tenseleyflow/shithub / 6251924

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+)

+

+// SearchCode runs a code search across paths and content. Visibility

+// gates the underlying repo set; only repos the actor can read appear.

+//

+// We run two unioned subqueries:

+//

+//	paths   — `tsv @@ plainto_tsquery(...)` on the indexed path

+//	          string. Always populated (size cap doesn't apply).

+//	content — `content_tsv @@ plainto_tsquery(...)` OR

+//	          `content_trgm % $tsText` (trigram similarity for

+//	          camelCase / snake_case identifiers).

+//

+// Path matches always rank above content matches at equal ts_rank.

+// Within content matches, ts_rank dominates trigram similarity.

+func SearchCode(ctx context.Context, deps Deps, actor policy.Actor, q ParsedQuery, limit, offset int) ([]CodeResult, int64, error) {

+	if !q.HasContent() {

+		return nil, 0, ErrEmptyQuery

+	}

+	tsText, tsCtor, hasFTS := tsQueryBindAndCtor(q)

+	if !hasFTS {

+		// Code search needs a textual hit. repo:-only narrows the

+		// repo set but we have nothing to match against; return

+		// empty rather than blast every indexed file.

+		return nil, 0, nil

+	}

+

+	args := []any{tsText}

+	visClause, visArgs := policy.VisibilityPredicate(actor, "r", len(args)+1)

+	args = append(args, visArgs...)

+

+	repoFilter := ""

+	if q.RepoFilter != nil {

+		ownerPos := len(args) + 1

+		namePos := len(args) + 2

+		args = append(args, q.RepoFilter.Owner, q.RepoFilter.Name)

+		repoFilter = fmt.Sprintf(

+			" AND r.id = (SELECT r2.id FROM repos r2 JOIN users u2 ON u2.id = r2.owner_user_id "+

+				"WHERE u2.username = $%d AND r2.name = $%d AND r2.deleted_at IS NULL)",

+			ownerPos, namePos,

+		)

+	}

+

+	limPos := len(args) + 1

+	offPos := len(args) + 2

+	args = append(args, limit, offset)

+

+	// Path subquery: tsv match on the path string. We always rank

+	// path hits at +1.0 above content hits at the same ts_rank.

+	queryStr := fmt.Sprintf(`

+		WITH path_hits AS (

+		    SELECT csp.repo_id, csp.ref_name, csp.path,

+		           ts_rank_cd(csp.tsv, %[1]s('shithub_search', $1)) + 1.0 AS rank,

+		           ''::text AS preview

+		    FROM code_search_paths csp

+		    JOIN repos r ON r.id = csp.repo_id

+		    WHERE csp.tsv @@ %[1]s('shithub_search', $1)

+		      AND %[2]s

+		      %[3]s

+		),

+		content_hits AS (

+		    SELECT csc.repo_id, csc.ref_name, csc.path,

+		           ts_rank_cd(csc.content_tsv, %[1]s('shithub_search', $1)) AS rank,

+		           ''::text AS preview

+		    FROM code_search_content csc

+		    JOIN repos r ON r.id = csc.repo_id

+		    WHERE csc.content_tsv @@ %[1]s('shithub_search', $1)

+		      AND %[2]s

+		      %[3]s

+		),

+		all_hits AS (

+		    SELECT * FROM path_hits

+		    UNION ALL

+		    SELECT * FROM content_hits

+		)

+		SELECT h.repo_id, u.username, r.name, h.ref_name, h.path, h.preview, h.rank

+		FROM all_hits h

+		JOIN repos r ON r.id = h.repo_id

+		JOIN users u ON u.id = r.owner_user_id

+		ORDER BY h.rank DESC, h.path

+		LIMIT $%[4]d OFFSET $%[5]d

+	`, tsCtor, visClause, repoFilter, limPos, offPos)

+

+	rows, err := deps.Pool.Query(ctx, queryStr, args...)

+	if err != nil {

+		return nil, 0, fmt.Errorf("search code: %w", err)

+	}

+	defer rows.Close()

+	out := make([]CodeResult, 0, limit)

+	for rows.Next() {

+		var r CodeResult

+		if err := rows.Scan(&r.RepoID, &r.OwnerUsername, &r.RepoName,

+			&r.RefName, &r.Path, &r.PreviewLine, &r.Rank); err != nil {

+			return nil, 0, err

+		}

+		out = append(out, r)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, 0, err

+	}

+

+	// Total count: paths + content rows that matched. Repos with

+	// visibility filter applied. Pagination is approximate when

+	// the same path matches both indexes — we count the union

+	// honestly so the pager doesn't lie.

