feat: full-text search across pages (#30) (#53)

* feat: full-text search across pages (#30)

Co-authored-by: Ona <no-reply@ona.com>

* chore: re-trigger PR review

Co-authored-by: Ona <no-reply@ona.com>

* fix(search): add membership guard to search_pages RPC and add API tests

- Add auth.uid() membership check in search_pages before executing query,
  preventing cross-workspace search by unauthenticated workspace members
- Add integration tests for GET /api/search covering all code paths:
  503 (not configured), 400 (missing params, query too long), 401 (unauth),
  500 (RPC error), 200 (results and empty results)

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>

Author: zacharias-ona

.agents/architecture.md

@@ -46,7 +46,8 @@ workspaces
         ├── parent_id → pages.id (nullable, enables nesting)
         ├── content: jsonb (Lexical editor state — NOT a separate blocks table)
         ├── position: integer (ordering among siblings)
-        └── created_by → profiles.id
+        ├── created_by → profiles.id
+        └── search_vector: tsvector (generated, title weight A + content text weight B, GIN indexed)
 
 Sign-up flow (atomic, via DB trigger):
   1. auth.users row created by Supabase Auth
@@ -70,7 +71,7 @@ Sign-up flow (atomic, via DB trigger):
 | Session management | Next.js 16 proxy (not middleware) | `src/proxy.ts` with `updateSession` — Next.js 16 convention replacing middleware |
 | Floating UI | `@floating-ui/react` | Positioning for slash command menu, floating toolbar, link editor (same as Lexical playground) |
 | Image storage | Supabase Storage | Bucket for uploaded images, public URL stored in ImageNode |
-| Full-text search | PostgreSQL `tsvector` + `tsquery` | Generated column or trigger on page title + extracted content text |
+| Full-text search | PostgreSQL `tsvector` + `tsquery` | Generated column on pages combining title (weight A) + extracted content text (weight B), GIN index, `search_pages` RPC |
 
 ## Lexical Editor — Implementation Plan
 
@@ -158,7 +159,8 @@ src/
 │   │       ├── page.tsx    # /[workspaceSlug] — workspace home (page list or empty state)
 │   │       └── [pageId]/page.tsx  # /[workspaceSlug]/[pageId] — page with title + editor placeholder
 │   └── api/
-│       └── health/route.ts # Health check endpoint (DB connectivity)
+│       ├── health/route.ts # Health check endpoint (DB connectivity)
+│       └── search/route.ts # Full-text search (GET ?q=&workspace_id=) → calls search_pages RPC
 ├── components/
 │   ├── auth/
 │   │   ├── oauth-buttons.tsx    # GitHub + Google buttons (disabled, "coming soon" tooltip)
@@ -169,6 +171,7 @@ src/
 │   │   ├── sidebar-context.tsx  # React context for sidebar open/close state + ⌘+\ shortcut
 │   │   ├── workspace-switcher.tsx # Dropdown listing all workspaces, create workspace trigger
 │   │   ├── create-workspace-dialog.tsx # Dialog for creating a new workspace
+│   │   ├── page-search.tsx      # Full-text search input + results dropdown (debounced, 300ms)
 │   │   ├── page-tree.tsx        # Hierarchical page tree with CRUD, drag-and-drop, nest/unnest
 │   │   └── user-menu.tsx        # User dropdown with settings link + sign-out
 │   ├── editor/                  # Lexical block editor

