publish-proxy: close job list params - radrootsd - JSON-RPC bridge for Radroots event publishing

commit 1ed09f90a4fdf16acb411b93c6eb3d54f8830138
parent 51a5fefe711824643ae4d817ab2fc67537651278
Author: triesap <tyson@radroots.org>
Date:   Tue, 23 Jun 2026 22:03:42 +0000

publish-proxy: close job list params

- reject unknown publish.job.list object fields
- keep limit as the only v1 job-list parameter
- prove cursor status and extra fields return InvalidParams
- cover omitted empty-array and capped limit behavior

Diffstat:
M src/transport/jsonrpc/methods/publish_proxy.rs  | 43 +++++++++++++++++++++++++++++++++++++++++++

1 file changed, 43 insertions(+), 0 deletions(-)
diff --git a/src/transport/jsonrpc/methods/publish_proxy.rs b/src/transport/jsonrpc/methods/publish_proxy.rs
@@ -17,6 +17,7 @@ struct JobGetParams {
 }
 
 #[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
 struct JobListParams {
     limit: Option<usize>,
 }
@@ -386,6 +387,34 @@ mod tests {
     }
 
     #[tokio::test]
+    async fn publish_job_list_rejects_unknown_fields() {
+        let (module, _ctx, _token, _event) = module_with_principal(false);
+        for params in [
+            r#"{"cursor":"next"}"#,
+            r#"{"status":"publishing"}"#,
+            r#"{"limit":1,"extra":true}"#,
+        ] {
+            let request = format!(
+                r#"{{
+                    "jsonrpc":"2.0",
+                    "method":"publish.job.list",
+                    "params":{params},
+                    "id":1
+                }}"#
+            );
+            let (response, _stream) = module
+                .raw_json_request(request.as_str(), 1)
+                .await
+                .expect("unknown field request");
+            assert!(
+                response.get().contains("\"code\":-32602"),
+                "{}",
+                response.get()
+            );
+        }
+    }
+
+    #[tokio::test]
     async fn publish_job_list_uses_configured_limit_when_omitted_and_caps_positive_limits() {
         let mut config = PublishProxyConfig {
             daemon_default_publish_relays: vec!["wss://relay.example.com".to_owned()],
@@ -429,6 +458,20 @@ mod tests {
             serde_json::from_str(response.get()).expect("omitted response json");
         assert_eq!(value["result"].as_array().expect("jobs").len(), 1);
 
+        let empty_array = r#"{
+            "jsonrpc":"2.0",
+            "method":"publish.job.list",
+            "params":[],
+            "id":1
+        }"#;
+        let (response, _stream) = module
+            .raw_json_request(empty_array, 1)
+            .await
+            .expect("empty array request");
+        let value: serde_json::Value =
+            serde_json::from_str(response.get()).expect("empty array response json");
+        assert_eq!(value["result"].as_array().expect("jobs").len(), 1);
+
         let over_limit = r#"{
             "jsonrpc":"2.0",
             "method":"publish.job.list",

	radrootsd JSON-RPC bridge for Radroots event publishing git clone https://radroots.dev/git/radrootsd.git
	Log \| Files \| Refs \| README \| LICENSE