feat: GraphQL filtering, sorting, search & pagination

.agents/skills/deploy-railway/SKILL.md

@@ -0,0 +1,143 @@
+---
+name: deploy-railway
+description: Deploy the Hyperindex frontend and backend to Railway. Use this skill when the user asks to deploy, redeploy, or update the production services on Railway.
+---
+
+# Deploy Hyperindex to Railway
+
+## Project Layout
+
+Hyperindex is a monorepo with two Railway services:
+
+| Service | Source | Dockerfile | Railway Name |
+|---------|--------|------------|-------------|
+| **Backend** (Go) | repo root `/` | `Dockerfile` | `backend` |
+| **Frontend** (Next.js) | `client/` | `client/Dockerfile` | `frontend` |
+
+## Custom Domains
+
+| Service | Domain |
+|---------|--------|
+| Backend | `https://api.hi.gainforest.app` |
+| Frontend | `https://hi.gainforest.app` |
+
+Legacy domains (still active): `backend-production-95a22.up.railway.app`, `frontend-production-dcce.up.railway.app`
+
+## Prerequisites
+
+- Railway CLI v4+ installed and logged in (`railway whoami`)
+- Linked to project: `railway status` should show project `hyperindex`
+- On the correct git branch (typically `tap-feature`)
+
+## Deploy Backend
+
+The backend deploys from the repo root using the root `Dockerfile`:
+
+```bash
+railway up -s backend -d
+```
+
+This uploads the entire repo, builds the Go binary in Docker, and deploys it. Takes ~3-5 minutes.
+
+### Verify backend:
+```bash
+curl -s https://api.hi.gainforest.app/
+# Should return: {"name":"Hyperindex","version":"0.1.0-dev",...}
+```
+
+## Deploy Frontend
+
+**CRITICAL:** The frontend MUST use `--path-as-root` to avoid Railway picking up the root Go Dockerfile:
+
+```bash
+railway up --path-as-root client/ -s frontend -d
+```
+
+This makes `client/` the archive root so Railway only sees `client/Dockerfile` (the Next.js build). Takes ~3-5 minutes.
+
+### Why `--path-as-root`?
+
+Without it, `railway up` uploads the entire monorepo and Railway finds the root `Dockerfile` (Go backend) instead of `client/Dockerfile` (Next.js frontend). This causes the frontend service to run the Go binary instead of the Next.js app.
+
+### Verify frontend:
+```bash
+curl -s -o /dev/null -w "%{http_code}" https://hi.gainforest.app/
+# Should return: 200
+
+# Verify it's actually Next.js (not the Go server):
+curl -s https://hi.gainforest.app/ | grep -o '<title>[^<]*</title>'
+# Should return: <title>Hyperindex</title>
+```
+
+## Deploy Both Services
+
+```bash
+# Backend (from repo root)
+railway up -s backend -d
+
+# Frontend (with path-as-root)
+railway up --path-as-root client/ -s frontend -d
+```
+
+## Environment Variables
+
+### Backend (`backend` service)
+| Variable | Value |
+|----------|-------|
+| `HOST` | `0.0.0.0` |
+| `PORT` | `8080` |
+| `DATABASE_URL` | `sqlite:/app/data/hypergoat.db` |
+| `EXTERNAL_BASE_URL` | `https://api.hi.gainforest.app` |
+| `TRUST_PROXY_HEADERS` | `true` |
+| `ADMIN_DIDS` | `did:plc:qc42fmqqlsmdq7jiypiiigww` (daviddao.org) |
+| `OAUTH_LOOPBACK_MODE` | `true` |
+| `SECRET_KEY_BASE` | *(set on Railway, do not change)* |
+
+### Frontend (`frontend` service)
+| Variable | Value |
+|----------|-------|
+| `PORT` | `3000` |
+| `PUBLIC_URL` | `https://hi.gainforest.app` |
+| `NEXT_PUBLIC_API_URL` | `https://api.hi.gainforest.app` |
+| `HYPERINDEX_URL` | `https://api.hi.gainforest.app` |
+| `COOKIE_SECRET` | *(set on Railway, do not change)* |
+| `ATPROTO_JWK_PRIVATE` | *(ES256 JWK, set on Railway, do not change)* |
+
+**Note:** `NEXT_PUBLIC_API_URL` is a build-time variable (inlined by Next.js during `npm run build`). The `client/Dockerfile` declares `ARG NEXT_PUBLIC_API_URL` so Railway passes it during Docker build.
+
+## Troubleshooting
+
+### Frontend shows Go JSON response instead of HTML
+You forgot `--path-as-root client/`. Redeploy with:
+```bash
+railway up --path-as-root client/ -s frontend -d
+```
+
+### "Application not found" on custom domain
+SSL certificate is still provisioning. Wait 5-15 minutes after adding DNS records.
+
+### GraphiQL returns 500 through frontend
+GraphiQL is served directly by the backend. The frontend has a `/graphiql` server-side redirect route that redirects to `https://api.hi.gainforest.app/graphiql`.
+
+### OAuth login fails
+Check that `ATPROTO_JWK_PRIVATE` and `PUBLIC_URL` are set on the frontend service. Generate a new JWK with:
+```bash
+node scripts/generate-jwk.js  # (in hyperscan repo, or client/scripts/ if copied)
+```
+
+### "admin privileges required" after login
+Ensure `TRUST_PROXY_HEADERS=true` is set on the backend. Without it, the backend ignores the `X-User-DID` header from the Next.js proxy.
+
+## Setting Environment Variables
+
+```bash
+# Set a variable on a service
+railway variables set 'KEY=value' -s backend
+railway variables set 'KEY=value' -s frontend
+
+# View all variables for a service
+railway variables -s backend
+railway variables -s frontend
+```
+
+After changing env vars, redeploy the affected service.