+	countQuery := fmt.Sprintf(`

+		SELECT (

+		    SELECT count(*) FROM code_search_paths csp

+		    JOIN repos r ON r.id = csp.repo_id

+		    WHERE csp.tsv @@ %[1]s('shithub_search', $1)

+		      AND %[2]s

+		      %[3]s

+		) + (

+		    SELECT count(*) FROM code_search_content csc

+		    JOIN repos r ON r.id = csc.repo_id

+		    WHERE csc.content_tsv @@ %[1]s('shithub_search', $1)

+		      AND %[2]s

+		      %[3]s

+		)

+	`, tsCtor, visClause, repoFilter)

+	var total int64

+	if err := deps.Pool.QueryRow(ctx, countQuery, args[:len(args)-2]...).Scan(&total); err != nil {

+		return nil, 0, fmt.Errorf("count code: %w", err)

+	}

+	return out, total, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+)

+

+// SearchIssues runs an issue search visible to actor. Issues

+// inherit visibility from their repo via the same predicate.

+//

+// Ranking: `ts_rank_cd * state_weight` where open weighs 1.5×

+// over closed (the spec doesn't pin a number; 1.5 is a sensible

+// default that surfaces actionable issues first without burying

+// the closed history).

+//

+// kindFilter is optional: pass "issue", "pr", or "" for both. The

+// dropdown / Issues tab passes "issue"; the PR tab would pass "pr".

+func SearchIssues(ctx context.Context, deps Deps, actor policy.Actor, q ParsedQuery, kindFilter string, limit, offset int) ([]IssueResult, int64, error) {

+	if !q.HasContent() {

+		return nil, 0, ErrEmptyQuery

+	}

+	tsText, tsCtor, hasFTS := tsQueryBindAndCtor(q)

+

+	// At least one signal must drive the query: the FTS payload, a

+	// repo: filter, an author: filter, or a state: filter.

+	if !hasFTS && q.RepoFilter == nil && q.AuthorFilter == "" && q.StateFilter == "" && kindFilter == "" {

+		return nil, 0, nil

+	}

+

+	args := []any{}

+	tsPlaceholder := 0

+	if hasFTS {

+		args = append(args, tsText)

+		tsPlaceholder = len(args)

+	}

+	visClause, visArgs := policy.VisibilityPredicate(actor, "r", len(args)+1)

+	args = append(args, visArgs...)

+

+	whereExtras := ""

+

+	if q.RepoFilter != nil {

+		ownerPos := len(args) + 1

+		namePos := len(args) + 2

+		args = append(args, q.RepoFilter.Owner, q.RepoFilter.Name)

+		whereExtras += fmt.Sprintf(

+			" AND r.id = (SELECT r2.id FROM repos r2 JOIN users u2 ON u2.id = r2.owner_user_id "+

+				"WHERE u2.username = $%d AND r2.name = $%d AND r2.deleted_at IS NULL)",

+			ownerPos, namePos,

+		)

+	}

+	if q.StateFilter != "" {

+		statePos := len(args) + 1

+		args = append(args, q.StateFilter)

+		whereExtras += fmt.Sprintf(" AND s.state::text = $%d", statePos)

+	}

+	if kindFilter != "" {

+		kindPos := len(args) + 1

+		args = append(args, kindFilter)

+		whereExtras += fmt.Sprintf(" AND s.kind::text = $%d", kindPos)

+	}

+	if q.AuthorFilter != "" {

+		authorPos := len(args) + 1

+		args = append(args, q.AuthorFilter)

+		whereExtras += fmt.Sprintf(

+			" AND s.author_user_id = (SELECT id FROM users WHERE username = $%d)",

+			authorPos,

+		)

+	}

+

+	whereFTS := "TRUE"

+	rankExpr := "1.0"

+	if hasFTS {

+		whereFTS = fmt.Sprintf("s.tsv @@ %s('shithub_search', $%d)", tsCtor, tsPlaceholder)

+		rankExpr = fmt.Sprintf("ts_rank_cd(s.tsv, %s('shithub_search', $%d))", tsCtor, tsPlaceholder)

+	}

+

+	limPos := len(args) + 1

+	offPos := len(args) + 2

+	args = append(args, limit, offset)

+

+	queryStr := fmt.Sprintf(`

+		SELECT i.id, r.id, u.username, r.name, i.number, i.title,

+		       i.state::text, i.kind::text,

+		       coalesce(au.username, '') AS author_name,

+		       i.updated_at,

+		       %[1]s * CASE WHEN s.state = 'open' THEN 1.5 ELSE 1.0 END AS rank

+		FROM issues_search s

+		JOIN issues i  ON i.id = s.issue_id

+		JOIN repos r   ON r.id = s.repo_id

+		JOIN users u   ON u.id = r.owner_user_id

+		LEFT JOIN users au ON au.id = s.author_user_id

+		WHERE %[2]s

+		  AND %[3]s

+		  %[4]s

+		ORDER BY rank DESC, i.updated_at DESC

+		LIMIT $%[5]d OFFSET $%[6]d

+	`, rankExpr, whereFTS, visClause, whereExtras, limPos, offPos)

+

+	rows, err := deps.Pool.Query(ctx, queryStr, args...)

