feat(search): implement advanced query builder and parser

- Added a new `QueryBuilder` component for constructing complex search queries with AND/OR logic.
- Introduced a `parseSearchQuery` function to parse raw search strings into structured terms and groups.
- Created a `search-query-builder` module to generate SQL conditions for ClickHouse based on parsed queries.
- Enhanced the `useSearch` hook to utilize the new query parsing logic for detecting search types.
- Implemented support for field prefixes (e.g., domain:, user:) and various match types (exact, contains, wildcard).
- Added UI components for managing search terms and exclusions, including term pills and inline input fields.
- Updated the overall search functionality to accommodate the new query structure and improve user experience.

Author: mastomii

app/api/domain-recon/credentials/route.ts

@@ -2,6 +2,8 @@ import { NextRequest, NextResponse } from "next/server"
 import { executeQuery as executeClickHouseQuery } from "@/lib/clickhouse"
 import { validateRequest } from "@/lib/auth"
 import { throwIfAborted, getRequestSignal, handleAbortError } from "@/lib/api-helpers"
+import { parseSearchQuery } from "@/lib/query-parser"
+import { buildDomainReconCondition, buildKeywordReconCondition } from "@/lib/search-query-builder"
 
 export async function POST(request: NextRequest) {
   // ✅ Check abort VERY EARLY - before validateRequest
@@ -24,11 +26,13 @@ export async function POST(request: NextRequest) {
     }
 
     // Normalize Domain
-    let cleanDomain = targetDomain.trim().toLowerCase()
-    cleanDomain = cleanDomain.replace(/^https?:\/\//, '').replace(/^www\./, '').split('/')[0].split(':')[0]
+    const cleanDomain = targetDomain.trim().toLowerCase()
+
+    // Parse query for operator support (OR, NOT, wildcard, exact)
+    const parsed = parseSearchQuery(cleanDomain)
 
     // Cleaner log: only show search if present
-    const logData: any = { type: searchType, domain: cleanDomain }
+    const logData: any = { type: searchType, domain: cleanDomain, terms: parsed.terms.length }
     if (searchQuery && searchQuery.trim()) {
       logData.search = searchQuery.trim()
     }
@@ -41,7 +45,7 @@ export async function POST(request: NextRequest) {
     throwIfAborted(request)
 
     // Call the new data getter function
-    const credentialsData = await getCredentialsDataOptimized(cleanDomain, filters, pagination, searchQuery, searchType, body.keywordMode, signal)
+    const credentialsData = await getCredentialsDataOptimized(parsed, filters, pagination, searchQuery, searchType, body.keywordMode, signal)
 
     // Check abort after operations
     throwIfAborted(request)
@@ -71,7 +75,7 @@ export async function POST(request: NextRequest) {
 }
 
 async function getCredentialsDataOptimized(
-  query: string,
+  parsed: import("@/lib/query-parser").ParsedQuery,
   filters?: any,
   pagination?: any,
   searchQuery?: string,
@@ -99,44 +103,19 @@ async function getCredentialsDataOptimized(
   // ==========================================
   // 1. BUILD PREWHERE (Main Table Filters)
   // ==========================================
-  // PREWHERE is the key to speed in ClickHouse. 
-  // It filters before JOIN and before reading heavy columns.
+  // Use the shared query builder for the main domain/keyword condition
 
   const prewhereConditions: string[] = []
   const params: Record<string, any> = {}
 
   if (searchType === 'domain') {
-    // DOMAIN OPTIMIZATION:
-    // 1. Check Exact Match domain
-    // 2. Check Subdomain using endsWith (much faster than ilike/regex)
-    // 3. Fallback to URL pattern match only if needed
-    
-    params['targetDomain'] = query
-    params['dotTargetDomain'] = '.' + query
-    
-    // Logic: Domain column exact match OR Domain column ends with .target.com
-    // This leverages suffix index if available, or at least fast string scan
-    prewhereConditions.push(`(
-      c.domain = {targetDomain:String} OR 
-      endsWith(c.domain, {dotTargetDomain:String}) OR
-      c.url ilike {urlPattern:String} 
-    )`)
-    // Fallback URL pattern for catch-all
-    params['urlPattern'] = `%${query}%`
-
+    const built = buildDomainReconCondition(parsed, { notNullCheck: false })
+    prewhereConditions.push(`(${built.condition})`)
+    Object.assign(params, built.params)
   } else {
-    // KEYWORD SEARCH
-    params['keyword'] = query
-    params['likeKeyword'] = `%${query}%`
-    
-    if (keywordMode === 'domain-only') {
-      prewhereConditions.push(`(c.domain ilike {likeKeyword:String})`)
-    } else {
-      // Optimization: multiSearchAnyCase is faster than OR OR OR
-      // But for simplicity and param binding, we use ilike in PREWHERE 
-      // because PREWHERE already significantly reduces cost.
-      prewhereConditions.push(`(c.url ilike {likeKeyword:String} OR c.domain ilike {likeKeyword:String})`)
-    }
+    const built = buildKeywordReconCondition(parsed, keywordMode)
+    prewhereConditions.push(`(${built.condition})`)
+    Object.assign(params, built.params)
   }
 