.agents/conventions.md

@@ -404,6 +404,7 @@ await supabase.auth.signUp({
 });
 ```
 
+<<<<<<< HEAD
 ## Lexical Editor Plugins
 
 Editor plugins live in `src/components/editor/`. Each plugin is a separate file with
@@ -517,6 +518,27 @@ toast.error("Something went wrong", { duration: 8000 });
 Per design spec: toasts use `rounded-sm`, position bottom-right. Only show toasts for
 errors, async completions, and destructive actions with undo — not for routine actions.
 
+## Supabase RPC (database functions)
+
+When a query requires features not available through the Supabase query builder
+(e.g., `ts_rank`, `ts_headline`, complex joins with computed columns), create a
+PostgreSQL function and call it via `supabase.rpc()`.
+
+```typescript
+// Calling an RPC function from a route handler
+const { data, error } = await supabase.rpc("search_pages", {
+  query: "search term",
+  ws_id: workspaceId,
+  result_limit: 20,
+});
+```
+
+Rules:
+- Define the function in a migration with `security definer` and `set search_path = ''`.
+- Use `stable` for read-only functions, `volatile` for mutations.
+- Keep the function focused — one purpose per function.
+- Return a `table(...)` type for multi-row results so the client gets typed arrays.
+
 ## This file evolves
 
 When you discover a new pattern that should be replicated, or an anti-pattern that

src/app/api/search/route.test.ts

@@ -0,0 +1,165 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+
+// Mock next/headers cookies before importing the route
+vi.mock("next/headers", () => ({
+  cookies: vi.fn().mockResolvedValue({
+    getAll: () => [],
+    set: vi.fn(),
+  }),
+}));
+
+// Mock the Supabase server client
+vi.mock("@/lib/supabase/server", () => ({
+  createClient: vi.fn(),
+}));
+
+import { GET } from "./route";
+import { createClient } from "@/lib/supabase/server";
+
+const mockedCreateClient = vi.mocked(createClient);
+
+function makeRequest(params: Record<string, string> = {}): NextRequest {
+  const url = new URL("http://localhost:3000/api/search");
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.set(key, value);
+  }
+  return new NextRequest(url);
+}
+
+beforeEach(() => {
+  vi.restoreAllMocks();
+  process.env.NEXT_PUBLIC_SUPABASE_URL = "https://example.supabase.co";
+  process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY = "test-key";
+});
+
+describe("GET /api/search", () => {
+  it("returns 503 when Supabase is not configured", async () => {
+    delete process.env.NEXT_PUBLIC_SUPABASE_URL;
+
+    const response = await GET(makeRequest({ q: "test", workspace_id: "ws-1" }) );
+    const body = await response.json();
+
+    expect(response.status).toBe(503);
+    expect(body.error).toBe("Supabase not configured");
+  });
+
+  it("returns 400 when q parameter is missing", async () => {
+    const response = await GET(makeRequest({ workspace_id: "ws-1" }) );
+    const body = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(body.error).toContain("Missing required parameters");
+  });
+
+  it("returns 400 when workspace_id parameter is missing", async () => {
+    const response = await GET(makeRequest({ q: "test" }) );
+    const body = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(body.error).toContain("Missing required parameters");
+  });
+
+  it("returns 400 when query exceeds 200 characters", async () => {
+    const longQuery = "a".repeat(201);
+    const response = await GET(
+      makeRequest({ q: longQuery, workspace_id: "ws-1" }) as never,
+    );
+    const body = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(body.error).toContain("Query too long");
+  });
+
+  it("returns 401 when user is not authenticated", async () => {
+    const mockGetUser = vi.fn().mockResolvedValue({ data: { user: null } });
+    mockedCreateClient.mockResolvedValue({
+      auth: { getUser: mockGetUser },
+    } as unknown as Awaited<ReturnType<typeof createClient>>);
+
+    const response = await GET(
+      makeRequest({ q: "test", workspace_id: "ws-1" }) as never,
+    );
+    const body = await response.json();
+
+    expect(response.status).toBe(401);
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  it("returns 500 when RPC call fails", async () => {
+    const mockGetUser = vi
+      .fn()
+      .mockResolvedValue({ data: { user: { id: "user-1" } } });
+    const mockRpc = vi
+      .fn()
+      .mockResolvedValue({ data: null, error: { message: "RPC error" } });
+    mockedCreateClient.mockResolvedValue({
