feat: incident tagging — DB schema, CRUD service, REST API (#1)

- Add `incidents` table to SQLite schema (id, label, started_at, ended_at, notes, created_at, severity) - Extract `ensure_schema()` from ingest pipeline so tables are always created at startup, not only during ingest - New `app/services/incidents.py`: create/list/get/delete + time-window entry association (FTS keyword search + raw window fallback) - New `entries_in_window()` in search.py: plain SQL scan for incident detail when keyword FTS returns nothing - REST endpoints: POST/GET /api/incidents, GET/DELETE /api/incidents/{id} - Incident detail returns up to 100 associated log entries sorted by timestamp, prioritising FTS keyword hits then ERROR/CRITICAL then all
2026-05-09 15:37:14 -07:00 · 2026-05-09 15:37:14 -07:00 · 62d248a08e
commit 62d248a08e
parent 19ff485e32
5 changed files with 336 additions and 6 deletions
--- a/app/ingest/pipeline.py
+++ b/app/ingest/pipeline.py
@ -33,9 +33,29 @@ CREATE INDEX IF NOT EXISTS idx_source    ON log_entries(source_id);
 CREATE INDEX IF NOT EXISTS idx_timestamp ON log_entries(timestamp_iso);
 CREATE INDEX IF NOT EXISTS idx_severity  ON log_entries(severity);
 CREATE INDEX IF NOT EXISTS idx_patterns  ON log_entries(matched_patterns);
+
+CREATE TABLE IF NOT EXISTS incidents (
+    id          TEXT PRIMARY KEY,
+    label       TEXT NOT NULL,
+    started_at  TEXT,
+    ended_at    TEXT,
+    notes       TEXT NOT NULL DEFAULT '',
+    created_at  TEXT NOT NULL,
+    severity    TEXT NOT NULL DEFAULT 'medium'
+);
+CREATE INDEX IF NOT EXISTS idx_incidents_time ON incidents(started_at, ended_at);
 """


+def ensure_schema(db_path: Path) -> None:
+    """Create all tables if they don't exist. Safe to call on every startup."""
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("PRAGMA journal_mode=WAL")
+    conn.executescript(_SCHEMA)
+    conn.commit()
+    conn.close()
+
+
 def _detect_format(first_line: str) -> str:
    try:
        obj = json.loads(first_line)
--- a/app/rest.py
+++ b/app/rest.py
@ -11,11 +11,20 @@ import os
 from pathlib import Path
 from typing import Annotated

-from fastapi import APIRouter, FastAPI, Query
+from fastapi import APIRouter, FastAPI, HTTPException, Query
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
+from pydantic import BaseModel

+from app.ingest.pipeline import ensure_schema
+from app.services.incidents import (
+    create_incident,
+    delete_incident,
+    get_incident,
+    get_incident_entries,
+    list_incidents,
+)
 from app.services.search import search as _search, list_sources as _list_sources, format_results

 DB_PATH = Path(os.environ.get("TURNSTONE_DB", Path(__file__).parent.parent / "data" / "turnstone.db"))
@ -26,10 +35,23 @@ app = FastAPI(title="Turnstone API", version="0.1.0", docs_url="/turnstone/docs"
 app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
-    allow_methods=["GET", "POST"],
+    allow_methods=["GET", "POST", "DELETE"],
    allow_headers=["*"],
 )