   // Additional Filters to PREWHERE (To filter faster at the start)

app/api/domain-recon/overview/route.ts

@@ -2,59 +2,8 @@ import { NextRequest, NextResponse } from "next/server"
 import { executeQuery as executeClickHouseQuery } from "@/lib/clickhouse"
 import { validateRequest } from "@/lib/auth"
 import { throwIfAborted, getRequestSignal, handleAbortError } from "@/lib/api-helpers"
-
-/**
- * Build WHERE clause for domain matching (ClickHouse version)
- * Uses named parameters
- */
-function buildDomainWhereClause(targetDomain: string): { whereClause: string; params: Record<string, string> } {
-  const whereClause = `WHERE (
-    c.domain = {domain:String} OR 
-    c.domain ilike concat('%.', {domain:String}) OR
-    c.url ilike {pattern1:String} OR
-    c.url ilike {pattern2:String} OR
-    c.url ilike {pattern3:String} OR
-    c.url ilike {pattern4:String}
-  ) AND c.domain IS NOT NULL`
-  
-  return {
-    whereClause,
-    params: {
-      domain: targetDomain,
-      pattern1: `%://${targetDomain}/%`,
-      pattern2: `%://${targetDomain}:%`,
-      pattern3: `%://%.${targetDomain}/%`,
-      pattern4: `%://%.${targetDomain}:%`
-    }
-  }
-}
-
-/**
- * Build WHERE clause for keyword search (ClickHouse version)
- */
-function buildKeywordWhereClause(keyword: string, mode: 'domain-only' | 'full-url' = 'full-url'): { whereClause: string; params: Record<string, string> } {
-  if (mode === 'domain-only') {
-    // Extract hostname safe logic without Arrays
-    // IMPORTANT: Use domain() native function with fallback extract() regex
-    const hostnameExpr = `if(
-      length(domain(c.url)) > 0,
-      domain(c.url),
-      extract(c.url, '^(?:https?://)?([^/:]+)')
-    )`
-    
-    const whereClause = `WHERE ${hostnameExpr} ilike {keyword:String} AND c.url IS NOT NULL`
-    return {
-      whereClause,
-      params: { keyword: `%${keyword}%` }
-    }
-  } else {
-    const whereClause = `WHERE c.url ilike {keyword:String} AND c.url IS NOT NULL`
-    return {
-      whereClause,
-      params: { keyword: `%${keyword}%` }
-    }
-  }
-}
+import { parseSearchQuery } from "@/lib/query-parser"
+import { buildDomainReconCondition, buildKeywordReconCondition } from "@/lib/search-query-builder"
 
 export async function POST(request: NextRequest) {
   // ✅ Check abort VERY EARLY - before validateRequest
@@ -80,19 +29,19 @@ export async function POST(request: NextRequest) {
     const signal = getRequestSignal(request)
 
     let whereClause = ''
-    let params: Record<string, string> = {}
+    let params: Record<string, unknown> = {}
 
     if (searchType === 'keyword') {
       const keyword = targetDomain.trim()
       const keywordMode = body.keywordMode || 'full-url'
-      const built = buildKeywordWhereClause(keyword, keywordMode)
-      whereClause = built.whereClause
+      const parsed = parseSearchQuery(keyword)
+      const built = buildKeywordReconCondition(parsed, keywordMode)
+      whereClause = `WHERE ${built.condition}`
       params = built.params
     } else {
-    let normalizedDomain = targetDomain.trim().toLowerCase()
-      normalizedDomain = normalizedDomain.replace(/^https?:\/\//, '').replace(/^www\./, '').split('/')[0].split(':')[0]
-      const built = buildDomainWhereClause(normalizedDomain)
-      whereClause = built.whereClause
+      const parsed = parseSearchQuery(targetDomain)
+      const built = buildDomainReconCondition(parsed, { notNullCheck: true })
+      whereClause = `WHERE ${built.condition}`
       params = built.params
     }
 
@@ -229,7 +178,7 @@ export async function POST(request: NextRequest) {
   }
 }
 
-async function getTimelineData(whereClause: string, params: Record<string, string>, granularity: string, signal?: AbortSignal) {
+async function getTimelineData(whereClause: string, params: Record<string, unknown>, granularity: string, signal?: AbortSignal) {
   // OPTIMIZED DATE PARSING STRATEGY (POST-NORMALIZATION)
   // After normalization, log_date is already in standard YYYY-MM-DD format
   // Query becomes very simple and fast - directly toDate() without complex parsing
@@ -315,7 +264,7 @@ async function getTimelineData(whereClause: string, params: Record<string, strin
 
 async function getTopSubdomains(
   whereClause: string, 
-  params: Record<string, string>, 
+  params: Record<string, unknown>, 
   limit: number,
   searchType: string,
   keywordMode: string,
@@ -355,7 +304,7 @@ async function getTopSubdomains(
   }))
 }
 