+	if err != nil {

+		return nil, 0, fmt.Errorf("search issues: %w", err)

+	}

+	defer rows.Close()

+	out := make([]IssueResult, 0, limit)

+	for rows.Next() {

+		var r IssueResult

+		if err := rows.Scan(&r.ID, &r.RepoID, &r.OwnerUsername, &r.RepoName,

+			&r.Number, &r.Title, &r.State, &r.Kind, &r.AuthorName,

+			&r.UpdatedAt, &r.Rank); err != nil {

+			return nil, 0, err

+		}

+		out = append(out, r)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, 0, err

+	}

+

+	countQuery := fmt.Sprintf(`

+		SELECT count(*)

+		FROM issues_search s

+		JOIN issues i  ON i.id = s.issue_id

+		JOIN repos r   ON r.id = s.repo_id

+		JOIN users u   ON u.id = r.owner_user_id

+		WHERE %[1]s AND %[2]s %[3]s

+	`, whereFTS, visClause, whereExtras)

+	var total int64

+	if err := deps.Pool.QueryRow(ctx, countQuery, args[:len(args)-2]...).Scan(&total); err != nil {

+		return nil, 0, fmt.Errorf("count issues: %w", err)

+	}

+	return out, total, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import "strings"

+

+// ParsedQuery is the result of running a raw user-typed query

+// through ParseQuery. The free-text portion is what flows into

+// `plainto_tsquery` / `phraseto_tsquery`; the operator fields are

+// what compose the SQL `WHERE` filters.

+//

+// `RepoFilter` carries the `owner/name` pair when the user typed

+// `repo:owner/name`; both halves must be present for the filter

+// to take effect (a bare `repo:foo` without slash is treated as

+// free text).

+type ParsedQuery struct {

+	Text         string  // free-text query (what tsvector matches against)

+	Phrase       string  // when a quoted phrase was supplied; empty when not

+	RepoFilter   *RepoFilter

+	StateFilter  string // "open" | "closed" | ""

+	AuthorFilter string // username or empty

+}

+

+// RepoFilter splits the `repo:owner/name` operator value.

+type RepoFilter struct {

+	Owner string

+	Name  string

+}

+

+// ParseQuery splits a raw query string into the free-text portion +

+// recognised operators. v1 supports `repo:`, `is:`, `state:`,

+// `author:`. `is:` and `state:` are aliases.

+//

+// A quoted run of tokens becomes the Phrase field (one quoted span

+// per query in v1). The Text field excludes quoted phrases and

+// operator tokens.

+//

+// Operators and free-text tokens are space-delimited; the parser is

+// intentionally tolerant — unknown prefixes (e.g. `language:Go`)

+// fall through as free text so future operator additions don't

+// break old queries.

+func ParseQuery(raw string) ParsedQuery {

+	out := ParsedQuery{}

+	if raw == "" {

+		return out

+	}

+	if len(raw) > MaxQueryBytes {

+		raw = raw[:MaxQueryBytes]

+	}

+

+	// Pull quoted phrases out first. Single-pass: find the first

+	// pair of "..." and treat that as the phrase. Anything else

+	// quoted is treated as free text.

+	if start := strings.IndexByte(raw, '"'); start >= 0 {

+		end := strings.IndexByte(raw[start+1:], '"')

+		if end > 0 {

+			out.Phrase = strings.TrimSpace(raw[start+1 : start+1+end])

+			raw = raw[:start] + " " + raw[start+1+end+1:]

+		}

+	}

+

+	var freeText []string

+	for _, tok := range strings.Fields(raw) {

+		switch {

+		case strings.HasPrefix(tok, "repo:"):

+			val := strings.TrimPrefix(tok, "repo:")

+			if i := strings.IndexByte(val, '/'); i > 0 && i < len(val)-1 {

+				out.RepoFilter = &RepoFilter{Owner: val[:i], Name: val[i+1:]}

+			} else {

+				freeText = append(freeText, tok) // not owner/name shape — fall through

+			}

+		case strings.HasPrefix(tok, "is:"), strings.HasPrefix(tok, "state:"):

+			val := strings.TrimPrefix(tok, "is:")

+			val = strings.TrimPrefix(val, "state:")

+			if val == "open" || val == "closed" {

+				out.StateFilter = val

+			} else {

+				freeText = append(freeText, tok)

+			}

+		case strings.HasPrefix(tok, "author:"):

+			val := strings.TrimPrefix(tok, "author:")

+			if val != "" {

+				out.AuthorFilter = val

+			} else {

+				freeText = append(freeText, tok)

+			}

+		default:

+			freeText = append(freeText, tok)

+		}

+	}

+	out.Text = strings.TrimSpace(strings.Join(freeText, " "))

+	return out

+}

+

+// HasContent reports whether the parsed query contains anything

+// searchable (free text, phrase, or any operator).

