fix: address roborev findings for API handlers and remote engine

- Use r.Context() instead of context.Background() in all API handlers
  (handleAggregates, handleSubAggregates, handleFilteredMessages,
  handleTotalStats, handleFastSearch, handleDeepSearch)
- Add doRequestWithContext to remote.Store for context propagation
- Plumb context through all remote.Engine HTTP requests for proper
  cancellation/timeout support
- Fix SubAggregate to use opts.TimeGranularity instead of filter
- Add validation for view_type in handleFastSearch (return 400 if invalid)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: EconoBen

internal/api/handlers.go

@@ -1,7 +1,6 @@
 package api
 
 import (
-	"context"
 	"crypto/sha256"
 	"encoding/json"
 	"fmt"
@@ -875,8 +874,7 @@ func (s *Server) handleAggregates(w http.ResponseWriter, r *http.Request) {
 
 	opts := parseAggregateOptions(r)
 
-	ctx := context.Background()
-	rows, err := s.engine.Aggregate(ctx, viewType, opts)
+	rows, err := s.engine.Aggregate(r.Context(), viewType, opts)
 	if err != nil {
 		s.logger.Error("aggregate query failed", "view_type", viewTypeStr, "error", err)
 		writeError(w, http.StatusInternalServerError, "internal_error", "Aggregate query failed")
@@ -917,8 +915,7 @@ func (s *Server) handleSubAggregates(w http.ResponseWriter, r *http.Request) {
 	filter := parseMessageFilter(r)
 	opts := parseAggregateOptions(r)
 
-	ctx := context.Background()
-	rows, err := s.engine.SubAggregate(ctx, filter, viewType, opts)
+	rows, err := s.engine.SubAggregate(r.Context(), filter, viewType, opts)
 	if err != nil {
 		s.logger.Error("sub-aggregate query failed", "view_type", viewTypeStr, "error", err)
 		writeError(w, http.StatusInternalServerError, "internal_error", "Sub-aggregate query failed")
@@ -946,8 +943,7 @@ func (s *Server) handleFilteredMessages(w http.ResponseWriter, r *http.Request)
 
 	filter := parseMessageFilter(r)
 
-	ctx := context.Background()
-	messages, err := s.engine.ListMessages(ctx, filter)
+	messages, err := s.engine.ListMessages(r.Context(), filter)
 	if err != nil {
 		s.logger.Error("filtered messages query failed", "error", err)
 		writeError(w, http.StatusInternalServerError, "internal_error", "Message query failed")
@@ -997,8 +993,7 @@ func (s *Server) handleTotalStats(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	ctx := context.Background()
-	stats, err := s.engine.GetTotalStats(ctx, opts)
+	stats, err := s.engine.GetTotalStats(r.Context(), opts)
 	if err != nil {
 		s.logger.Error("total stats query failed", "error", err)
 		writeError(w, http.StatusInternalServerError, "internal_error", "Stats query failed")
@@ -1024,10 +1019,16 @@ func (s *Server) handleFastSearch(w http.ResponseWriter, r *http.Request) {
 
 	filter := parseMessageFilter(r)
 
-	// Get view type for stats grouping
+	// Get view type for stats grouping (optional, defaults to senders)
 	var statsGroupBy query.ViewType
 	if v := r.URL.Query().Get("view_type"); v != "" {
-		statsGroupBy, _ = parseViewType(v)
+		var ok bool
+		statsGroupBy, ok = parseViewType(v)
+		if !ok {
+			writeError(w, http.StatusBadRequest, "invalid_view_type",
+				"Invalid view_type. Must be one of: senders, sender_names, recipients, recipient_names, domains, labels, time")
+			return
+		}
 	}
 
 	offset := filter.Pagination.Offset
@@ -1036,10 +1037,9 @@ func (s *Server) handleFastSearch(w http.ResponseWriter, r *http.Request) {
 		limit = 100
 	}
 
-	ctx := context.Background()
 	q := search.Parse(queryStr)
 
