Required parameters accept null values, bypassing validation

[zesty-clawd]

Summary

ParseParams treats a required parameter as present when the JSON key exists, even if its value is null. This lets callers bypass the required check by sending {"param": null}, resulting in a nil value flowing into downstream tooling.

Steps to Reproduce

1. Define a tool parameter as required (e.g., a required string).
2. Invoke the tool with a JSON body that sets that parameter to null.
3. Observe that the request is accepted and the parameter value becomes nil.

Expected

Requests with null for a required parameter should fail with a validation error (e.g., 400 / agent error indicating the parameter is required).

Actual

ParseParams only checks for missing keys, not null values. Required parameters can be bypassed by sending null, which can later cause parsing errors or unexpected nils in templates/queries.

Code Pointer

internal/util/parameters/parameters.go:

// ParseParams
v, ok = data[name]
if !ok {
  v = p.GetDefault()
  if CheckParamRequired(p.GetRequired(), v) {
    return nil, util.NewAgentError(fmt.Sprintf("parameter %q is required", name), nil)
  }
}
if v != nil {
  newV, err = p.Parse(v)
}

Proposed Fix

Treat null as missing for required parameters, e.g.:

v, ok := data[name]
if !ok || v == nil {
  v = p.GetDefault()
  if CheckParamRequired(p.GetRequired(), v) { ... }
}

This preserves defaults while enforcing required fields when a client explicitly sends null.

[twishabansal]

Thanks for reporting this bug! I have raised #2519 as a fix.