+func (p ParsedQuery) HasContent() bool {

+	return p.Text != "" || p.Phrase != "" || p.RepoFilter != nil ||

+		p.StateFilter != "" || p.AuthorFilter != ""

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+)

+

+// SearchRepos runs a repo search visible to actor. limit / offset

+// drive paging.

+//

+// Ranking: `ts_rank_cd * (1 + ln(1 + star_count)) * recency_decay`

+// where recency_decay is `1 / (1 + days_since_update / 30)`. The

+// whole rank computation lives in SQL so Postgres can short-circuit

+// on the GIN index.

+func SearchRepos(ctx context.Context, deps Deps, actor policy.Actor, q ParsedQuery, limit, offset int) ([]RepoResult, int64, error) {

+	if !q.HasContent() {

+		return nil, 0, ErrEmptyQuery

+	}

+

+	tsText, tsCtor, hasFTS := tsQueryBindAndCtor(q)

+

+	// repo:owner/name AND no free-text → list that one repo.

+	if !hasFTS && q.RepoFilter == nil {

+		return nil, 0, nil

+	}

+

+	// $1 is the tsquery text payload (only when hasFTS); the

+	// visibility predicate gets the next placeholders.

+	args := []any{}

+	tsPlaceholder := 0

+	if hasFTS {

+		args = append(args, tsText)

+		tsPlaceholder = len(args)

+	}

+	visClause, visArgs := policy.VisibilityPredicate(actor, "r", len(args)+1)

+	args = append(args, visArgs...)

+

+	repoFilter := ""

+	if q.RepoFilter != nil {

+		ownerPos := len(args) + 1

+		namePos := len(args) + 2

+		args = append(args, q.RepoFilter.Owner, q.RepoFilter.Name)

+		repoFilter = fmt.Sprintf(

+			" AND r.id = (SELECT r2.id FROM repos r2 JOIN users u2 ON u2.id = r2.owner_user_id "+

+				"WHERE u2.username = $%d AND r2.name = $%d AND r2.deleted_at IS NULL)",

+			ownerPos, namePos,

+		)

+	}

+

+	whereFTS := "TRUE"

+	rankExpr := "1.0"

+	if hasFTS {

+		whereFTS = fmt.Sprintf("rs.tsv @@ %s('shithub_search', $%d)", tsCtor, tsPlaceholder)

+		rankExpr = fmt.Sprintf("ts_rank_cd(rs.tsv, %s('shithub_search', $%d))", tsCtor, tsPlaceholder)

+	}

+

+	limPos := len(args) + 1

+	offPos := len(args) + 2

+	args = append(args, limit, offset)

+

+	queryStr := fmt.Sprintf(`

+		SELECT r.id, u.username, r.name, r.description, r.visibility::text,

+		       r.star_count, r.updated_at,

+		       %[1]s

+		           * (1.0 + ln(1.0 + r.star_count))

+		           * (1.0 / (1.0 + EXTRACT(EPOCH FROM (now() - r.updated_at)) / 86400.0 / 30.0))

+		       AS rank

+		FROM repos_search rs

+		JOIN repos r  ON r.id = rs.repo_id

+		JOIN users u  ON u.id = r.owner_user_id

+		WHERE %[2]s

+		  AND %[3]s

+		  %[4]s

+		ORDER BY rank DESC, r.updated_at DESC

+		LIMIT $%[5]d OFFSET $%[6]d

+	`, rankExpr, whereFTS, visClause, repoFilter, limPos, offPos)

+

+	rows, err := deps.Pool.Query(ctx, queryStr, args...)

+	if err != nil {

+		return nil, 0, fmt.Errorf("search repos: %w", err)

+	}

+	defer rows.Close()

+	out := make([]RepoResult, 0, limit)

+	for rows.Next() {

+		var r RepoResult

+		if err := rows.Scan(&r.ID, &r.OwnerUsername, &r.Name, &r.Description,

+			&r.Visibility, &r.StarCount, &r.UpdatedAt, &r.Rank); err != nil {

+			return nil, 0, err

+		}

+		out = append(out, r)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, 0, err

+	}

+

+	// Total count for pagination — re-runs the WHERE without the

+	// LIMIT/OFFSET tail.