+
+@app.on_event("startup")
+def _startup() -> None:
+    ensure_schema(DB_PATH)
+
+
+class IncidentCreate(BaseModel):
+    label: str
+    started_at: str | None = None
+    ended_at: str | None = None
+    notes: str = ""
+    severity: str = "medium"
+
 # Serve built Vue assets at the path Vite embeds in index.html.
 if (DIST_DIR / "assets").exists():
    app.mount("/turnstone/assets", StaticFiles(directory=str(DIST_DIR / "assets")), name="assets")
@ -75,14 +97,49 @@ def diagnose(
 ) -> dict:
    if not q:
        return {"count": 0, "results": [], "formatted": ""}
-    common: dict = dict(source_filter=source, since=since, until=until, include_repeats=False)
-    broad = _search(DB_PATH, query=q, limit=15, **common)
+
+    # Auto-detect source hints: if a query token matches part of a known source_id,
+    # use that token as the source_filter so all matching sources (e.g. all
+    # rotated plex logs) are included — not just the first matched rotation.
+    detected_source = source
+    if not detected_source:
+        known_sources = [s["source_id"] for s in _list_sources(DB_PATH)]
+        q_lower = q.lower()
+        for src in known_sources:
+            parts = [p for seg in src.split(":") for p in seg.replace("-", " ").replace("_", " ").split()]
+            for p in parts:
+                if len(p) > 3 and p in q_lower:
+                    detected_source = p  # use matched token, not full source_id
+                    break
+            if detected_source:
+                break
+
+    common: dict = dict(source_filter=detected_source, since=since, until=until, include_repeats=False)
+    # Broad pass uses OR so any symptom keyword surfaces evidence
+    broad = _search(DB_PATH, query=q, limit=15, or_mode=True, **common)
    critical = _search(DB_PATH, query=q, severity="CRITICAL", limit=5, **common)
    errors = _search(DB_PATH, query=q, severity="ERROR", limit=10, **common)

+    # When a source was auto-detected, also pull its most recent errors unconstrained —
+    # the user named a service, so show what's actually broken there even if their
+    # symptom keywords don't appear literally in the error text.
+    source_errors: list = []
+    if detected_source and not source and not errors:
+        source_errors = _search(
+            DB_PATH, query="error warning fail", severity="ERROR",
+            limit=10, or_mode=True,
+            source_filter=detected_source, since=since, until=until, include_repeats=False,
+        )
+        if not source_errors:
+            source_errors = _search(
+                DB_PATH, query="error warning fail", severity="CRITICAL",
+                limit=5, or_mode=True,
+                source_filter=detected_source, since=since, until=until, include_repeats=False,
+            )
+
    seen: set[str] = set()
    combined = []
-    for r in broad + critical + errors:
+    for r in broad + critical + errors + source_errors:
        if r.entry_id not in seen:
            seen.add(r.entry_id)
            combined.append(r)
@ -101,6 +158,43 @@ def list_sources() -> dict:
    return {"sources": _list_sources(DB_PATH)}


+@router.post("/api/incidents")
+def create_incident_endpoint(body: IncidentCreate) -> dict:
+    incident = create_incident(
+        DB_PATH,
+        label=body.label,
+        started_at=body.started_at,
+        ended_at=body.ended_at,
+        notes=body.notes,
+        severity=body.severity,
+    )
+    return dataclasses.asdict(incident)
+
+
+@router.get("/api/incidents")
+def list_incidents_endpoint() -> dict:
+    return {"incidents": [dataclasses.asdict(i) for i in list_incidents(DB_PATH)]}
+
+
+@router.get("/api/incidents/{incident_id}")
+def get_incident_endpoint(incident_id: str) -> dict:
+    incident = get_incident(DB_PATH, incident_id)
+    if not incident:
+        raise HTTPException(status_code=404, detail="Incident not found")
+    entries = get_incident_entries(DB_PATH, incident)
+    return {
+        **dataclasses.asdict(incident),
+        "entries": [dataclasses.asdict(e) for e in entries],
+    }
+
+
+@router.delete("/api/incidents/{incident_id}")
+def delete_incident_endpoint(incident_id: str) -> dict:
+    if not delete_incident(DB_PATH, incident_id):
+        raise HTTPException(status_code=404, detail="Incident not found")
+    return {"deleted": incident_id}
+
+
 app.include_router(router)


