fix(api): move JSONPath modifier to query parameter with improved error handling

[crivetimihai]

Note: This PR was re-created from #3023 due to repository maintenance. Your code and branch are intact. @rakdutta please verify everything looks good.

closes #2848
This PR enhances the tools API endpoints (/tools and /tools/{tool_id}) by refactoring JSONPath modifier support from request body to query parameters, improving error handling, and adding comprehensive logging for better debugging.

Changes

API Parameter Changes

• Moved apijsonpath parameter from request body to optional query parameter in both list_tools and get_tool endpoints
• Enables JSONPath modifiers to be passed as JSON strings in GET requests, improving API usability
• Added unified parsing logic to handle apijsonpath as either a string (HTTP requests) or model instance (internal calls/tests)

Response Handling

• Changed endpoints to return ORJSONResponse when JSONPath modifiers are applied, bypassing FastAPI's response model validation
• Ensures correct response format and prevents validation errors on modified responses

Error Handling

• Improved error reporting for invalid JSONPath modifier input with appropriate HTTP exceptions
• Added detailed error messages for parsing and processing failures

Test Updates

• Updated unit tests to use new query parameter format for apijsonpath
• Switched tests to use JsonPathModifier model instances
• Validated that endpoints return ORJSONResponse objects when modifiers are applied

Documentation

• Added docstring notes about raised exceptions
• Clarified parameter descriptions in endpoint documentation

Impact

These changes improve API flexibility by allowing JSONPath modifiers in GET requests, enhance reliability through better error handling, and improve maintainability with comprehensive logging and updated tests.

Testing

All existing unit tests have been updated and pass successfully. The changes maintain backward compatibility for internal calls while adding new query parameter support for HTTP requests.

[TS0713]

Review: apijsonpath query parameter change

Tested all edge cases for the apijsonpath query parameter change. All tests pass as expected.

Tests executed

#	Test	Result
1	No apijsonpath — full object returned	✅
2	{"jsonpath":"$[*].name"} — filters names	✅
3	{"jsonpath":"$[*].id"} — filters IDs	✅
4	Mapping {"tool_name":"name","tool_id":"id"} — renames fields	✅
5	{"jsonpath":null} — defaults gracefully	✅
6	{"jsonpath":""} — empty string defaults to $[*]	✅
7	Invalid JSON string — returns 400 with clear message	✅
8	Unknown fields {"unexpected_field":123} — returns 400 Extra inputs are not permitted	✅
9	Invalid JSONPath syntax $$[invalid — returns 400	✅
10	JSONPath matches nothing — returns []	✅
11	Body on GET ignored — full object returned, not filtered	✅ regression confirmed fixed
12	Access to non-existent resource ID — returns 403, consistent with existing access control behaviour across all endpoints	✅ working as designed

Verdict: Approved ✅

[ja8zyjits]

Hi @crivetimihai , we need conflict resolution here.

[TS0713]

Tested the updated implementation for /tools and /tools/{tool_id} endpoints. All scenarios behave as expected.

Tests executed

#	Test	Result
1	No apijsonpath — full object returned	✅
2	{"jsonpath":"$[*].name"} — filters tool names	✅
3	{"jsonpath":"$[*].id"} — filters tool IDs	✅
4	Mapping {"tool_name":"name","tool_id":"id"} — renames fields correctly	✅
5	{"jsonpath":null} — defaults gracefully	✅
6	{"jsonpath":""} — empty string defaults to $[*]	✅
7	Invalid JSON string — returns 400 Bad Request	✅
8	Unknown fields {"unexpected_field":123} — returns 400	✅
9	Invalid JSONPath syntax — returns 400	✅
10	JSONPath matches nothing — returns []	✅
11	Body on GET ignored — full object returned (regression fixed)	✅
12	Access to non-existent resource ID — returns 403	✅
13	Pagination works with JSONPath (include_pagination=true)	✅

Pagination verification

Verified pagination works correctly when JSONPath is used.

curl -G "$BASE/tools" \
  -H "Authorization: Bearer $MY_BEARER" \
  --data-urlencode "include_pagination=true" \
  --data-urlencode 'apijsonpath={"jsonpath":"$[*].name"}'

Approved!

[crivetimihai]

Review Complete — Ready to merge

Rebased onto current main (db620e9), no conflicts. Thorough code review + live testing performed.

Changes made during review (2 commits)

0260232a9 — validate apijsonpath before DB query + test coverage

• Moved _parse_apijsonpath() before the database query in list_tools — fail fast on invalid input without wasting a DB round-trip
• Added 2 tests for the ValidationError path (extra="forbid" rejecting unknown fields) which had zero coverage

1ba2c5b0e — correct nextCursor wire key, sanitize debug log, add e2e tests

• Bug fix: Paginated JSONPath response emitted next_cursor (snake_case) instead of nextCursor (camelCase) because the hand-built dict bypassed Pydantic aliasing via ORJSONResponse. Confirmed live: normal pagination returned nextCursor, but JSONPath+pagination returned next_cursor. Fixed.
• Security fix (CWE-117): Debug log in jsonpath_modifier() recorded raw user-supplied JSONPath without sanitization. Wrapped with SecurityValidator.sanitize_log_message() to prevent log forging.
• Test gap: All existing tests used __wrapped__(), bypassing FastAPI's HTTP query string parsing. Added 3 end-to-end TestClient tests covering the actual wire path.

Verification

Area	Result
Unit tests	539 passed (536 original + 3 new)
curl API tests	15/15 passed (baseline, pagination, JSONPath, JSONPath+pagination, mappings, single tool, 7 error cases, auth, body-on-GET)
Regression endpoints	/health, /resources, /prompts, /servers, /gateways — all 200
Playwright UI	Login, dashboard, Tools (list + View + Test invocation), Prompts, Resources — all render, zero new console errors
Gateway logs	No errors from test window
Pagination wire key	Confirmed fixed live at localhost:8080 — nextCursor in both normal and JSONPath+pagination paths