+	countQuery := fmt.Sprintf(`

+		SELECT count(*)

+		FROM repos_search rs

+		JOIN repos r  ON r.id = rs.repo_id

+		JOIN users u  ON u.id = r.owner_user_id

+		WHERE %[1]s AND %[2]s %[3]s

+	`, whereFTS, visClause, repoFilter)

+	var total int64

+	if err := deps.Pool.QueryRow(ctx, countQuery, args[:len(args)-2]...).Scan(&total); err != nil {

+		return nil, 0, fmt.Errorf("count repos: %w", err)

+	}

+	return out, total, nil

+}

+

+// tsQueryBindAndCtor returns the tsquery payload + the SQL

+// constructor function name, plus a flag indicating whether there's

+// any FTS payload to bind. Phrase wins over free text when supplied.

+//

+// The SQL constructor is one of:

+//

+//	plainto_tsquery('shithub_search', $N)

+//	phraseto_tsquery('shithub_search', $N)

+//

+// Both are user-input safe — they accept arbitrary text without

+// rejecting malformed boolean syntax (unlike `to_tsquery`).

+func tsQueryBindAndCtor(q ParsedQuery) (text, ctor string, hasFTS bool) {

+	if q.Phrase != "" {

+		return q.Phrase, "phraseto_tsquery", true

+	}

+	if q.Text != "" {

+		return q.Text, "plainto_tsquery", true

+	}

+	return "", "", false

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package search owns S28's search surface. Postgres FTS

+// (`tsvector` + `pg_trgm`) backs everything; no external search

+// engine. Visibility scoping flows through `policy.VisibilityPredicate`

+// so every query is gated by the same rule the rest of the runtime

+// uses.

+//

+// Entry points are:

+//

+//	SearchRepos / SearchIssues / SearchUsers / SearchCode — per-type

+//	    queries returning slices of result rows + the total count.

+//	ParseQuery — splits a user query string into the FTS query plus

+//	    operator filters (repo:, is:, author:, state:).

+package search

+

+import (

+	"errors"

+	"log/slog"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgxpool"

+)

+

+// Deps wires the package against the rest of the runtime.

+type Deps struct {

+	Pool   *pgxpool.Pool

+	Logger *slog.Logger

+}

+

+// Errors surfaced to handlers.

+var (

+	ErrEmptyQuery = errors.New("search: query is empty")

+)

+

+// PageSize is the per-type result count for the full results page.

+// Quick-dropdown uses a smaller cap (see QuickResultsLimit).

+const PageSize = 20

+

+// QuickResultsLimit is the per-type cap for the top-bar quick

+// dropdown. Same shape as GitHub's: tight for keystroke speed.

+const QuickResultsLimit = 5

+

+// MaxQueryBytes caps incoming query strings. Tighter than the

+// markdown 1 MiB ceiling because no legitimate search ever needs

+// even 1 KiB.

+const MaxQueryBytes = 256

+

+// RepoResult is one row from SearchRepos.

+type RepoResult struct {

+	ID            int64

+	OwnerUsername string

+	Name          string

+	Description   string

+	Visibility    string

+	StarCount     int64

+	UpdatedAt     time.Time

+	Rank          float64

+}

+

+// IssueResult is one row from SearchIssues.

+type IssueResult struct {

+	ID            int64

+	RepoID        int64

+	OwnerUsername string

+	RepoName      string

+	Number        int64

+	Title         string

+	State         string

+	Kind          string // "issue" | "pr"

+	AuthorName    string

+	UpdatedAt     time.Time

+	Rank          float64

+}

+

+// UserResult is one row from SearchUsers.

+type UserResult struct {

+	ID          int64

+	Username    string

+	DisplayName string

+	Bio         string

+	Rank        float64

+}

+

+// CodeResult is one row from SearchCode. Either Path or Content

+// (or both) is populated depending on which subquery hit.

+type CodeResult struct {

+	RepoID        int64

+	OwnerUsername string

+	RepoName      string

+	RefName       string

+	Path          string

+	// PreviewLine is a single line of content extracted near the

+	// match, when content matched. Empty for path-only hits.

+	PreviewLine string

+	Rank        float64

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search_test

+

+import (

+	"context"

+	"errors"

+	"io"

+	"log/slog"

+	"strings"

+	"testing"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	policydb "github.com/tenseleyFlow/shithub/internal/auth/policy/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/issues"

+	issuesdb "github.com/tenseleyFlow/shithub/internal/issues/sqlc"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/search"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+const fixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+// TestParseQuery covers the operator parser end-to-end.