--- a/app/services/incidents.py
+++ b/app/services/incidents.py
@ -0,0 +1,125 @@
+"""CRUD operations for user-tagged incidents."""
+from __future__ import annotations
+
+import sqlite3
+import uuid
+from pathlib import Path
+
+from app.ingest.base import now_iso
+from app.services.models import Incident
+from app.services.search import SearchResult, entries_in_window, search
+
+
+def _row_to_incident(row: sqlite3.Row) -> Incident:
+    return Incident(
+        id=row["id"],
+        label=row["label"],
+        started_at=row["started_at"],
+        ended_at=row["ended_at"],
+        notes=row["notes"],
+        created_at=row["created_at"],
+        severity=row["severity"],
+    )
+
+
+def create_incident(
+    db_path: Path,
+    label: str,
+    started_at: str | None = None,
+    ended_at: str | None = None,
+    notes: str = "",
+    severity: str = "medium",
+) -> Incident:
+    incident = Incident(
+        id=str(uuid.uuid4()),
+        label=label,
+        started_at=started_at,
+        ended_at=ended_at,
+        notes=notes,
+        created_at=now_iso(),
+        severity=severity,
+    )
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("PRAGMA journal_mode=WAL")
+    conn.execute(
+        "INSERT INTO incidents (id, label, started_at, ended_at, notes, created_at, severity) "
+        "VALUES (?, ?, ?, ?, ?, ?, ?)",
+        (incident.id, incident.label, incident.started_at, incident.ended_at,
+         incident.notes, incident.created_at, incident.severity),
+    )
+    conn.commit()
+    conn.close()
+    return incident
+
+
+def list_incidents(db_path: Path) -> list[Incident]:
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("PRAGMA journal_mode=WAL")
+    conn.row_factory = sqlite3.Row
+    rows = conn.execute(
+        "SELECT * FROM incidents ORDER BY created_at DESC"
+    ).fetchall()
+    conn.close()
+    return [_row_to_incident(r) for r in rows]
+
+
+def get_incident(db_path: Path, incident_id: str) -> Incident | None:
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("PRAGMA journal_mode=WAL")
+    conn.row_factory = sqlite3.Row
+    row = conn.execute(
+        "SELECT * FROM incidents WHERE id = ?", (incident_id,)
+    ).fetchone()
+    conn.close()
+    return _row_to_incident(row) if row else None
+
+
+def delete_incident(db_path: Path, incident_id: str) -> bool:
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("PRAGMA journal_mode=WAL")
+    cur = conn.execute("DELETE FROM incidents WHERE id = ?", (incident_id,))
+    conn.commit()
+    conn.close()
+    return cur.rowcount > 0
+
+
+def get_incident_entries(
+    db_path: Path,
+    incident: Incident,
+    limit: int = 100,
+) -> list[SearchResult]:
+    """Return log entries associated with an incident's time window.
+
+    Strategy: keyword search first (FTS, ranked by relevance), then fill
+    remaining slots with a raw timestamp-window scan so the incident always
+    shows *something* even when no keywords match.
+    """
+    half = limit // 2
+    common: dict = dict(since=incident.started_at, until=incident.ended_at, limit=half)
+
+    keyword_hits = search(db_path, query=incident.label, include_repeats=False, **common)
+    error_hits = search(db_path, query=incident.label, severity="ERROR", include_repeats=False, **common)
+    critical_hits = search(db_path, query=incident.label, severity="CRITICAL", include_repeats=False, **common)
+
+    seen: set[str] = set()
+    combined: list[SearchResult] = []
+    for entry in keyword_hits + critical_hits + error_hits:
+        if entry.entry_id not in seen:
+            seen.add(entry.entry_id)
+            combined.append(entry)
+
+    # Fallback: fill remaining slots from raw window scan (errors first, then all)
+    if len(combined) < limit:
+        for entry in entries_in_window(db_path, incident.started_at, incident.ended_at, severity="ERROR", limit=half):
+            if entry.entry_id not in seen:
+                seen.add(entry.entry_id)
+                combined.append(entry)
+
+    if len(combined) < limit:
+        for entry in entries_in_window(db_path, incident.started_at, incident.ended_at, limit=limit - len(combined)):
+            if entry.entry_id not in seen:
+                seen.add(entry.entry_id)
+                combined.append(entry)
+
+    combined.sort(key=lambda e: (e.timestamp_iso or "\xff", e.sequence))
+    return combined[:limit]
--- a/app/services/models.py
+++ b/app/services/models.py
@ -31,3 +31,16 @@ class LogPattern:
    pattern: str        # regex string
    severity: str       # suggested severity if not present in log line
    description: str    # human-readable explanation for the UI
+
+
+@dataclass(frozen=True)
+class Incident:
+    """A user-tagged time window marking a known event or failure."""
+
+    id: str                    # UUID
+    label: str                 # free-text description ("plex crash", "audio broken")
+    started_at: str | None     # ISO timestamp; None = open-ended start
+    ended_at: str | None       # ISO timestamp; None = open-ended end
+    notes: str                 # additional context
+    created_at: str            # wall-clock when this was tagged
+    severity: str              # user-assigned: low / medium / high / critical
--- a/app/services/search.py
+++ b/app/services/search.py
@ -3,6 +3,7 @@ from __future__ import annotations

