fix(store): retry FTS5 parse errors with safe-quoted form (#209)

## Summary

Fixes #208 — `Store.Search` / `Store.SearchRanked` no longer surface
opaque `SQL logic error: ...` driver messages for adversarial input.

`rewriteQuery` short-circuits on FTS5 operator characters, passing input
verbatim to SQLite when any of `" : * ( OR AND NOT NEAR(` appears. Many
inputs that match that gate aren't valid FTS5 (`foo"`, `*`,
`"unterminated`, `foo:bar`) — SQLite raises a parse error that bubbles
to MCP clients as a 5xx-equivalent.

**Fix (issue option 2 — try-then-fall-back):** keep `rewriteQuery` and
its operator-passthrough contract unchanged; route `Search` /
`SearchRanked` through a new `queryFTS` that retries with safely-quoted
terms (`quoteAllTerms`) on FTS5 parse error.

- Preserves the advanced-query affordance for `label:foo`, `snap*`,
`"exact phrase"` (existing `TestRewriteQuery` rows still green).
- Adversarial input degrades to zero results instead of erroring.
- Retry trigger matches the `SQL logic error:` class modernc surfaces
FTS5 parse failures under (not `fts5: syntax error` — the actual driver
wording). The retry is idempotent for non-FTS5 logic errors, so real DB
issues still surface.

## Test plan

- [x] `TestQuoteAllTerms` — table-driven, covers `"` escape, single-char
ops, empty
- [x] `TestSearch_AdversarialInput` — 6 inputs from the issue table;
asserts `err == nil` for both `Search` and `SearchRanked`
- [x] `TestRewriteQuery` operator-passthrough contract preserved
(`label:snapshot`, `snap*`, `"exact phrase"`)
- [x] `make build`, `make test`, `gofmt -l`, `go vet ./pkg/store/...`
all green

Reviewed by `go-style-reviewer` (project subagent) + Codex (generic, via
`/forge ... codex`). Loop converged in 2 passes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: radimsem

pkg/store/search.go

@@ -12,7 +12,7 @@ type RankedNode struct {
 }
 
 func (s *Store) Search(ctx context.Context, query string, limit int) ([]*Node, error) {
-	rows, err := s.db.QueryContext(ctx, qSearchFTS, rewriteQuery(query), limit)
+	rows, err := s.queryFTS(ctx, qSearchFTS, query, limit)
 	if err != nil {
 		return nil, err
 	}
@@ -22,7 +22,7 @@ func (s *Store) Search(ctx context.Context, query string, limit int) ([]*Node, e
 }
 
 func (s *Store) SearchRanked(ctx context.Context, query string, limit int) ([]*RankedNode, error) {
-	rows, err := s.db.QueryContext(ctx, qSearchRanked, rewriteQuery(query), limit)
+	rows, err := s.queryFTS(ctx, qSearchRanked, query, limit)
 	if err != nil {
 		return nil, err
 	}
@@ -75,3 +75,39 @@ func rewriteQuery(q string) string {
 
 	return strings.Join(quoted, " OR ")
 }
+
+// Quote each term as an FTS5 phrase, escaping internal " as "" per FTS5 syntax.
+func quoteAllTerms(q string) string {
+	q = strings.TrimSpace(q)
+	if q == "" {
+		return q
+	}
+
+	terms := strings.Fields(q)
+	quoted := make([]string, len(terms))
+	for i, t := range terms {
+		quoted[i] = `"` + strings.ReplaceAll(t, `"`, `""`) + `"`
+	}
+
+	return strings.Join(quoted, " OR ")
+}
+
+// Match the SQLite logic-error class FTS5 parse failures arrive under in modernc.
+func isFTS5SyntaxError(err error) bool {
+	if err == nil {
+		return false
+	}
+	return strings.Contains(err.Error(), "SQL logic error:")
+}
+
+// Retry with safely-quoted terms on FTS5 parse error so adversarial input degrades to zero results.
+func (s *Store) queryFTS(ctx context.Context, stmt, q string, limit int) (*sql.Rows, error) {
+	rows, err := s.db.QueryContext(ctx, stmt, rewriteQuery(q), limit)
+	if err == nil {
+		return rows, nil
+	}
+	if !isFTS5SyntaxError(err) {
+		return nil, err
+	}
+	return s.db.QueryContext(ctx, stmt, quoteAllTerms(q), limit)
+}

pkg/store/store_test.go

@@ -1183,6 +1183,33 @@ func TestRewriteQuery(t *testing.T) {
 	}
 }
 
+func TestQuoteAllTerms(t *testing.T) {
+	tests := []struct {
+		in   string
+		want string
+	}{
+		{"", ""},
+		{"hello", `"hello"`},
+		{"hello world", `"hello" OR "world"`},
+		// Operator-bearing inputs that rewriteQuery would pass through verbatim
+		// are sanitized to well-formed FTS5 phrases here.
+		{`foo"`, `"foo"""`},
+		{`"unterminated`, `"""unterminated"`},
+		{"*", `"*"`},
+		{"(", `"("`},
+		{"foo:bar", `"foo:bar"`},
+		{"snap*", `"snap*"`},
+		{"ZEBRA-4471", `"ZEBRA-4471"`},
+	}
+
+	for _, tt := range tests {
+		got := quoteAllTerms(tt.in)
+		if got != tt.want {
+			t.Errorf("quoteAllTerms(%q) = %q, want %q", tt.in, got, tt.want)
+		}
+	}
+}
+
 func TestSearchMultiWord(t *testing.T) {
 	st := openTestDB(t)
 	ctx := context.Background()
@@ -1246,6 +1273,37 @@ func TestSearchPunctuation(t *testing.T) {
 	}
 }
 
+func TestSearch_AdversarialInput(t *testing.T) {
+	st := openTestDB(t)
+	ctx := context.Background()
+
+	n := testNode("aaaaaaaa", "")
+	n.Content = "the quick brown fox jumps over the lazy dog"
+	n.Label = "fox sentence"
+	must(t, st.UpsertNode(ctx, n))
+
+	// Inputs from issue #208 — operator-bearing but not valid FTS5. Pre-fix each
+	// surfaced an opaque "fts5: syntax error" from the driver; post-fix each
+	// must return cleanly (empty or matched), never an error.
+	inputs := []string{
+		`foo"`,
+		`foo(`,
+		`*`,
+		`"unterminated`,
+		`foo:bar`,
+		`(`,
+	}
+
+	for _, in := range inputs {
+		if _, err := st.Search(ctx, in, 10); err != nil {
+			t.Errorf("Search(%q): %v", in, err)
+		}
+		if _, err := st.SearchRanked(ctx, in, 10); err != nil {
+			t.Errorf("SearchRanked(%q): %v", in, err)
+		}
+	}
+}
+
 func TestListFileSummaries(t *testing.T) {
 	st := openTestDB(t)
 	ctx := context.Background()