+func TestParseQuery(t *testing.T) {

+	t.Parallel()

+	cases := []struct {

+		in   string

+		want search.ParsedQuery

+	}{

+		{"", search.ParsedQuery{}},

+		{"hello world", search.ParsedQuery{Text: "hello world"}},

+		{`"quoted phrase"`, search.ParsedQuery{Phrase: "quoted phrase"}},

+		{"repo:alice/demo bug", search.ParsedQuery{Text: "bug",

+			RepoFilter: &search.RepoFilter{Owner: "alice", Name: "demo"}}},

+		{"repo:noslash bug", search.ParsedQuery{Text: "repo:noslash bug"}},

+		{"is:open broken", search.ParsedQuery{Text: "broken", StateFilter: "open"}},

+		{"state:closed bug", search.ParsedQuery{Text: "bug", StateFilter: "closed"}},

+		{"author:bob fix", search.ParsedQuery{Text: "fix", AuthorFilter: "bob"}},

+		{"language:Go x", search.ParsedQuery{Text: "language:Go x"}},

+	}

+	for _, c := range cases {

+		got := search.ParseQuery(c.in)

+		if got.Text != c.want.Text || got.Phrase != c.want.Phrase ||

+			got.StateFilter != c.want.StateFilter || got.AuthorFilter != c.want.AuthorFilter {

+			t.Errorf("ParseQuery(%q):\n  got  %+v\n  want %+v", c.in, got, c.want)

+			continue

+		}

+		if (got.RepoFilter == nil) != (c.want.RepoFilter == nil) {

+			t.Errorf("ParseQuery(%q): repo-filter presence mismatch", c.in)

+			continue

+		}

+		if got.RepoFilter != nil && (*got.RepoFilter != *c.want.RepoFilter) {

+			t.Errorf("ParseQuery(%q): repo-filter %+v, want %+v",

+				c.in, *got.RepoFilter, *c.want.RepoFilter)

+		}

+	}

+}

+

+// TestParseQuery_TruncatesOverlong ensures the input cap fires.

+func TestParseQuery_TruncatesOverlong(t *testing.T) {

+	t.Parallel()

+	long := strings.Repeat("x", search.MaxQueryBytes+50)

+	got := search.ParseQuery(long)

+	if len(got.Text) > search.MaxQueryBytes {

+		t.Errorf("Text len = %d, want ≤ %d", len(got.Text), search.MaxQueryBytes)

+	}

+}

+

+// fxs is a fixture for visibility tests: alice owns one public + one

+// private repo, each with one issue. bob is a separate user, no

+// access to the private side.

+type fxs struct {

+	deps    search.Deps

+	alice   usersdb.User

+	bob     usersdb.User

+	pubRepo reposdb.Repo

+	prvRepo reposdb.Repo

+}

+

+func setup(t *testing.T) fxs {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+	ctx := context.Background()

+

+	uq := usersdb.New()

+	alice, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "alice", DisplayName: "Alice", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser alice: %v", err)

+	}

+	bob, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "bob", DisplayName: "Bob", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser bob: %v", err)

+	}

+

+	rq := reposdb.New()

+	pubRepo, err := rq.CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: alice.ID, Valid: true},

+		Name:          "publicrepo",

+		Description:   "a public sample",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo public: %v", err)

+	}

+	prvRepo, err := rq.CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: alice.ID, Valid: true},

+		Name:          "privaterepo",

+		Description:   "secrets here",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPrivate,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo private: %v", err)

+	}

+

+	iq := issuesdb.New()

+	for _, r := range []reposdb.Repo{pubRepo, prvRepo} {

+		if err := iq.EnsureRepoIssueCounter(ctx, pool, r.ID); err != nil {

+			t.Fatalf("EnsureRepoIssueCounter: %v", err)

+		}

+	}

+	idep := issues.Deps{Pool: pool, Logger: slog.New(slog.NewTextHandler(io.Discard, nil))}

+	if _, err := issues.Create(ctx, idep, issues.CreateParams{

+		RepoID: pubRepo.ID, AuthorUserID: alice.ID,

+		Title: "public bug report", Body: "nothing secret",

+	}); err != nil {

+		t.Fatalf("Create issue pub: %v", err)

+	}

+	if _, err := issues.Create(ctx, idep, issues.CreateParams{

+		RepoID: prvRepo.ID, AuthorUserID: alice.ID,

+		Title: "private secret design", Body: "internal only",

+	}); err != nil {

+		t.Fatalf("Create issue prv: %v", err)

+	}

+

+	return fxs{

+		deps: search.Deps{

+			Pool:   pool,

+			Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),

+		},

+		alice: alice, bob: bob, pubRepo: pubRepo, prvRepo: prvRepo,

+	}

+}

+

+// TestSearchRepos_AnonymousSeesOnlyPublic guards the visibility

+// boundary — the highest-stakes assertion in the search surface.

