Deny unknown fields on RPC Request and Response

[sudo-shashank]

Summary of changes

Changes introduced in this pull request:

• Reject unknown fields in RPC request parameters and response payloads when FOREST_STRICT_JSON is enabled.
• FOREST_STRICT_JSON to be enabled for api compare test in a follow up PR.

Reference issue to close (if applicable)

Closes #5600

Other information and links

Change checklist

• I have performed a self-review of my own code,
• I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
• I have added tests that prove my fix is effective or that my feature works (if possible),
• I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

• I have read and agree to the CONTRIBUTING document.
• I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

• New Features

  • Enhanced RPC JSON validation: with FOREST_STRICT_JSON enabled, strict mode now rejects unknown JSON fields for both RPC requests and RPC responses (in addition to duplicate-key detection).

• Documentation

  • Updated reference for FOREST_STRICT_JSON to clarify the expanded strict validation behavior.

• Tests

  • Updated/added tests and validation checks to ensure unknown-field rejection is enforced in strict mode.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c4a3c16f-9368-47f6-ac37-40864e346ce3

📥 Commits

Reviewing files that changed from the base of the PR and between f8bbdfb and c3410d3.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• CHANGELOG.md
• Cargo.toml
• docs/docs/users/reference/env_variables.md

✅ Files skipped from review due to trivial changes (3)

• docs/docs/users/reference/env_variables.md
• CHANGELOG.md
• Cargo.toml

---

Walkthrough

This PR extends FOREST_STRICT_JSON strict validation to reject unknown fields for RPC request parameters and RPC response results. It adds a serde_ignored-based deserialization helper and replaces direct serde_json::from_value calls with the new validator across RPC parsing, response handling, and related test utilities; docs and changelog updated.

Changes

Cohort / File(s)	Summary
Configuration & Documentation CHANGELOG.md, docs/docs/users/reference/env_variables.md	Documented that FOREST_STRICT_JSON now rejects unknown fields (in addition to duplicate-key detection) for RPC requests and responses.
Core Validator Implementation src/rpc/json_validator.rs, Cargo.toml	Added serde_ignored dependency and implemented pub fn from_value_rejecting_unknown_fields<T: DeserializeOwned>(value: serde_json::Value) -> Result<T, serde_json::Error) which uses serde_ignored when strict mode is enabled; added tests for strict/non-strict behaviors.
RPC Request/Response Integration src/rpc/reflect/parser.rs, src/rpc/reflect/mod.rs	Replaced serde_json::from_value usage with json_validator::from_value_rejecting_unknown_fields for request parameter deserialization and successful response deserialization, preserving existing error mapping.
Test / Tooling Updates src/tool/subcommands/api_cmd/api_compare_tests.rs	Updated RPC JSON syntax and semantic validation utilities to use the new validator so tests reject unknown fields under strict mode.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Reflect
    participant Parser
    participant Validator

    Client->>Reflect: send JSON-RPC request
    Reflect->>Parser: extract params (serde_json::Value)
    Parser->>Validator: from_value_rejecting_unknown_fields(params)
    Validator-->>Parser: Ok(T) / Err(unknown fields error)
    Parser-->>Reflect: deserialized params / propagate error
    Reflect->>Client: invoke method or return parse error

    Note over Validator,Parser: For responses, Reflect also calls Validator to deserialize results before returning to client

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat(rpc): implement duplicate key detection for json-rpc requests #6455: Introduced duplicate-key detection and earlier strict-mode helpers in src/rpc/json_validator.rs, which this PR extends to reject unknown fields.
• fix(ci): prefetch state computation snapshots to make codecov less flaky #6496: Also modifies JSON validation logic in the same module and may overlap with the validator behavior changes here.

Suggested reviewers

• hanabi1224
• LesnyRumcajs

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Deny unknown fields on RPC Request and Response' accurately describes the primary change: implementing rejection of unknown JSON fields in RPC requests and responses when FOREST_STRICT_JSON is enabled.
Linked Issues check	✅ Passed	The PR implements the core requirement from #5600: rejecting unknown fields on RPC request/response deserialization. A new helper function from_value_rejecting_unknown_fields is integrated into RPC parsing, request/response handling, and API test validation to surface malformed requests instead of silently ignoring them.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing unknown-field rejection for RPC: dependency addition (serde_ignored), validator implementation, integration into RPC parsing/response handling, documentation, changelog, and test updates. No extraneous changes detected.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch shashank/deny-unknown-fields-rpc

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch shashank/deny-unknown-fields-rpc

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Line 32: Update the CHANGELOG entry that currently references the PR number
[`#6926`] to reference the tracked issue numbers instead; replace the PR link and
label with the issue reference(s) [`#5600`] and/or [`#5635`] and the corresponding
issue URL(s) while keeping the rest of the description unchanged ("Added strict
JSON validation to deny unknown fields in RPC request parameters and response
results when `FOREST_STRICT_JSON` is enabled."); edit the exact line that
contains the current "- [`#6926`](...): ..." entry so the format matches other
changelog entries (use [`#ISSUE_NO`](link-to-issue): <description>).

In `@src/rpc/reflect/mod.rs`:
- Around line 278-285: The current validation only re-serializes Forest's own
LotusJson before returning; to actually reject unknown fields from remote nodes
update RpcMethodExt::call_raw to validate the incoming JSON payload using
crate::rpc::json_validator::from_value_rejecting_unknown_fields (into the
<Self::Ok as HasLotusJson>::LotusJson type) instead of using plain
serde_json::from_value, so the client.call(...) result is passed through
from_value_rejecting_unknown_fields (honoring FOREST_STRICT_JSON behavior) and
any unknown fields cause an error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9e9c365b-6589-49ef-96e3-d17f624df0ce

📥 Commits

Reviewing files that changed from the base of the PR and between 09376b7 and b48816d.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

• CHANGELOG.md
• Cargo.toml
• docs/docs/users/reference/env_variables.md
• src/rpc/json_validator.rs
• src/rpc/reflect/mod.rs
• src/rpc/reflect/parser.rs

[codecov]

Codecov Report

❌ Patch coverage is 95.83333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.03%. Comparing base (3dcb3e4) to head (c3410d3).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/rpc/json_validator.rs	97.77%	0 Missing and 1 partial ⚠️
src/rpc/reflect/mod.rs	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
src/rpc/reflect/parser.rs	80.66% <100.00%> (ø)
src/rpc/json_validator.rs	96.72% <97.77%> (+0.61%)	⬆️
src/rpc/reflect/mod.rs	69.45% <0.00%> (ø)

... and 6 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3dcb3e4...c3410d3. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.