Fix TUI registry browser and harden search API

- TUI: Use list_tools for browsing (no query), search_tools only when user enters a search term. Fixes 500 error on initial registry load. - API: Sanitize FTS5 queries by escaping special characters (* " ( ) etc) Prevents SQL errors from malformed search queries like "*" Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-13 20:36:21 -04:00 · 2026-01-13 20:36:21 -04:00 · 86d82fcd72
parent 19e5be7e5a
commit 86d82fcd72
2 changed files with 18 additions and 2 deletions
--- a/src/cmdforge/registry/app.py
+++ b/src/cmdforge/registry/app.py
@ -479,6 +479,15 @@ def create_app() -> Flask:
        query_text = request.args.get("q", "").strip()
        if not query_text:
            return error_response("VALIDATION_ERROR", "Missing search query")
+
+        # Sanitize query for FTS5 - escape special characters that cause syntax errors
+        # FTS5 special chars: * " ( ) : ^ - NOT AND OR NEAR
+        # For safety, we'll quote the entire query if it contains special chars
+        fts5_special = set('*"():^-')
+        if any(c in fts5_special for c in query_text) or query_text.upper() in ('NOT', 'AND', 'OR', 'NEAR'):
+            # Escape double quotes and wrap in quotes for literal search
+            query_text = '"' + query_text.replace('"', '""') + '"'
+
        page, per_page, sort, order, error = parse_pagination("/tools/search", "downloads")
        if error:
            return error
--- a/src/cmdforge/ui_urwid/init.py
+++ b/src/cmdforge/ui_urwid/init.py
@ -1465,12 +1465,19 @@ No explanations, no markdown fencing, just the code."""
        def do_search(_=None):
            query = search_edit.base_widget.edit_text.strip()
            self._registry_search_query = query
-            status_text.set_text(('label', f"Searching for '{query}'..."))
+            if query:
+                status_text.set_text(('label', f"Searching for '{query}'..."))
+            else:
+                status_text.set_text(('label', "Loading all tools..."))
            self.refresh()

            try:
                client = RegistryClient()
-                result = client.search_tools(query=query if query else "*", per_page=50)
+                # Use list_tools for browsing, search_tools only when there's a query
+                if query:
+                    result = client.search_tools(query=query, per_page=50)
+                else:
+                    result = client.list_tools(per_page=50)
                self._registry_tools = result.data

                # Update the list