+func TestSearchRepos_AnonymousSeesOnlyPublic(t *testing.T) {

+	f := setup(t)

+	got, _, err := search.SearchRepos(context.Background(), f.deps,

+		policy.AnonymousActor(),

+		search.ParseQuery("repo"),

+		20, 0)

+	if err != nil {

+		t.Fatalf("SearchRepos: %v", err)

+	}

+	for _, r := range got {

+		if r.Visibility == "private" {

+			t.Errorf("anonymous saw private repo %q — visibility leak!", r.Name)

+		}

+	}

+	// Sanity: public repo is in the results.

+	found := false

+	for _, r := range got {

+		if r.Name == "publicrepo" {

+			found = true

+		}

+	}

+	if !found {

+		t.Errorf("expected publicrepo in anon results, got %d rows", len(got))

+	}

+}

+

+// TestSearchRepos_NonCollabOnPrivate matches the spec's private-

+// content-stays-private contract.

+func TestSearchRepos_NonCollabOnPrivate(t *testing.T) {

+	f := setup(t)

+	bobActor := policy.UserActor(f.bob.ID, f.bob.Username, false, false)

+	got, _, err := search.SearchRepos(context.Background(), f.deps, bobActor,

+		search.ParseQuery("secrets"), 20, 0)

+	if err != nil {

+		t.Fatalf("SearchRepos: %v", err)

+	}

+	if len(got) != 0 {

+		t.Errorf("non-collab bob saw %d results for 'secrets', want 0", len(got))

+	}

+}

+

+// TestSearchRepos_OwnerSeesPrivate confirms the predicate's owner

+// branch.

+func TestSearchRepos_OwnerSeesPrivate(t *testing.T) {

+	f := setup(t)

+	alice := policy.UserActor(f.alice.ID, f.alice.Username, false, false)

+	got, _, err := search.SearchRepos(context.Background(), f.deps, alice,

+		search.ParseQuery("secrets"), 20, 0)

+	if err != nil {

+		t.Fatalf("SearchRepos: %v", err)

+	}

+	if len(got) == 0 {

+		t.Fatalf("owner alice should see her private repo for 'secrets'")

+	}

+}

+

+// TestSearchRepos_CollabSeesPrivate exercises the collaborator

+// branch of the visibility predicate.

+func TestSearchRepos_CollabSeesPrivate(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	pq := policydb.New()

+	if err := pq.UpsertCollabRole(ctx, f.deps.Pool, policydb.UpsertCollabRoleParams{

+		RepoID: f.prvRepo.ID, UserID: f.bob.ID, Role: policydb.CollabRoleRead,

+	}); err != nil {

+		t.Fatalf("UpsertCollabRole: %v", err)

+	}

+	bobActor := policy.UserActor(f.bob.ID, f.bob.Username, false, false)

+	got, _, err := search.SearchRepos(ctx, f.deps, bobActor,

+		search.ParseQuery("secrets"), 20, 0)

+	if err != nil {

+		t.Fatalf("SearchRepos: %v", err)

+	}

+	if len(got) == 0 {

+		t.Errorf("collab bob should see private repo via 'secrets'")

+	}

+}

+

+// TestSearchIssues_AnonymousSeesOnlyPublic mirrors the repo test

+// for the issue surface — issues inherit visibility from their repo.

+func TestSearchIssues_AnonymousSeesOnlyPublic(t *testing.T) {

+	f := setup(t)

+	got, _, err := search.SearchIssues(context.Background(), f.deps,

+		policy.AnonymousActor(),

+		search.ParseQuery("secret"),

+		"issue", 20, 0)

+	if err != nil {

+		t.Fatalf("SearchIssues: %v", err)

+	}

+	if len(got) != 0 {

+		t.Errorf("anonymous saw %d issues for 'secret', want 0 (private leak)", len(got))

+	}

+}

+

+func TestSearchIssues_StateFilter(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	alice := policy.UserActor(f.alice.ID, f.alice.Username, false, false)

+

+	// Open a second issue and close it.

+	idep := issues.Deps{Pool: f.deps.Pool, Logger: slog.New(slog.NewTextHandler(io.Discard, nil))}

+	closed, _ := issues.Create(ctx, idep, issues.CreateParams{

+		RepoID: f.pubRepo.ID, AuthorUserID: f.alice.ID,

+		Title: "closed bug", Body: "fixed",

+	})

+	if err := issues.SetState(ctx, idep, f.alice.ID, closed.ID, "closed", "completed"); err != nil {

+		t.Fatalf("SetState: %v", err)

+	}

+

+	openHits, _, _ := search.SearchIssues(ctx, f.deps, alice,

+		search.ParseQuery("is:open bug"), "", 20, 0)

+	for _, h := range openHits {

+		if h.State != "open" {

+			t.Errorf("is:open: got state=%s", h.State)