+      auth: { getUser: mockGetUser },
+      rpc: mockRpc,
+    } as unknown as Awaited<ReturnType<typeof createClient>>);
+
+    const response = await GET(
+      makeRequest({ q: "test", workspace_id: "ws-1" }) as never,
+    );
+    const body = await response.json();
+
+    expect(response.status).toBe(500);
+    expect(body.error).toBe("Search failed");
+    expect(mockRpc).toHaveBeenCalledWith("search_pages", {
+      query: "test",
+      ws_id: "ws-1",
+      result_limit: 20,
+    });
+  });
+
+  it("returns 200 with results on success", async () => {
+    const mockResults = [
+      {
+        id: "page-1",
+        workspace_id: "ws-1",
+        parent_id: null,
+        title: "Test Page",
+        icon: "📄",
+        snippet: "<<test>> content here",
+        rank: 0.5,
+      },
+    ];
+    const mockGetUser = vi
+      .fn()
+      .mockResolvedValue({ data: { user: { id: "user-1" } } });
+    const mockRpc = vi
+      .fn()
+      .mockResolvedValue({ data: mockResults, error: null });
+    mockedCreateClient.mockResolvedValue({
+      auth: { getUser: mockGetUser },
+      rpc: mockRpc,
+    } as unknown as Awaited<ReturnType<typeof createClient>>);
+
+    const response = await GET(
+      makeRequest({ q: "test", workspace_id: "ws-1" }) as never,
+    );
+    const body = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(body.results).toEqual(mockResults);
+  });
+
+  it("returns 200 with empty array when no results", async () => {
+    const mockGetUser = vi
+      .fn()
+      .mockResolvedValue({ data: { user: { id: "user-1" } } });
+    const mockRpc = vi.fn().mockResolvedValue({ data: null, error: null });
+    mockedCreateClient.mockResolvedValue({
+      auth: { getUser: mockGetUser },
+      rpc: mockRpc,
+    } as unknown as Awaited<ReturnType<typeof createClient>>);
+
+    const response = await GET(
+      makeRequest({ q: "test", workspace_id: "ws-1" }) as never,
+    );
+    const body = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(body.results).toEqual([]);
+  });
+});

src/app/api/search/route.ts

@@ -0,0 +1,61 @@
+import { NextResponse, type NextRequest } from "next/server";
+import { createClient } from "@/lib/supabase/server";
+
+export async function GET(request: NextRequest) {
+  if (
+    !process.env.NEXT_PUBLIC_SUPABASE_URL ||
+    !process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY
+  ) {
+    return NextResponse.json(
+      { error: "Supabase not configured" },
+      { status: 503 }
+    );
+  }
+
+  const { searchParams } = request.nextUrl;
+  const query = searchParams.get("q")?.trim();
+  const workspaceId = searchParams.get("workspace_id");
+
+  if (!query || !workspaceId) {
+    return NextResponse.json(
+      { error: "Missing required parameters: q, workspace_id" },
+      { status: 400 }
+    );
+  }
+
+  if (query.length > 200) {
+    return NextResponse.json(
+      { error: "Query too long (max 200 characters)" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    const supabase = await createClient();
+
+    const { data: user } = await supabase.auth.getUser();
+    if (!user.user) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const { data, error } = await supabase.rpc("search_pages", {
+      query,
+      ws_id: workspaceId,
+      result_limit: 20,
+    });
+
+    if (error) {
+      return NextResponse.json(
+        { error: "Search failed" },
+        { status: 500 }
+      );
+    }
+
+    return NextResponse.json({ results: data ?? [] });
+  } catch {
+    return NextResponse.json(
+      { error: "Internal server error" },
+      { status: 500 }
+    );
+  }
+}

src/components/sidebar/app-sidebar.tsx

@@ -10,6 +10,7 @@ import {
 } from "@/components/ui/sheet";
 import { useSidebar } from "@/components/sidebar/sidebar-context";
 import { WorkspaceSwitcher } from "@/components/sidebar/workspace-switcher";
+import { PageSearch } from "@/components/sidebar/page-search";
 import { PageTree } from "@/components/sidebar/page-tree";
 import { UserMenu } from "@/components/sidebar/user-menu";
 
@@ -28,6 +29,8 @@ function SidebarContent({
     <div className="flex h-full flex-col gap-2 p-2">
       <WorkspaceSwitcher userId={userId} />
       <Separator className="bg-white/[0.06]" />
+      <PageSearch />
+      <Separator className="bg-white/[0.06]" />
       <PageTree userId={userId} />
       <Separator className="bg-white/[0.06]" />
       <UserMenu displayName={displayName} email={email} />