-async function getTopPaths(whereClause: string, params: Record<string, string>, limit: number, signal?: AbortSignal) {
+async function getTopPaths(whereClause: string, params: Record<string, unknown>, limit: number, signal?: AbortSignal) {
   // SECURITY: Validate limit parameter
   const safeLimit = Math.min(1000, Math.max(1, Math.floor(Number(limit)) || 10))
 

app/api/domain-recon/passwords/route.ts

@@ -2,61 +2,8 @@ import { NextRequest, NextResponse } from "next/server"
 import { executeQuery as executeClickHouseQuery } from "@/lib/clickhouse"
 import { validateRequest } from "@/lib/auth"
 import { throwIfAborted, getRequestSignal, handleAbortError } from "@/lib/api-helpers"
-
-/**
- * Build WHERE clause for domain matching that supports subdomains (ClickHouse version)
- * OPTIMIZED: Avoid heavy string manipulation in SQL
- * Uses named parameters for ClickHouse
- */
-function buildDomainWhereClause(targetDomain: string): { whereClause: string; params: Record<string, string> } {
-  // Use ilike for case-insensitive matching (data in DB might be mixed case)
-  const whereClause = `WHERE (
-    c.domain = {domain:String} OR 
-    c.domain ilike concat('%.', {domain:String}) OR
-    c.url ilike {pattern1:String} OR
-    c.url ilike {pattern2:String}
-  ) AND c.domain IS NOT NULL`
-  
-  return {
-    whereClause,
-    params: {
-      domain: targetDomain,                              // Exact domain match
-      pattern1: `%://${targetDomain}/%`,                   // Match: https://target.com/
-      pattern2: `%://${targetDomain}:%`                    // Match: https://target.com:8080/
-    }
-  }
-}
-
-/**
- * Build WHERE clause for keyword search (ClickHouse version)
- * OPTIMIZED: Use simple LIKE instead of heavy string manipulation
- * Uses ilike for case-insensitive search
- */
-function buildKeywordWhereClause(keyword: string, mode: 'domain-only' | 'full-url' = 'full-url'): { whereClause: string; params: Record<string, string> } {
-  if (mode === 'domain-only') {
-    // For domain-only, check both domain column and URL (ClickHouse: use ilike)
-    const whereClause = `WHERE (
-      c.domain ilike {keyword:String} OR
-      c.url ilike {pattern1:String} OR
-      c.url ilike {pattern2:String}
-    ) AND c.url IS NOT NULL`
-    return {
-      whereClause,
-      params: {
-        keyword: `%${keyword}%`,           // Domain column contains keyword
-        pattern1: `%://%${keyword}%/%`,     // URL contains keyword in hostname
-        pattern2: `%://%${keyword}%:%`       // URL contains keyword in hostname with port
-      }
-    }
-  } else {
-    // Full URL mode: search keyword anywhere in URL (ClickHouse: use ilike)
-    const whereClause = `WHERE c.url ilike {keyword:String} AND c.url IS NOT NULL`
-    return {
-      whereClause,
-      params: { keyword: `%${keyword}%` }
-    }
-  }
-}
+import { parseSearchQuery } from "@/lib/query-parser"
+import { buildDomainReconCondition, buildKeywordReconCondition } from "@/lib/search-query-builder"
 
 export async function POST(request: NextRequest) {
   // ✅ Check abort VERY EARLY - before validateRequest
@@ -82,24 +29,20 @@ export async function POST(request: NextRequest) {
     const signal = getRequestSignal(request)
 
     let whereClause: string
-    let params: Record<string, string>
+    let params: Record<string, unknown>
 
     if (searchType === 'keyword') {
       const keyword = targetDomain.trim()
       const mode = keywordMode || 'full-url'
-      const result = buildKeywordWhereClause(keyword, mode)
-      whereClause = result.whereClause
-      params = result.params
+      const parsed = parseSearchQuery(keyword)
+      const built = buildKeywordReconCondition(parsed, mode)
+      whereClause = `WHERE ${built.condition}`
+      params = built.params
     } else {
-      let normalizedDomain = targetDomain.trim().toLowerCase()
-      normalizedDomain = normalizedDomain.replace(/^https?:\/\//, '')
-      normalizedDomain = normalizedDomain.replace(/^www\./, '')
-      normalizedDomain = normalizedDomain.replace(/\/$/, '')
-      normalizedDomain = normalizedDomain.split('/')[0].split(':')[0]
-
-      const result = buildDomainWhereClause(normalizedDomain)
-      whereClause = result.whereClause
-      params = result.params
+      const parsed = parseSearchQuery(targetDomain)
+      const built = buildDomainReconCondition(parsed, { notNullCheck: true })
+      whereClause = `WHERE ${built.condition}`
+      params = built.params
     }
 
     // Check abort before expensive operations