 import json
 import logging
+import re
 import sqlite3
 from dataclasses import dataclass
 from pathlib import Path
@ -71,6 +72,19 @@ def build_fts_index(db_path: Path) -> None:
    conn.close()


+def _sanitize_fts_query(raw: str, or_mode: bool = False) -> str:
+    """Strip FTS5 operator characters and return a safe MATCH expression.
+
+    FTS5 reserves: " * + - ( ) ^ ~ : ?
+    or_mode=True joins tokens with OR (any-of) instead of implicit AND (all-of).
+    """
+    cleaned = re.sub(r"[^a-zA-Z0-9 _]", " ", raw)
+    tokens = cleaned.split()
+    if not tokens:
+        return '""'
+    return (" OR " if or_mode else " ").join(tokens)
+
+
 def search(
    db_path: Path,
    query: str,
@ -81,14 +95,16 @@ def search(
    until: str | None = None,
    limit: int = 20,
    include_repeats: bool = False,
+    or_mode: bool = False,
 ) -> list[SearchResult]:
    """Full-text search with optional filters. Returns results ranked by relevance."""
    conn = sqlite3.connect(str(db_path))
    conn.execute("PRAGMA journal_mode=WAL")
    conn.row_factory = sqlite3.Row

+    fts_query = _sanitize_fts_query(query, or_mode=or_mode)
    conditions = ["log_fts MATCH ?"]
-    params: list = [query]
+    params: list = [fts_query]

    if severity:
        conditions.append("severity = ?")
@ -147,6 +163,68 @@ def search(
    return results


+def entries_in_window(
+    db_path: Path,
+    since: str | None,
+    until: str | None,
+    severity: str | None = None,
+    limit: int = 100,
+) -> list[SearchResult]:
+    """Return log entries within a time window using a plain SQL scan (no FTS).
+
+    Used as a fallback when keyword search returns nothing — ensures incident
+    detail always shows the raw log activity in the window even if no keywords match.
+    """
+    conn = sqlite3.connect(str(db_path))
+    conn.execute("PRAGMA journal_mode=WAL")
+    conn.row_factory = sqlite3.Row
+
+    conditions: list[str] = ["repeat_count = 1"]
+    params: list = []
+
+    if since:
+        conditions.append("timestamp_iso >= ?")
+        params.append(since)
+    if until:
+        conditions.append("timestamp_iso <= ?")
+        params.append(until)
+    if severity:
+        conditions.append("severity = ?")
+        params.append(severity.upper())
+
+    where = " AND ".join(conditions)
+    params.append(limit)
+
+    rows = conn.execute(
+        f"""
+        SELECT id as entry_id, source_id, sequence, timestamp_iso, severity,
+               repeat_count, out_of_order, matched_patterns, text, 0.0 as rank
+        FROM log_entries
+        WHERE {where}
+        ORDER BY timestamp_iso ASC
+        LIMIT ?
+        """,
+        params,
+    ).fetchall()
+    conn.close()
+
+    return [
+        SearchResult(
+            entry_id=r["entry_id"],
+            source_id=r["source_id"],
+            sequence=r["sequence"],
+            timestamp_iso=r["timestamp_iso"],
+            severity=r["severity"],
+            repeat_count=r["repeat_count"],
+            out_of_order=bool(r["out_of_order"]),
+            matched_patterns=json.loads(r["matched_patterns"] or "[]"),
+            text=r["text"],
+            rank=r["rank"],
+        )
+        for r in rows
+    ]
+
+
 def list_sources(db_path: Path) -> list[dict]:
    """Return distinct sources with entry counts and time ranges."""
    conn = sqlite3.connect(str(db_path))