culpa.WithCode( culpa.WithPublic(culpa.Wrap(perr, "parse since"), "since must be an integer (unix epoch seconds)"), "INVALID", )) return } filter.Since = &n } if v := q.Get("until"); v != "" { n, perr := strconv.ParseInt(v, 10, 64) if perr != nil { apierror.Render(w, r, culpa.WithCode( culpa.WithPublic(culpa.Wrap(perr, "parse until"), "until must be an integer (unix epoch seconds)"), "INVALID", )) return } filter.Until = &n } if filter.Since != nil && filter.Until != nil && *filter.Since > *filter.Until { apierror.Render(w, r, culpa.WithCode( culpa.WithPublic(culpa.New("since > until"), "since must be <= until"), "INVALID", )) return } filter.Limit = clampLimit(q.Get("limit")) filter.Cursor = q.Get("cursor") result, err := h.Repo.Search(r.Context(), filter) if err != nil { apierror.Render(w, r, err) return } if writeErr := httputil.WriteJSON(w, http.StatusOK, result); writeErr != nil { slog.Default().ErrorContext(r.Context(), "write search response", scribe.Err(writeErr)) } } // resolveScope reads the authenticated identity off the context and the // optional `?owner=` query parameter, then returns the appropriate // session.OwnerScope. Non-admin requests with `?owner=` set are 403. func (h *Handler) resolveScope(r *http.Request) (session.OwnerScope, error) { id := auth.MustIdentity(r.Context()) param := r.URL.Query().Get("owner") if param == "" { return session.OwnerScope{User: id.User}, nil } if !id.IsAdmin { return session.OwnerScope{}, culpa.WithCode( culpa.WithPublic(culpa.New("?owner= is admin-only"), "?owner= is admin-only"), "FORBIDDEN", ) } if param == allOwnersSentinel { return session.OwnerScope{User: id.User, AllOwners: true}, nil } owner := strings.ToLower(param) return session.OwnerScope{User: id.User, SpecificOwner: &owner}, nil } // clampLimit returns the effective limit: defaultLimit when missing, // non-numeric, or negative; capped at maxLimit when the parsed value // exceeds it. func clampLimit(raw string) int { if raw == "" { return defaultLimit } n, err := strconv.Atoi(raw) if err != nil || n < 0 { return defaultLimit } if n > maxLimit { return maxLimit } return n }