.beads/.gitignore

@@ -0,0 +1,46 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+sync-state.json
+last-touched
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Worktree redirect file (contains relative path to main repo's .beads/)
+# Must not be committed as paths would be wrong in other clones
+redirect
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# Sync state (local-only, per-machine)
+# These files are machine-specific and should not be shared across clones
+.sync.lock
+.jsonl.lock
+sync_base.jsonl
+export-state/
+
+# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
+# They would override fork protection in .git/info/exclude, allowing
+# contributors to accidentally commit upstream issue databases.
+# The JSONL files (issues.jsonl, interactions.jsonl) and config files
+# are tracked by git by default since no pattern above ignores them.

.beads/.local_version

@@ -0,0 +1 @@
+0.49.6

.beads/README.md

@@ -0,0 +1,81 @@
+# Beads - AI-Native Issue Tracking
+
+Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
+
+## What is Beads?
+
+Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
+
+**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
+
+## Quick Start
+
+### Essential Commands
+
+```bash
+# Create new issues
+bd create "Add user authentication"
+
+# View all issues
+bd list
+
+# View issue details
+bd show <issue-id>
+
+# Update issue status
+bd update <issue-id> --status in_progress
+bd update <issue-id> --status done
+
+# Sync with git remote
+bd sync
+```
+
+### Working with Issues
+
+Issues in Beads are:
+- **Git-native**: Stored in `.beads/issues.jsonl` and synced like code
+- **AI-friendly**: CLI-first design works perfectly with AI coding agents
+- **Branch-aware**: Issues can follow your branch workflow
+- **Always in sync**: Auto-syncs with your commits
+
+## Why Beads?
+
+✨ **AI-Native Design**
+- Built specifically for AI-assisted development workflows
+- CLI-first interface works seamlessly with AI coding agents
+- No context switching to web UIs
+
+🚀 **Developer Focused**
+- Issues live in your repo, right next to your code
+- Works offline, syncs when you push
+- Fast, lightweight, and stays out of your way
+
+🔧 **Git Integration**
+- Automatic sync with git commits
+- Branch-aware issue tracking
+- Intelligent JSONL merge resolution
+
+## Get Started with Beads
+
+Try Beads in your own projects:
+
+```bash
+# Install Beads
+curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
+
+# Initialize in your repo
+bd init
+
+# Create your first issue
+bd create "Try out Beads"
+```
+
+## Learn More
+
+- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
+- **Quick Start Guide**: Run `bd quickstart`
+- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
+
+---
+
+*Beads: Issue tracking that moves at the speed of thought* ⚡

.beads/config.yaml

@@ -0,0 +1,67 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+# issue-prefix: ""
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Export events (audit trail) to .beads/events.jsonl on each flush/sync
+# When enabled, new events are appended incrementally using a high-water mark.
+# Use 'bd export --events' to trigger manually regardless of this setting.
+# events-export: false
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+# sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo

.beads/daemon.lock

@@ -0,0 +1,7 @@
+{
+  "pid": 46504,
+  "parent_pid": 46496,
+  "database": "/Users/david/Projects/gainforest/hyperindex/.beads/beads.db",
+  "version": "0.49.6",
+  "started_at": "2026-02-18T08:44:00.42754Z"
+}