package search
import (
"context"
"log/slog"
"net/http"
"strconv"
"strings"
"github.com/go-chi/chi/v5"
"go.bigb.es/auxilia/culpa"
"go.bigb.es/auxilia/scribe"
"sourcecraft.dev/bigbes/lethe/internal/domain/session"
"sourcecraft.dev/bigbes/lethe/internal/pkg/apierror"
"sourcecraft.dev/bigbes/lethe/internal/pkg/httputil"
"sourcecraft.dev/bigbes/lethe/internal/server/auth"
)
const (
defaultLimit = 50
maxLimit = 200
)
const allOwnersSentinel = "*"
// Handler is the steward-managed HTTP boundary for the search read API.
// Repo is the injected SQL steward; the Handler holds no other state.
type Handler struct {
Repo *Repository `inject:""`
}
// Init satisfies the steward Initer contract.
func (h *Handler) Init(_ context.Context) error { return nil }
// Mount registers the read route under r. Server.Init mounts this inside
// the /api/v1 group, so the effective path is /api/v1/search.
func (h *Handler) Mount(r chi.Router) {
r.Get("/search", h.List)
}
// List handles GET /search. It resolves the owner scope, parses query
// parameters, clamps pagination, and writes a search.Result. Errors surface
// through apierror.Render as RFC 7807.
func (h *Handler) List(w http.ResponseWriter, r *http.Request) {
scope, err := h.resolveScope(r)
if err != nil {
apierror.Render(w, r, err)
return
}
q := r.URL.Query()
filter := Filter{Owner: scope}
filter.Query = strings.TrimSpace(q.Get("q"))
if filter.Query == "" {
apierror.Render(w, r, culpa.WithCode(
culpa.WithPublic(culpa.New("search query is empty"), "q must not be empty"),
"INVALID",
))
return
}
if v := q.Get("include_tool_outputs"); v == "1" {
filter.IncludeToolOutputs = true
}
if v := q.Get("tool"); v != "" {
filter.Tool = &v
}
if v := q.Get("host"); v != "" {
filter.Host = &v
}
if v := q.Get("since"); v != "" {
n, perr := strconv.ParseInt(v, 10, 64)
if perr != nil {
apierror.Render(w, r, culpa.WithCode(
culpa.WithPublic(culpa.Wrap(perr, "parse since"), "since must be an integer (unix epoch seconds)"),
"INVALID",
))
return
}
filter.Since = &n
}
if v := q.Get("until"); v != "" {
n, perr := strconv.ParseInt(v, 10, 64)
if perr != nil {
apierror.Render(w, r, culpa.WithCode(
culpa.WithPublic(culpa.Wrap(perr, "parse until"), "until must be an integer (unix epoch seconds)"),
"INVALID",
))
return
}
filter.Until = &n
}
if filter.Since != nil && filter.Until != nil && *filter.Since > *filter.Until {
apierror.Render(w, r, culpa.WithCode(
culpa.WithPublic(culpa.New("since > until"), "since must be <= until"),
"INVALID",
))
return
}
filter.Limit = clampLimit(q.Get("limit"))
filter.Cursor = q.Get("cursor")
result, err := h.Repo.Search(r.Context(), filter)
if err != nil {
apierror.Render(w, r, err)
return
}
if writeErr := httputil.WriteJSON(w, http.StatusOK, result); writeErr != nil {
slog.Default().ErrorContext(r.Context(), "write search response", scribe.Err(writeErr))
}
}
// resolveScope reads the authenticated identity off the context and the
// optional `?owner=` query parameter, then returns the appropriate
// session.OwnerScope. Non-admin requests with `?owner=` set are 403.
func (h *Handler) resolveScope(r *http.Request) (session.OwnerScope, error) {
id := auth.MustIdentity(r.Context())
param := r.URL.Query().Get("owner")
if param == "" {
return session.OwnerScope{User: id.User}, nil
}
if !id.IsAdmin {
return session.OwnerScope{}, culpa.WithCode(
culpa.WithPublic(culpa.New("?owner= is admin-only"), "?owner= is admin-only"),
"FORBIDDEN",
)
}
if param == allOwnersSentinel {
return session.OwnerScope{User: id.User, AllOwners: true}, nil
}
owner := strings.ToLower(param)
return session.OwnerScope{User: id.User, SpecificOwner: &owner}, nil
}
// clampLimit returns the effective limit: defaultLimit when missing,
// non-numeric, or negative; capped at maxLimit when the parsed value
// exceeds it.
func clampLimit(raw string) int {
if raw == "" {
return defaultLimit
}
n, err := strconv.Atoi(raw)
if err != nil || n < 0 {
return defaultLimit
}
if n > maxLimit {
return maxLimit
}
return n
}