-	result, err := s.engine.SearchFastWithStats(ctx, q, queryStr, filter, statsGroupBy, limit, offset)
+	result, err := s.engine.SearchFastWithStats(r.Context(), q, queryStr, filter, statsGroupBy, limit, offset)
 	if err != nil {
 		s.logger.Error("fast search failed", "query", queryStr, "error", err)
 		writeError(w, http.StatusInternalServerError, "internal_error", "Search failed")
@@ -1082,10 +1082,9 @@ func (s *Server) handleDeepSearch(w http.ResponseWriter, r *http.Request) {
 		limit = 100
 	}
 
-	ctx := context.Background()
 	q := search.Parse(queryStr)
 
-	messages, err := s.engine.Search(ctx, q, limit, offset)
+	messages, err := s.engine.Search(r.Context(), q, limit, offset)
 	if err != nil {
 		s.logger.Error("deep search failed", "query", queryStr, "error", err)
 		writeError(w, http.StatusInternalServerError, "internal_error", "Search failed")

internal/remote/engine.go

@@ -351,7 +351,7 @@ func (e *Engine) Aggregate(ctx context.Context, groupBy query.ViewType, opts que
 	params := buildAggregateQuery(groupBy, opts)
 	path := "/api/v1/aggregates?" + params.Encode()
 
-	resp, err := e.store.doRequest("GET", path, nil)
+	resp, err := e.store.doRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -380,13 +380,15 @@ func (e *Engine) SubAggregate(ctx context.Context, filter query.MessageFilter, g
 	if opts.Limit > 0 {
 		params.Set("limit", strconv.Itoa(opts.Limit))
 	}
+	// Use TimeGranularity from opts, not from filter (fixes roborev finding)
+	params.Set("time_granularity", timeGranularityToString(opts.TimeGranularity))
 	if opts.SearchQuery != "" {
 		params.Set("search_query", opts.SearchQuery)
 	}
 
 	path := "/api/v1/aggregates/sub?" + params.Encode()
 
-	resp, err := e.store.doRequest("GET", path, nil)
+	resp, err := e.store.doRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -409,7 +411,7 @@ func (e *Engine) ListMessages(ctx context.Context, filter query.MessageFilter) (
 	params := buildFilterQuery(filter)
 	path := "/api/v1/messages/filter?" + params.Encode()
 
-	resp, err := e.store.doRequest("GET", path, nil)
+	resp, err := e.store.doRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -499,7 +501,7 @@ func (e *Engine) Search(ctx context.Context, q *search.Query, limit, offset int)
 
 	path := "/api/v1/search/deep?" + params.Encode()
 
-	resp, err := e.store.doRequest("GET", path, nil)
+	resp, err := e.store.doRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -549,7 +551,7 @@ func (e *Engine) SearchFastWithStats(ctx context.Context, q *search.Query, query
 
 	path := "/api/v1/search/fast?" + params.Encode()
 
-	resp, err := e.store.doRequest("GET", path, nil)
+	resp, err := e.store.doRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -611,7 +613,7 @@ func (e *Engine) GetTotalStats(ctx context.Context, opts query.StatsOptions) (*q
 	params := buildStatsQuery(opts)
 	path := "/api/v1/stats/total?" + params.Encode()
 
-	resp, err := e.store.doRequest("GET", path, nil)
+	resp, err := e.store.doRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
 	}

internal/remote/store.go

@@ -2,6 +2,7 @@
 package remote
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -77,9 +78,14 @@ func (s *Store) Close() error {
 
 // doRequest performs an authenticated HTTP request.
 func (s *Store) doRequest(method, path string, body io.Reader) (*http.Response, error) {
+	return s.doRequestWithContext(context.Background(), method, path, body)
+}
+
+// doRequestWithContext performs an authenticated HTTP request with context support.
+func (s *Store) doRequestWithContext(ctx context.Context, method, path string, body io.Reader) (*http.Response, error) {
 	reqURL := s.baseURL + path
 
-	req, err := http.NewRequest(method, reqURL, body)
+	req, err := http.NewRequestWithContext(ctx, method, reqURL, body)
 	if err != nil {
 		return nil, fmt.Errorf("create request: %w", err)
 	}