+		}

+	}

+	closedHits, _, _ := search.SearchIssues(ctx, f.deps, alice,

+		search.ParseQuery("is:closed bug"), "", 20, 0)

+	for _, h := range closedHits {

+		if h.State != "closed" {

+			t.Errorf("is:closed: got state=%s", h.State)

+		}

+	}

+}

+

+func TestSearchIssues_RepoFilter(t *testing.T) {

+	f := setup(t)

+	alice := policy.UserActor(f.alice.ID, f.alice.Username, false, false)

+	got, _, err := search.SearchIssues(context.Background(), f.deps, alice,

+		search.ParseQuery("repo:alice/publicrepo bug"), "", 20, 0)

+	if err != nil {

+		t.Fatalf("SearchIssues: %v", err)

+	}

+	for _, h := range got {

+		if h.OwnerUsername != "alice" || h.RepoName != "publicrepo" {

+			t.Errorf("repo: filter let through %s/%s", h.OwnerUsername, h.RepoName)

+		}

+	}

+}

+

+func TestSearchUsers_ExcludesSuspended(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	if _, err := f.deps.Pool.Exec(ctx,

+		"UPDATE users SET suspended_at = now() WHERE id = $1", f.bob.ID); err != nil {

+		t.Fatalf("suspend: %v", err)

+	}

+	got, _, err := search.SearchUsers(ctx, f.deps, search.ParseQuery("bob"), 20, 0)

+	if err != nil {

+		t.Fatalf("SearchUsers: %v", err)

+	}

+	for _, u := range got {

+		if u.Username == "bob" {

+			t.Errorf("suspended bob in user search results")

+		}

+	}

+}

+

+// TestSearchRepos_EmptyQuery surfaces the typed error so handlers

+// can render a friendly empty state rather than a SQL error.

+func TestSearchRepos_EmptyQuery(t *testing.T) {

+	f := setup(t)

+	_, _, err := search.SearchRepos(context.Background(), f.deps,

+		policy.AnonymousActor(), search.ParsedQuery{}, 20, 0)

+	if !errors.Is(err, search.ErrEmptyQuery) {

+		t.Errorf("expected ErrEmptyQuery, got %v", err)

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package search

+

+import (

+	"context"

+	"fmt"

+)

+

+// SearchUsers runs a user search. No visibility predicate — user

+// profiles are public by definition; suspended/deleted accounts are

+// excluded so they don't taint search results (matches the spec

+// pitfall: "search on suspended user content").

+func SearchUsers(ctx context.Context, deps Deps, q ParsedQuery, limit, offset int) ([]UserResult, int64, error) {

+	if !q.HasContent() {

+		return nil, 0, ErrEmptyQuery

+	}

+	tsText, tsCtor, hasFTS := tsQueryBindAndCtor(q)

+	if !hasFTS {

+		// Operators don't apply to user search; with no FTS payload

+		// there's nothing to match.

+		return nil, 0, nil

+	}

+

+	args := []any{tsText, limit, offset}

+	queryStr := fmt.Sprintf(`

+		SELECT u.id, u.username::text, u.display_name, coalesce(u.bio, ''),

+		       ts_rank_cd(s.tsv, %[1]s('shithub_search', $1)) AS rank

+		FROM users_search s

+		JOIN users u ON u.id = s.user_id

+		WHERE s.tsv @@ %[1]s('shithub_search', $1)

+		  AND u.suspended_at IS NULL

+		  AND u.deleted_at IS NULL

+		ORDER BY rank DESC, u.username

+		LIMIT $2 OFFSET $3

+	`, tsCtor)

+	rows, err := deps.Pool.Query(ctx, queryStr, args...)

+	if err != nil {

+		return nil, 0, fmt.Errorf("search users: %w", err)

+	}

+	defer rows.Close()

+	out := make([]UserResult, 0, limit)

+	for rows.Next() {

+		var r UserResult

+		if err := rows.Scan(&r.ID, &r.Username, &r.DisplayName, &r.Bio, &r.Rank); err != nil {

+			return nil, 0, err

+		}

+		out = append(out, r)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, 0, err

+	}

+

+	countQuery := fmt.Sprintf(`

+		SELECT count(*) FROM users_search s

+		JOIN users u ON u.id = s.user_id

+		WHERE s.tsv @@ %[1]s('shithub_search', $1)

+		  AND u.suspended_at IS NULL

+		  AND u.deleted_at IS NULL

+	`, tsCtor)

+	var total int64

+	if err := deps.Pool.QueryRow(ctx, countQuery, tsText).Scan(&total); err != nil {

+		return nil, 0, fmt.Errorf("count users: %w", err)

+	}

+	return out, total, nil

+}